One of the biggest challenges for any federal agency is finding ways to identify and minimize the impact of “insider threats,” the risk that someone with access to the organization’s networks – an employee, former employee, or contractor – will use that access maliciously. Compounding the problem, if someone external to the agency gains network access, they can look like an insider.
The major goal of the Cyber Sprint ordered by Federal CIO Tony Scott last summer was to cut down on the ways outsiders could penetrate government networks. From critical vulnerability patching to strengthened policies and procedures for privileged users to requiring multi-factor identification for network access, the sprint aimed to make outside intrusion both more difficult and easier to detect when it happens.
The Transportation Security Administration, created in the aftermath of 9/11, knows something about the need for vigilance against threats. Dale Beauchamp, the branch manager for network security operations in the Information Assurance and Cyber Security Division of TSA’s Office of Information Technology, has been leading the development of an insider threat program for the agency.
“We started the insider threat program before it was popular,” Beauchamp told FTI in a telephone interview. “We knew people were clicking on bad links.”
Beauchamp said the insider threat program at TSA is somewhat different than what many other agencies are doing.
“We were built out of the criminal investigation side,” he explained. “A lot of folks doing insider threat started down the road of counterintelligence.”
This makes a difference. In counterintelligence, investigators tend to watch illicit activities because they want to build out an understanding of relationships and identify as many players as possible, whereas the criminal investigations side sees bad behavior and wants to build the criminal case for prosecution, Beauchamp said.
At TSA, this means “we watch data [rather than] a person … We create a process where we build probable cause before we ever look at a person,” he said.
Monitoring user activities is tailored at TSA. “We’ve focused on risks, so not everyone gets the same level of monitoring,” Beauchamp explained. Systems administrators get far more attention than the thousands of airport screeners, for instance. Coupled with the agency’s focus on watching the data, this really narrows the universe to be watched.
“Organizations that effectively use behavioral analysis rely on understanding what normal, everyday activity on the network looks like in order to identify abnormal and suspicious behavior. Of course, modern networks are too large and complex to monitor effectively using manual analysis, so security professionals must instead rely on technology to extend their vision across the network and ensure critical information rises to the top,” said John Sellers, Vice President of Federal Sales for Lancope, a Cisco company, focused on network visibility and security intelligence to protect agencies and enterprises against threats.
“This is where Cisco’s StealthWatch System comes into play,” Sellers said. “By relying on NetFlow, a context-rich and common source of network traffic metadata, StealthWatch can leverage the existing networking infrastructure to give the security operations center (SOC) complete visibility into every transaction of every host on the network. It then can baseline what normal behavior looks like for each host and detect and alert on suspicious or anomalous behavior, so that the SOC can respond before an event becomes a major crisis.”
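As an added illustration (not code from the article, TSA, or Cisco/Lancope), the baselining approach Sellers describes can be sketched in Python: aggregate NetFlow-style records per host, learn each host's own normal daily volume and set of peers, and flag a day that deviates. The flow records, hosts and thresholds below are constructed, and the optional `monitored` filter stands in for the risk-tiered monitoring Beauchamp describes.

```python
"""Per-host behavioural baseline over NetFlow-style records (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, src_host, dst_host, bytes_out). Not real agency or vendor data.
FLOWS = [
    # 10.0.0.5 (an admin workstation): steady daily volume to the same two internal peers
    *[(d, "10.0.0.5", "10.0.1.1", 50_000 + 1_000 * d) for d in range(1, 8)],
    *[(d, "10.0.0.5", "10.0.1.2", 20_000) for d in range(1, 8)],
    # day 8: same host moves ~35x its normal volume to a destination it has never talked to
    (8, "10.0.0.5", "10.0.1.1", 55_000),
    (8, "10.0.0.5", "203.0.113.9", 2_500_000),
    # 10.0.0.7: unchanged behaviour on every day, including day 8
    *[(d, "10.0.0.7", "10.0.1.1", 30_000) for d in range(1, 9)],
]

def daily_profile(flows):
    """Aggregate flows into {host: {day: (bytes_out, set_of_peers)}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, src, dst, nbytes in flows:
        agg[src][day][0] += nbytes
        agg[src][day][1].add(dst)
    return {h: {d: (b, p) for d, (b, p) in days.items()} for h, days in agg.items()}

def detect_anomalies(flows, baseline_days, check_day, monitored=None, z_threshold=3.0):
    """Compare each host's check_day activity against its own baseline.
    monitored: optional set of hosts to evaluate (risk-tiered monitoring); None = all hosts.
    Returns {host: {"z_bytes": z, "new_peers": [...]}} for hosts that deviate.
    """
    alerts = {}
    for host, days in daily_profile(flows).items():
        if monitored is not None and host not in monitored:
            continue
        base = [days[d] for d in baseline_days if d in days]
        if len(base) < 3 or check_day not in days:
            continue  # not enough history to call anything abnormal
        volumes = [b for b, _ in base]
        mu, sigma = mean(volumes), pstdev(volumes)
        today_bytes, today_peers = days[check_day]
        if sigma:
            z = (today_bytes - mu) / sigma
        else:  # flat baseline: any change is infinitely surprising, no change is not
            z = float("inf") if today_bytes != mu else 0.0
        seen_peers = set().union(*(p for _, p in base))
        new_peers = sorted(today_peers - seen_peers)
        if z > z_threshold or new_peers:
            alerts[host] = {"z_bytes": round(z, 1), "new_peers": new_peers}
    return alerts
```

Running `detect_anomalies(FLOWS, range(1, 8), 8)` flags only 10.0.0.5, both for its volume spike and for the never-before-seen peer, while the host with unchanged behaviour produces nothing for the SOC to look at.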
Beauchamp said TSA’s insider threat program is continually being revised, with new tools being evaluated and new policies being considered. As the program has been refined, he said one important lesson learned is the usefulness of centrally locating the forensic tools and making them available for other offices within the agency. “We’re not a silo of excellence; that’s a key element,” he said.