GCN : June 2014
Q: If government agencies could do one thing to reduce insider threats, what should it be?

A: Change their mindsets. To catch criminals, you have to think like a criminal. That requires thinking creatively about how and why someone might want to steal information from your agency. What does your agency have that someone would want to steal? What would their motivations be? How could they do it? With that kind of thinking, an agency will be able to develop IT risk scenarios that represent actions an insider might take, and be on the lookout for those specific actions.

Q: Do most government agencies have the technology they need to effectively deal with insider threats?

A: Most have some sort of security information and event management system (SIEM) and a number have data loss prevention (DLP) systems, which are a good start. These systems work pretty well at watching for the transfer of specific types of documents through the network perimeter and being able to audit hosts and desktops to make sure you don't have documents there that are sensitive, but they don't provide enough context to be able to build a case. They get you far enough to understand that you have a problem, but not far enough to help you understand why. This means a lot of potential false positives and a lot of effort to tune the DLP systems to reduce noise. We can't get to root cause analysis without using a big data system to get additional context and perform statistical analysis on the data.

Q: What do agencies need to finish the job?

A: They need a way to analyze log data and big data, and the ability to run statistical analysis and visualization alongside of that. That's what provides the context you need to find legitimate cases of insider fraud and eliminate false positives. A DLP system, for example, isn't going to take into account whether or not a person changes home addresses four times in the last three months, hasn't taken a vacation in the last two years or has had a stressful event such as a personal relationship change. Those are critical factors to determining context for insider threats.

Q: What is the relationship of big data to insider threats?

A: When people talk about big data, they are really talking about structured and unstructured machine data: the data in log files generated constantly by applications, IT architectures that support them and traditional security point solutions. Important examples include social media, emails and web logs. This data is then seen in the context of HR vacation time records, personnel reviews and layoff notices. Collected and analyzed properly, this data provides the missing link to solving insider threats. What big data gives you is context, which can help you understand the intent of the fraud. For example, when an employee does something against policy, a log is generated. But was it due to ignorance of policy or was it malicious? Big data systems can help you understand the difference.

Q: What is the technology that can make those kinds of connections?

A: It's about combining big data with statistical analysis, threat modeling and forecasting, and visualization so that you can analyze any set of data, from any source. You should also be able to search for any term throughout all of your data and look at standard deviations over a specific period of time to find outliers. For example: "Find me all of the failed logins across these types of systems that didn't happen on a Saturday, in this specific department and check this against any individuals on a layoff notification list." That's the type of specificity you need.

Mark Seward, Senior Director, Public Sector, Splunk Inc.
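The query Seward describes above (failed logins on a set of systems, excluding Saturdays, restricted to one department and cross-checked against a layoff notification list) and the "standard deviations over a period to find outliers" step are shown below as an added Python example. It is not code from GCN or from Splunk, and it does not use Splunk's search language. The log line format, the host names, the user names, the department mapping and the layoff list are all constructed for the example; a real deployment would read these from the SIEM and from HR systems.

```python
import re
import statistics
from datetime import datetime

# Constructed sample of authentication log lines (not real data). June 7, 2014 is a Saturday.
SAMPLE_AUTH_LOG = """\
2014-06-02T09:14:05 host=fs01 user=jdoe result=FAIL
2014-06-02T09:14:40 host=fs01 user=jdoe result=FAIL
2014-06-02T09:15:12 host=fs01 user=jdoe result=OK
2014-06-03T22:03:51 host=db02 user=jdoe result=FAIL
2014-06-03T22:04:20 host=db02 user=jdoe result=FAIL
2014-06-03T22:05:02 host=db02 user=jdoe result=FAIL
2014-06-04T08:30:00 host=fs01 user=asmith result=FAIL
2014-06-04T08:31:00 host=fs01 user=asmith result=OK
2014-06-05T11:00:00 host=fs01 user=bwong result=FAIL
2014-06-05T11:02:00 host=db02 user=clee result=FAIL
2014-06-05T13:45:00 host=fs01 user=dpatel result=FAIL
2014-06-05T14:10:00 host=db02 user=ekim result=FAIL
2014-06-06T09:05:00 host=fs01 user=fgarcia result=FAIL
2014-06-07T10:00:00 host=fs01 user=jdoe result=FAIL
"""

# Constructed HR context: department per user and the layoff notification list.
DEPARTMENTS = {
    "jdoe": "finance", "asmith": "finance", "clee": "finance", "dpatel": "finance",
    "fgarcia": "finance", "bwong": "engineering", "ekim": "engineering",
}
LAYOFF_NOTICES = {"jdoe", "bwong"}

SATURDAY = 5  # datetime.weekday(): Monday == 0 ... Saturday == 5

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_auth_log(text):
    """Parse the constructed key=value log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def contextual_failed_logins(events, systems, department, departments, layoff_notices):
    """Failed logins on the given systems that did not happen on a Saturday, by users
    who belong to `department` and appear on the layoff notification list."""
    return [
        ev for ev in events
        if ev["result"] == "FAIL"
        and ev["host"] in systems
        and ev["ts"].weekday() != SATURDAY
        and departments.get(ev["user"]) == department
        and ev["user"] in layoff_notices
    ]


def failed_login_outliers(events, sigma=2.0):
    """Count non-Saturday failed logins per user over the period the events cover and
    return users whose count is more than `sigma` standard deviations above the mean."""
    counts = {}
    for ev in events:
        if ev["result"] == "FAIL" and ev["ts"].weekday() != SATURDAY:
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    if len(counts) < 2:
        return []  # no population to compare against
    values = list(counts.values())
    mean = statistics.mean(values)
    stdev = statistics.pstdev(values)
    if stdev == 0:
        return []  # every user behaved the same; nothing stands out
    return sorted(u for u, c in counts.items() if (c - mean) / stdev > sigma)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    hits = contextual_failed_logins(evs, {"fs01", "db02"}, "finance", DEPARTMENTS, LAYOFF_NOTICES)
    for ev in hits:
        print(f"{ev['ts'].isoformat()} {ev['user']} failed login on {ev['host']}")
    print("statistical outliers:", failed_login_outliers(evs))
```

The two functions answer different questions. `contextual_failed_logins` is the targeted search from the interview: it narrows the log to the cases where HR context (department, layoff notice) gives an analyst a reason to look. `failed_login_outliers` is the statistical side: it flags users whose failed-login count is unusual relative to their peers, without any HR input at all. Running both over the same data and comparing the results is what separates a badly typed password from a case worth opening.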
Sponsored Content. For more information and to download Splunk Enterprise for free, visit www.splunk.com/insiderthreat