US Marine Corps Looks to Expand Insider Threat Program
Marines Seek to Deploy User Activity Monitoring System on Networks
The U.S. Marine Corps looks to expand its insider threat program and now seeks proposals to include user activity monitoring technology on its enterprise and classified networks.
The goal of expanding the insider threat program and investing in activity monitoring technology is to give the Marine Corps a greater ability to audit network traffic and to let its IT and security staff monitor that traffic for data leaks that originate with insiders, according to the proposal posted earlier this month at beta.SAM.gov, the site that manages the awarding of federal contracts.
"The Marine Corps Insider Threat Program's [user activity monitoring] requires a user monitoring capability and auditing capability to identify and evaluate anomalous activity by [Marine Corps Enterprise Network] users," according to the proposal. "This capability with established procedures for responding to anomalous user activity on the MCEN will be used to detect, deter, and mitigate potential damage to data on the MCEN and to contact applicable investigative authority when necessary."
The proposal also notes that both federal government and U.S. Department of Defense policies require user activity monitoring on classified and unclassified networks to support insider threat programs. "Logging, monitoring, and auditing of information system activities can lead to early discovery and mitigation of behavior indicative of an insider threat," according to the proposal.
Rick Holland, CISO and vice president for strategy at the security firm Digital Shadows, who is also a former U.S. Army intelligence officer, notes that since the leaks attributed to Edward Snowden occurred in 2013, the Pentagon and various military branches have steadily built up their insider threat programs.
"One advantage the military has is that it is far easier to deploy user monitoring controls that are invasive or even illegal in the private sector," Holland says. "There is no expectation of privacy in the military, especially in classified environments. Any action you take on a classified network in a sensitive compartmented information facility is fair game."
The request for vendor proposals for the Marine Corps insider threat program and the deployment of user activity monitoring systems within its IT networks is open now through March 4.
As part of the proposal, the Marine Corps seeks user activity monitoring technologies or tools that can address seven areas of possible insider threats. These include connecting to networks, privilege elevation, connecting to target systems, establishing file shares, accessing sensitive information, copying to file shares and copying data outside of a network or system.
Technical requirements for the proposed user activity monitoring systems must include the abilities to:
- Monitor keystrokes;
- Monitor application content, such as email, chat and data importing and exporting;
- Capture screenshots;
- Shadow files, i.e., keep tracking documents after their names or locations have changed;
- Attribute data to a specific user to help monitor activity.
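As an added illustration, not text from the proposal or any vendor's product, the block below shows how the seven activity areas and the per-user attribution requirement combine into a detection: a constructed audit trail is attributed to users, each user's progress along the chain is recorded, and only a user who accesses sensitive data and then copies it to a share or off the network is flagged. The stage labels, log format and sample events are assumptions made for this example.

```python
# Added illustration (not from the proposal or any vendor): correlate audit events per
# user along the seven insider activity areas. Labels, log format and trail are constructed.
from collections import defaultdict
CHAIN = ["network_connect", "privilege_elevation", "target_connect",
         "share_create", "sensitive_access", "copy_to_share", "copy_out"]
EXFIL_STAGES = {"copy_to_share", "copy_out"}

# Constructed audit trail, one event per line: "<time> <user> <stage> <detail>".
SAMPLE_LOG = """\
08:05 jdoe sensitive_access /shares/ops/plan.docx
08:06 asmith network_connect vpn-gw1
08:07 asmith target_connect fileserver02
08:09 asmith sensitive_access /shares/ops/roster.xlsx
08:11 asmith share_create smb://asmith-ws/tmp
08:12 asmith copy_to_share roster.xlsx
08:15 asmith copy_out usb:/media/E/roster.xlsx
08:21 bwong copy_to_share weekly-slides.pptx
"""

def parse_event(line):
    """Split one audit line into its fields; the detail field is optional."""
    ts, user, stage, *rest = line.split(maxsplit=3)
    return {"ts": ts, "user": user, "stage": stage, "detail": rest[0] if rest else ""}

def events_by_user(log):
    # Attribute every event to a user, preserving log (time) order.
    by_user = defaultdict(list)
    for line in filter(str.strip, log.splitlines()):
        ev = parse_event(line)
        by_user[ev["user"]].append(ev)
    return by_user

def chain_progress(events):
    # Stages this user reached, listed in chain order.
    seen = {ev["stage"] for ev in events}
    return [s for s in CHAIN if s in seen]

def exfil_after_access(events):
    """True only when a copy stage follows sensitive_access in time (bwong is not flagged)."""
    accessed = False
    for ev in events:
        if ev["stage"] == "sensitive_access":
            accessed = True
        elif accessed and ev["stage"] in EXFIL_STAGES:
            return True
    return False

def assess(log):
    """Per user: stages reached and whether the access-then-copy pattern occurred."""
    return {user: {"stages": chain_progress(evs), "flag": exfil_after_access(evs)}
            for user, evs in events_by_user(log).items()}
```

Running `assess(SAMPLE_LOG)` flags only asmith; jdoe reads a sensitive file without copying it and bwong copies a file that was never marked sensitive, so neither trips the rule.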
Holland notes that while it might be easier to create an insider threat program within a military branch, since the expectation of privacy is much lower, any such program is hard to get right and its success is hard to gauge.
"Just because it is easier to deploy a user monitoring solution in a military environment doesn't mean that the deployment will be successful," Holland says. "These sorts of solutions are notoriously tricky to implement. Having well-defined use cases deployed in a measured manner is critical to success. It isn't all about the endpoint agents and monitoring services; the people and process aspects are essential to any user monitoring implementation."
Tim Wade, a former network and security technical manager with the U.S. Air Force who is now a technical director at the security firm Vectra AI, notes that the success of any insider threat program, whether deployed in the military or the private sector, depends on the technology's ability to detect changes in behavior.
"The challenge, of course, is locating and assessing anomalous activity as a means of detecting insider threats," Wade says. "They will certainly find it … particularly in an organization that compartmentalizes components of its operational activities based on clearance level, the authority to access and a need to know."
In May 2020, Verizon released its annual Data Breach Investigations Report, which found that insider threats now account for about 30% of breaches and security incidents.
Like Wade, Erich Kron, security awareness advocate at security firm KnowBe4, notes that successful insider threat programs are based on ensuring that the technical components work at detecting changes in behavior.
"A key component of technical controls is the ability to ensure the identification of the potential insider threat," Kron says. "This means being able to properly identify the person accessing the information or property. Most commonly used are a username and password, however, this type of credential is prone to problems such as loss, use of common passwords and reuse across different services that others could use to mask their activities using a compromised account. Use of technologies such as the Department of Defense Common Access Card - CAC - that use cryptographically secure identification certificates, protected by a Personal Identification Number helps here."
Beyond the technical components, Kron also recommends training security teams to detect changes in personal behavior, to help identify who might pose a potential insider threat.