CSIAC is a DoD Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC) Presentation to: Insider Threat SOAR Workshop Dr. Paul B. Paul Losiewicz Senior Scientific Advisor Cyber Security and Information Systems Information Analysis Center 15 August 2013 Insider Threat Research and Development


CSIAC is a DoD Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC)

Presentation to: Insider Threat SOAR Workshop

Dr. Paul B. Paul Losiewicz

Senior Scientific Advisor, Cyber Security and Information Systems Information Analysis Center

15 August 2013

Insider Threat Research and Development


Overview

• Technology Increases Risk from Insider Threat

• Recent high level R&D Topics

• Recent R&D initiatives

• Implications and Policy Responses


Technology Increases Risk from Insider Threat


• Computing capacity continues to increase while embedded systems proliferate.

• Operating systems gain efficiency and capability with more sensors and distributed controls linked to other operating systems.

• Infrastructure is capital intensive and expensive to operate. Efficient and cost minimizing approaches have great emphasis. SCADA systems have evolved to meet this need.

• Combination of greater computing power and reach afforded by linked information systems affords greater span of influence; asymmetric threats increase.

• Greater span of control allows fewer personnel to monitor a greater range of control systems – with lower personnel cost. Personnel costs are the highest business costs.

• Similar dynamic holds in intellectual property and knowledge management systems. Less expensive cloud storage allows for more information to be available to more collaborative processes by small to mid-size businesses.


Recent High Level R&D topics

• Critical Infrastructure Security and Resilience (CISR)

• CSIAC input to Department of Homeland Security (DHS) EO13636/PPD-21 R&D WG

• Problems of complex system interdependencies must be adequately researched at the basic research level

• Cross-domain interfaces and influences must be thoroughly understood, represented and modeled at the applied research level

• Well-defined metrics must be appropriated from, and shared across, multiple domains and CI Sectors, to include Human Systems Interactions

• 8 Aug - NSA plans to eliminate 90% of Sys Admins using smart networks

• “Using technology to automate much of the work now done by employees and contractors would make the NSA's networks "more defensible and more secure," as well as faster”

• “These efforts pre-date Snowden's leaks, the agency has said, but have since been accelerated.”


Recent R&D initiatives

• Insider Threat Identification (Network Anomaly Detection)

• Chief Information Officer/Defense Information Systems Agency (CIO/DISA) CIO_DISA-13-BAA-RIF-0001

• Demonstrate the ability to analyze trends, patterns and other relevant data to identify insider threats that exist on DoD networks.

• SBIR N132-132: Cognitive Modeling for Cyber Defense

• Develop and validate a computational model of the cognitive processes from cues to actions of the attackers, defenders, and users to create a synthetic experimentation capability to examine, explore, and assess effectiveness of cyber operations.

• But has NOT yet been extended to Insider Threat profiles


Implications and Policy Responses?

• Technologically riskier environments require new solutions

– New system monitoring, data mining, and anomaly detection methods are being pursued

• Risk to Privacy by Big Data Mining and Cognitive Modeling?

– Congressional and public opinion divided post-Snowden, regardless of recent Administration defense of bulk data collection under Section 215 of the USA Patriot Act

– Greater transparency vs. improving threat detection a challenge

• Cognitive (Smart) Networks development accelerated

– will require corresponding advances in Secure Hardware and Protocols

– may require advances in distributed High Performance Computing and Modeling and Simulation for Test and Evaluation before fielding

• New anomaly detection and cognitive approaches in Personnel Reliability need investigation

– E.g. “Is Steganography and Steganalysis useful as a deterrent?”