When Army intelligence specialist Chelsea Manning leaked classified military documents, diplomatic cables and other sensitive information to WikiLeaks in 2010, the federal government's security clearance process served as the main defense against such insider breaches by the U.S. military and federal agencies.
"Back then, it was a trust model that relied upon a security clearance process that did proper vetting of employees," Randy Trzeciak of Carnegie Mellon's CERT insider threat program says in an interview with Information Security Media Group. "But where the organizations back then tended to be a bit limited is in the 'trust but verify' [monitoring] of the activities that were happening on networking systems."
Manning, sentenced to 35 years in prison in 2013 for copying 750,000 pages of U.S. military reports and several videos, accessed information she wasn't authorized to see or retrieve, with much of the data downloaded onto a read-write compact disk labeled "Lady Gaga." Barack Obama, in one of his final acts as president, last month commuted Manning's sentence to seven years.
In the interview, edited for length, Trzeciak discusses the evolution of how organizations have toughened their insider-threat defenses since the highly publicized leaks by Manning and former National Security Agency intelligence contractor Edward Snowden in 2013, and explains:
- Why the federal government relied heavily, sometimes exclusively, on security clearance background checks as a defense against insider attacks;
- How the government and private-sector organizations integrate security information and event management, data loss prevention and behavioral analytics tools to continually monitor networks and detect possible insider breaches in real time;
- Steps organizations should take to ensure employees' privacy rights are protected as enterprises build profiles on possible malicious insiders.
A senior member of the technical staff for the Carnegie Mellon University Software Engineering Institute's CERT insider threat program, Trzeciak analyzes the physical and online behavior of malicious insiders prior to and during network compromises. He also is an adjunct professor in Carnegie Mellon's H. John Heinz School of Public Policy and Management.