Compliance with NITTF, CNSSD 504 Workforce cybersecurity usage versus user activity monitoring

Insider threats have long been recognized as a problem by Federal government. the National Insider Threat Task Force (NITTF) was created by executive order in 2011. In part, it directed all federal departments and agencies with access to classified information to establish insider threat detection and prevention programs “to deter, detect, and mitigate insider threats, including the safeguarding of classified information”. information from exploitation, compromise or other unauthorized disclosure. »

As insider threats continued to grow, the federal government increased its demands. In 2014, National Security Systems Committee Directive 504 (CNSSD 504 – Protecting National Security Systems from Insider Threats) prescribed the minimum measures required for user activity monitoring (UAM) on all classified networks “to detect indicators of insider threat behavior” and have the “technical ability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. government information.”

At a minimum, this includes:

  • Keystroke Monitoring
  • Capture full app content (e.g. email, chat, data import, data export)
  • Screenshot
  • File spinning for any legitimate purpose
  • Ability to set triggers/alerts based on user activity

What about user privacy
In many jurisdictions, primarily outside of the United States, organizations are subject to employee privacy regulations. In these countries, targeted observation capabilities as described above would be prohibited because, by design and deployment, they would violate privacy regulations. Workforce CybersecurityHowever, the approach of is different from UAM. For example, DTEX INTERCEPTIONThe patent-protected “privacy by design” architecture allows for proportional deployment of targeted observation capabilities (where permitted) while protecting employee privacy rights. DTEX InterCEPT is specifically designed to collect the minimum amount of data needed to create a forensic audit trail while respecting confidentiality – gathering only the necessary application and user metadata, and uses pseudo-anonymization which tokenizes raw data fields including username, email, IP address, domain name, and device name. When evidence points to a threat, some administrators may anonymize user identities for investigations.

Focus on threat behavior, not actions
The directive recognizes an important distinction with which we fully agree. Tracking specific actions by specific users on specific data is an outdated and inefficient way to stop insider threats (and requires too much overhead for creating and maintaining rules). Instead, CNSSD 504 focuses on “threat behavior”; things that insider threats do as part of the insider threat kill chain.

Focusing on malicious behavior enables security and compliance teams to stop threats before they steal data or cause damage. By understanding business in the context of data, machines, applications and people, Intent Indicators can help SOC teams identify activities that provide “the telltale” when malicious actors perform reconnaissance, circumvention, aggregation, obfuscation, long before exfiltration.

How DTEX InterCEPT handles UAM
DTEX combines privacy first User activity monitoring, Insider Threat Management, Analysis of user and entity behavior, Digital forensicsand Endpoint DLP. It enables organizations to meet the UAM requirements of Directive 504.

Capturing full app content
Identifying intent indicators requires observing activities across data, machines, applications and people (DMAP). Our DMAP+ technology provides a continuous audit trail of unique endpoint metadata to observe, record, and correlate the actions and activities of data, machines, applications, and people in near real-time, including complete capture of all sessions , process, file system, and Window activities, on and off the organizational network.

Screen capture and keystroke monitoring
When a user has been bred for targeted observation, DTEX provides application content monitoring (includes SSL inspection for web browser-based activities), video/screen capture, and keystroke capture. Capture can be based on device, app, specific user rules, or for people flagged as “persons of interest”. All captures can be exported for further analysis.

File Shadowing
Malicious insiders often attempt to disguise (obfuscate) their actions by changing filenames or extensions. DTEX continuously tracks documents, even when names and locations have changed, using configurable hashing algorithms including MD5, SHA1, and SHA256. It can determine the “lineage” of a file to answer who, what, when, where and why a file was copied, modified, obfuscated or exfiltrated. DTEX also tracks file classification metadata as well as the use of Alternate Data Stream (ADS) for advanced data obfuscation attempts.

Set triggers/alerts based on user activity
When a skilled insider wants to steal data, they often separate their activities into smaller steps over a period of time to avoid detection. Alerting on every activity (which could be benign) can lead to alert fatigue. DTEX has partnered with MITER Corporation to advance Five Eyes’ capability for detection and mitigation of insider threats and foreign interference.

  • Alert Stacking and machine learning capabilities combine behavioral rules and anomaly detection to reduce false positives and analyst overhead.
  • Automated activity correlation allows multiple disparate events to be attributed to a defined sequence of events occurring within a given time window.
  • This further improves true positive detection rates by raising alert scores for events that occur sequentially across the entire insider threat kill chain, beyond alert rules that are triggered in a sequential manner. isolated.

DTEX also provides the ability to automatically augment monitoring and alerting mechanisms for high-risk user populations (e.g. new entrants, departures, or detected “at risk of flight” employees and flagged individuals as “persons of interest”) and the automatic correlation of these populations with insiders. threat-related activities.

Contact us today to find out more.

Sources
https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-nittf
https://www.dni.gov/files/NCSC/documents/nittf/NITTF-Insider-Threat-Guide-2017.pdf
https://www.dni.gov/files/NCSC/documents/nittf/20181022-UAM-Definition.pdf

The post office Compliance with NITTF, CNSSD 504 Workforce cybersecurity usage versus user activity monitoring appeared first on DTEX Systems Inc..

*** This is a syndicated blog from the Security Bloggers Network of DTEX Systems Inc. written by Jonathan Daly. Read the original post at: https://www.dtexsystems.com/blog/compliance-with-nittf-cnssd-504-using-workforce-cyber-security-vs-user-activity-monitoring/

About Donald J. Beadle

Check Also

NCSC releases supply chain cybersecurity guidance

Image source: istock.com/Alzay The National Cyber ​​Security Center (NCSC) and a number of international partners …