As agencies move their insider threat programs forward, multiple strategies are key to ensuring effective continuous monitoring – including externally provided data. Early identification of risk is critical to evaluating threats and intervening effectively before a malicious event occurs.
At the Insider Threat Summit in March, there was much talk about the newly updated initiative from the Office of the Director of National Intelligence: Trusted Workforce 2.0. Agencies and contractors are shifting to a continuous vetting process for personnel with security clearances. Consequently, many organizations are focusing on using employee assistance programs (EAP) to help employees avoid negative adjudicative impacts and therefore maintain clearance status.
TransUnion supports continuous evaluation programs by providing actionable credit, public and proprietary records, as well as other information and insights to government agencies and government contractors with a permissible use for such information. At the Summit, we introduced device intelligence as an important new tool that helps agencies monitor for risks, protect employees and manage trust based upon frequently updated data.
Device intelligence: An early-warning signal to detect insider threats
The malicious insider threat represents 37% of incidents at a financial cost of nearly $7 million annually, with national security costs weighing in much more heavily. Addressing this type of threat, including espionage, fraud, and credential theft, is critically important to the security and integrity of our nation’s sensitive programs.
Currently, user activity monitoring typically focuses on internal system and data protection by using content filtering or logging of network events. What’s missing is a more comprehensive, holistic consideration of an individual’s digital footprint, to include changes in how devices linked to that individual behave over time. Such changes may be indicative of other, significant life events that may put a person on a path to becoming a hostile actor.
Getting left of boom: Fraud risk trigger repurposed for continuous vetting
Most insider threat programs rely on credit and public records data to identify individuals displaying factors along a path to insider threat hostile acts. Pinpointing a risk before it turns into a hostile act — getting left of boom — is vital to an agency’s or contractor’s ability to reduce potential insider threats. Traditional activity monitoring methods alone still leave a gap in identifying risk as devices are not monitored, nor are their histories of accessing outside networks.
TransUnion’s device intelligence platform — IDVision® with iovation® — bridges that gap. It has experience with 7 billion global devices interacting with 40,000 clients on a daily basis. This system has protected a total of 54 billion transactions – including 33 million daily transactions – and has a network of 83 million confirmed fraud and abuse reports. By leveraging this powerful fraud detection tool, agencies and contractors can gain visibility into risky behavior occurring in and outside of the workplace as government or government contractor employees access the Internet from various devices.
How device intelligence offers unique visibility into potential insider threat
Employees are consumers. Day-to-day activities like banking, shopping and more are performed on all their devices — both employer-provided and personal. Device intelligence relies predominantly upon device information, and not individual PII, to discern potential risks. Using proprietary linking technology, it’s also possible to associate a family of devices to an employee’s device. Suspicious behavior conducted by one device or the family of devices may provide key insights relevant to the government agency’s security clearance decisions.
Device intelligence provides a unique approach to online behavior activity monitoring. Once devices are associated with one another, device reputation, device behavior and known fraud can be used to flag potential risk for an individual user. Using the insights gained from device-based associations, agencies and government contractors can identify potential insider threat risks, such as:
Known fraud rings — devices associated to groups of cybercriminals committed to a particular type of fraud like bank or tax fraud
Suspicious activities — devices operating outside of normal usage patterns
Identity theft — devices known to be associated to accounts where identity theft has been reported or suspected
Closing the behavior monitoring gap
Whether you have an established insider threat program or are working toward implementation, now is the time to close the gap in suspicious behavior monitoring capabilities. Device intelligence can provide the necessary insight into potentially risky behavior before it leads to a national security event.