Humanizing the Way Government Tackles Insider Threats With Cognitive Computing
INDUSTRY PERSPECTIVE
EXECUTIVE SUMMARY

When you consider insider threats in government, you probably think of computers and networks. It’s important to remember, however, that the entire population of potential internal threat actors is made up of humans who are just that: human. Behind every insider threat is an individual who maliciously or inadvertently compromises government information or plans to do physical harm.

To detect these threats and better protect government information, agencies have turned to modernized digital systems and technologies to strengthen firewalls and monitor access. But traditional cybersecurity technologies and approaches have been heavily focused on detecting threat actors coming from the outside. Trusted insiders planning nefarious activities have no external firewall to break through – they already have access to facilities and data. As such, these threats are not readily detected by current methodologies. Yet the consequences from insider threats can be catastrophic, including dangerous compromises to national security and loss of human lives. Insider threat strategies must look beyond current detection methods that only address access log data or authentication management. To better thwart attacks before irreparable damage is done, agencies need a holistic picture of the threat landscape and the people behind those threats.

That’s why government agencies are exploring cognitive computing technology to establish continuous monitoring programs while ensuring a trusted workforce. By analyzing electronic communications, social media and web activity, along with human resources records, cognitive computing can help agencies spot erratic behavior and prevent insider threats before they become a problem.

GovLoop sat down with the following experts from Digital Reasoning, a company that derives knowledge by merging computational logic with an understanding of context in order to build software that understands human communication:

- Marten Den Haring, Chief Product Officer
- Bill DiPietro, Vice President of Product Management
- Aaron Nelson, Director of Applied Analytics

By reading this industry perspective, you’ll learn more about what cognitive computing is, how it works and how you can leverage cognitive computing’s entity-centric analytic capabilities to be more proactive in preventing insider threats.
GOVERNMENT THREAT LANDSCAPE

Insider threats are some of the most pernicious risks to government. Whether malicious attacks, such as those executed by Edward Snowden and Chelsea Manning, or inadvertent misuse of information, they can do grave damage to national security interests and place human lives in danger.

An insider threat arises when a person with authorized access to U.S. government personnel, facilities, information, equipment, networks or systems, uses that access to intentionally or unintentionally share government information with unauthorized sources or to plan physical attacks. Not only are insider threats increasing, but they are also especially difficult to address due to their complex nature. According to a recent study from Raytheon Cyber:

- 88 percent of industry and government sources believe insider threats will increase
- 69 percent find it hard to identify threats because security tools offer little context
- 56 percent complain that security tools produce too many false positives

Traditional threat-detection methods comprise identity access management technologies where password credentials and badges are used for authorized access, and where agencies monitor networks and physical systems to flag potential concerns. But those approaches provide minimal or no insight into a user’s intent and most often result in excessive false positives. More importantly, they typically only generate warnings after data has been compromised. Yet there are key indicators in human communications data that can provide vital clues into behaviors and intentions to dramatically reduce false positives and provide a more proactive defense.

For example, let’s say John Doe, a disgruntled employee at X agency, is experiencing financial difficulties. An external bad actor offers him money in exchange for confidential information. Key indicators that Doe could pose an insider threat can be found within his emails, social media posts and other unstructured data, including indicators concerning his attitude and personal finance problems. This information typically remains unobserved and underutilized with traditional detection methods, but is clearly a rich source of insights and a clue to the individual’s future intentions.

That’s why, to more effectively mitigate the potential loss of data and lives, agencies need to marry structured indicators, such as atypical file access, work hours and other anomalous behaviors, with insights into behaviors and intentions that are buried within human communications.

With the exponential growth of electronic communication data and mounting pressure on government leaders to do more to defend against threats to national security, the government needs to leverage technologies such as cognitive computing. By combining natural language processing and machine learning, cognitive computing allows agencies to tap into the vast reservoir of human communications and open source documents to provide a better, more holistic picture of the threat landscape to thwart the next insider threat.
THE NEED FOR HUMAN-LIKE COMPUTERS

Cognitive computing is the simulation of human thought processes in a computerized model. It can help read and understand a variety of forms of electronic communications data, including emails, social media and open source news sources. Cognitive computing analyzes context and complex relationships with human-like acuity.

Cognitive computing involves self-learning systems, data mining, pattern recognition and natural language processing to mimic human behavior. It uses a process called machine learning, which helps computers learn from data to make more accurate predictions over time. By accumulating context and filling in knowledge gaps concerning human behavior, over time the system can then rely on statistical patterns and generalize from examples.

“Cognitive computing looks more into the way the human brain works,” Den Haring said. “It also applies aggregation, where you can remember and learn things through association or knowledge. Humans are good at complexity and ambiguity, and to train a computer to do that, you need a cognitive learning platform.”

Understanding behaviors and intent is key to detecting insider threats. Cognitive systems can resolve entities and relationships and understand complex, nuanced communications in context to identify anomalous behaviors and intentions that could indicate a new threat. Without the help of a cognitive system, these indicators might otherwise go unnoticed. “A lot of the systems today are built on programmable rules that are rigid and deterministic,” DiPietro said. “Cognitive systems are designed to deal with complexity and probability. They can better handle unstructured sources by focusing more on entities and behaviors.”

With the behavior analytic capabilities of cognitive systems, anomalous activity that could indicate an insider threat can be spotted earlier. By establishing normal patterns of activity, outliers can be identified, including work schedules, file and facility access that are outside the norm, or new life events such as divorce or bankruptcy that could make an employee more vulnerable to bribes. Cognitive systems can also flag indicators of anti-American sentiments buried within communications that could be a precursor to espionage or terrorist activity.

A lot of companies in the private sector are taking advantage of this technology already. Take investment banks, for example. To monitor employee behavior in these types of settings, banks monitor financial data. But they also use less traditional information sources. That’s why all conversations at banks can be recorded and analyzed with phones. For instance, NASDAQ uses cognitive computing to help their clients analyze human communications. In this way, their cognitive platforms can perform surveillance of human patterns and detect any suspicious trades or transactions and any irregularities right away.

Government agencies and organizations can reap significant benefits from this technology to combat cybersecurity attacks and insider threats that jeopardize national security interests.
CONTINUOUS MONITORING: A PATH TO EVER-VIGILANCE

Whether threats are executed unwittingly by employees or maliciously by nefarious individuals, it is becoming increasingly difficult to detect and circumvent the next security breach. In an effort to thwart the next insider attack, continuous monitoring for insider threats has to become a top priority for government, with directives ranging from executive orders to DoD personnel security programs.

Monitoring is essential as insights that can help thwart the next attack lie hidden within massive volumes of human communications data, including patterns and anomalies that can reveal current behaviors as well as help predict future behaviors.

Through continuous monitoring of emails, social media and other forms of human communications, alerts of suspicious activity can be generated for further investigation by analysts. Such alerts can help prevent events from escalating or even occurring.

But manually monitoring a sampling of personnel communications or merely using keyword searches is woefully inadequate. That’s why continuous monitoring must be paired with cognitive computing, as uncovering these patterns requires the machine learning capabilities of cognitive computing. With cognitive computing, agencies can continuously monitor electronic communications or web and social activity and layer them with insights from legacy solutions to achieve holistic knowledge of threats, their source and their cause. By detecting changes in patterns within electronic and voice communications, as well as other unstructured data sources, continuous monitoring can help uncover erratic behaviors and intentions and identify any potential data leakage or theft. This results in near real-time threat detection and helps ensure a trusted workforce.

“Continuous monitoring broadens the scope of analytics,” Nelson said. “It looks at a huge number of vulnerabilities and threats in order to continuously maintain important assets.”

Cognitive computing with continuous monitoring helps agencies automatically monitor systems and employee behavior, discover threats and quickly address threats revealed in the data.
COGNITIVE COMPUTING’S ENTITY-CENTRIC ANALYTICS FUEL THREAT DETECTION

There are two prominent types of analytics in the data world: system-centric analytics and entity-centric analytics. System-centric analytics, which focuses on numbers and statistical patterns, only looks at the quantitative aspects of the data, which is unhelpful to government in predicting human behavior. Rather than just filtering down and organizing a set of documents that may contain the information being sought by the user, an entity-centric approach to data analytics focuses on uncovering interesting facts, concepts, events and relationships defined in the data.

“Computers do well with computing the ones and zeroes,” Den Haring said. “But the beauty of cognitive computing is that it turns words into computable building blocks and looks for behavioral patterns.”

“In this assembly of different technologies, entity-centric analytics helps to reliably aggregate information about similar things,” Den Haring said.

Given the volume of communications data, a manual process is not a sustainable model. “There could be 10 to 30 people within an agency performing continuous monitoring and analysis, which is extremely time-consuming,” Nelson said. “But an effective continuous monitoring effort can’t just be relegated to the task of manually investigating individuals. Agencies need a system that can help automate these tasks, while monitoring every entity across the organization. That’s why an entity-centric view, using cognitive computing to help automate these tasks, can be a more productive use of time and resources, while making these knowledge workers much more productive and valued.”

Cognitive computing platforms like Digital Reasoning’s Synthesys® incorporate entity-centric analytics, automating the analysis of massive amounts of data so analysts can zero in on what’s most relevant to potential threats.
EXTRACTING VALUE FROM COMPLEX AND OPAQUE DATA

With cognitive computing systems, like Synthesys, analysts are empowered to extract value from complex data sets, providing advanced situational awareness and better-informed decisions.

What should you look for in an ideal cognitive computing platform? A combination of Natural Language Processing (NLP), Machine Learning, and Knowledge Representations in a platform that can automatically:

- Read and understand human communication in context across multiple big data sources at scale and speed
- Resolve which entities represent the same real-world person, organization or location across millions of unstructured source elements
- Reveal hidden risks and relationships and build profiles of persons of interest
- Identify, prioritize and assess threats by linking important places, data and key facts

With cognitive computing, the government can better detect threat activities by revealing hidden risks and relationships within massive volumes of human communications data – insights buried within complex, opaque data that would otherwise likely remain unobserved.
CONCLUSION

Insider threats are increasingly complex for government agencies to address, because humans are complex. While computers are able to rapidly crunch numbers and perform tasks in sophisticated ways that people never could, they lack the complexity, emotional intelligence and spontaneity that come with being human. Cognitive computing provides the enhanced capability to analyze vast amounts of data and reveal insights into concealed risks and relationships, identifying erratic behaviors and intentions that could compromise a government entity. With cognitive computing, government agencies can better scrutinize larger volumes of data and respond to all types of threats with greater speed and accuracy, protecting national security interests and human lives.

ABOUT DIGITAL REASONING

Digital Reasoning is a global leader in using artificial intelligence to understand the world’s most sensitive human information. Our award-winning platform, Synthesys®, provides automation of key tasks and uncovers transformative insights across vast amounts of human communications for many of the world’s most elite companies, organizations and agencies. Our technology has been proven to find critical risks and valuable revenue-generating activities, delivering rapid and large return on investment in the most complex big data and analytical environments.

Digital Reasoning is headquartered in Nashville, Tennessee and has offices in Washington, D.C., New York, and London. www.digitalreasoning.com

ABOUT GOVLOOP

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 | F: (202) 407-7501 www.govloop.com @govloop