How the NSA uses behavior analytics to detect threats

07.12.2015
The National Security Agency has significantly enhanced its capabilities for detecting cyber-threats in the two-plus years since former NSA contractor Edward Snowden pilfered and disclosed classified information. The multi-layered capabilities, which include user behavior analytics, now protect a private cloud that provides storage, computing and operational analytics to the intelligence community, CIO Greg Smithberger tells CIO.com.

"There are a number of initiatives we have underway there to really use a lot of our big data analytics, a lot of the technology we have developed for our foreign intelligence mission, as well as technology we've developed inside our Information Assurance Directorate," says Smithberger, who began his new job six months ago after serving in various operational foreign intelligence roles over the past 27 years. He says the NSA is using automated capabilities "to up our game" for detecting and responding to anomalies, including anything from external attacks to suspicious internal activity.


The NSA has taken it on the chin from the mainstream media and privacy advocates because of several revelations by Snowden, who, while working as an NSA contractor through Booz Allen in 2013, copied and began releasing documents detailing secret NSA programs that surveil communications in the U.S. and abroad. The documents shed new light on the government's monitoring of phone and email records to surveil terrorism suspects. The controversy is regularly stoked with new findings, including the New York Times revelation that the NSA augments the way it sifts through large amounts of digital data in pursuit of bad actors.

The NSA has similarly enhanced threat detection for its own network, which analysts, operatives and engineers use for a variety of intelligence-gathering tasks.

Smithberger says that one of the obvious examples is the capability to spot anomalies such as a credentialed user accessing the network at a strange time and from an unusual geographic location. Imagine, for example, a user bearing the credentials of a Virginia-based NSA analyst, who normally accesses sensitive information from 7 a.m. to 7 p.m., trying to access the same information from Tel Aviv at 3 a.m. Eastern Standard Time. Such behavioral analytics, which incorporate profiling and anomaly detection based on machine learning, are new but gaining steam in the corporate arena, where they are used to detect breaches early by prioritizing the most reliable alerts, according to research conducted by Gartner analyst Avivah Litan.


The NSA is conducting real-time forensic analysis of cybersecurity software and appliances, including firewalls, VPNs and audit logs on every network device "so that we can observe things that humans cannot put together on their own," Smithberger says. He adds there are other, far more "subtle" methods of threat detection, though he declined to describe such capabilities. "I'm not going to get into all of the details here," Smithberger says. "But it's a matter of understanding what is normal on your network, what is authorized on your network with pretty fine granularity ... and comparing the observed, in real time, to what has been authorized and what is normal."
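The two comparisons Smithberger describes, observed activity against what is normal for a user and against what is authorized for that user, can be illustrated with a small baseline-and-policy scorer. The following is an added example written for this article, not NSA code or anything Smithberger described in detail; the analyst account, the access history, the location labels and the risk weights are all constructed. It learns each user's usual hours and locations from past access events, then scores new events against that baseline and against a separate authorization policy, so an event that is merely unusual (a new but permitted site) ranks below one that is both unusual and unauthorized (the 3 a.m. login from abroad in the article's example).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    user: str
    ts: datetime      # timezone-aware, UTC
    location: str     # coarse geolocation label derived from the source address
    resource: str


@dataclass
class Baseline:
    hours: set        # UTC hours-of-day at which the user has been seen
    locations: set    # locations from which the user has been seen


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed history for a hypothetical Virginia-based analyst who works
# 7 a.m. to 7 p.m. Eastern Standard Time, i.e. 12:00 to 23:59 UTC.
HISTORY = [
    AccessEvent("analyst01", _utc(f"2015-06-{d:02d} {h:02d}:15"), "us-va", "reports/db")
    for d in range(1, 6)
    for h in (12, 14, 17, 20, 23)
]

# Constructed authorization policy: locations each user is permitted to connect from.
# This is the "authorized" side of the comparison; the baseline is the "normal" side.
AUTHORIZED_LOCATIONS = {"analyst01": {"us-va", "us-md"}}

# Weights are illustrative; a real deployment would tune them against its own alert volume.
WEIGHTS = {
    "no_baseline": 2,
    "unusual_hour": 1,
    "unusual_location": 2,
    "unauthorized_location": 3,
}


def build_baselines(events):
    """Learn, per user, the hours and locations seen in historical events."""
    baselines = defaultdict(lambda: Baseline(set(), set()))
    for e in events:
        b = baselines[e.user]
        b.hours.add(e.ts.hour)
        b.locations.add(e.location)
    return dict(baselines)


def score_event(event, baselines, policy, hour_tolerance=1):
    """Return (score, reasons) for one observed event.

    The hour check tolerates +/- hour_tolerance around any hour seen in history
    and wraps around midnight, so a baseline of 12-23 UTC does not flag 00:30.
    """
    reasons = []
    b = baselines.get(event.user)
    if b is None:
        reasons.append("no_baseline")
    else:
        near = {(event.ts.hour + d) % 24 for d in range(-hour_tolerance, hour_tolerance + 1)}
        if not (near & b.hours):
            reasons.append("unusual_hour")
        if event.location not in b.locations:
            reasons.append("unusual_location")
    if event.location not in policy.get(event.user, set()):
        reasons.append("unauthorized_location")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(events, baselines, policy, threshold=3):
    """Return alerts for events whose score meets the threshold, highest first."""
    alerts = []
    for e in events:
        score, reasons = score_event(e, baselines, policy)
        if score >= threshold:
            alerts.append((e.user, e.ts.isoformat(), e.location, score, reasons))
    return sorted(alerts, key=lambda a: -a[3])


if __name__ == "__main__":
    bl = build_baselines(HISTORY)
    observed = [
        AccessEvent("analyst01", _utc("2015-06-08 15:30"), "us-va", "reports/db"),   # normal
        AccessEvent("analyst01", _utc("2015-06-08 15:00"), "us-md", "reports/db"),   # new but authorized
        AccessEvent("analyst01", _utc("2015-06-08 08:00"), "il-telaviv", "reports/db"),  # 3 a.m. EST, abroad
    ]
    for alert in detect(observed, bl, AUTHORIZED_LOCATIONS):
        print(alert)
```

Scoring the authorization policy separately from the learned baseline matters: a baseline alone would eventually learn an attacker's pattern as "normal" if the misuse continued long enough, while the policy comparison keeps flagging it.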

These measures protect a meticulously constructed private cloud that, Smithberger says, deploys technologies similar to what you would expect from public cloud services such as Amazon Web Services, including virtualized servers and applications. However, there are key differences, as the technology is arranged to grant access to a variety of analysts and operatives with varying levels of classification, ranging from low level to top secret. Access is tightly controlled down to each data element. Two analysts running identical queries on this system may see different results, based on their security clearances, Smithberger says.
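Per-element access control of the kind described here, where the same query returns different results to differently cleared analysts, can be shown with a small labelled-record store. This is an added example for this article, not the NSA's implementation; the classification ladder, the records, their labels and the analyst principals are constructed. Each field carries its own label, a record is visible only if its identifier field is readable, and the query predicate is evaluated over the fields the caller may read rather than over the raw record, so a user cannot learn a hidden value by filtering on it.

```python
from dataclasses import dataclass

# Constructed classification ladder, ordered low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Labeled:
    value: object
    level: str


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str


# Constructed records. Every field is labelled individually; the "id" field's
# label acts as the record-level label that gates whether the row exists at all.
RECORDS = [
    {
        "id": Labeled(1, "UNCLASSIFIED"),
        "subject": Labeled("port survey, region A", "UNCLASSIFIED"),
        "source": Labeled("src-alpha", "TOP_SECRET"),
        "summary": Labeled("routine traffic observed", "SECRET"),
    },
    {
        "id": Labeled(2, "UNCLASSIFIED"),
        "subject": Labeled("port survey, region B", "SECRET"),
        "source": Labeled("src-beta", "TOP_SECRET"),
        "summary": Labeled("details withheld at this level", "TOP_SECRET"),
    },
    {
        "id": Labeled(3, "TOP_SECRET"),
        "subject": Labeled("survey tasking", "TOP_SECRET"),
        "source": Labeled("src-alpha", "TOP_SECRET"),
        "summary": Labeled("tasking notes", "TOP_SECRET"),
    },
]


def can_read(principal, level):
    """Simple dominance check: clearance must be at or above the field's label."""
    return LEVELS[principal.clearance] >= LEVELS[level]


def visible_fields(principal, record):
    """Project a record down to the fields this principal is cleared to see."""
    return {k: v.value for k, v in record.items() if can_read(principal, v.level)}


def query(principal, records, predicate):
    """Run predicate over each record as the principal sees it.

    Evaluating the predicate on the projected record, not the raw one, closes
    the inference channel where a filter on a hidden field would reveal whether
    the hidden value matched.
    """
    results = []
    for rec in records:
        view = visible_fields(principal, rec)
        if "id" not in view:          # record-level label not dominated: row does not exist
            continue
        if predicate(view):
            results.append(view)
    return results


if __name__ == "__main__":
    ts_analyst = Principal("analyst-ts", "TOP_SECRET")
    s_analyst = Principal("analyst-s", "SECRET")
    by_subject = lambda r: "survey" in r.get("subject", "")
    print("TOP_SECRET view:", query(ts_analyst, RECORDS, by_subject))
    print("SECRET view:    ", query(s_analyst, RECORDS, by_subject))
```

Both analysts issue the same subject search; the top-secret analyst sees three records with all fields, the secret-cleared analyst sees two records with the top-secret fields absent, and a search keyed on the hidden `source` field returns nothing to the lower-cleared analyst instead of silently confirming a match.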

"There's multiple layers inside the network, outside of the network to separate us from the outside world ... very much a layered security model with combinations of government-developed, custom developed for government and commercial products," Smithberger says. "That paranoid, layered defense is really the best answer and, frankly, if you get that right then if there are inside problems they become visible as well."

The private cloud itself could be considered a triumph. It was cultivated under the Intelligence Community Information Technology Enterprise (ICITE) program, which in 2011 proposed a cloud environment that allows the intelligence community to securely access and share information. Defense Intelligence Agency Director David Shedd said in March that "cultural resistance," not technology, was the greatest impediment to building the private cloud.

Smithberger says the NSA private cloud is fully operational today, thanks to the help of several government contractors and his internal IT staff, who replaced a number of aging commercial and custom-built servers, database software and applications, many of which kept data isolated. By upgrading these technologies within an integrated resource pool, the NSA says it will be better positioned to analyze its information assets, thus better serving analysts, operatives and other constituents.


Smithberger says this private cloud has much finer-grained security than anything that's commercially available. But he stopped short of proclaiming the NSA's private cloud impenetrable.

"It's arrogant for anyone to say that it is impossible to get to the network," he says. "I would say that there are lots of mechanisms in place with lots of scrutiny to protect our classified world from the outside world and we continue to develop new ideas all the time to shore that up and layer additional pieces -- let's say we are a very hard target."

(www.cio.com)

Clint Boulton