In my last blog post, I discussed what an inside threat actually means in the cybersecurity world and why it is so important for the Department of Defense to pay attention to. Now, I’m going to dive a little deeper into tools that DoD and other government agencies can use to help protect its networks and the sensitive government information they contain from insider attacks.

Previously, I went over the three prongs of the Insider Threat Task Force (ITTF)’s baseline requirements: 1) human intelligence, 2) training, and 3) monitoring. All three used together make up an equation to help agencies stay on top of insider threats. For me, the most important part of that equation is achieving comprehensive visibility into what is actually on the network – not what agencies think is on the network. I have long been a proponent of traffic analysis, from my earliest days as a network engineer and even more so now as a security professional.

If you look at currently U.S. Government-mandated technologies, the two most commonly used to achieve network visibility are Full Network Pack Capture (PCAP) and the Security Information and Event Management (SIEM) platforms. Both PCAP and SIEM are very powerful platforms, but each have inherent limitations.

Security Information and Event Management (SIEM) platforms provide near real-time analysis of security alerts generated by network hardware and applications. They are relied upon by analysts to create situational awareness and a general overview of the state of the enterprise. As powerful of a tool as the SIEM can be, it has a couple of major flaws. Out-of-the-box, the SIEM can only collect events data (syslog) and has no understanding of what those events actually mean or how they relate to each other. To make sense of that data requires a highly skilled individual that understands both the inner workings of the SIEM platform and the environment that they are trying to monitor. The second major problem is the syslog itself, because it is limited to only known threats.

PCAP data is another powerful tool to troubleshoot application performance issues or dig into data exfiltration event details. Most network engineers rely on a network PCAP tool as a go-to platform to debug unusual issues on the network, and DOD security professionals rely on PCAP to rebuild session information around suspect activity on the network. However, PCAP tools are often limited because they can only see what traffic is being redirected to them, as opposed to all traffic (internal and external) that actually moves across the entire network. PCAP platforms are most commonly deployed so they only provide a very narrow view of the network, which, in most cases, is only where data enters and/or leaves the network.

So if both PCAP and SIEM have shortcomings, how do analysts get the comprehensive visibility needed to keep an eye on their network? One way is to deploy probes throughout the network, a better way and a far more cost-effective way is to use the network itself as a very power sensor grid. By simply enabling a tool such as Cisco NetFlow on your current network infrastructure, the network transforms from its traditional role of moving packets around the network to a powerful sensor grid. It becomes a network-as-a-sensor.


NetFlow provides some very powerful functionality:

  • A trace of every conversation in your network
  • An ability to collect records everywhere in your network (switch, router, or firewall)
  • Network usage measurements
  • An ability to find that is entering and leaving the network as well as traffic that never leaves the network.
  • Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis or Network TAP based security solutions.
  • Indications of compromise (IOC)
  • Security group information

With a platform that can leverage that flow data, such as Cisco StealthWatch, agencies can then easily identify what is on the network and have an early warning system in place to cut off the suspect activity.

Why is it so important for your agency to have these tools? One in four of all security breaches are caused by malicious insiders. In today’s environment, the question is not whether your network is going to be breached – agencies should assume malicious actors are already inside. The real question is how to minimize the damage.

We as an industry continue to try to outthink and out-engineer the bad guys. Unfortunately, the bad guys heavily outnumber the good guys in both numbers and resources. While it is imperative we continue to guard the gates and make getting in as difficult as possible, federal agencies like the DOD must also shift from just looking at the perimeter to focusing on what is going on in their own backyards. If there is one thing to remember, it is that visibility is the key to garnering real-time intelligence and the catalyst for properly identifying and remediating threats. Agencies should keep this in mind when evaluating potential solutions for addressing insider threats.


Michael Reed

Security Engineering Manager

Cisco StealthWatch - Federal