Where human analysis might fail in the intelligence community, technological solutions are at the ready to fill the void. Companies are ginning up software programs that can prove to be key for intelligence analysts as they track the bad guys, so to speak—be they insider threats or an outside enemy.
The amount of data produced in the increasingly connected and virtual world makes it difficult for human beings to scour, catalog and process and mounting information and produce actionable intelligence. So industry is devising technological workarounds or complementary programs to ease the workload and make their efforts more effective.
RedOwl Analytics, out of Baltimore, developed software that can alert managers to insider threats, tracking behavioral changes and flagging significant anomalies that could indicate nefarious deeds by employees, says Michael Madon, company vice president and general manager of RedOwl Government.
The product, Reveal, analyzes statistically significant changes to an employee’s behavior, such as altered work hours or Internet search habits. “It’s the first tool I have ever seen that seriously attempts to quantify and evaluate through mathematics and statistics these behavioral indicators, to actually quantify them, and by doing that, producing something of value,” says Madon a former senior executive at the U.S. Treasury Department who spent several years as deputy assistant secretary in the Office of Intelligence and Analysis.
Insider threats, whether malicious or unintentional, cause the majority of breaches to a company’s network security, according to a Forrester Forrsights security survey. Inadvertent misuse of data from insiders topped the list in 2013, responsible for 36 percent of breaches. Abuse by malicious insiders accounted for 25 percent.
“Based on what Forrester sees as data security trends for 2013 to 2014, organizations continue to falter when it comes to addressing internal and employee-related risks,” reads a summary of the report. “No surprise, given that security awareness training is undervalued; employees have access to data but don’t understand data use policies and are using and storing data across a variety of devices today.”
According to a survey by the Ponoemon Institute commissioned by defense contractor Raytheon, 69 percent of the information technology respondents said they do not believe they have the ability to identify an insider threat before it’s too late.
Madon cites the now-famous incident involving Edward Snowden, the one-time National Security Agency contractor who leaked to news reporters classified information about NSA’s secret surveillance programs.
“When the Snowden event occurred, it really had a dramatic effect on my office (at Treasury) and, I think, that … it impacted, in some ways, the way information flows” within the intelligence community overall, Madon says. “I think with me personally, I began to think about it more, about the insider threat, because what I had been focused on initially was the outside threat.
“For me, before Snowden, when I was thinking cyber, I was thinking of a frontal assault from the outside,” Madon continues. “What I was missing was the Trojan horse.”
While the software tries to buffer against false positives, events such as divorce, bankruptcy or dynamic changes in behavior are likely to trip a red flag. But those results should prompt managers to get more involved with employees, and if the behavioral change is benign, provide counseling or help if warranted. “If someone is going through a divorce or going through a significant emotional event, then that is an opportunity for a manager to maybe provide an environment that is safe and secure, … to help the employee, an opportunity to find out what’s wrong, to have a conversation that results in something positive,” Madon declares.
Not all incidents of insider threats might rise to the level of Snowden, but the hunt can detract from agencies’ main missions, Madon says. Technology can help managers focus on mission instead of insider threats, leading to increased productivity and better mission focus, he says.
When agencies aren’t observing employees, they’re spying on the enemy.
Modus Operandi, based in Melbourne, Florida, sold the Defense Department software platforms that ingest incredibly large amounts of data from multiple data sources to produce tangible, interactive and user-friendly graphs that can highlight important counterintelligence trends.
“The advantage there, when you turn data into a graph, all of your separate pieces of data become connected,” says Eric Little, vice president and chief scientist who oversees Modus Operandi’s research and development efforts. “With a graph, what you’re able to do is show lots of rich relationships in the data, and these graphs are structured by a type of logical model called ontology, a logical representations of things. If you bring your data in and fuse your data inside that ontology, the data now in the graph has meaning.”
Details about an individual tracked by intelligence analysts can mean little when scattered in different databases, but when combined, can point to a person of interest. For example, data such as a man’s height and weight might be stored in a biometrics database, while data about his group affiliation stored in another, and his criminal record in yet another. “This model will connect all of that data, right for the user to look at,” Little adds. “Normally these connections are made by human beings. People are having to query databases and pulling information off of spreadsheets. Your average intel analyst gets handed hundreds of PowerPoint slides, they get handed all of these types of reports, they get handed access to databases and it’s up to them to make all of these connections.”
The software named WAVE collects the information and draws relevant graphs, while another program, BLADE, mirrors Wikipedia in concept, Little says. The latter creates many pages of information that intelligence analysts constantly update. “It’s a dynamic way to interact with data, where people are sharing it in near real time.” Analysts can get constant data updates, monitor exactly where the new information is coming from, be it data fed or entered by another analyst, and can determine whether the details are trustworthy.