Insider threats, such as Edward Snowden’s theft of classified information from the National Security Agency, and external attacks, such as the Chinese intrusion at the Office of Personnel Management, pose a dual problem for federal agencies. 

On one hand, agencies want to keep attackers out of federal information systems. On the other, they also must protect against users who already have access to sensitive federal data and may maliciously or unwittingly divulge it. 

Evolving cybersecurity threats demand that agencies develop new levels of expertise and deploy new security solutions to safeguard their systems and data. This requires the use of flexible, sophisticated solutions that can be tailored to the mission-specific needs of agencies and departments. In most cases, a customized approach that draws upon a set of curated technologies is more effective than a one-size-fits-all solution.

As agencies turn their attention to combatting the insider threat, they depend on a set of powerful technologies: 

• Network access control solutions control the devices and users that may connect to agency networks. NAC solutions can confirm that a device is authorized to connect to the network and verify the device’s current security posture before allowing it to gain access to other networked systems and resources. This approach prevents insiders with physical access to agency facilities from connecting unauthorized or unsecured devices to the network.
  
• Security assessment tools automatically scan agency systems and networks looking for vulnerable devices, web applications and other technology components that might present an entry point for attackers seeking to gain access to agency operations. This approach limits the ability of a malicious insider to escalate privileges and gain administrative rights by waging an internal attack against the agency.
• Email security solutions scan inbound and outbound email for signs of malicious activity, such as malware and phishing attacks. The use of email security solutions combats the insider threat by reducing the likelihood that an internal user will unintentionally fall victim to an attack seeking to gain access to their credentials.
• Endpoint security products protect all systems on the network from malicious software and monitor their security status on a continuous basis. These solutions prevent insiders from accidentally or intentionally infecting systems with malware or taking other actions that undermine their security controls.

Each of these solutions plays an important role in an agency’s cybersecurity strategy. Cybersecurity professionals consider each of them to be a critical component of an agency’s defense-in-depth approach to cybersecurity.

CDW•G has developed its own proprietary solution for federal agencies: Security Management Infrastructure. SMI helps agencies combat insider threats and other serious cybersecurity risks by providing them with an integrated stack of security technologies designed to work together to meet specific security needs. CDW•G’s approach to SMI, shown in Figure 1, seeks to achieve continuous monitoring of an agency’s security environment, allowing prompt detection and response to cybersecurity risks.

The foundation of CDW•G’s SMI stack is a resilient computing solution that can be deployed either on-premises or in a virtual cloud. This computing and storage solution supports a virtualized platform upon which the other SMI components reside. Agencies may then select from a menu of providers for each of the operational security components of the SMI. CDW•G partners with top cybersecurity solution providers to offer a flexible set of tools capable of meeting the needs of any federal government network.

The security information and event management (SIEM) package acts as the nerve center of SMI, receiving information from other SMI components, correlating those reports and providing real-time reporting on the security status of the agency. For example, CDW•G partners with Splunk to provide agencies with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams. Splunk provides agency cybersecurity teams with a centralized dashboard that monitors different security threats in real time.

The SIEM tool integrates with virus detection, change management, application management and other security components. The tool is tailored to meet agency requirements for performance and budget, while incorporating existing solutions that the agency already has in place. Several CDW•G core partners integrate into SMI to provide the following capabilities:

• Firewall capabilities monitor inbound and outbound connection requests for compliance with security policies, blocking activities that do not meet security standards.
• Intrusion prevention system capabilities perform deep inspection of network content for signs of malicious activity, blocking suspicious content before it reaches the endpoint.
• Data loss prevention capabilities monitor systems and networks for the exfiltration of sensitive information, blocking attempts to remove agency information in a manner that is inconsistent with security policies.
• Application and change management control capabilities spot unauthorized modifications to system configurations or the installation of unauthorized software that might undermine the agency’s security posture.

The SIEM tool ingests information from these other SMI components and uses it to perform continuous monitoring of key cybersecurity program assets. This includes system, network and application monitoring for suspicious activity. It also includes the monitoring of data and user activity by incorporating information received from Active Directory, identity and access management (IAM) platforms, and network authentication information. Advanced SMI capabilities allow agencies to build employee behavioral baselines and then use those baselines to detect deviations that might indicate insider threat activity. Finally, the SMI provides advanced log management and analytics capabilities that allow both routine reporting and ad hoc searching to facilitate cybersecurity activities.