What is NITTF?

Following the Executive Order 13587 by former President Barack Obama October 2011, the National Insider Threat Task Force (NITTF) was established.

All federal departments and agencies with classified networks were ordered to establish insider threat detection and prevention programs. The NITTF’s mission is to “develop a Government-wide insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.” (NCSC - NITTF).

In the Executive Order, the U.S. Attorney General and the Director of National Intelligence were ordered to co-chair the NITTF. The U.S. Attorney General and the Director of National Intelligence in turn decided that the Federal Bureau of Investigation (FBI) co-lead the daily NITTF activities together with the National Counterintelligence Executive (NCSC).

Why was NITTF established?

The NITTF was established as a response to thousands of unclassified and classified documents being uploaded to WikiLeaks. The interest for insider threat grew after the public leaks completed by former NSA System Administrator Edward Snowden and ex-soldier Chelsea Manning. The program was started to prevent further leaks that may be a threat to national security. Furthermore, the NITTF sets guidelines to assist, evaluate progress, and analyze existing and emerging insider threat challenges.

What is an insider threat to the U.S. Government?

An insider threat is someone who misuses or betrays their access to a U.S. Government resource–whether it is done in full awareness or without being aware (unintentionally). This means someone inside the U.S. Government is considered an insider threat if their access is being exploited. Threats include damage through “espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities” (NCSC - Mission Fact Sheet)

However, it is important to note that the insider threat programs analyzes malicious activities and behaviors, not individuals.

How does CNSSD 504 define User Activity Monitoring (UAM)?

The Committee on National Security Systems Directive 504 (CNSSD 504), is the directive describing the minimum measures each department or agency need to take to protect national security systems from insider threats.

CNSSD 504 defines UAM as “the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing US Government information in order to detect insider threats and to support authorized investigations.” (CNSSD 504 - Definitions).

At a minimum, each department and agency needs the technical capabilities to collect user activity data, including the following (CNSSD 504 Annex B):

Keystroke monitoring
Full application content, e.g. email, chat, data import, and data export
Screen capture
File shadowing for all lawful purposes, i.e. the ability to track documents when the names and locations have changed
All collected data must be attributable to a specific user

Who does CNSSD 504 apply to?

The policy is applicable to all executive branch departments and agencies with access to classified national security information and classified networks, according to National Insider Threat Policy Minimum Standards

How does Reveal Cloud fulfill the UAM requirements?

Reveal is compliant with the CNSSD 504 and meets the key UAM requirements defined by the NITTF.

Keystroke monitoring: With the Reveal Agent, you have several capabilities for monitoring, including keyboard typing pattern, keystroke analytics, and keyword blacklisting.
Full application content: With a full paper trail—even if the data is deleted or evidence is destroyed during an attack, you can see full application content and metadata. You have all the data structured, consistent, and continuous collected and reported in one place by collecting our own telemetry.
Screen capture: You can take a screenshot to capture an image of a user’s desktop based on automatic and manual real-time actions, In addition, motion screenshots shows the screen capture recording of when the policy was breached.
File shadowing for all lawful purposes: With files, you can do advanced (regex) and standard content inspection, track file types, content and name changes, as well as see how the files moves through your organization.
All collected data must be attributable to a specific user: With the Cyber Passport, all data collected and user activity is attributed to an individual. In the Cyber Passport’s activity feed you can see all user actions and alarms in logical sequence, including print, browser, file and integration events, as well as connections, logins, DNS lookups, USB events, applications, sensors, alarms and more.

In addition to meeting the minimum requirements, Next DLP is working towards the Maturity Framework to include human behavior models, risk scoring, and AI/ML capability to enhance and automate insider threat detection and response.