Insider Threat is a Human Problem

In a recent discussion on Zero Trust, one expert stated, “Insider threat is not just a technical problem, but a human one—effective detection depends on combining behavioral analytics with robust identity controls.” The quote underscores the critical role of the User & Identity pillar in any effective DoD security strategy.

Insider threats have surged, with incidents rising 47% over a two-year period. A 2024 report from Cybersecurity Insiders found that 83% of organizations experienced at least one insider attack in the prior year, a significant jump from earlier surveys. These threats are not monolithic: they stem from malicious, negligent, or compromised insiders. Malicious actors intentionally steal data or cause harm, but roughly two out of every three incidents are attributed to employee or contractor negligence, such as falling victim to phishing.

The Department of Defense is addressing this by implementing a Zero Trust architecture by fiscal year 2027, a strategy built on seven pillars including User, Data, and Visibility and Analytics. The framework abandons the notion of a trusted internal network and instead requires continuous verification of every access request. For the DoD, Identity, Credential, and Access Management (ICAM) is the foundational element of Zero Trust. The Defense Information Systems Agency (DISA) is developing a federated ICAM model in which a user authenticates once and gains access across multiple DoD systems, improving both security and user experience.

This is where User Behavior Analytics (UBA) becomes critical for detection engineering. Splunk's UBA platform uses machine learning to build per-user activity baselines and flags deviations such as logons at unusual hours or access to sensitive files the user has never touched. Rule-based correlation searches in Splunk Enterprise Security (ES) complement the behavioral models by catching high-confidence insider-threat indicators in near real time. Group-membership changes are a good example: Windows Security Event ID 4728 (a member was added to a security-enabled global group, e.g. Domain Admins), 4732 (a member was added to a security-enabled local group, e.g. the local Administrators group), and 4756 (a member was added to a security-enabled universal group, e.g. Enterprise Admins) together cover the common paths to privilege escalation, and a search that matches these codes against a watchlist of privileged groups will surface them within minutes of the change. Integrating UBA with a SIEM provides a unified view, correlating behavioral anomalies with other security data. In Splunk, threats detected by UBA can be pushed automatically to ES as notable events and enriched with a risk score, so analysts can prioritize and accelerate incident response.
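The two detections described above, as an added example that is not Splunk's code and not from the original article: a rule that matches group-membership events (4728/4732/4756) against a watchlist of privileged groups, a UBA-style per-user logon-hour baseline that flags logons at hours the user has never been seen at, and a risk roll-up per actor in the spirit of ES risk-based alerting. The event records are constructed inline in the field shape Splunk's Windows add-on produces (EventCode, SubjectUserName, MemberName, TargetUserName); the privileged-group watchlist, the risk weights, the minimum-logon threshold and the user names are assumptions for illustration.

```python
"""Insider-threat detections over Windows Security events (added example, not Splunk code)."""
from collections import defaultdict
from datetime import datetime

# Event IDs for "a member was added to a security-enabled ... group".
GROUP_ADD_EVENTS = {
    4728: "global",     # e.g. Domain Admins
    4732: "local",      # e.g. BUILTIN\\Administrators
    4756: "universal",  # e.g. Enterprise Admins
}

# Assumed watchlist of groups that confer administrative rights.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Assumed risk weights (in the spirit of ES risk-based alerting).
RISK = {"privileged_group_addition": 80, "off_hours_logon": 30}

# Constructed sample events, not real telemetry. 4624 = successful logon.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:55:00", "EventCode": 4624, "TargetUserName": "jdoe"},
    {"_time": "2024-05-02T09:10:00", "EventCode": 4624, "TargetUserName": "jdoe"},
    {"_time": "2024-05-03T08:47:00", "EventCode": 4624, "TargetUserName": "jdoe"},
    {"_time": "2024-05-06T09:30:00", "EventCode": 4624, "TargetUserName": "jdoe"},
    {"_time": "2024-05-07T13:05:00", "EventCode": 4624, "TargetUserName": "jdoe"},
    {"_time": "2024-05-02T10:00:00", "EventCode": 4624, "TargetUserName": "helpdesk1"},
    {"_time": "2024-05-03T10:20:00", "EventCode": 4624, "TargetUserName": "helpdesk1"},
    # Day under investigation: an off-hours logon followed by a Domain Admins addition.
    {"_time": "2024-05-10T02:41:00", "EventCode": 4624, "TargetUserName": "jdoe"},
    {"_time": "2024-05-10T02:44:00", "EventCode": 4728, "SubjectUserName": "jdoe",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local", "TargetUserName": "Domain Admins"},
    {"_time": "2024-05-10T03:15:00", "EventCode": 4624, "TargetUserName": "helpdesk1"},
    {"_time": "2024-05-10T10:05:00", "EventCode": 4732, "SubjectUserName": "helpdesk1",
     "MemberName": "CN=alice,OU=Users,DC=corp,DC=local", "TargetUserName": "Remote Desktop Users"},
    {"_time": "2024-05-10T11:20:00", "EventCode": 4732, "SubjectUserName": "helpdesk1",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=local", "TargetUserName": "Administrators"},
]


def detect_privileged_group_additions(events, privileged_groups=PRIVILEGED_GROUPS):
    """Rule-based detection: any 4728/4732/4756 whose target group is on the watchlist."""
    findings = []
    for ev in events:
        code = ev.get("EventCode")
        if code not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("TargetUserName", "")  # for these events the group is the target
        if group in privileged_groups:
            findings.append({"rule": "privileged_group_addition", "time": ev["_time"],
                             "actor": ev.get("SubjectUserName"), "member": ev.get("MemberName"),
                             "group": group, "scope": GROUP_ADD_EVENTS[code],
                             "risk": RISK["privileged_group_addition"]})
    return findings


def build_login_baseline(events, before, min_logons=5):
    """Per-user set of logon hours observed strictly before `before` (ISO timestamp).

    Users with fewer than `min_logons` baseline logons get no baseline, so a
    sparse history cannot produce a flood of false 'unusual hour' alerts.
    """
    cutoff = datetime.fromisoformat(before)
    hours = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4624:
            continue
        when = datetime.fromisoformat(ev["_time"])
        if when < cutoff:
            hours[ev["TargetUserName"]].append(when.hour)
    return {user: set(h) for user, h in hours.items() if len(h) >= min_logons}


def detect_off_hours_logons(events, baseline):
    """UBA-style anomaly: a 4624 logon at an hour never seen in that user's baseline."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4624:
            continue
        user = ev["TargetUserName"]
        hour = datetime.fromisoformat(ev["_time"]).hour
        if user in baseline and hour not in baseline[user]:
            findings.append({"rule": "off_hours_logon", "time": ev["_time"], "actor": user,
                             "hour": hour, "risk": RISK["off_hours_logon"]})
    return findings


def risk_by_actor(findings):
    """Aggregate risk per actor so correlated low-confidence signals rise to the top."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["actor"]] += f["risk"]
    return dict(totals)


def run(events=SAMPLE_EVENTS, baseline_before="2024-05-10T00:00:00"):
    """Return (findings, risk-per-actor) for the sample; baseline excludes the day under review."""
    baseline = build_login_baseline(events, before=baseline_before)
    findings = detect_privileged_group_additions(events) + detect_off_hours_logons(events, baseline)
    return findings, risk_by_actor(findings)


if __name__ == "__main__":
    for finding in run()[0]:
        print(finding)
    print(run()[1])
```

On the sample, jdoe's 02:41 logon is flagged (baseline hours are 8, 9 and 13) and the 02:44 Domain Admins addition fires the group rule, giving jdoe a combined risk of 110; helpdesk1's 03:15 logon is not flagged because two historical logons fall below the baseline threshold, the Remote Desktop Users change is ignored, and only the local Administrators addition counts. Building the baseline from events before the review window matters: if the anomalous logon were included in its own baseline, hour 2 would look normal.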
