Over the course of its first two phases, the Department of Homeland Security’s Continuous Diagnostics and Mitigation program has effectively laid the groundwork for better security. Now, the hard part begins.

Phase 3 – “What is happening on the network?” – and Phase 4 – “How is data protected?” – are about to take the CDM program to a new level.

These final phases will be centered on “Dynamic and Evolving Federal Enterprise Network Defense”, or DEFEND. It is a program specifically designed to help monitor cloud systems and protect data that is accessed, stored and transmitted using cloud services, mobile, and applications, like email or productivity software.

The new phases shift the CDM program’s focus beyond legacy technologies and require government agencies to gain a deep understanding of how, when, and why their employees are using these services.

Putting employees at the forefront of security

The key word in that sentence is “employees.”

Security professionals spend a lot of time focusing on bad actors, but they would do better to focus on their co-workers – not as potential threats, but as an appropriate first line of defense. Employees are the ones managing an agency’s data and, as such, are the gatekeepers of that agency’s most precious and proprietary information. Understanding how they work with that information is fundamental to better security.

That is why adopting a security strategy based on people, not just technology, is critical as agencies move into the final components of CDM. By taking a look at users’ unique behavioral patterns, agencies can meet their CDM goals and develop programs that center on understanding the context behind employees’ interactions with agency data. In doing so, they can deliver more dynamic, efficient, and effective security measures that protect information without compromising or inhibiting employees’ work.

Managing the security gray area

Phase 3 calls for the monitoring of user behavior and activities – something that traditional security methods, such as firewalls, antivirus, and most threat-based security technologies, are not equipped to address. Those methods are designed to provide a binary response to perceived security threats.

When something questionable happens, it is deemed either “good” or “bad” without any context behind the activity’s intent, and little to no context around that activity’s impact on the user experience.

DEFEND provides us with an opportunity to address today’s risks that are not simply “good” or “bad.” There is a gray area, and this is where most modern-day cyber challenges reside. For instance, an employee may innocently attempt to access a file on Dropbox that may help them do their job, only to find themselves unfairly penalized. That person’s action could even result in more stringent security measures unfairly imposed upon everyone in the agency. Security managers may end up chasing down a false alert and workers will likely try to find security workarounds, resulting in unnecessary friction between IT and employees.

A risk-adaptive approach to security that examines users’ interactions with agency data, systems, and cloud-based platforms can prevent this friction. With risk-adaptive security, individual user behavioral patterns are anonymously monitored so managers can gain a better understanding of when, how, and why those users are accessing data.

Creating a behavioral baseline

Establishing a baseline for behavioral patterns is an important first step in this process. The security system can monitor a person’s everyday patterns – the files they typically access, for example, or the software applications they normally use – establish a normal pattern of activity for that user, scan for anomalies in that pattern, and take action if anything is amiss. This approach works equally well for intentional and unintentional user activities.

For example, the Air Force recently discovered that its network was infiltrated by a hacker who accessed and copied manuals for one of its Reaper Drones by using an employee’s credentials. Monitoring that user’s behavioral patterns could have exposed this threat before it became an issue. The system would have detected that someone was using this person’s credentials in an anomalous manner that was not consistent with that employee’s normal activities, and would have automatically flagged or shut down the activity depending on the policy configurations.

Scoring real-time risks

Assigning unique “risk scores” to individual users is another essential element of risk-adaptive security. Numerical risk scores can be based on an individual’s proximity to sensitive data or importance in the agency. Scores can be compiled on a scale from one to five, with five representing the highest risk factor and one signifying a lower potential for risk. This is based on the individual users’ normal interactions with data and their general behavioral patterns.

For instance, a CIO might have a risk score of “5,” indicating a higher potential vulnerability, while an administrative aide might receive a score of “1.” That does not mean the CIO is a threat, only that they pose a greater risk due to their job. They could be more likely to be targeted by hackers, for instance, or accidentally compromise an agency’s information through simple human error. The higher score indicates that they should be monitored more closely than someone with a lesser score. Scores can fluctuate as roles and responsibilities change, thereby addressing the CDM’s requirement for “dynamic monitoring of security controls.”
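The behavioral baseline and the one-to-five risk score described in the two sections above can be combined into a graded decision rather than a binary one. The following is an added example, not code from the CDM program or from any vendor; the users, resources, sample events, the three anomaly signals and the flag/block thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample history: (user, resource, hour_of_day, files_touched).
HISTORY = [
    ("aide", "travel-forms", 9, 2), ("aide", "calendar", 11, 1),
    ("aide", "travel-forms", 14, 3), ("aide", "calendar", 16, 1),
    ("analyst", "uav-manuals", 9, 2), ("analyst", "maintenance-logs", 10, 4),
    ("analyst", "uav-manuals", 13, 3), ("analyst", "maintenance-logs", 15, 2),
]
# Role risk on the article's 1-5 scale; these assignments are assumptions.
RISK_SCORE = {"aide": 1, "analyst": 4}
# Hypothetical policy thresholds on anomaly * risk (range 0-5).
FLAG_AT, BLOCK_AT = 1.0, 2.5

def build_baselines(history):
    """Learn each user's usual resources, working hours and access volume."""
    base = defaultdict(lambda: {"resources": set(), "hours": set(), "max_files": 0})
    for user, resource, hour, files in history:
        b = base[user]
        b["resources"].add(resource)
        b["hours"].add(hour)
        b["max_files"] = max(b["max_files"], files)
    return dict(base)

def anomaly(baseline, resource, hour, files):
    """Fraction (0.0-1.0) of the three signals that deviate from the baseline."""
    if baseline is None:          # no history for this identity: fully anomalous
        return 1.0
    signals = [
        resource not in baseline["resources"],
        not (min(baseline["hours"]) - 1 <= hour <= max(baseline["hours"]) + 1),
        files > 2 * baseline["max_files"],
    ]
    return sum(signals) / len(signals)

def decide(baselines, user, resource, hour, files):
    """Graded response instead of a binary good/bad verdict."""
    score = anomaly(baselines.get(user), resource, hour, files)
    weighted = score * RISK_SCORE.get(user, 5)   # unknown users get the top score
    if weighted >= BLOCK_AT:
        return "block", round(weighted, 2)
    if weighted >= FLAG_AT:
        return "flag", round(weighted, 2)
    return "allow", round(weighted, 2)

BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    for event in [("aide", "shared-dropbox", 10, 1),
                  ("analyst", "shared-dropbox", 10, 1),
                  ("analyst", "uav-manuals", 3, 40)]:
        print(event, decide(BASELINES, *event))
```

The same first-time access to a file share is allowed for the low-score user and flagged for the high-score one, while a 3 a.m. bulk copy under the analyst's credentials crosses the block threshold.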

Focusing on the person, not the threat

Focusing on keeping malware off of government networks, or most any network, is a futile effort. Over the past 30-plus years we’ve proven that malware can reach any system through a multitude of vectors, and we need to assume that it will get onto systems.

In 2018, if it computes, it’s a target. Malware that is not executed is not a threat until someone uses it, and if an enterprising hacker wants to infiltrate the network, they will. But that piece of malware is only a threat if someone accesses it, which is why it is vitally important to focus on monitoring users’ interactions with data and their unique behavioral patterns.

Indeed, focusing on users is a far more effective approach to security than building yet another barrier dictated by binary policies. Agencies that move away from that barrier-based strategy and opt to employ a user-centric approach to security will satisfy the CDM program’s call for greater insight into user behaviors and patterns. They will also find themselves with more robust and effective security postures.

It’s time that we stop conducting security by compliance and do proper security for the sake of securing our systems. Isn’t it time to change the approach to protecting our users and their data?

Eric Trexler is the vice president of global government and critical infrastructure at Forcepoint.