Government Technology

Is Cybersecurity an Inside Job?

October 16, 2013 By

While security clearance and authentication processes are essential to physical and other forms of security, the physical breach of the DC Navy Yard by Aaron Alexis and the state-secret breaches by Edward Snowden illustrate some disturbing weaknesses in personal validation and authentication. These clearance breaches were very different in nature, but together they show the range of ways a person's deliberate action can subvert basic security measures.

Neither top secret clearance, sophisticated authentication nor the most advanced encrypted information systems can necessarily stop an intended breach. These security procedures are not designed to detect real-time actions and anomalous business processes carried out by authorized personnel. They are just the "moat around the castle" approach upon which most current cybersecurity technologies are based. Recent national security breaches clearly show we need to do more.

The Enemy Within

The highest percent of breaches occur inside an organization. When a criminal wants something specific, he or she will choose the path of least resistance to obtain it. Cybercriminals don't do this by breaking complex security algorithms. They normally do it by gaining access as a trusted insider, using and manipulating the secured and authorized software and hardware to which they already have access.

Corporate espionage has utilized this methodology for years and now entire countries are using software exploits to gain access to state secrets in this new cyberwar. Authenticated access is not the issue. The unknown enemy already has access. We need to quit focusing so much on allowing and disallowing access and instead watch the business system process tools and how people are using them.

As our organizational systems grow larger and our business process and control systems become more complex and connected, we begin to lose track of what we are doing, let alone securing what we are doing. We currently run business processes using layers of software, hardware and people, all trying to achieve a certain departmental or subsystem task. Whether software, machine or human, the actions of these process components are seldom if ever combined in a single understandable view of the entire process. Without a total system action view, the breach of a single process action could greatly affect other connected process actions and potentially take down the whole system.

These process actions are the Achilles' heel of cybersecurity, and they cannot be defended by hardening physical, network or information system security alone. We need to direct our attention more toward technologies that view actions rather than toward encrypting authorized actions. We need to assume the enemy is already in and needs to be watched.

What We Don’t See Can Hurt Us

While many people are very concerned about technical snooping capabilities, the fact is that we need better snooping capabilities in areas such as critical infrastructure, industrial control systems, intellectual property and national defense. We have created massive intelligence process capabilities through computer software, hardware and networks, and have done a pretty good job securing the transport and storage of information, but little in securing system processes. When we interconnect multiple actions to multiple processes without detection capabilities, we leave a wide open opportunity for breaches. Physical security in background checks, biometric authentication, RFID location-based services and network encryption all have value, but alone they will not stop an authenticated breach. We are not even looking in the right place.

The recent national security breaches were recognized at the action output level, after the breach action had already occurred. These breaches demonstrate two very important requirements in security that we must be concerned with. One is that we need to add intelligence to physical, human and machine actions so that we can view and even predict a physical breach, like a person breaking barricades. We can't just go back to the old days and think that getting rid of all this digital smart stuff will improve security. It won't. These intelligent and connected technologies can greatly help both physical and digital security if properly implemented. There are a multitude of technologies that can give intelligence to our physical world.

The second important requirement is the timing of when a process action breach occurs versus when that breach can be observed and blocked. This is where anomaly detection can be used to recognize, audit and block these process actions at the real-time data input level, when seconds matter. The technologies exist. Companies such as IBM and Decision Zone have so much belief in these technologies that they have both patented their solutions. When things aren't working properly, as demonstrated by the scale and magnitude of the cyber breaches we see today, we need to do something different, and some security companies are realizing this. So the big question is how much? The answer may surprise you.

Cost Justifying Security Through Anomaly Detection Process Efficiencies

One of the biggest concerns in security services is the initial cost of deploying these technologies, the continued cost of using them, and how these costs can be justified. Even improvements in first-level authentication and IT security are not yet considered a cost of doing business, although these opinions are changing. There are ROI calculators that are now at least trying to put a number on the cost of potential security breaches, and attempts to reduce insurance policy premiums when cybersecurity defensive plans can be demonstrated.

Security is only the anomaly detection of an incorrect process action. Viewing the process actions more accurately through anomaly detection can also improve the total process. Security is really only a byproduct of detecting anomalous actions that are not part of the process. People are not buying security because they can't justify the cost. Both the public and private sectors can gain efficiencies through the use of anomaly detection, resulting in service savings or profit that would justify the cost of security. The process efficiencies gained through anomaly detection technologies can absorb the cost of security while improving process actions.

Problems occur in business processes when someone or some technology does something wrong, whether intentionally, by mistake or as part of a targeted attack. We can only achieve true security when multiple actions and processes can be detected simultaneously and in real time. New technologies are offering these capabilities at a time when we are rapidly connecting humans to intelligent machines whose capabilities are so large that we are having trouble even viewing these processes.

We need to start recognizing that authentication of a person, no matter how accurate the techniques used, is only the first level of cybersecurity. True security can only be achieved by combining prevention and detection technologies at the real-time business or process input action level. Most security breaches occur quickly and are themselves an input process action. Technology that can focus on these input actions is where we need to focus our efforts.

True cybersecurity will be obtained when we can effectively view, audit, correct and block organizational process actions. If you could have a technology that does this, then why not?

Larry Karisny is the director of, a cybersecurity expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and critical infrastructure.



C.BALASUBRAMANYA    |    Commented October 16, 2013

Quite interesting. Well explained the system level implications of security. It can be achieved when combining prevention and detection technologies at the real time process input action level. A case study of a real time domain would have been better. All the best, CB

Saad Shakeel    |    Commented October 16, 2013

Good piece and quite valid in terms of today's IT processes. At the end of the day, it all comes down to securing the 8th Layer - the human. We will continue to face insider threats until we re-engineer our processes on the principles of segregation of duties and implement preventative controls that thwart the possibilities of single-person sabotage...

Larry Karisny    |    Commented October 17, 2013

C., the case study will be offered in a white paper soon. Contact me and I will forward it. Saad, yes, it is all about layer 8, that human variable that drives all security technology people nuts and also makes us who we are today. Thanks for the comments.

Axel Leviathan    |    Commented October 18, 2013

Great article and spot on insight. It really puts into perspective how physical security and cybersecurity overlap. The malicious human factor coupled with complacency and a lack of redundant systems hurt our security posture. We have to continue to make it known that security is everyone's responsibility.

Lori Brooks    |    Commented October 18, 2013

Interesting article, but curious where the facts are coming from? The author claims that "the highest percent of breaches occur inside an organization," but that is not what I have learned in my research. According to the 2013 Data Breach Investigation Report published by Verizon, the majority of breaches in 2012 involved outsiders. The same info was echoed in Mandiant's report.

Andy R    |    Commented October 19, 2013

Larry, do you have any suggestions as to what technology systems could be deployed to best secure that 8th layer?

Larry Karisny    |    Commented October 19, 2013

Great comments by all. Let me address the part about inside jobs. First, when you are authenticated, the breach is not normally even reported as a security breach if it is from the inside. I work with a top private investigator out of Silicon Valley who has over 20 years of documenting corporate espionage. Remember, people do this for money. That I can assure you, and the easiest way to get what you want is to get in first. The anomaly technology system that I addressed in the article can detect breaches at the data input level and is the technology system I suggest. We need to have digital intelligence, then address Layer 8 security at the data input level. That's how we can deploy the best security. Please feel free to continue the comments.
