How the NSA uses behaviour analytics to detect threats

The CIO of the National Security Agency says analytics protect the U.S. intelligence community’s private cloud system from internal and external threats.

The National Security Agency has significantly enhanced its capabilities for detecting cyber-threats in the two-plus years since former NSA contractor Edward Snowden pilfered and disclosed classified information. The multi-layered capabilities, which include user behavior analytics, now protect a private cloud that provides storage, computing and operational analytics to the intelligence community, CIO Greg Smithberger tells CIO.


Greg Smithberger, CIO of the National Security Agency.

“There are a number of initiatives we have underway there to really use a lot of our big data analytics, a lot of the technology we have developed for our foreign intelligence mission, as well as technology we've developed inside our Information Assurance Directorate," says Smithberger, who began his new job six months ago after serving in various operational foreign intelligence roles over the past 27 years.

He says the NSA is using automated capabilities "to up our game" for detecting and responding to anomalies, including anything from external attacks to suspicious internal activity.


The NSA has taken it on the chin from the mainstream media and privacy advocates because of several revelations by Snowden, who, while working as an NSA contractor through Booz Allen in 2013, copied and began releasing documents detailing secret NSA programs that surveil communications in the U.S. and abroad.

The documents shed new light on the government's monitoring of phone and email records to surveil terrorism suspects. The controversy is regularly stoked with new findings, including the New York Times revelation that the NSA has augmented the way it sifts through large amounts of digital data in pursuit of bad actors.

NSA analytics capabilities thwart internal, external threats

The NSA has similarly enhanced threat detection for its own network, which analysts, operatives and engineers use for a variety of intelligence-gathering tasks.

Smithberger says one obvious example is the capability to spot an anomaly such as a credentialed user accessing the network at a strange time and from an unusual geographic location. Imagine, for example, someone bearing the credentials of a Virginia-based NSA analyst, who normally accesses sensitive information between 7 a.m. and 7 p.m., trying to access the same information from Tel Aviv at 3 a.m. Eastern Standard Time. Such behavioral analytics, which incorporate profiling and anomaly detection based on machine learning, are still new but gaining steam in the corporate arena, where they are used to detect breaches early by prioritising the most reliable alerts, according to research by Gartner analyst Avivah Litan.


The NSA is conducting real-time forensic analysis of the output of its security software and appliances, including firewalls and VPNs, and of the audit logs on every network device, "so that we can observe things that humans cannot put together on their own," Smithberger says. He adds there are other, far more "subtle" methods of threat detection, though he declined to describe such capabilities.

"I'm not going to get into all of the details here," Smithberger says. "But it's a matter of understanding what is normal on your network, what is authorized on your network with pretty fine granularity ... and comparing the observed, in real time, to what has been authorised and what is normal.”
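The Virginia-analyst-in-Tel-Aviv scenario above, and Smithberger's description of comparing what is observed against both "what is authorised" and "what is normal", map onto a small piece of detection logic. The following is an added example written for this page, not NSA code, and the events, users, locations and dataset names in it are constructed. It assumes a fixed UTC-5 offset for Eastern time, a minimum of five successful events before a baseline is trusted, and a one-hour tolerance around the hours a user has been seen active.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: a fixed UTC-5 offset stands in for US Eastern time. A real
# deployment would use the tz database so daylight-saving shifts do not
# themselves look like "unusual hours".
EASTERN = timezone(timedelta(hours=-5))

MIN_EVENTS = 5  # a thinner history than this is not a usable baseline


@dataclass(frozen=True)
class AccessEvent:
    user: str
    when: datetime          # timezone-aware
    location: str
    dataset: str
    outcome: str = "success"


@dataclass
class UserBaseline:
    events: int = 0
    hours: set = field(default_factory=set)       # Eastern hours-of-day seen
    locations: set = field(default_factory=set)
    datasets: set = field(default_factory=set)


def build_baselines(history):
    """Learn each user's 'normal' from successful past accesses only."""
    baselines = defaultdict(UserBaseline)
    for ev in history:
        if ev.outcome != "success":
            continue  # failed attempts must never teach the baseline
        b = baselines[ev.user]
        b.events += 1
        b.hours.add(ev.when.astimezone(EASTERN).hour)
        b.locations.add(ev.location)
        b.datasets.add(ev.dataset)
    return dict(baselines)


def _near_known_hour(hour, known, tolerance=1):
    # Circular distance on a 24-hour clock, so 23:00 counts as near 00:00.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in known)


def score_event(ev, baselines, authorized):
    """Compare one observed event with what is authorised and what is normal.

    Returns a list of reasons; an empty list means nothing notable.
    """
    reasons = []
    # Authorised vs observed: a policy check that needs no history at all.
    if ev.dataset not in authorized.get(ev.user, set()):
        reasons.append(f"unauthorized dataset {ev.dataset}")
    b = baselines.get(ev.user)
    if b is None or b.events < MIN_EVENTS:
        reasons.append("insufficient baseline")
        return reasons
    # Normal vs observed: deviations from the learned profile.
    hour = ev.when.astimezone(EASTERN).hour
    if not _near_known_hour(hour, b.hours):
        reasons.append(f"unusual hour {hour:02d}:00 ET")
    if ev.location not in b.locations:
        reasons.append(f"unusual location {ev.location}")
    if ev.dataset not in b.datasets:
        reasons.append(f"first access to dataset {ev.dataset}")
    return reasons


def triage(events, baselines, authorized):
    """Rank alerts so the most corroborated ones come first."""
    alerts = []
    for ev in events:
        reasons = score_event(ev, baselines, authorized)
        if reasons:
            alerts.append((len(reasons), ev, reasons))
    alerts.sort(key=lambda a: -a[0])  # stable sort, so ties keep arrival order
    return alerts


# ---- Constructed sample data (not real telemetry) ----
def _et(day, hour):
    return datetime(2015, 11, day, hour, 0, tzinfo=EASTERN)

HISTORY = [AccessEvent("analyst_va", _et(2 + i, h), "Fort Meade, VA", "sigint_reports")
           for i, h in enumerate([7, 9, 11, 13, 15, 17, 19])]
# A failed attempt from abroad that must not become part of "normal":
HISTORY.append(AccessEvent("analyst_va", _et(9, 3), "Tel Aviv", "sigint_reports", "failed"))

AUTHORIZED = {"analyst_va": {"sigint_reports"}}
BASELINES = build_baselines(HISTORY)

NEW_EVENTS = [
    AccessEvent("analyst_va", _et(10, 14), "Fort Meade, VA", "sigint_reports"),    # routine
    AccessEvent("analyst_va", _et(11, 3), "Tel Aviv", "sigint_reports"),           # the article's scenario
    AccessEvent("analyst_va", _et(11, 10), "Fort Meade, VA", "hr_records"),        # not on the allow-list
    AccessEvent("contractor_x", _et(11, 10), "Fort Meade, VA", "sigint_reports"),  # unknown user
]

if __name__ == "__main__":
    for score, ev, reasons in triage(NEW_EVENTS, BASELINES, AUTHORIZED):
        print(score, ev.user, ev.when.isoformat(), ev.location, ev.dataset, reasons)
```

Two design points matter more than the thresholds. The authorisation check is evaluated before, and independently of, the baseline, so an unauthorised access is reported even for a user the system has never seen; and failed attempts are excluded from training, otherwise an attacker who probes from abroad a few times teaches the profile that the foreign location is normal.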

These measures protect a meticulously constructed private cloud that, Smithberger says, deploys technologies similar to what you would expect from public cloud services such as Amazon Web Services, including virtualized servers and applications.

However, there are key differences. The technology is arranged to grant access to a variety of analysts and operatives with varying levels of classification, ranging from low level to top secret, and access is tightly controlled down to each data element. Two analysts running identical queries on this system may see different results, based on their security clearances, Smithberger says.
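The "identical query, different results" behaviour is what element-level labelling produces when the clearance check is applied per field rather than per record. The following is an added example written for this page, not NSA code; the classification levels, compartment names ("SI", "HCS"), records and analysts are all constructed, and the dominance rule is the standard "no read up plus need-to-know" comparison, assumed here rather than taken from the article.

```python
from dataclasses import dataclass

# Assumed ordering of classification levels; compartment names are assumed too.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """A reader labelled `self` may see data labelled `other` only if its
        level is at least as high and it holds every compartment the data
        is marked with ('no read up' with need-to-know)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Record:
    rid: str
    label: Label     # minimum clearance needed to learn the record exists
    fields: dict     # field name -> (value, Label): each element marked separately


def visible_fields(rec, clearance):
    """Fields the clearance may read, or None if the record must stay hidden."""
    if not clearance.dominates(rec.label):
        return None
    return {name: value for name, (value, lab) in rec.fields.items()
            if clearance.dominates(lab)}


def query(records, clearance, predicate):
    """Element-level filtered search.

    The predicate runs only over the fields the caller may see. Evaluating
    it over the full record and filtering afterwards would let a caller
    probe hidden values one search term at a time.
    """
    hits = []
    for rec in records:
        visible = visible_fields(rec, clearance)
        if visible is not None and predicate(visible):
            hits.append({"id": rec.rid, **visible})
    return hits


# ---- Constructed sample records (not real data) ----
U = Label("UNCLASSIFIED")
C = Label("CONFIDENTIAL")
S = Label("SECRET")
S_HCS = Label("SECRET", frozenset({"HCS"}))
TS_SI = Label("TOP SECRET", frozenset({"SI"}))

RECORDS = [
    Record("rpt-001", U, {
        "title": ("Port activity, week 44", U),
        "assessment": ("Two vessels diverted", S),
        "source": ("Intercept 4471", TS_SI),
    }),
    Record("rpt-002", TS_SI, {
        "title": ("Port activity, week 44 (SI annex)", TS_SI),
    }),
    Record("rpt-003", C, {
        "title": ("Port activity, week 45", C),
        "assessment": ("Human source reporting", S_HCS),
    }),
]

SECRET_ANALYST = Label("SECRET")
TS_SI_ANALYST = Label("TOP SECRET", frozenset({"SI"}))


def port_activity(fields):
    return "Port activity" in fields.get("title", "")


if __name__ == "__main__":
    for who, clr in (("SECRET analyst", SECRET_ANALYST), ("TS/SI analyst", TS_SI_ANALYST)):
        print(who, query(RECORDS, clr, port_activity))
```

Running the same `port_activity` search as both analysts returns two records with some fields stripped for the SECRET analyst and three fuller records for the TS/SI analyst. The check worth noting is the last one: a search term aimed at a field the caller cannot see returns nothing, because the filter is applied before the predicate rather than after it.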

"There's multiple layers inside the network, outside of the network to separate us from the outside world ... very much a layered security model with combinations of government-developed, custom developed for government and commercial products," Smithberger says. “That paranoid, layered defense is really the best answer and, frankly, if you get that right then if there are inside problems they become visible as well.”

Private cloud, done public cloud style

The private cloud itself could be considered a triumph. It was cultivated under the Intelligence Community Information Technology Enterprise (ICITE) program, which in 2011 proposed a cloud environment that allows the intelligence community to securely access and share information. Defense Intelligence Agency Director David Shedd said in March that “cultural resistance,” not technology, was the greatest impediment to building the private cloud.

Smithberger says the NSA private cloud is fully operational today, thanks to several government contractors and his internal IT staff, who replaced a number of aging commercial and custom-built servers, database software and applications, many of which kept data in isolated silos. By consolidating these technologies into an integrated resource pool, the NSA says it will be better positioned to analyse its information assets, thus better serving analysts, operatives and other constituents.


Smithberger says this private cloud has much finer-grained security than anything commercially available. But he stopped short of proclaiming the NSA's private cloud impenetrable.

"It's arrogant for anyone to say that it is impossible to get to the network,” he says. “I would say that there are lots of mechanisms in place with lots of scrutiny to protect our classified world from the outside world and we continue to develop new ideas all the time to shore that up and layer additional pieces -- let's say we are a very hard target."


Stories by Clint Boulton
