Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How the NSA uses behavior analytics to detect threats

Clint Boulton | Dec. 8, 2015
The CIO of the National Security Agency says analytics protect the U.S. intelligence community’s private cloud system from internal and external threats.

security analytics

The National Security Agency has significantly enhanced its capabilities for detecting cyber-threats in the two-plus years since former NSA contractor Edward Snowden pilfered and disclosed classified information. The multi-layered capabilities, which include user behavior analytics, now protect a private cloud that provides storage, computing and operational analytics to the intelligence community, CIO Greg Smithberger tells

Greg Smithberger, CIO of the National Security Agency.


“There are a number of initiatives we have underway there to really use a lot of our big data analytics, a lot of the technology we have developed for our foreign intelligence mission, as well as technology we've developed inside our Information Assurance Directorate," says Smithberger, who began his new job six months ago after serving in various operational foreign intelligence roles over the past 27 years. He says the NSA is using automated capabilities "to up our game" for detecting and responding to anomalies, including anything from external attacks to suspicious internal activity.

The NSA has taken it on the chin from the mainstream media and privacy advocates because several revelations by Snowden, who while working as an NSA contractor through Booz Allen in 2013 copied and began releasing documents detailing NSA secret programs that surveil communications in the U.S. and abroad. The documents shed new light about the government's monitoring of phone and email records to surveil terrorism suspects. The controversy is regularly stoked with new findings, including the New York Times revelation that the NSA augments the way it sifts through large amounts of digital data in pursuit of bad actors.

NSA analytics capabilities thwart internal, external threats

The NSA has similarly enhanced threat detection for its own network, which analysts, operatives and engineers use for a variety of intelligence-gathering tasks.

Smithberger says that one of the obvious examples includes the capability to spot anomalies as when a credentialed user accesses the network at a strange time and from an unusual geographic location. Imagine, for example, a user bearing credentials of a Virginia-based NSA analyst, who normally access sensitive information from 7 a.m. to 7 p.m., trying to access the same information from Tel Aviv at 3 a.m. Eastern Standard Time. Such behavioral analytics, which incorporate profiling and anomaly-detection based on machine learning, is new but gaining steam in the corporate arena, where it is used to detect breaches early by prioritizing the most reliable alerts, according to research conducted by Gartner analyst Avivah Litan.

The NSA is conducting real-time forensic analysis of cybersecurity software and appliances, including firewalls, VPNs and audit logs on every network device "so that we can observe things that humans cannot put together on their own," Smithberger says. He adds there are other, far more "subtle" methods of threat detection, though he declined to describe such capabilities. "I'm not going to get into all of the details here," Smithberger says. "But it's a matter of understanding what is normal on your network, what is authorized on your network with pretty fine granularity ... and comparing the observed, in real time, to what has been authorized and what is normal.”


1  2  Next Page 

Sign up for CIO Asia eNewsletters.