OPM using log files to fight insider threats


Written by

The Office of Personnel Management generates about 70 terabytes of log files monthly from its cybersecurity tools alone, and instead of letting that information just sit there, the agency is flexing its big data muscle to draw insights to prevent evolving threats. 

Clif Triplett, OPM’s senior cyber and IT adviser, estimates the agency holds something like 1 petabyte of log file data that it’s generated from cyber tools like the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, and other apps that he wouldn’t disclose.

“We spent a lot of money to get those log files, it’s worth trying to get something out of it,” Triplett told the audience at a Professional Services Council conference Wednesday. With extra storage handy, “Rather than let it go to waste, we said let’s keep it.”

Triplett admitted “we don’t know which data or how long we need to keep it … we need to do research on that,” but OPM’s cyber experts want to detect patterns of subtle “anomalous behaviors or triggers” using data analytics.  

Behavioral analysis, in fact, has become one of OPM’s bigger cyber focuses of late, Triplett explained, particularly in looking for insider threats. 

“We’re trying to understand how behavioral analysis fits overall into our cybersecurity position,” he said. “Most of our applications are older, they don’t have very granular security controls, so we’re going to have to catch [insider threats] generally in the way they behave, not necessarily a traditional flag.”

Furthering OPM’s efforts to defend against insider threats, Triplett also emphasized data masking, what he called “a big push right now.”

For some employees with appropriate credentials, this means they can see some or all of the sensitive information they require when they log in to a system. For those without approval, though, they’d see nothing. 

“This is where probably the greater potential risk of compromised data  is, somebody getting a credential, getting into the system and being able to see data,” he said. 

OPM holds information on millions upon millions of current and former federal employees — many whose personally identifiable information was leaked in a series of breaches announced last year — from recruitment all the way to their deaths. Included are data on things like retirement benefits and personal health information. 

“We present a lot of information,” Triplett said. “So we’re trying to reduce how much sensitive information we present … We want to make sure that only the person with the need to know and see that information can see that sensitive information. It’s an additional level of access control.”

-In this Story-

Agencies, Cybersecurity, Office of Personnel Management (OPM), Tech