the enemy within · 2018. 9. 27. · 4 5 mandate create a shared vison and objectives for the...

The Enemy Within Techniques to Combat Insider Threats: Lessons From the Aviation Industry


Post on 18-Sep-2020


Page 1

The Enemy Within
Techniques to Combat Insider Threats: Lessons From the Aviation Industry

Page 2

Shayne Bates, CPP
Stratum Knowledge, LLC.

Page 3

Risk Based

Divestment

Partnership Cloud

Business Value Compliance

Convergence Leaders

Rapid

Page 4

From Replication to Transformation & Automation

2005 2015 2016 2017 2018

Security industry starts replication of functions of security from analog to digital.

Process Automation is being extended to safety, security and compliance programs.

IDC predicted that 2 out of 3 CEOs had digital transformation at the heart of their corporate strategy.

More than 85% of organizations have already started Digital Transformation projects.

Innovation decade ahead

One Decade to Replicate

Page 5

• Life Safety

• Security & Compliance

• Emergency Communications

• IoT

• Big Data

• AI & Machine Learning

• Location Based Data

Supported By

Page 6

1 2 3 4 5

MANDATE: Create a shared vision and objectives for the program – reinvention – productivity – cost reduction.

EVALUATE: Apply a data-driven approach to the assessment, business case and prioritisation of opportunities.

INTEGRATE: Deliver the project's expected benefits using the plan, schedule and resources.

INITIATE: Plan and schedule the deliverables required to deliver the project.

IDEATE: Explore opportunities to improve security and enhance service through the lens of ESRM. How does it help the business?

Connecting With The Business

Page 7

Risk Assessment Techniques

QUALITATIVE

Effective when there is no relevant data present. Typically used for risks that have never occurred before. Subject to bias and errors in estimation.

ANALYTICS

Effective when there is a data set that can be analysed by a subject matter expert. Data needs to be interpreted and aligned to risk events.

MACHINE LEARNING

Effective to predict a specific value or category of a given risk event. Requires similar data to analytics and skill to build the model. Highly effective in predicting the outcome of a potential event with many dimensions.

QUANTITATIVE - DATA DRIVEN

Source: Int:rsect 2017 https://www.slideshare.net/ResolverInc/data-driven-risk-management

Page 8

Donald Zoufal, CPP
SDI Presence

Page 9

Layered Approach to Security

Source of Image: U.S. General Accountability Office. Testimony Before the Subcommittee on National Security, Homeland Defense and Foreign Operations, Committee on Oversight and Government Reform House of Representatives. “Aviation Security: TSA Has Taken Action to Improve, but Additional Efforts Remain.” GAO-11-807T. July 13, 2011. Cited at http://www.gao.gov/new.items/d11807t.pdf (Accessed September 21, 2017)

Page 10

Complex Multi-Level Environment

Source of Image: U.S. General Accountability Office. Report to Congressional Requestors. “Aviation Security: Airport Perimeter and Access Control Would Benefit from Risk Assessments and Strategy Updates.” GAO-16-632. May 2016. Cited at http://www.gao.gov/assets/680/677586.pdf (Accessed September 7, 2016)

Page 11

Airport Risk Management Process

Source of Image: U.S. General Accountability Office. Report to Congressional Requestors. “Aviation Security: Airport Perimeter and Access Control Would Benefit from Risk Assessments and Strategy Updates.” GAO-16-632. May 2016. Cited at http://www.gao.gov/assets/680/677586.pdf (Accessed September 21, 2017)

Page 12

Airport Risk Management Process

Source of Image: RTCA, Inc, Special Committee 224 (SC224) “Standards for Airport Security Access Control Systems,” DO 230f. 2015. Cited at http://www.rtca.org/storedef.asp?optid=1231 (Accessed September 21, 2017)

Regulated Process Under 42 CFR 1542 Including Requirements for

• Employment History Checks

• Criminal History Records Checks

• Verification of Eligibility to Work

• Security Threat Assessment

• Security Training

• Authorized Signatories

• Trusted Agents

• Audit Requirements

Page 13

Aviation’s Partnered Vetting Environment

Source of Image: U.S. General Accountability Office. Testimony Before the Subcommittee on Transportation Security, Committee on Homeland Security, House of Representatives, “Aviation Security: TSA Has Taken Steps to Improve the Vetting of Airport Workers.” GAO-15-704T. June 16 2015. Cited at http://www.gao.gov/assets/680/670809.pdf (Accessed September 21, 2017)

Page 14

Linking to Next Generation Identification (NGI)

FBI Next Generation Identification (NGI)

• System to replace IAFIS (the integration system for biometrics and criminal histories)

• AFIS modified to AFIT (more accurate algorithms)

• Facial Recognition

• Iris Pilot

• Latent and Palm Prints

• Rap Back & RISC

Source of Image: U.S. Department of Justice, Federal Bureau of Investigation. Official Website. “Next Generation Identification (NGI).” Cited at https://www.fbi.gov/services/cjis/fingerprints-and-other-biometrics/ngi (Accessed September 21, 2017)

Page 15

Inside Threat Triad

The Three M’s

• Malicious Actors
• Mental Lapsers
• Militantly Stupid

• Intentional
• Reckless
• Negligent

Page 16

Josh Jackson
RightCrowd Software

Page 17

• Task: Implement & Automate Security Workflows:

• Mitigate: Reduce Criticality & Fast Moving Risk (“Zero Day”)

• Service: Real-time Efficiencies (e.g. - Visitor Approvals)

• Cost: Drive Transactional Delivery Cost Down

• Need: IT Platforms Need to Host and Integrate a Wide range of Sensors, Data Sets and Connections

• Opportunity: The Rise of Process Automation tools

Implementing Security Process Automation

Page 18

Process Automation Drivers

CYBER SECURITY
● Increasing insider threats
● Frequency and complexity of cyber attacks

PHYSICAL SECURITY
● Terrorism concerns
● Increasing perimeter protection
● Growing insider threats

PROCESS AUTOMATION
● Reduction in employee expenses
● Improved resource productivity
● Enabling new security models

PRIVACY
● Maintaining intellectual property integrity

COMPLIANCE
● Satisfying increasing regulatory requirements

SAFETY
● Protection of people, assets and reputation

COMMERCIAL BENEFITS
● Automated contract administration and compliance
● Mitigating risk of litigation

Page 19

Integrating business and security systems to deliver safety, security and business efficiency.

Workflow Integration

Secret Sauce: Keeping Business Knowledge & Processes Separate from Access Technology

Empowering Physical Security Systems

Page 20

Process Automation in the Business Ecosystem

Page 21

PHYSICAL SECURITY – IT CONVERGENCE

TALENT IS KEY; ESRM PROGRAM IS ESSENTIAL

ESRM ENABLERS CRITICAL

GENUINE PARTNERSHIPS

● Everything is IT – including physical security systems
● Threat landscape is constantly evolving
● Failure to adapt programs leaves the organization open
● Digital capability gap in physical security to be closed
● Battle for talent to attract technical people to physical security
● ESRM is a systematic approach to adapting to a changing threat landscape
● Broad range of new technology to be understood in the context of ESRM
● Not just about more CONTROL
● Data driven risk VISIBILITY enablers are critical
● Untapped opportunities to break down internal silos
● Continued evolution of technology platforms has benefits for Security Practitioners and vendors
● ESRM & automation create genuine opportunities for new security models

Building Digital Momentum

Page 22

Enterprise CWA & Process Automation

Page 23

Bill McAteer
Evolv Technology

Page 24

AVIATION INSIDER THREAT INCIDENTS

CONFIDENTIAL & PROPRIETARY. Any use of this material without specific permission of Evolv Technology is strictly prohibited.

Egypt – Metrojet 9268 October 2015
o Airport Employee plants explosive device on plane
o 224 passengers & crew killed in crash

San Juan International Airport – February 2017
o Airport Employees arrested in drug smuggling case

Dallas – DFW August 2018
o Nationwide drug smuggling aboard planes
o 46 people indicted including airport employees

Minneapolis – MSP 2008-14
o Men recruited by ISIS were former airport employees with access to airplanes
o One of the men became a suicide bomber abroad

Seattle – SeaTac August 2018
o Ramp worker “steals” plane, flies around Seattle area and crashes plane.

Page 25

Back to the basics

Who?

What?

Where?

When?

Why?

How?

Page 26

Who is the threat?

Who?

Friend or Foe?
o Airport Employee
o Airline Employee
o Vendor/Concessionaire
o Law Enforcement, TSA, or other Security Personnel
o Taxi, TNC or Shuttle Drivers
o Construction Workers
o Contracted Services, Janitorial Staff, etc.

Page 27

WHAT & WHERE ARE YOUR VULNERABILITIES?

What?

What is the intent?
o Malicious - are they intent on causing damage?
o Complacent - are there lax security procedures?
o Unwitting - are the employees aware of policies and security procedures?

Page 28

WHEN & WHY ARE THEY IN THAT AREA?

When?

When are they at your airport?
o Are they scheduled to work today?
o Are there special events or VIPs in the area?

Where?

Where are they in the airport?
o Do they have access to areas outside of their work area?
o Do they have access to the aircraft? The cockpit?

Page 29

HOW DO YOU MITIGATE THE THREAT?

How?

Current AVSEC Best Practices -
o Threat Assessment & Rap Back
o Employee Screening Programs
o Risk Based Security
o TSA - Known Crew Member (KCM) & TSA PreCheck

Why?

Why are they at the airport?
o Work?
o Seeing off family members/friends?
o Criminal intent?

Page 30

Threat Assessment / Rap Back

Threat Assessment (Background Check)
o Recurring (every 2 years)
o Criminal Convictions only
o Condition of employment

RAPBACK
o Currently in use at several airports
o Real-time Alerts

Page 31

Employee Screening & RBS

Leverage Technology
o Be ahead of the threat!
o What are you looking for?
o Metallic/Non-metallic threats? Prohibited Items?
o TSA level of screening?

Risk Based Security
o TSA Pre-Check
o Known Crew Member (KCM)

Page 32

RISK BASED SECURITY

Figure labels: TRUST; PHYSICAL SCREENING

Participant categories: Denied Entry; “Walk Up” Participants; Verified and Trusted Participants; Suspicious Participants

Quantifiable concern based on known or suspected affiliations

No reason to trust… no reason not to trust…

Organizationally determined reasons to withhold trust – poor past behavior, etc.

Organizationally determined reasons to trust – background verified, tenure, financial commitment

Page 33

Questions
