DISA seeks input on insider threat tools

The Defense Information Systems Agency seeks a tool that could counter insider threats to DOD information systems.

The Defense Information Systems Agency wants industry input on tools that could counter insider threats to Defense Department information systems.

DISA said traditional efforts to secure networks focus on outside threats, but insiders pose an equally damaging threat and can access DOD networks without being detected by the security systems.

DISA, in a request for information released June 1, said it is looking for an insider-threat-focused observation tool that could be deployed on selected DOD host machines to aggressively gather and analyze data on insider threats.

DISA said the insider threat tools would enhance the network security of DOD information systems.

The agency would install the host machines on network end points, and the hosts could be servers, desktop PCs or laptop PCs equipped with agent-based tools that can monitor insider network activity. The tool would collect data such as user IDs, computer type and the processes – e-mail clients, Web browsers, office management tools, database access – that monitored computers run.

DISA said it wants tools that can then conduct user analysis on the collected data and warn of anomalies based on user profiles and behavior patterns.

DISA envisions that the host machines would connect to a central manager that can handle as many as 250 hosts at a time, with hosts located within an enclave, such as a local-area or base network.

The insider threat tools should also include a console, which is the central display and action point for collected user data and will provide the operator with real-time insight into user activity, the RFI states.

DISA said it wants a tool capable of working with a wide range of operating systems including Microsoft Windows 2000, Windows XP, Windows NT4, Sun Microsystems Solaris, Unix and Linux.

The due date for RFI responses is July 5.