If you ask any executive whether they would prefer to stop something bad from happening or wait for it to happen, they would always pick the first scenario. Unfortunately, many of the things we do in cybersecurity are only detected once something terrible has already happened. Insider risk is an evolving area – and companies are starting to realize their current tools are not providing the proactive results they want and need.
The desire to stop data loss and maintain compliance has been a strong driver in the adoption of the legacy technologies used for data protection. Unfortunately, data loss prevention (DLP) technologies are largely complex. And, in every major breach over the past 10 years, the company’s DLP did not prevent the attack. A major reason for this is that most companies are not able to put DLP into blocking mode because of too many false positives and complaints from their employees.
Insider risk monitoring started with user activity monitoring (UAM) and user and entity behavior analytics (UEBA). Understanding user behavior is critical to getting in front of incidents or compromised users. The strategy has been to combine the information with data protection alerts and dump them into a data lake or SIEM to create rules to detect behavior that strays from the norm. In most cases, however, the result is a lot of noise and false positives.
There are new tools available today that correlate both the user and the data that they are interacting with daily. This correlation is a game-changer because it introduces intent – the missing piece of the insider risk puzzle.
Intent is critical because it enables proactive intervention, left of boom. Intent can also be easily reported through a user risk score. By combining multiple behaviors and aggregating the data, insider risk practitioners can predict patterns indicative of insider risk – whether malicious, non-malicious or otherwise – without generating any false positives.
Below is an example of how one of our top partners leveraged DTEX InTERCEPT to this end.
GuidePoint Security addresses insider risk head-on with a programmatic approach that goes beyond assessments and security tool deployment, according to Nic Croucher, who leads their Insider Risk Practice.
While both these components are necessary, they function most effectively when combined with actionable efforts to detect, prevent, and deter insider threats.
“What works is a programmatic approach that starts with our insider risk review followed by the adoption or maturation of a formal insider risk program,” Croucher said.
“Protecting things like intellectual property and reputation have significant dollar amounts associated with them, especially during planned workforce cuts in these uncertain times.”
The DTEX InTERCEPT platform provides GuidePoint Security with critical insights and metrics that bridge the technology and resource gap and help us identify and quantify insider risk for our customers.
This example demonstrates the power of correlating behavior and critical data monitoring in an insider risk program.
With DTEX InTERCEPT, the logic and over 200 detections are already built in out of the box. All you need to do is customize them to suit your needs. If you would like to learn more, please reach out or contact us for a demo.