We all know there is no “silver bullet” that addresses all security threats. Enterprise security professionals use a variety of solutions to reduce risk: on the network, firewalls, intrusion prevention, web application firewalls, and similar controls; on endpoints, anti-virus, data loss prevention, and endpoint detection and response. These tools need to work in concert. Detecting threats often requires processing, correlating, and triaging data from multiple solutions using SIEM and SOAR tools.
Too much data—whether inaccurate, inconsistent, incomplete, or duplicate—makes this task more difficult for SOC analysts. They are collecting terabytes of post-event machine data that they must analyze as singular alerts. The volume of data passing through an SOC can be overwhelming. When each anomalous action requires triaging and investigation, the result is “alert fatigue”—too many alerts and difficulty separating real issues from the “noise” of inconsequential alerts and false positives.
This highlights a problem when using Insider Threat Surveillance solutions like Proofpoint ITM. With the use of invasive monitoring techniques including video capture, keystroke logging, and file scanning comes an overabundance of unnecessary data that floods SIEM platforms and SOAR tools with non-contextualized alerts. The result is too much data and not enough actionable information, complicating incident prioritization, response, and remediation.
A similar situation occurs with Next-gen Anti-Virus (NGAV) solutions. Insider Threat Surveillance solutions are not architected or optimized to support NGAV platforms with human telemetry that directly correlates to ransomware, malware, and other indicators of attack for accelerated root-cause analysis and incident response.
Insider Risk Management solutions like DTEX InTERCEPT take a different approach. DTEX InTERCEPT is specifically designed to multiply the value of SIEM, SOAR and NGAV toolsets by providing contextualized data that accounts for the actions and activities of data, machines, applications, and people (DMAP+) in near-real-time, both on and off the corporate network. This results in dynamic behavioral awareness indicators and a trail of user activities to enrich incident response investigations. DTEX’s insider risk intelligence and management technology optimizes intelligence delivery with streamlined, noise-free escalated behavioral notifications. Here are some examples:
- SIEM Integrations: For Splunk ES, IBM QRadar and Rapid7 InsightIDR, a simple export integration delivers actionable human-behavioral intent data. This can automate event investigation and reduce manual operations required by SOC teams by 80%, accelerating response times and root cause analysis.
- SOAR Integrations: For Splunk Phantom and Rapid7 Connect, DTEX InTERCEPT’s escalated behaviors and risk scores provide the actionable data needed to accurately inform automated response processes and context-aware decisions.
- NGAV Integrations: For CrowdStrike Falcon, VMware Carbon Black, SentinelOne, and Microsoft 365 E5, DTEX provides the missing context (How, When, Why, Where and What) before and after the Incidents of Compromise reported by these solutions to enable proactive, behavior-based Data Loss Prevention capabilities.
When looking to address insider risk, recognize that these solutions do not exist in a vacuum. The data produced by each solution is consumed and processed by a variety of tools. The quality of the data is far more important than the quantity of data. Insider Threat Management solutions like DTEX InTERCEPT focus on the former. Insider Threat Surveillance solutions focus on the latter.
In our next blog post in this series we will discuss total cost of ownership when comparing Insider Risk Management and Insider Threat Surveillance solutions. You can also download the full e-book here.