A Human-centric Approach to Operational Awareness and Risk Management.

Insider Risk Management—A 7 Step Approach to Zero Trust (Part 2)

A few weeks ago we shared with you the first part of our two-part blog series summarizing the key takeaways of the e-book we co-authored with Splunk, “An Insider Risk Management Approach to Zero Trust.” Now that we’ve all taken a moment to digest those learnings, we’re eager to pick back up and share with you the remaining four steps in the process.

As a refresher, in our first post we shared a significant amount of background on Zero Trust, traditional approaches to insider risk management, and the crucial nature of accurate data sources. Without further ado, below are the final steps in the seven-step process to taking an insider risk management approach to Zero Trust.

Step 4: How to Identify and Analyze the Right Data
Detecting threats in a Zero Trust architecture requires processing, correlating, and triaging information from a variety of security solutions. With data from the Zero Trust controls and appropriate analytics, a Zero Trust architecture can detect indicators of intent and attack. With the right orchestration and automation, Zero Trust helps teams respond faster to minimize the impact of an attack.

Too much data—whether inaccurate, inconsistent, incomplete, or duplicate—makes this task more difficult. Data scientists refer to this as “dirty data.” SOC analysts and the processes they follow focus almost exclusively on the output of cyber sensors that detect and analyze malware, vulnerabilities, and IP addresses. As such, they are collecting terabytes of post-event machine data that they must analyze as singular alerts. The volume of data passing through an SOC can be overwhelming. When each anomalous action requires triaging and investigation, the result is “alert fatigue”—too many alerts and difficulty separating real issues from the “noise” of inconsequential alerts and false positives.

The data required to identify and stop insider threats must be precise, timely, valid, and consistent. It must support understanding the human behaviors that trigger machine data capture in the form of log files, Windows Events, and DLP policy violations.

Step 5: How to Understand User Intent
Data with context allows automation that doesn’t cause unnecessary friction and continuously validates and enforces trust relationships. This requires contextual awareness of potential risk from every single user account, whether it be a local, domain, or privileged account, by analyzing each action by continuously risk-scoring that user so that the policies can be proportional to the risks presented by that user’s account.

Unlike data from traditional DLP solutions, DTEX InTERCEPT analyzes accurate, contextual data to identify user intent and help teams respond quickly and appropriately across all threat vectors. Once the context of intent is clear, multiple actions can stop the activity before data is put at risk.

Step 6: Get Started with Zero Trust for Insider Risk Intelligence
The first step in any implementation is to assess risk and understand what data is needed to identify threats. Including the SOC team early in the process will help them understand the monitoring systems and define what data they need to build out the approach for Zero Trust as teams define the controls and policies. A good place to start is by answering the following questions.

  • What are we protecting? If it is sensitive data like trade secrets, customer data, or other critical data, you will need to prioritize it. Part of this is understanding the importance of data, but also understanding the risk to that data and the fallout if the data is leaked.
  • Who and what needs access to the data? Data—even extremely sensitive data —needs to be accessible to some people and processes. Determining who and what needs legitimate access—and when—is critical.
  • How will this access occur and how is it currently being secured? In addition to employees or partners logging in to access data, this includes which applications require access.
  • From where will this access be? This is certainly more difficult in a work-from-anywhere world. There may also be geo-regulatory requirements about from where data can be accessed and stored.

Step 7: Use Risk-based Analytics to Contextualize Risk
Human behavior is not black and white. A negligent employee may take an obvious action that puts data at risk. Malicious insiders’ actions are rarely as clear. Detecting malicious actors requires a solution that analyzes actions in context with what the user has done in the past and continues to monitor activities for indicators of malicious intent. As these accumulate, irrespective of the order of activities, risk increases.

At the highest level, risk-based analytics works by gathering interesting observations called “attributions.” These observations are stored in a Risk Index and associated with the risk object, whether that is a user or device. Risk-based analytics do not generate alerts for discrete events. Instead, it maintains a record of them to contextualize activities and identify patterns or sequences of potentially related attributions that together could provide a higher confidence distinguishing between malicious versus intentional risky behavior.

The result is more concise, actionable, and “clean” data that is available for analysis. So, solutions combining the beneficial functionality of DLP, UAM, and UEBA (without the parts detrimental to productivity and user privacy) can discern malicious intent to help organizations detect, deter, and disrupt careless users, malicious insiders, and compromised accounts.

Finally, Take an Insider Risk Management Approach to Zero Trust
In today’s distributed environment, the human is the perimeter. To defend against insider risk, organizations require a Zero Trust solution that uses evidence to analyze and understand the intent behind each action. DTEX InTERCEPT leverages the strengths of DLP, UEBA, and UAM while maintaining user productivity and protecting user privacy. We’re putting humans at the center of our strategy, as human risk can only be combatted with human intelligence.

It’s why we like to say, “The Difference is Human.”

We hope these blog posts were helpful to those of you who prefer to read the Cliff Notes and learn in broad strokes. We invite you to dive deeper by downloading the full e-book, “An Insider Risk Management Approach to Zero Trust.” Or, if you’d like to speak directly with our team about how to take an insider risk management approach to Zero Trust, you can reach us here: