It is often said that any insider risk program must have a technology component to be effective in today’s enterprise environment, and few would argue otherwise. The technology stack is a combination of your eyes and your time machine, enabling you to understand the who, what, where, when, why and how of data movement, both historically and in real time.
The goal, in every instance, is to detect and mitigate the risk of an error or a malicious act, either of which could leave sensitive information in the wind.
Let’s investigate the technologies traditionally used for insider threats, and the need for a unified approach underpinned by and starting with the right data.
The Right Data is Actionable Data
Collecting data is easy. Collecting the data that should be collected is another ballgame. If the logs, audit trails, and events don’t provide information that is actionable, then one must question the collection.
DTEX Systems Co-founder and CTO Rajan Koo says the right data provides actionable insight ahead of an exfiltration event while also protecting employee privacy.
“The trouble with most point solutions is that they only provide data during or after an exfiltration has occurred, by which time most of the damage is done. Often the data collection is highly intrusive and, even then, the data lacks the context that’s needed to genuinely prevent data loss,” says Koo.
“The right data is actionable and affords the privilege of time to choose the best resolution in a way that underpins and uplifts a trusted workforce.”
Data Loss Prevention (DLP)
DLP underestimates the intelligence of people. In other words, it doesn’t take into account that where there’s a will, there’s a way. If a malicious insider wants to take data, they’re going to find a way to circumvent DLP controls.
All this being said, if a DLP tool is the extent of your investment, you should not be surprised if you always find yourself in reactive mode, as you are alerted that your information is now in the wild.
Unfortunately, DLP tools rarely live up to the promise of preventing data loss; it’s not uncommon for security teams to enforce policy only to disable it following pushback from the employees whose productivity has been inhibited in the process.
The problem is also in the data, which lacks the behavioral context that’s needed to detect and disrupt risk before it turns into a threat. And while the platform might spit out alerts, many are false positives, creating a placebo effect and a false sense of security.
User Activity Monitoring (UAM)
User Activity Monitoring (UAM) serves as the eyes of technology on your user. Do you go all-in and capture and analyze every keystroke of every employee? You can, but don’t expect your workforce to stay loyal.
Insider risk management must be underpinned by a trusted workforce and bidirectional loyalty. Neglecting employee privacy through heavy-handed surveillance capabilities found in UAM only erodes employee trust, increasing insider risk along the way.
When it comes to UAM, you will want to join those who embrace the concept of proportionality: the level of monitoring is commensurate with the sensitivity of the information being protected, and is raised only when probable cause exists that requires investigation and adjudication.
User and Entity Behavior Analytics (UEBA)
The advent of user and entity behavior analytics (UEBA) and the early adoption of AI/ML have the potential to provide insightful data to an insider risk program. But far too often analysts lean in and take the view that an anomalous action is bad when, in reality, it may simply be unusual.
The problem is in the data, not the analytics. Like DLP, UEBA collects data that misses the behavioral context that’s required to paint an accurate picture of risk to enforce appropriate mitigation tactics.
The power of UEBA can only ever be fully realized when the data captured affords context from human, cyber, physical, and organizational sensors.
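The distinction between "anomalous" and "risky" drawn above can be made concrete. The following is an added illustration, not DTEX code or any product's logic: a crude UEBA-style deviation score is computed first, and the decision to escalate is then made only after enriching it with constructed context flags from the four sensor classes the article names (human, cyber, physical, organizational). All field names and thresholds are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed example: a data-movement event as a UEBA engine might see it.
@dataclass
class Event:
    user: str
    action: str        # e.g. "usb_copy", "cloud_upload"
    bytes_moved: int
    hour: int          # local hour of day, 0-23

# Constructed context from the four sensor classes named in the article.
@dataclass
class Context:
    human: Dict[str, bool] = field(default_factory=dict)           # e.g. resignation_notice
    cyber: Dict[str, bool] = field(default_factory=dict)           # e.g. new_device
    physical: Dict[str, bool] = field(default_factory=dict)        # e.g. badge_mismatch
    organizational: Dict[str, bool] = field(default_factory=dict)  # e.g. change_ticket

def anomaly_score(event: Event, baseline: Dict[str, float]) -> float:
    """Deviation of bytes moved from the user's own baseline, plus an off-hours bump.
    This is the 'anomalous' signal on its own: it says unusual, not bad."""
    mean, stdev = baseline["mean_bytes"], baseline["stdev_bytes"]
    z = (event.bytes_moved - mean) / stdev if stdev else 0.0
    off_hours = 1.0 if event.hour < 7 or event.hour > 19 else 0.0
    return max(z, 0.0) + off_hours

def triage(event: Event, baseline: Dict[str, float], ctx: Context) -> str:
    """Turn an anomaly into a decision only after consulting context (assumed rules)."""
    if anomaly_score(event, baseline) < 2.0:
        return "normal"
    # Organizational/physical context that explains the unusual activity.
    explained = bool(ctx.organizational.get("change_ticket")) or (
        bool(ctx.organizational.get("role_allows_usb")) and not ctx.physical.get("badge_mismatch"))
    # Independent risk signals that make the same anomaly worth an analyst's time.
    risk_signals = sum([
        ctx.human.get("resignation_notice", False),
        ctx.cyber.get("new_device", False),
        ctx.physical.get("badge_mismatch", False),   # on the office LAN but never badged in
    ])
    if explained and risk_signals == 0:
        return "unusual_benign"      # the false positive a bare DLP/UEBA alert would raise
    if risk_signals >= 2:
        return "escalate"
    return "review"
```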
The Power of Trust
The individual is at the center of every insider risk management (IRM) solution, including those with a tech-heavy component. The level of trust between the IRM team and the employee/contractor must remain high in a successful IRM program.
Any technology used to collect data should be disclosed to the employee out of transparency and respect. This disclosure also acts as an important deterrent and is accomplished through the ongoing and in-the-moment training and awareness opportunities that are the hallmark of a mature IRM program.
Employees need to know they are trusted and why the data collected is necessary. It is also worth communicating what data is NOT being collected and why for the same purpose.
Proactive Insider Risk Management: The Time to Consolidate is Now
The insider risk program is there to protect the assets and the personnel of a given entity.
Keeping in mind that the technologies within an insider risk program are both the eyes on activity and the investigative tools, one should envision the technologies as spokes around a wheel hub. The hub fits over the axle and allows the wagon to move down the road successfully. Missing spokes, wrong-sized spokes, or poorly fitted spokes all equate to a weak wheel. But when all the spokes are the right size and fit, the wheel rolls smoothly.
This is what is required for today’s insider risk programs: a smooth-running consolidation.
Consolidating DLP, UAM and UEBA under one umbrella affords the opportunity to be proactive instead of reactive: less chasing your information down the road and more keeping it right where it belongs, in your hands.