The Cost of Ownership Demands Attention: Choosing the Right Tool for IRM

We have talked a lot about the differences between Insider Risk Management and Insider Threat Surveillance solutions for defending against malicious insiders. Most of the points we have brought up are technical differences, including their impacts on privacy, the benefits of behavioral analytics, and their different levels of support for ecosystem integration. We have also covered more practical issues for organizations that need to support a growing and diverse environment in our posts on scalability, reporting, and time-to-value.

It’s now time to examine an organization’s ability to license and manage these approaches to insider risk. All organizations face budget constraints for people and infrastructure. The total cost of ownership (TCO) should be a critical factor when contemplating a new solution.

As readers undoubtedly know, the total cost of ownership includes the cost of licensing a solution and the costs associated with operating the solution over time. In the case of insider risk solutions, it requires security, compliance, finance, and senior management to look at the costs of a solution compared to its projected value over time.

Insider Threat Surveillance solutions like Proofpoint ITM (formerly ObserveIT) clearly can provide value. They provide advanced video capture capabilities and employee behavior correction workflows that can benefit organizations. However, initial licensing costs are only a portion of the costs of deploying, scaling, and managing these solutions.

While surveillance solutions are manageable for small deployments, when organizations attempt to scale beyond 500 endpoints they often find additional professional services investments are required due to the complex nature of the endpoint agent. As discussed in our time-to-value post, these agents often interfere with existing endpoint agents for anti-virus and identity and access management solutions. They also often require special configurations for cloud management consoles.

Of course, capturing video, screenshots, and keystrokes on endpoints is only the first step. The data needs to be transmitted and processed, consuming extensive system resources and monopolizing network bandwidth. This can require organizations to increase endpoint processing power. Finally, the data needs to be stored, and video files, even when compressed, can quickly exhaust on-prem and cloud storage limits and budgets.

This happens because Insider Threat Surveillance solutions take a “more is better” approach. They need to capture that data because they are looking for malicious actions and use video and keystrokes as their indicators of attack.

DTEX InTERCEPT takes a different approach. DTEX uses a metadata model that reduces the amount of data captured, which minimizes storage costs. It uses a lightweight forwarder with little impact on endpoint performance rather than a full endpoint agent, then leverages techniques like Markov Modeling, Entity Clustering, and Multi-factor Regression to enrich the raw data from activity monitoring and distinguish legitimate activities from malicious intent. Instead of singular alerts requiring time-consuming work for analysts, DTEX provides contextual, sequenced notifications.

Scaling DTEX is simple. Unlike Insider Threat Surveillance agents, which are typically deployed at the time of investigations and require additional process and resource overhead, DTEX can be deployed enterprise-wide using existing software deployment tools as a routine update.

The result is a solution designed to reduce costs and resource requirements while supporting proactive insider risk detection and multiplying the value of existing cyber security tools and platforms.

Selecting a solution to protect organizations against insider threats requires organizations to consider technical capabilities, the solution's ability to grow with the organization, and the total cost of managing and supporting the solution over time. As you can read in our free e-book, and as explained by our Chief Customer Officer Rajan Koo and Jonathan Care, Gartner veteran and Principal at Mountain Storm Ltd, in our recent webinar, Insider Risk Management solutions like DTEX InTERCEPT provide clear advantages over Insider Threat Surveillance solutions.
