Join our panel during Black Hat 2024 – Blurred Lines: Investigating the Convergence of Internal and External Threats



Insider Risk Insights - DTEX Blog

Understanding Behavioral Intent Doesn’t Equal Invasive Surveillance

Behavioral intent not invasive surveillance insider risk management

One of the realizations of the pandemic-forced Work-From-Anywhere (WFA) movement, and the subsequent “great resignation” (and great data infiltration), for security professionals is the need to understand user behavior better. WFA forced security teams to switch from a corporate perimeter-centric focus to a requirement to protect hundreds of thousands of “remote offices” outside of traditional corporate controls. With everyone working remotely—often using personal hardware and cloud apps—tracking and interpreting user actions with sensitive data became more challenging than ever.

This is particularly true for Insider Threat Surveillance solutions like Proofpoint ITM and others not leveraging behavioral analytics. These are limited to monitoring threshold-based rules such as those used in traditional DLP approaches. The fixed rules must anticipate how each user will need to use each type of data, leading to user pop-ups, user blocks, or the triggering of core surveillance capabilities for manual analyst review. When WFA began, many of the rules became obsolete and new rules were required. While Proofpoint ITM is notable for the ease in which these threshold/trigger-based rules can be created, the lack of behavioral analytics requires regular configuration and tuning of rule sets, which equates to heavy maintenance and administration.

In contrast, DTEX collects the minimum required metadata for analysis. Its analytics capabilities include:

  • Anomaly detection
  • Peer group analytics
  • Multi-factor regression
  • Unsupervised and semi-supervised machine learning

When the pandemic forced us all into WFA, DTEX recognized the need for greater behavioral analytics. Our Insider Intelligence & Investigations team (DTEX i3) conducted research with the MITRE Behavioral Sciences team. This collaborative research project used MITRE’s behavioral experiment methodology to identify and explore how activities differ depending on an insider’s intention (i.e., malicious vs. benign intent) and whether that insider is in a remote working environment or the organization’s work site.

The research informed our understanding of the underlying behavioral indicators that increase insider risk (including the differences in the way malicious and non-malicious users search, aggregate, manipulate, and transfer data), making it possible to detect and disrupt an insider threat before any irreparable harm is caused.

You have a choice when countering insider threats. Adding behavioral analytics to your defenses leads to a more proactive and effective solution.

Register to attend our upcoming live webinar on LinkedIn, “7 Reasons Organizations Choose Insider Intelligence Over Surveillance,” to learn more and make sure to download our e-book for an in-depth review of this critical topic.