WORKFORCE CYBER INTELLIGENCE AND SECURITY BLOG

A Human-centric Approach to Operational Awareness and Risk Management.


Understanding the Insider Risk Solution Landscape—An Alphabet Soup of Agencies, Technologies, and Vendors

Not unlike the rest of the Information Technology universe, the Insider Risk solutions landscape is cluttered with an alphabet of acronyms representing government agencies and technologies, so it’s not uncommon to be confused. As the great Austin Powers said, “Whoopty do, what does it all mean, Basil?”

What it all means is that, at a time when remote work is the new norm, network-centric cyber solutions are diminishing in relevance and governments are making major commitments to endpoint protection (see CrowdStrike chosen by CISA for government endpoint security initiative), the need to secure data, identify malicious insiders, and protect trusted insiders against compromise is no longer a nice-to-have. The problem does not have a simple fix; in fact, one could argue that it is more complicated than ever. The truth is that it’s not: the picture is actually becoming clearer.

Let’s start by dissecting the government agencies and other non-commercial groups that are active in the Insider Risk landscape. There is the National Counterintelligence and Security Center (NCSC), which is responsible for the National Insider Threat Task Force (NITTF). There is the Cybersecurity & Infrastructure Security Agency (CISA) and its Insider Risk Self-Assessment Tool. There is the Common Sense Guide to Mitigating Insider Threats, which represents the recommendations of the CERT Division of Carnegie Mellon University’s Software Engineering Institute. There is the MITRE Corporation’s ongoing research on the behavioral science aspect of Insider Threats. And there are more.

On the commercial side of the Insider Threat landscape there is a similar collection of unconnected, independent technology providers who promote their solutions and tools as the answer to Insider Threat detection and mitigation. Customer security teams find themselves facing a complicated and sometimes frustrating solution landscape. While traditional security tools have their benefits, they also face consistent challenges. And vendor marketing campaigns that deliver the same message on top of often very different underlying capabilities make technology selection for Insider Risk more difficult still.

Security Information & Event Management (SIEM)
Software that collects and aggregates log data from existing IT infrastructure for analysis.
Benefits:
  • Can act as a single pane of glass that collates multiple data sources, with analysts only having to learn a single UI
  • Often contains a wide array of reporting and dashboarding capabilities
Challenges:
  • Often very noisy and difficult to tune (i.e., false positives)
  • Only as good as the underlying data sources ingested, which are often flawed

User Behavior Analytics (UBA)
Analytics that create user behavior baselines and reverse-engineer user behavior insights from log data.
Benefits:
  • Takes into account the fluidity of human behavior
  • Adaptable
  • Specializes in highlighting anomalous behavior and outliers
Challenges:
  • Anomalies highlighted are often difficult to action and require a high level of technical skill to interpret (often leads to a services engagement if in-house data science expertise is not available)
  • Slow: often takes a very long time to tune and see value

Data Loss Prevention (DLP)
Rule-based tools that control what data users can transfer, and how, often through policy enforcement actions (i.e., blocking).
Benefits:
  • Often leveraged to meet compliance mandates regarding the handling of PII and other customer data
  • Necessary for companies that need to hard-block certain activities under blanket, company-wide circumstances
Challenges:
  • Rule-based, which means you can only detect what you already know to look for
  • High impact on end users: policy enforcement actions are typically disabled because of end-user impact, and truly malicious activity is then often missed

Employee Monitoring / User Activity Monitoring (UAM)
Surveillance tools that monitor user activity, often through measures such as keylogging, video capture and screenshots.
Benefits:
  • Provides a high degree of information about user behavior at the individual level
  • Useful in litigation where physical evidence of actions and intent is required
Challenges:
  • High impact on user privacy and endpoint/network performance (often reliant on highly invasive measures such as keylogging, screenshots, etc.)
  • Point-and-shoot rather than enterprise-wide visibility: typically does not scale beyond a few hundred endpoints

Workforce Cyber Security & Insider Risk Management (IRM)
Next-generation security tools that combine specific capabilities from traditional UAM/UBA and endpoint DLP into a single platform. Focused on user behavior visibility specifically for the purposes of detecting insider threats and data loss, using metadata to identify patterns of known-bad behavior and risk-based analysis to prevent data loss before IP exfiltration, fraud, or sabotage occurs.
Benefits:
  • Endpoint user behavior data provides human-readable contextual information
  • Contextual risk scores are then leveraged to inform behavioral DLP policies or monitoring policies in a proportional way
  • Collects metadata: lightweight, scalable and privacy-conscious
  • Alert stacking & analytics reduce false positives; immediate time to value
Challenges:
  • Highly tailored to insider threat detection, data loss prevention and remote worker protection; not intended for malware detection
  • Enterprise-wide visibility typically requires input from various stakeholders
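To make the contrast in the table concrete, the sketch below shows a rule-based DLP check that fires only on a destination it already knows, a UBA-style check against the user’s own transfer-volume baseline, and IRM-style alert stacking that sums independent signals into one contextual risk score driving a proportional response. This is example code added for this page, not DTEX product logic; the events, baselines, weights and thresholds are constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed endpoint metadata (not file content): who did what, how much, where to.
@dataclass
class Event:
    user: str
    action: str      # e.g. "usb_copy", "cloud_upload"
    dest: str
    mbytes: int
    off_hours: bool

# Constructed 7-day history of daily MB transferred per user (the UBA baseline).
BASELINE = {"alice": [40, 55, 38, 60, 45, 50, 42], "bob": [5, 8, 4, 6, 7, 5, 6]}
# The only thing the rule-based DLP layer knows to look for (constructed denylist).
KNOWN_BAD_DESTS = {"personal-dropbox.example"}

def dlp_rule_hits(ev: Event) -> list[str]:
    """Rule-based DLP: detects only patterns that were written down in advance."""
    return ["known_bad_destination"] if ev.dest in KNOWN_BAD_DESTS else []

def baseline_anomaly(ev: Event, history: list[int], sigmas: float = 3.0) -> list[str]:
    """UBA-style check: flag a transfer far above this user's own volume baseline."""
    mu, sd = mean(history), pstdev(history)
    return ["volume_anomaly"] if ev.mbytes > mu + sigmas * max(sd, 1.0) else []

# Weights are illustrative; in practice they are tuned per organization.
WEIGHTS = {"known_bad_destination": 50, "volume_anomaly": 30,
           "off_hours": 15, "removable_media": 20}

def risk_score(ev: Event) -> tuple[int, list[str]]:
    """Alert stacking: weak signals that are noise alone add up into one contextual score."""
    signals = dlp_rule_hits(ev) + baseline_anomaly(ev, BASELINE[ev.user])
    if ev.off_hours:
        signals.append("off_hours")
    if ev.action == "usb_copy":
        signals.append("removable_media")
    return sum(WEIGHTS[s] for s in signals), signals

def proportional_policy(score: int) -> str:
    """Response scales with the score instead of hard-blocking every single rule hit."""
    if score >= 60:
        return "block_and_escalate"
    if score >= 30:
        return "alert_analyst"
    return "monitor"

if __name__ == "__main__":
    ev = Event("bob", "usb_copy", "USB:E", 900, True)   # unknown destination, huge volume
    print(dlp_rule_hits(ev), risk_score(ev), proportional_policy(risk_score(ev)[0]))
```

The `bob` event is invisible to the rule-based layer (no known destination) yet scores 65 once the volume anomaly, off-hours timing and removable media are stacked, while a routine USB copy within baseline only reaches `monitor`.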

Our mission at DTEX Systems is simple: remove the noise, both in the endpoint and human telemetry we provide customers so they can understand their workforce strengths, challenges, and risks, and in helping them understand which technologies do what, when, how, and why. In fact, we’ve authored the DTEX Insider Threat Mitigation Guide to offer public and private organizations a simple evaluation guide to the considerations involved in building an effective and efficient Insider Threat Detection & Response program.

In the weeks and months ahead, we will dive deeper into the consolidation of UEBA, DLP and Insider Threat technologies and what it means for your cyber security technology architecture as a whole. We will also introduce the research being done in the behavioral sciences that promises to significantly advance the efficacy of insider risk detection, how you evaluate technology solutions, and the program development process. Stay tuned and stay in touch with us through our LinkedIn Company Page.