We often see technology solutions described as “next-generation.” Usually, it’s simply “marketing speak” for a product that vendors would like to portray as advanced or technologically superior. But when “next-gen” is used to describe insider threat detection and mitigation, it has a very specific meaning – and significant reach beyond the identification of malicious insiders.
Historically, insider threat management products and services have taken the form of “point solutions” – technologies and software developed to address specific needs related to malicious insider threats. These first-generation solutions include:
- User Activity Monitoring products
- Internal Fraud and Forensics tools
- Data Loss Prevention solutions
- User Behavior Analytics products
The problem is that these legacy solutions, used alone, rely on machine data from cyber sensors: logs, network traffic and endpoint hooks that record what a machine did and then infer what a user did from it. Applications, data and machines do not update, move or change themselves; their human operators do. The sensor, however, records only the side effects of an action, not who took it or why, so context is lost at the source. This muddled, noisy signal leaves visibility gaps, creates false positives, slows reaction to real threats, and does nothing to offer “left of boom” (preventive) intelligence about compromised credentials, targeted external attacks or negligent user scenarios.
A next-generation Insider Threat platform takes a different approach: it collects metadata that records the human’s activity directly (which user took which action, on what, and in what sequence) rather than reconstructing it from machine side effects. That lean, context-rich data set delivers the value the point products promised, together with the capabilities a modern enterprise requires, including:
- Enterprise-wide scalability. Insider threats can come from anywhere in the organization, so an effective solution must be able to monitor the entire team – no matter how large – not just a few designated key people.
- Fast deployment. A cloud-first solution is preferable to cumbersome products that require significant time and effort to deploy and maintain.
- Low endpoint and network impact. Traditional endpoint DLP solutions can degrade endpoint performance, inhibiting employee productivity. Because it must be able to scale enterprise-wide, a next-generation Insider Threat solution must not interfere with endpoint or network performance.
- GDPR compliance. With individual privacy increasingly important – and legally mandated – any Insider Threat solution must be able to monitor employee behavior without collecting personally identifiable information. The usual way to meet this is to pseudonymize identities at the point of collection and keep the means of re-identifying a user outside the analytics pipeline. Note that under GDPR pseudonymized data is still personal data, so this is a safeguard that limits exposure, not an exemption from the regulation.
- Noise-free telemetry with 24×7 audit trail. The more irrelevant data – or “noise” – a solution collects, the more time and effort it takes to sift through the data and find genuine threats. To be effective in today’s environment, an enterprise-wide Insider Threat solution must eliminate the noise and provide a continuous audit trail.
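As an added illustration of the GDPR requirement in the list above (example code written for this page, not DTEX’s implementation or any product’s data format): one common way to watch behaviour without storing raw identities is to replace identifying fields with keyed pseudonyms at collection time and hand the re-identification map to a separate custodian. The event layout, field names, key handling and the `Escrow` class below are assumptions made for the example; the telemetry events are constructed, not captured.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed endpoint telemetry events for illustration; not real data and not
# the format of any vendor product.
RAW_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-05-01T09:12:03Z", "user": "alice@example.com",
     "host": "LAPTOP-01", "action": "file_copy", "target": "removable:E:/q2_forecast.xlsx"},
    {"ts": "2024-05-01T09:14:40Z", "user": "bob@example.com",
     "host": "LAPTOP-07", "action": "app_launch", "target": "excel.exe"},
    {"ts": "2024-05-01T09:15:11Z", "user": "alice@example.com",
     "host": "LAPTOP-01", "action": "upload", "target": "https://drive.example.net/"},
]

# Fields that directly identify a person. Host names can also be identifying in a
# small organisation; extend this tuple to match your own data protection assessment.
PII_FIELDS = ("user",)


def pseudonym(key: bytes, value: str) -> str:
    """Keyed, deterministic pseudonym for one identifier.

    HMAC-SHA256 under a secret key means the same user always maps to the same
    token (so behaviour can still be tracked over time), while nobody without the
    key can enumerate likely e-mail addresses, hash them and recover identities,
    which a plain unsalted hash would allow.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "u-" + mac[:32]  # 128 bits is ample to avoid collisions


class Escrow:
    """Token -> identity map held by a separate role (for example HR or legal),
    not by the analysts who look at the telemetry. Re-identification happens
    here, on request, and is itself logged."""

    def __init__(self) -> None:
        self._identities: Dict[str, str] = {}
        self.access_log: List[str] = []

    def register(self, token: str, identity: str) -> None:
        self._identities[token] = identity

    def reveal(self, token: str, requester: str, reason: str) -> str:
        self.access_log.append(f"{requester} revealed {token}: {reason}")
        return self._identities[token]


def pseudonymize_events(events: List[Dict[str, str]], key: bytes, escrow: Escrow) -> List[Dict[str, str]]:
    """Return copies of the events with PII fields replaced by pseudonyms.
    The raw identities never reach the analytics store; only the escrow keeps them."""
    out = []
    for ev in events:
        clean = dict(ev)  # copy, so the caller's raw event is not mutated
        for field in PII_FIELDS:
            if field in clean:
                token = pseudonym(key, clean[field])
                escrow.register(token, clean[field])
                clean[field] = token
        out.append(clean)
    return out


def contains_raw_identity(events: List[Dict[str, str]], identities: List[str]) -> bool:
    """Sanity check: does any listed identity survive anywhere in the pseudonymized events?"""
    blob = " ".join(str(v) for ev in events for v in ev.values())
    return any(ident in blob for ident in identities)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, keep in a KMS/HSM, never beside the telemetry
    escrow = Escrow()
    safe = pseudonymize_events(RAW_EVENTS, key, escrow)
    for ev in safe:
        print(ev)  # analysts see tokens, never addresses
    # An authorised reviewer can unmask one token on a justified, logged request.
    print(escrow.reveal(safe[0]["user"], requester="hr-case-42", reason="confirmed exfil attempt"))
    print(escrow.access_log)
```

Two design points matter more than the hashing itself: the key and the escrow map must live with a different custodian than the analytics store, otherwise the pseudonyms are trivially reversible by the same people who query the data; and rotating the key breaks longitudinal linking, so rotation has to be planned around the retention period of the audit trail.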
Viewed against these essential requirements, the following products should not be considered next-generation Insider Threat solutions:
- Log-File-Based Behavior Analytics solutions that analyze aggregated log data
- Network Detection and Response (NDR) products that analyze data gathered from network devices
- Endpoint Detection and Response (EDR) products that analyze malware and APT activity from endpoint devices
In short, a next-generation Insider Threat solution is a comprehensive, integrated solution made for today’s enterprise. It delivers “left of boom” human intent intelligence that precedes insider threats and signals forthcoming data exfiltration attempts, sabotage scenarios and internal fraud events. At DTEX, we offer such a solution: it’s called DTEX InTERCEPT. Learn more about it here.