Insider Threat Management

Visibility & Context Are Key To Prevention

DLP and SIEM solutions are not effective at preventing Insider Threats because they don’t take history, trends, and context into account. This leaves the question of ‘Why’ unanswered. However, "Why" is often the most important factor in any Insider Threat investigation.
DTEX has simplified this by incorporating contextual information of the events leading up to, and following, an Insider Threat event. DTEX tracks each of your employees’ normal behavior and crafts finely tuned alerts based on unusual activity changes to create intelligent insider threat detection that picks up on only the activity that really matters. An analyst can then use these contextual cues to easily investigate, acknowledge or ignore alerts generated by the system.

The Insider Threat Kill Chain and Indicators of Intent

The DTEX Insider Threat Kill Chain describes the pattern followed by malicious insiders and allows organizations to understand the entry-point and scope of an attack as well as the intent of the insider. The Insider Threat Kill Chain compares real-time user activity against historical individual and peer group baselines to highlight “Indicators of Intent” to differentiate malicious intentions from benign.

When preparing for data theft, a malicious insider typically begins with research. This is where they locate the data that they would like to steal, test security controls, or, in the case of compromised credentials, where the insider will test the limits of the stolen credentials’ privilege. 

  • Suspicious research or innocuous file exfil
  • Unusual network enumeration
  • Anomalous file or device access

Any attempt to bypass existing security controls provides an important indication that subsequent actions were intentional. Many organizations place too much reliance on the ‘locks on their doors’; an insider, however, typically has sufficient domain knowledge to know which doors are unlocked, or simply has access to the key.

  • Tampering with security controls
  • Suspicious off-network activity
  • Unusual privilege escalation

Whether it’s ‘low or slow’ or a ‘smash & grab’, most data exfiltration involves an aggregation step. Data is commonly aggregated on a local workstation or a server with internet access. Data compression is often leveraged for larger transfers.

  • Anomalous clipboard activity
  • Sensitive data archival
  • Anomalous drive mapping or symbolic link creation

The act of ‘covering one’s tracks’ is ultimately the strongest indicator of intent. While there are countless ways to get data out, there are only a finite number of ways of concealing malicious activity.

  • Suspicious file renaming
  • Steganography & encryption
  • Anonymous web browsing & disk erasing utilities

Many organizations make the mistake of disproportionately investing in legacy endpoint DLP and UAM tools which attempt to detect and prevent exfiltration routes. However, while rigid rules may stop malware detonation, they almost never stop an insider with malicious intent. InTERCEPT analyzes all activity from the point closest to the user, providing visibility into exfiltration routes that most other tools miss.

  • Unencrypted USB drives
  • Saving data to personal webmail drafts
  • Airdrop or Bluetooth transfers

DTEX InTERCEPT – Next-Gen Insider Threat Management

Powered by DTEX’s patent pending DMAP+ Technology, InTERCEPT continuously collects and synthesizes more than 500 unique elements of enterprise telemetry from data, machines, applications and people to surface dynamic ‘Indicators of Intent’ that combine to deliver holistic, contextual awareness about an enterprise workforce’s activities.
