The DTEX Risk Model

How DTEX Fights the Insider Threat

Insider threats can come from just about any angle.
To stop them, the right solution needs to take an intelligence-based approach. DTEX combines unique visibility with actionable analytics to find, target, and identify insider threats with unprecedented accuracy. Here's how DTEX Intercept works.

Intelligent Endpoint Monitoring

DTEX combines an incredibly lightweight forwarder on each endpoint with a powerful server-based analysis engine to deliver security and visibility.

Contextual User Behavior Analytics

DTEX automatically builds a user-level profile of activity based on DTEX data not found in any log files, and automatically identifies sudden changes in behavior that indicate high-risk activity.

Leading Insider Threat Protection

Despite massive spending on security tools, the threat from insiders is greater than ever. No combination of existing security tools comes close to the simple, scalable visibility and protection from DTEX.

Context is Key

DLP and SIEM solutions are not effective on their own because they don’t take history, trends, and context into account. The result is many false positives, wasted time, and ineffective monitoring. DTEX tracks each employee’s normal behavior and crafts finely-tuned alerts based on unusual changes in activity. By putting each user’s behavior in context through four distinct steps, we create intelligent insider threat detection that picks up only the activity that really matters.

Profile Known Risks: Sometimes the threat is known.

Over the past decade, DTEX has continued to evolve and refine its library of known high risk activities. Every endpoint event is parsed through the DTEX library to highlight known high-risk behaviors.

Baseline Normal Behavior: Sometimes the threat is new.

When trying to identify new or unknown threats, DTEX first focuses on what is normal. A baseline of normal activity is created for each user, device and application. Baselining metrics can include:

  • Endpoint utilization metrics – Cluster analysis of software applications used, working hours, websites visited and task switching behavior
  • File access metrics – What files are regularly accessed, from where and in what quantities
  • Account access metrics – What login accounts are regularly accessed (users often have access to multiple accounts)

To determine whether activities are abnormal, we compare a user’s recent events against themselves (i.e. their own historical baseline), against their peer group (i.e. the baseline of users in similar departments or roles) and against the entire organization.

Understand the Context: The reason WHY is overlooked.

"Why" is often the most important factor in any Insider Threat investigation, and it usually can't be answered without the experience of a seasoned security analyst with extensive domain knowledge.
DTEX has simplified this by incorporating contextual information about the events leading up to, and following, an Insider Threat event. An analyst can then use these contextual cues to easily investigate, acknowledge or ignore alerts generated by the system.

Evaluate the Risk: A risk is not always a risk.

Some security risks, like malware, are black-and-white problems. Human risks, however, are rarely so simple. DTEX understands this and incorporates the company IT Acceptable Use Policy within the Risk Model so that acceptable behaviors can be ignored and policy breaches highlighted.

The severity associated with known risky behavior, abnormal behavior and the context behind each event is aggregated into a single Insider Threat score which is used to prioritize alerts.
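The four steps described above (profile known risks, baseline against the user's own history, their peer group and the whole organization, apply the acceptable-use context, and aggregate everything into one prioritization score) as an added, self-contained Python illustration. This is not DTEX code and does not reproduce the actual DTEX Risk Model: the daily activity counts, department labels, the "known risk" severity library, the policy table and every weight and threshold are constructed placeholders chosen only to make the steps visible.

```python
"""Added illustration of the four-step risk model described above.

This is NOT DTEX code. The activity counts, department labels, the
"known risk" severity library, the acceptable-use table and every weight
are constructed placeholders chosen only to make the steps visible.
"""
from statistics import mean, pstdev

# Constructed sample: daily counts of one activity ("usb_copy") per user.
# Each list is the 7-day history used to build the baseline.
HISTORY = {
    "alice": [2, 3, 1, 2, 4, 2, 3],
    "bob":   [1, 0, 2, 1, 1, 0, 1],
    "carol": [3, 2, 3, 4, 2, 3, 2],
    "dave":  [20, 25, 18, 22, 24, 21, 19],
    "erin":  [15, 18, 17, 16, 19, 14, 18],
}
DEPARTMENT = {"alice": "finance", "bob": "finance", "carol": "finance",
              "dave": "it", "erin": "it"}
# The most recent day's count for each user (constructed).
RECENT = {"alice": 2, "bob": 40, "carol": 3, "dave": 23, "erin": 17}

# Step 1 stand-in: a library of known high-risk activities with a severity in 0..1.
KNOWN_RISK = {"usb_copy": 0.6, "tor_access": 0.9, "webmail_upload": 0.5}
# Step 4 stand-in: the IT Acceptable Use Policy, as departments permitted to do an activity.
POLICY_ALLOWED = {"usb_copy": {"it"}}


def zscore(value, samples, min_sd=1.0):
    """Standard score of `value` against `samples`.

    The floor on the standard deviation stops a near-constant history (a user
    who almost never touches USB) from turning one event into an infinite
    score; the floor is a tuning choice, not something the page specifies.
    """
    return (value - mean(samples)) / max(pstdev(samples), min_sd)


def baseline_zscores(user, value, history=HISTORY, department=DEPARTMENT):
    """Step 2: compare a user's recent value with three baselines: their own
    history, their peer group (same department) and the whole organization."""
    peers = [v for u, days in history.items()
             if department[u] == department[user] for v in days]
    org = [v for days in history.values() for v in days]
    return {
        "self": zscore(value, history[user]),
        "peer": zscore(value, peers),
        "org": zscore(value, org),
    }


def anomaly_component(zs, threshold=3.0):
    """Map the three z-scores onto 0..1. Each reference contributes z/threshold
    clipped to [0, 1] and the three are averaged, so a user who is unusual only
    relative to themselves (say, ramping up in a new role) scores lower than
    one who is unusual against self, peers and organization at once."""
    parts = [min(max(z / threshold, 0.0), 1.0) for z in zs.values()]
    return sum(parts) / len(parts)


def insider_threat_score(user, activity, value,
                         history=HISTORY, department=DEPARTMENT):
    """Steps 3-4: combine known-risk severity, behavioural anomaly and policy
    context into a single 0..100 score used to prioritise alerts."""
    zs = baseline_zscores(user, value, history, department)
    anomaly = anomaly_component(zs)
    known = KNOWN_RISK.get(activity, 0.0)
    # Context: if the acceptable-use policy permits this activity for the user's
    # department the event is heavily discounted rather than dropped outright,
    # so a permitted but wildly abnormal volume can still surface.
    policy_allowed = department[user] in POLICY_ALLOWED.get(activity, set())
    context = 0.2 if policy_allowed else 1.0
    score = round(100 * context * (0.5 * known + 0.5 * anomaly), 1)
    return {"user": user, "activity": activity, "value": value, "zscores": zs,
            "anomaly": round(anomaly, 3), "known_risk": known,
            "policy_allowed": policy_allowed, "score": score}


def prioritise(activity="usb_copy", recent=RECENT):
    """Score every user's most recent day and return alerts, highest first."""
    results = [insider_threat_score(u, activity, v) for u, v in recent.items()]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritise():
        z = {k: round(v, 1) for k, v in r["zscores"].items()}
        print(f"{r['user']:6} score={r['score']:5} anomaly={r['anomaly']:.2f} "
              f"policy_allowed={r['policy_allowed']} z={z}")
```

With these constructed inputs, bob (a finance user who normally copies one file a day and suddenly copies forty) ranks first, while dave (an IT user copying files at his usual rate under a policy that permits it) drops near the bottom even though the activity itself is in the "known risk" library. The specific weights are illustrative; the point is that the three comparisons and the policy context, not the raw event, decide the priority.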

The Critical Red Flags

While many approaches promise to “solve” Insider Threat, it’s important for organizations to take a risk-based approach when evaluating and selecting an Insider Threat platform.

This is a checklist of important red flags present in real-world Insider Threat attacks. All of the attack vectors described below are taken from actual Insider Threat attacks that have been discovered by DTEX. DTEX can identify all of these warning signs, and more.

Data Exfiltration: The Malicious Insider

Even in companies with “mature” data loss prevention programs, here are the tactics we’ve found users actually employing when trying to exfiltrate data:

1. File Theft via Allowed Mechanisms

  • Unusual rate of copying/moving files to a local machine
  • Unusual rate of copying/moving files between servers
  • Unusual rate of copying/moving files to off-network servers
  • Unusual rate of copying/moving files to USB drives
  • Unusual rate of writing files to CD/DVD drives
  • Printing sensitive data to a networked printer
  • Printing sensitive data to a local printer
  • Printing sensitive data to an off-site printer (e.g., home office)

2. File Theft via Internet

  • Uploading to cloud services FROM the corporate network
  • Uploading to cloud services OFF the corporate network
  • Uploading to personal webmail from the corporate network
  • Uploading to personal webmail off the corporate network
  • Copying and pasting sensitive data to a website

3. Obfuscation and Covering Tracks

  • Accessing The Onion Router (Tor)
  • Knowing which sites were accessed via Tor
  • Unusual use of encryption software to avoid content inspection
  • Unusual rate of renaming a file to something innocuous
  • Unusual movement of virtual machines in the network
  • Unusual installation / use of virtual machines
  • Unusual admin tool use (e.g., fsutil, alternate data streams)
  • Unusual use of Incognito / Private Browsing mode
  • Researching steganography tools
  • Installing and using steganography tools
  • Unusual disconnects from corporate network

4. Bypassing Security Measures

  • Researching, installing and using proxy bypass / VPN / tunneling
  • Researching, installing and using peer-to-peer applications
  • Use of password cracking applications to get to sensitive data
  • Use of portable applications to bypass security measures
  • Copying and pasting sensitive data to a website
  • Copying and pasting sensitive data to an innocuous file
  • Installation of hacking tools to probe for control weaknesses
  • Attempting to disable / tamper with existing controls (e.g., DLP)
  • Unusual use of non-corporate wifi networks
  • Installing and using steganography tools

5. Privileged User Security

  • Unusual disconnects from corporate network
  • Shared / admin / service account identification
  • Unusual connections using shared / admin accounts
  • Unauthorized use of shared / admin accounts on network
  • Unauthorized use of shared / admin accounts on local machine
  • Unusual applications being run under shared / admin accounts
  • Unusual use of local admin/root accounts
  • Unusual local admin activity (e.g., scripts, file activity)
  • Unusual local or network movement of virtual machines
  • Detect use of shared/generic accounts to copy shared data

Credential & Machine Compromise: The External Insider

With the rise of zero-day vulnerabilities, phishing attacks, and watering hole attacks, compromised credentials and remotely controlled machines are external attacks that masquerade as insiders. Compromised credentials and machines can be detected by analyzing user activity for anomalies and behavioral changes.

  • Machine accessing unusual IP addresses
  • Machine accessing unusual network ports
  • Machine accessing unusual or known bad website address
  • Web browser used to access IP address (no DNS) directly
  • Multiple machines attempting to connect to same target
  • Use of port scanning tools for reconnaissance
  • Use of port scanning tools from external machines
  • Unusual failed access to servers or domain names
  • Unusual rate of VPN connections by user
  • “Fast travel” detection of VPN users
  • Lateral movement via network devices / Linux servers
  • Unusual access to devices / Linux servers outside firewall
  • Machine downloading unusual/suspicious file (e.g., .JAR, .PDF)
  • Machine performing network activity during unusual hours
  • Machine performing local activity during unusual hours
  • Machine installing or running unusual application
  • Machine running application from an unusual location
  • Application saving data to an unusual location
  • Machine executing unusual script or privilege escalation
  • Unusual use of packet capture / proxy / network analysis tools
  • Find machine where known malware was installed
  • Find machine where known malware was run
  • Machine attacked with local keylogger / Rubber Ducky
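Of the indicators listed above, “fast travel” detection of VPN users is concrete enough to show in code. The following is an added example, not DTEX code, and it does not describe how DTEX implements the check: it parses constructed VPN login lines (the log format, user names and coordinates are assumptions), computes the great-circle distance between successive logins of the same user, and flags any pair whose implied speed exceeds a plausible travel speed. The speed ceiling and the minimum-distance floor are assumed tuning values.

```python
"""Added example of "fast travel" (impossible travel) detection for VPN logins.

Not DTEX code. The log format, the coordinates and the thresholds are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed VPN login records: UTC timestamp, user, source geolocation (lat,lon).
SAMPLE_LOG = """\
2021-03-01T08:00:00Z user=bob   src_geo=40.7128,-74.0060   # New York
2021-03-01T10:00:00Z user=bob   src_geo=51.5074,-0.1278    # London, 2h later
2021-03-01T11:00:00Z user=bob   src_geo=53.4808,-2.2426    # Manchester, 1h later
2021-03-01T09:00:00Z user=alice src_geo=51.5074,-0.1278    # London
2021-03-01T17:00:00Z user=alice src_geo=48.8566,2.3522     # Paris, 8h later
"""

MAX_SPEED_KMH = 900.0   # faster than a commercial flight; assumed ceiling
MIN_DISTANCE_KM = 50.0  # ignore small hops, since geo-IP placement jitters (assumption)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_log(text):
    """Parse the constructed log format into (user, time, lat, lon) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop the inline comment
        if not line:
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        lat, lon = (float(x) for x in kv["src_geo"].split(","))
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        records.append((kv["user"], when, lat, lon))
    return records


def detect_fast_travel(text, max_speed_kmh=MAX_SPEED_KMH,
                       min_distance_km=MIN_DISTANCE_KM):
    """Flag consecutive logins by the same user whose implied speed is implausible."""
    by_user = defaultdict(list)
    for user, when, lat, lon in parse_log(text):
        by_user[user].append((when, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()   # chronological order per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            distance = haversine_km(la1, lo1, la2, lo2)
            if distance < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two distant logins in the same second are the most extreme case.
            speed = float("inf") if hours == 0 else distance / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": (la1, lo1), "to": (la2, lo2),
                               "km": round(distance, 1), "hours": round(hours, 2),
                               "kmh": round(speed, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect_fast_travel(SAMPLE_LOG):
        print(f"FAST TRAVEL: {a['user']} moved {a['km']} km in {a['hours']} h "
              f"({a['kmh']} km/h)")
```

On the constructed log only bob's New York to London pair is flagged (roughly 5,570 km in two hours); his later London to Manchester hop and alice's London to Paris move are within plausible speeds. In practice the check is one input to the anomaly step described earlier rather than an alert on its own, since shared VPN exits and geo-IP errors produce benign hits.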

The Endpoint Advantage

As you can see, newcomers to the Insider Threat space only have a limited capability to detect the real-world attack vectors that large enterprises face. As you’re building your program, make sure that you have the full visibility that you need to detect insider threats.

DTEX's unique combination of data and analytics makes it a critical component of your Insider Threat approach. It allows enterprises to see threats clearly, without overwhelming analysts with false positives. Most importantly, it doesn't rely on antiquated restrictions that are frustrating, difficult to manage, and easy to circumvent.


2021 Remote Workforce Security Report Available Now. Read the News!

Dtex Announces $17.5M in New Funding! Read More!