Workforce Security and Management Software

Data Loss Prevention (DLP) is a set of tools, processes, and policies designed to detect and prevent the exposure or loss of data to unauthorized users. Traditional endpoint DLP uses an agent on every device to monitor and enforce policies regarding the appropriate use of data and block misuse.

Requirements of a DLP solution include the ability to identify and classify data at rest and in motion, across any applications used in the organization, and to apply behavioral analysis to enforce policies. More recently, it has also become imperative to apply machine learning and AI to identify actions that are precursors to data loss (Indicators of Intent).

Network DLP monitors data traffic on a network to enforce policies and prevent data loss. This includes email traffic, browser activity, and cloud storage services. It requires no endpoint agents, but consequently only enforces policies when users are on the corporate network.

Endpoint DLP uses an agent on every endpoint to identify and classify sensitive data as it is created, then enforce policies on and off the corporate network. Like Network DLP, Endpoint DLP can monitor and control email body and attachments, browser activity, and cloud storage services. In addition, it provides visibility and control of local activity, including copy/paste and changing file extensions to obfuscate sensitive data and all interactions with removable storage devices, home printers, and other peripherals.

Endpoint DLP requires a local agent to identify, classify, monitor, and control how users interact with sensitive data. The agent allows Endpoint DLP to enforce policies to prevent data loss on and off the corporate network.

Host-based Data Loss Prevention is another term for Endpoint Data Loss Prevention.

Most insider threat solutions rely on a “lock and block” paradigm; tagging sensitive data and then preventing unauthorized access through complex rules about what actions individuals or groups are allowed to take with specific data types. This requires extensive configurations and constant tweaking of rules as employees are inevitably blocked from unanticipated, but legitimate actions. To avoid user frustration, many are deployed in “monitor” mode, providing alerts only after data is exfiltrated. This traditional type of solution can be difficult to employ at scale and may cause employee mistrust, due to the invasive nature of the tools.

Typically, not. DLP is more focused on what actions individual users are taking with data marked as sensitive. Malicious software - or malware - is more likely to be detected and blocked by network and endpoint anti-malware solutions.

Data Loss Prevention is a strategy focused on malicious insiders seeking to steal sensitive information. Data Leakage Prevention focuses on careless or negligent users who may unintentionally put sensitive data at risk. In a Work-from-Anywhere (WFA) environment, data leakage potential increases. Employees are more likely to use personal devices for work tasks, including printers, removable storage devices, personal phones, and other computing devices.

User and Entity Behavior Analytics (UEBA) is a technology leveraging expert system logic (rules and/or artificial intelligence and machine learning) to detect user threats within their networks. While UEBA solutions have developed useful models for analysis and alerts, their implementation relies on log files, which are a flawed data source for capturing user behavior. They miss abnormal and suspicious user activity on the endpoint, like renaming files and other obfuscation techniques. They’re also blind to user activity off the corporate network. Analyzing the log files and correlating events takes time and is prone to false positives. This also means they cannot respond to common user attacks quickly enough to prevent damage.

User and Entity Behavior Analytics, or UEBA, is an approach to data loss prevention that identifies threats by looking for behavior that differs from a previously established baseline of behavior from that user or entity, such as a server or router. This can include unusual activity with a new set of data, large downloads of data, communication with or from unusual IP addresses, and other anomalous activity.

User and Entity Behavior Analytics (UEBA) is another term for User Behavior Analytics (UBA).

Insider threats are employees, vendors, or partners who plan and execute actions to steal or release data or sabotage corporate systems. Insider threats are distinct from insider risks due to intent.

Insider threats are most often financially motivated. They may wish to personally profit from the sale of sensitive corporate information and IP on the black market, take that data with them to their next employer to quickly "add value," or, in rare cases, are engaged by an external third party who is offering to compensate them financially in exchange for their help exfiltrating data. Insider threats can also include new employees who have stolen information from previous employers and stored it on corporate networks.

Anyone who has access to sensitive information is an insider risk. Humans make mistakes, whether accidentally emailing data to the wrong recipient, misplacing their computer, or having company data stolen from their car. Insider risks are also those who place sensitive data at risk by misusing it with innocent intent, including sending sensitive information to their private email or cloud storage accounts so they can work remotely.

Risk does not imply malicious intent. That is reserved for insider threats - those employees, vendors, or partners who plan and execute actions to steal or release data or sabotage corporate systems.

Malicious insiders are those who seek to harm an organization by stealing sensitive data and can include employees, contractors, and others with access to IP. Their motivations can include espionage, fraud, or IP theft. Examples include employees who bring data with them to their next employer to quickly “add value” or personally profit from the sale of sensitive corporate information and IP on the black market.

2022 gave rise to a new insider threat persona, the super malicious insider. These threat actors have the same motivations as malicious insiders, but also the technical proficiency to carry out attacks.

Super malicious insiders are acutely aware of an organization’s technical limitations in proactively detecting insider threats and often have received training (usually provided by their employers) to understand how traditional cyber security solutions identify threats (i.e., Data Loss Prevention, User Activity Monitoring, Firewalls, Virtual Private Networks, and IAM).

To stop the super malicious insider, organizations need to understand how their actions differ from insiders with benign intent and from malicious insiders with lesser technical skills. To do so, organizations cannot rely on detecting overt actions such as those covered by rule-based DLP solutions.

The key to stopping a malicious insider is to first identify those who intentionally seek to cause harm. By understanding the underlying behavioral indicators that increase insider risk (including the differences in the way malicious and non-malicious users search, aggregate, manipulate, and transfer data), it becomes possible to detect and disrupt an insider threat before any irreparable harm is caused.

Malicious insiders - in particular, super malicious insiders - will provide clues of their intent through their actions. For the former, this could include anomalous behavior like gathering large numbers of files they normally don’t access, taking excessive screen captures, and using TOR browsers or other obfuscation techniques. Super malicious users are more subtle and better able to hide their activities, obfuscate data, and exfiltrate sensitive information without detection. Often, they have received cyber security training and understand data loss prevention, insider threat, and activity monitoring technologies. Likewise, they understand their organization’s cyber security landscape and technology stack and understand the specific configuration of their organization's defenses.

A remote workforce complicates security since users are often using less secure home networks and have access to unapproved software and hardware. A Remote Work Security Policy provides guidance and controls to protect users and corporate IP. This can include:

1. Keep all systems patched and up to date. Unpatched applications and operating systems are easy targets for hackers. Often, exploits are publicly available, making attacks available to even poorly skilled attackers. This includes home routers.

2. Use a VPN. Virtual Private Networks (VPN) encrypt all traffic to and from an endpoint. This is particularly important if you’re on public Wi-Fi at a coffee shop or shared workspace.

3. Use corporate services for email, data storage, video conferencing, and messaging. These corporate-managed services will have better security configurations and are updated by your IT staff.

4. Lock all mobile devices. Smartphones store your email and attachments, including sensitive data like product and financial plans, customer data, and other IP. An adversary with your smartphone may have nearly as much sensitive information as one with your computer.

5. Don’t open attachments from people you don’t know, especially on your corporate devices. Phishing attacks have grown in popularity. Clicking on a malicious attachment or link can launch a ransomware attack or provide an attacker with a foothold in your organization.

6. Use a password manager. Weak passwords can be guessed or brute force attacked by a hacker. Password managers make it simple to use different strong passwords for each website or application.

Rather than building complex rules regarding which actions each user can take with each category of data, DTEX focuses on identifying activities that are precursors to exfiltrating data. These “Indicators of Intent” are identified by observing and correlating activities associated with earlier stages in the Insider Threat Kill Chain.

Monitoring for Indicators of Intent simplifies an organization’s defenses. Rather than attempting to classify every piece of data and role-based rules for legitimate use, organizations monitor all activities by all users (while protecting user privacy) to alert on suspicious, anomalous, and known-bad activities before data exfiltration is attempted. This includes capturing all user, process, and file system activity of data, machines, applications, and people (DMAP+) in near-real-time, both on and off the corporate network.

The second stage of DTEX InTERCEPT’s approach is to enrich the raw data from activity monitoring with behavior analytics, risk profiling, and machine learning to expose Indicators of Intent. DTEX uses techniques, including Markov Modeling, Entity Clustering, and Multifactor Regression, to enrich the raw data from activity monitoring and discern between legitimate activities and malicious intent. Two important stages of behavioral enrichment are Activity Annotation and Activity Correlation.

Step three is predictive analytics. DTEX’s Predictive Analytics engine focuses quickly on those combinations of activities indicative of an attack – before the attack is completed. Provided with complete activity information, behavioral context, and predictive analytics, DTEX InTERCEPT processes and tracks the artifacts produced by these steps - in context with the users, roles, data, and devices - to spot Indicators of Intent and stop attacks long before exfiltration attempts are practical.