The Hack Post

The Problem With Traditional Insider Risk Management


Just nine years ago, the reality of insider risk was thrown into the spotlight when Sony Pictures was attacked in an apparent act of revenge. The attackers claimed they had help from Sony staff who were sympathetic to their cause. Before this highly publicized event, the idea of insider risk was reserved for spy-thriller movies, and its mere mention was often met with extreme skepticism in board rooms.

The realization that insider risk could be so damaging brought greater awareness of the problem. Insider risk management itself, however, has had as difficult a path to acceptance as the spy-thriller scenarios corporate management once dismissed, because the traditional risk management tools failed to live up to expectations.

The first problem with traditional insider risk management solutions is that they analyze behavior rather than the data being handled. This lack of context creates a disconnect between a behavior and the data or events around it over time. The result is an abundance of false alerts that waste an analyst's time, while actual insider threats go unnoticed or are overlooked entirely.

A better insider risk management platform operates across platforms. Context becomes clear when a solution examines user behavior across cloud services, devices, messaging, email, apps and more, and then correlates related events across those platforms. Integration with both on-premises and cloud directory services is also important for accurate identity information, and role-based access control makes it easier to govern and track individual attributes.

Another problem with traditional insider risk management platforms is that they default to inaction. Much like a smoke detector chirping about a dead battery, an alert can be ignored no matter how annoying it is. When the problem is compounded by multiple alerts, the lack of automated action becomes overwhelming, forcing the analyst to make choices based on biased criteria. Most people take the path of least resistance, addressing the easy alarms to claim many resolved cases while the more difficult, and potentially more damaging, ones go unattended.

User watchlists and elevated remediation shift the burden away from the analyst, using automation to prevent data exfiltration before a closer examination takes place. Actions such as blocking uploads to unapproved destinations significantly reduce the risk. Even when the exfiltration is the result of an error, the resulting obligation to notify affected individuals is costly in time and resources. Automated upload prevention therefore adds real value to an insider risk management platform.
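The two points above, correlating events from several platforms through a directory lookup and then letting a watchlist escalate the response from an alert to an automatic block, are sketched below as a small Python example. It is an added illustration, not code from The Hack Post or from any insider risk product; the event sources, field names, the directory map, the approved-destination list and the 30-minute correlation window are all constructed assumptions.

```python
"""Cross-platform event correlation with watchlist-driven upload blocking.

Added illustration, not code from The Hack Post or any vendor product.
Event sources, field names, the directory map, the approved destinations
and the correlation window are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed identity map: each platform reports the same person differently
# (on-prem domain account, cloud UPN, local device account), so a directory
# lookup is needed before events from different sources can be tied together.
DIRECTORY = {
    "CORP\\jdoe": "jdoe@example.com",
    "jdoe@example.com": "jdoe@example.com",
    "LAPTOP-42\\jdoe": "jdoe@example.com",
}

APPROVED_DESTINATIONS = {"sharepoint.example.com", "mail.example.com"}
WATCHLIST = {"jdoe@example.com"}          # users under elevated remediation
CORRELATION_WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    source: str        # "endpoint", "cloud" or "email" (constructed sources)
    raw_user: str      # identity exactly as that source reported it
    action: str        # "download" or "upload"
    label: str         # data classification attached to the file
    destination: str   # where the data went (empty for downloads)
    ts: datetime


def resolve(raw_user: str) -> str:
    """Map a platform-specific identity to one directory identity."""
    return DIRECTORY.get(raw_user, raw_user)


def correlate(events):
    """Group events by resolved identity, ordered in time."""
    by_user = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user.setdefault(resolve(e.raw_user), []).append(e)
    return by_user


def decide(events):
    """Return (user, destination, verdict) for every upload.

    Behavior alone ("upload to an unapproved destination") only rates LOW.
    The same upload shortly after a download of confidential data becomes an
    ALERT, and for a watchlisted user a BLOCK, so the exfiltration is stopped
    before the analyst looks at it.
    """
    decisions = []
    for user, timeline in correlate(events).items():
        sensitive_downloads = []
        for e in timeline:
            if e.action == "download" and e.label == "confidential":
                sensitive_downloads.append(e.ts)
            elif e.action == "upload":
                in_window = any(e.ts - t <= CORRELATION_WINDOW for t in sensitive_downloads)
                unapproved = e.destination not in APPROVED_DESTINATIONS
                if in_window and unapproved:
                    verdict = "BLOCK" if user in WATCHLIST else "ALERT"
                elif unapproved:
                    verdict = "LOW"
                else:
                    verdict = "IGNORE"
                decisions.append((user, e.destination, verdict))
    return decisions


# Constructed sample timeline across three platforms.
T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("endpoint", "CORP\\jdoe", "download", "confidential", "", T0),
    Event("cloud", "jdoe@example.com", "upload", "confidential", "sharepoint.example.com", T0 + timedelta(minutes=5)),
    Event("cloud", "LAPTOP-42\\jdoe", "upload", "confidential", "files.personal-cloud.example", T0 + timedelta(minutes=20)),
    Event("email", "asmith@example.com", "upload", "unlabelled", "files.personal-cloud.example", T0 + timedelta(hours=1)),
]


def run_sample():
    return decide(SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, dest, verdict in run_sample():
        print(f"{verdict:6} {user} -> {dest}")
```

Without the directory map the three jdoe events would look like three unrelated users and the confidential download would never be tied to the personal-cloud upload; with it, the same upload that rates LOW for asmith becomes a BLOCK for the watchlisted user.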

Traditional insider risk management platforms give just enough information to make assumptions. But, just as an attorney cannot present a case built on conjecture, an analyst must gather supporting evidence that connects an action to a person. The lack of contextual information, particularly about intent, challenges even the best analysts. Accusations without evidence are generally not actionable.

Meaningful, clear action tracking can mean the difference between solid evidence of data manipulation and weak assumptions. A good insider risk management platform can detect subterfuge, such as a sensitive file's extension being renamed to something innocuous. Screen captures can also be replayed to witness the attempted data exfiltration, and forensic file capture adds further evidence by preserving the file whose policy violation triggered the alert.
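As an added example of the kind of evidence-producing check described above (not code from The Hack Post or from any product), the Python below combines two detections: a rename event that moves a file from a sensitive extension to a benign one, and a content check on a later upload whose leading bytes still match the original format. The file events, paths and sample bytes are constructed; the byte signatures for ZIP-based Office files, PDF, JPEG and PNG are the real ones.

```python
"""Detecting file-extension subterfuge and recording evidence.

Added illustration, not code from The Hack Post or any insider risk product.
The FileEvent shape, the extension sets and the sample events are constructed
assumptions; the magic-number prefixes are the real file signatures.
"""
import hashlib
from dataclasses import dataclass

SENSITIVE_EXT = {".xlsx", ".docx", ".pptx", ".pdf", ".csv", ".sql"}
BENIGN_EXT = {".txt", ".jpg", ".jpeg", ".png", ".log", ".tmp", ".bak"}

# (leading bytes, family name, extensions that legitimately carry them).
# Office Open XML documents are ZIP containers, hence the "PK" signature.
MAGIC = [
    (b"PK\x03\x04", "office-zip", {".xlsx", ".docx", ".pptx", ".zip"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
]


@dataclass
class FileEvent:
    user: str
    action: str            # "rename" or "upload"
    path: str
    new_path: str = ""     # populated for renames
    content: bytes = b""   # leading bytes captured by the agent, for uploads


def ext_of(path: str) -> str:
    """Lower-cased extension of the file name, '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    i = name.rfind(".")
    return name[i:].lower() if i > 0 else ""


def suspicious_rename(old_path: str, new_path: str) -> bool:
    """True when a sensitive extension is swapped for an innocuous one."""
    return ext_of(old_path) in SENSITIVE_EXT and ext_of(new_path) in BENIGN_EXT


def content_mismatch(path: str, content: bytes):
    """Family the bytes indicate when it disagrees with the extension, else None.

    Formats without a signature (plain text, CSV) cannot be judged this way.
    """
    for sig, family, exts in MAGIC:
        if content.startswith(sig):
            return None if ext_of(path) in exts else family
    return None


def assess(events):
    """Build evidence records from a stream of file events.

    A suspicious rename is remembered per user; an upload of that renamed file,
    or of any file whose bytes contradict its extension, yields a finding that
    names the original file, the format the content looks like, and a hash of
    the captured bytes so the record can be tied to the forensic copy.
    """
    renamed = {}      # (user, new_path) -> original path
    findings = []
    for e in events:
        if e.action == "rename" and suspicious_rename(e.path, e.new_path):
            renamed[(e.user, e.new_path)] = e.path
        elif e.action == "upload":
            family = content_mismatch(e.path, e.content)
            origin = renamed.get((e.user, e.path))
            if family or origin:
                findings.append({
                    "user": e.user,
                    "uploaded_as": e.path,
                    "original_name": origin,
                    "content_looks_like": family,
                    "sha256": hashlib.sha256(e.content).hexdigest(),
                })
    return findings


# Constructed sample: one rename-and-upload, one benign photo, one harmless rename.
SAMPLE_EVENTS = [
    FileEvent("jdoe", "rename", "C:/Users/jdoe/Q3-payroll.xlsx", new_path="C:/Users/jdoe/notes.txt"),
    FileEvent("jdoe", "upload", "C:/Users/jdoe/notes.txt",
              content=b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24),
    FileEvent("asmith", "upload", "C:/Users/asmith/photo.jpg", content=b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    FileEvent("asmith", "rename", "C:/Users/asmith/report.docx", new_path="C:/Users/asmith/report-final.docx"),
]


def run_sample():
    return assess(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The rename check on its own is only a hint, since people rename files for ordinary reasons; the content check on its own cannot say why a spreadsheet is travelling under a .txt name. Together, with the hash of the captured bytes, they give the analyst the connected evidence the paragraph above asks for rather than a bare behavioral alert.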

According to Gartner, a superior insider risk management solution delivers the advantage of “combining traditional endpoint data loss prevention with incident response capabilities in order to empower cybersecurity teams to discover and detect not just individual instances of real-time sensitive data exposure within applications, but the end user activity leading up to these incidents.”

The idea of insider risk is no longer the whimsical notion of a hyper-paranoid cybersecurity analyst. Recent incidents show that the threat is real. Fortunately, insider risk management has gained wider acceptance and continues to grow. However, not just any insider risk management platform will do the job adequately. Traditional risk management solutions provide only partial information, leaving a lot to difficult sleuthing or failing outright because of speculative assumptions. To deliver real value, an insider risk management platform must provide information that is timely and accurate, and must be able to remediate potential problems before they reach crisis levels.