Understanding Insider Threat Before the Breach
2020 accelerated digital transformation projects for many organizations. Cloud adoption and remote access accelerated as well as massive numbers of employees worked from home for extended periods. Many organizations have turned to data loss prevention systems to protect data. But that’s only part of the equation—a modern DLP implementation must also understand activity at the user level. In that sense, not all DLP solutions are created equal.
Two recent examples of insider threat show how incorrect information can lead to bad decisions. In one, a data scientist who previously tracked COVID-19 cases for Florida was recently accused of allegedly hacking into the state’s emergency alert system to send a disruptive message five months after she was fired from her job.
In the other, dozens of postal office employees in the UK were fired because of alleged theft. Each side has maintained their innocence while accusing the system of errors. Both cases remind us the importance of context. A data loss prevention (DLP) system that understood the context behind people’s interactions with data could have validated security concerns or even exonerated employees.
Traditional DLP doesn’t understand the context behind the actions of individuals. Security solutions at times get a bad reputation for being too restrictive or on the other end of the spectrum not effective. The above examples show that there is a need for a behavior-based system that can automatically flag or allow user activities based on the level of risk. Let me walk you through a potential scenario:
What if an employee copied tens of thousands of files to a USB or cloud file share? Did she do this as part of her job? How would IT and security administrators know the difference between approved and unapproved activity? A traditional DLP solution that does not know the difference would resort to blocking the activity altogether.
That’s not a knock on DLP—it’s what the technology is designed to do, especially since traditional security is based on Indicators of Compromise (IoC). But what if it’s part of your employee’s normal routine to frequently move large amounts of data to a third-party cloud service for analysis? A DLP system with intelligent behavior analytics would recognize this behavior as normalized, yet still flag the activity as a potential risk so security has visibility to it while still allowing the employee to do her job.
So now let’s go back to the real-world examples to see how we can make security teams more effective and efficient with this concept. In Florida, the security system should have revoked credentials as soon as the employee departed. However, if the account was active, like the one in the UK, a behavior-based data protection system would elevate the visibility of the risky activity. A system built on Indicators of Behavior (IoBs) would have shown that user activity was normal, which would have validated employee claims they did nothing wrong. If their actions were deemed high risk or illegal, then the system automatically blocks access and alerts the security team.
The first step in developing a behavior-based approach: creating a profile of normal activity as the baseline for Indicators of Behavior to analyze user interactions with data and applications. This approach allows organizations to constantly assess risk so security teams can observe or block potential breaches before they occur. IoBs bring visibility to potential compromise with much more valuable and necessary context.
This context around behavior provides insight into activities that pose risk to employees, critical data and the organization at large. But how can organizations scale real-time monitoring on an ongoing basis? That’s where automation comes in. Our solution automates the process so to allow normal actions that support productivity can continue. It can also flag questionable actions and proactively respond to potential risk without requiring SecOps intervention. That’s why IoBs are important. For Forcepoint, they form the foundation of what we call Risk-Adaptive Data Protection. It represents best-in-class enterprise DLP supercharged with behavior analytics, either delivered as-as-service or on-premises.
Here's an overview of how our risk-adaptive data protection approach works from our Global Governments CTO Petko Stoyanov:
Understanding IoBs and the context of scenarios like these is a huge reason why behavior-based cybersecurity is a vast improvement over traditional data protection methods. To learn more, check out our new eBook on risk-adaptive data protection. It explains how behavior analytics can help flag risky behaviors that are digital signs of potential breaches.