Sentiment-Based Behavioral Analytics Allows This Energy Provider to Safeguard 15,000 Employees and the Power Grid
Greater insight into user behavior at 35,000 endpoints lets the company short-circuit issues inside and out and create a safer environment for the public and its own people
This enterprise was particularly concerned about compromised users who may have been tricked or coerced into sharing their credentials or divulging intellectual property—including sensitive information about power grid functionality and schematics that could open a door to acts of sabotage. As a renewable energy trader, they also faced the added complication of the high stakes, real-time trading market in which their employees participate. For these reasons, they rely on insights from Forcepoint to better understand user intent and ensure safety and reliability in a complex environment.
- Safeguard customer PII and proprietary information on SharePoint
- Protect against compromised users
- Time to investigation resolution decreased from ~4 days to just 2 hours
- Multiple cases referred for prosecution
Gaining awareness of potentially vulnerable employees
In early 2018, the Department of Homeland Security released details on Russian efforts to target U.S. critical infrastructure—just one example of many worldwide. The potential for foreign nation state or terrorist attacks on power grids is only increasing. This major renewable energy provider was particularly concerned about compromised users—those who perhaps had been victims of social engineering or by some other method tricked or coerced into sharing their credentials or divulging sensitive information.
“A lot of companies don’t have to deal with concerns about terrorists. That really raises the stakes,” said Justin Truglio, Forcepoint account executive.
Another challenge was the protection of valuable customer and proprietary information on Microsoft SharePoint, the company’s primary data repository. The only visibility the security team had within the application was the standard activity log, when what they needed was insight into activities that introduce vulnerability. For example, if an employee downloads a SharePoint file, manipulates its contents, then re-uploads it to the application, it could be perfectly innocent and in line with the employee’s job function—or it could be an indicator of something more concerning. Security was only alerted by the most basic threats: obviously malicious activity driven by a virus, caught by antivirus software—all other activity stayed in the dark.
The company also worried about the effect of the energy market’s 24/7 trading environment on its traders’ well-being. The market is so lucrative, and calls for so many split-second decisions, that traders spend long hours at the office under high-pressure conditions. This kind of stress could potentially cause reactions including self-harm or workplace violence. The company wanted insight that would empower it to take proactive measures if necessary, while also allowing traders to continue being productive.
A greater depth of knowledge with accessible endpoint visibility
The traditional cybersecurity approach of reviewing disparate activity logs to assemble pieces of a puzzle was not only inefficient, but was also ineffective. Full visibility of employee behavior and interactions with company data was necessary to understand the bigger picture of what is happening—and what is likely to happen—across the environment.
“A lot of companies don’t have to deal with concerns about terrorists. That really raises the stakes.”
After reviewing potential solutions, the company turned to Forcepoint Insider Threat paired with Forcepoint Behavioral Analytics. This integration promised the holistic visibility, psychological insights, and robust enforcement needed to protect the company’s sensitive workplace ecosystem.
Because Insider Threat lives on the endpoint, it can provide more detailed information. With this deeper visibility, it’s possible to set policies that will trigger in the case of specific actions or events—including psychological indicators of potential burnout, self-harm, or terrorist support. Alerting on these activities then allows a thorough investigation to take place. Unlike competitive solutions, Forcepoint Insider Threat provides evidence and important forensics capabilities during an investigation via color screencapture video recording and playback. Having these activities recorded allows the company to discover if the event was innocuous or, if not, to gather video evidence if legal action is necessary.
Behavioral Analytics expands beyond the endpoint to ingest multiple data sources. It utilizes a powerful analytics engine to create a baseline of behavior—the typical ways in which an individual interacts with data, browses the web, communicates with colleagues, and so on. From there, it’s able to identify combinations of anomalous activities that fall outside users’ usual routines. For example, logging in at unusual hours, accessing data not required for their jobs, or sending files to unauthorized recipients. The Behavioral Analytics risk ranking feature allows the enterprise security team to determine which users most need deeper investigation.
Turning disparate pieces of data into actionable insights
Before using Forcepoint, investigators had to visit multiple servers and check a multitude of proxy logs and data sources to piece together a still-incomplete narrative. But all that has changed. Between Forcepoint Insider Threat endpoint data, SharePoint logs, firewall data, proxy data, antivirus logs, badging/access and other sources, the company is now ingesting about 9.5 million data points into Behavioral Analytics. Behavioral Analytics correlates those data points in a way that gives security teams the context they need to help distinguish a real threat from a false alarm.
“While competitive systems might provide piles of hay, we’re giving them piles of prioritized needles.”
“We are able to consolidate all that information down into one view. And on top of that, we have full visibility at the endpoint so we can see real intent. To complete the picture, we have the video to see what actually happened,” said Truglio. “While competitive systems might provide piles of hay, we’re giving them piles of prioritized needles.”
All of this has combined to decrease time to investigation resolution from approximately four days to just a couple of hours. The increased visibility has also led to multiple cases being referred for prosecution based on the evidence collected with the Forcepoint solution.
Going forward, the company’s insider threat organization is exploring the idea of expanding its scope into proactive data protection. The team is discussing how Forcepoint’s Insider Threat, Behavioral Analytics, and Data Loss Prevention (DLP) can come together to provide more comprehensive security.
The two companies have formed a trusted strategic partnership across several levels of the business, reinforced by their shared approach to cybersecurity as an integrated platform rather than siloed solutions. “The fact that they can come to us for various things to integrate into their security stack is valuable for them,” said Truglio.