Today, we’re excited to announce Cyberhaven for Insider Threats. Built on the data lineage and graph engine that powers our next-generation data loss prevention solution, this new offering brings together analysis of data’s content and context with behavior for the first time. The result is we’re able to more accurately detect data misuse and theft compared with traditional insider threat products. But it’s not enough to accurately detect a threat—and so we not only alert you to an incident, we immediately intervene and stop data exfiltration as it’s happening.
Insider threats are growing more frequent and impactful
As important data spreads within organizations, facilitated by open cultures and cloud apps that make it easier to share and collaborate, employees naturally have access to more data. This is a good thing for productivity, but it can increase the impact of a malicious employee misusing or stealing data or even a careless employee making a mistake that puts data at risk.
There have also been major upheavals to how we work. Remote and hybrid work and The Great Resignation are leading to more insider threats. Earlier this year, we documented these trends in our 2022 Insider Risk Report, analyzing anonymized behavior for over 1.4 million workers, who collectively generated 360,000 data exfiltration incidents in the first half of 2022.
The impact of an insider threat can be enormous. Consider a few recent high-profile examples:
- Former Apple Car engineer Xiaolang Zhang AirDropped 24GB of schematics and other design files to his wife’s laptop the day he quit to join competitor XPeng
- Former Yahoo! Engineer Qian Sang took 570,000 pages of source code the day he quit to join competitor The Trade Desk
- Former Uber executive Mark MacGann leaked over 124,000 company documents to the media igniting a firestorm of controversy and potential regulatory action.
“The key challenge with insider threat tools is that they alert you to threats but don’t stop them. And they don’t detect actual threats, many of their alerts turn out to be false positives. Cyberhaven can take action to stop data exfiltration while an insider threat is happening. That’s a big differentiator.”
– John Harris, Vice President, IT Operations at Day & Zimmermann.
Our unique solution to accurately detect insider threats
We’ve been working on this product for over 18 months. The Cyberhaven Graph already stores every event related to every piece of data, but we completely re-architected our processing engine so that we could extract more insights from these billions of events with trillions of connections. Advancements in our graph processing laid the foundation for what makes our approach so unique. We combine behavioral analysis with data analysis to reveal threats that are invisible to most insider threat tools that look only at behavior (not data).
Behavior + data content and context minimizes false positives
Our approach addresses one of the core problems with insider threat tools today—namely, that they require a lot of tuning to remove false positives. But also, in tuning their detection thresholds you have to make difficult tradeoffs between too many erroneous alerts and not detecting actual threats. Take the example of a user uploading a photo to Whatsapp. A traditional insider threat product might generate an alert because the volume of data is anomalous. If the photo isn’t important, that’s a false positive and if the product keeps detecting too many false positives the security team raises the thresholds, missing actual incidents.
Without any tuning, Cyberhaven precisely distinguishes between an employee uploading a personal photo (e.g. of a dog) and a photo containing schematics of the product. This extra dimension, what the data is, turns out to be the key to accurately detecting threats. Even if the volume of data, or frequency of behavior, or time of day wouldn’t trigger an incident in other tools, our intelligence about what data is being uploaded makes us much more sensitive to this actual insider threat while allowing us to ignore many everyday behaviors with unimportant data.
Identifying threats that unfold over weeks or even months
Another limitation with traditional insider threat tools is that they take a point-in-time view of threats. They operate under the assumption that behavior related to a threat happens all at once, so they focus on individual events in isolation, or maybe look at events co-occurring during a time period measured in hours. What we’ve found is that many incidents unfold over longer periods of time. Consider the example of a user who downloads a report from Salesforce, then holds onto it for 8 months before uploading it to her personal Dropbox. Cyberhaven stores a record of events indefinitely, and we piece them together to identify threats over time.
We don’t just detect insider threats… we stop them
Most insider threat tools today are not architected to stop threats. They’re designed to ingest events and analyze them, but they don’t have any footprint where data lives and where it moves so they can’t take action to intervene when data is at risk. Cyberhaven Sentry, the way we collect every event for every piece of data across cloud and devices, is also designed to take action in real time.
When data is at risk of being exfiltrated, Cyberhaven can instantly take action to stop exfiltration before it happens. At the same time, we surface a popup message to the user educating them on company policy and acceptable behavior. Real-time education is important, because the best security starts with culture, and an educated workforce leads to less risky behavior over time.
Everything security analysts need to quickly investigate
By introducing a new level of accuracy to detecting insider threats, Cyberhaven significantly reduces false positives sent to security analysts. Equally important, when we send alerts to analysts we provide the context they need to quickly investigate. One of the keys to resolving an insider threat investigation is determining user intent, so we provide the entire history of each event leading up to the incident to quickly understand what happened.
In some cases, the events leading to an incident still may be unclear. That’s where Cyberhaven’s Incident Replay comes in. If enabled, Cyberhaven captures the user’s screen for 30 seconds leading up to an incident so that a security analyst can see exactly what they saw and did. Customers store these screenshots in their own cloud, enhancing privacy and security. Together with the other context we provide, analysts can quickly understand what happened.