Back to Blog
5/31/2022
-
XX
Minute Read

Finding Unexpected Security Gems With DDR

Chris Saucier

Cyberhaven combines a complete understanding of what enterprise data is and what is being done to it. This is a powerful combination that allows for a thorough understanding of the context and causes of risks.

In this article

One of the really fun parts of working at Cyberhaven is that we are constantly running into new ways of using the technology that no one really expected. It’s almost like thinking back to the first days of computers – if you had never used a computer before, then you might look at one and decide it’s just a really big calculator or an electronic typewriter. Sure it can do those things – but most of the really important uses are the ones that you’d never thought of yet.

It often feels like Cyberhaven’s Data Detection and Response (DDR) platform is in a similar state when compared to DLP. Sure, it can solve DLP problems in ways that traditional tools never could, but that is just the tip of the iceberg. What Cyberhaven really does is give organizations a new way of seeing and controlling risk that can be used in countless ways.

The underlying game changer is that Cyberhaven combines a complete understanding of what enterprise data is and what is being done to it. It is a full lineage of data x actions. When you can pick any piece of data and know exactly what it is in a business context combined with everything that has been and is being done to that data, you suddenly have a new and very powerful view into enterprise risk.

And when you are armed with a truly new security perspective, you tend to happily bump into new use cases that you never thought of before. Just in the past week, I’ve encountered a few examples:

Employees Using Personal Password Files

Cyberhaven automatically keeps track of every data-related action on an end user’s device. We do this to make sure we can follow the flow of sensitive data in case it is copy/pasted from one file to another, or encrypted, or renamed, or any number of other actions.

This visibility provided some unexpected insight by revealing users who were storing username/password data in plaintext files and copy/pasting them into personal and corporate services. In this case, we were able to notice behavior that wasn’t malicious or related to data loss, but it was still risky behavior that security teams would want to know about. Staff could either choose to reach out to the relevant users to recommend better password security practices, or even could generate automated messages to warn users in real-time.

Detecting Malware Via File Ingress

In addition to seeing where data is going, Cyberhaven can also provide insight into where data is coming from. This popped up when we were able to use Cyberhaven to identify that a user’s laptop was compromised with ad-rotator malware. By monitoring the system, we were able to identify the malware downloading new files from external sources.

Of course, Cyberhaven is not a malware detection tool, but this case again serves to show the ways you can find unseen risk when you combine low-level data and behavior contexts.

The End-User and the Mouse Jiggler

In a more light-hearted example, I happened across a case where a user was using a “mouse jiggler” to prevent the system from hibernating. If you haven’t encountered a mouse jiggler before, they are simple applications whose sole purpose is to periodically move a user’s mouse to prevent the system from going to sleep.

This can serve a practical purpose for things like keeping your laptop awake while showing a long presentation. However, they are often used by remote employees in order to give the impression that they are logged in and active even when away from their laptops.

Admittedly, these apps probably aren’t going to keep many security teams up at night. On the other hand, it highlights the need for organizations to have insight into what users are actually up to during remote work. While a mouse jiggler is pretty benign, there are plenty of riskier apps and behaviors that actually could put the user and the enterprise at risk. And by seeing fine-grained behavior down to the level of mouse movement and other system details, security teams can keep track of what is actually happening on important devices.

To be clear, these are just three examples that have happened to pop up recently. However, they hopefully provide a little food for thought for how Cyberhaven can bring a truly new perspective to the management of enterprise risk. If you’d like to learn more or have your own experiences to share, please contact us.