
Virtual Holiday Demo & Dinner: Next-Gen Data Protection with Cyberhaven


December 17, 2025



Introduction and Webinar Overview

Cole Padula: Hello? Hello everybody. Welcome to Cyberhaven's webinar, where we're reimagining DLP and insider threat. My name is Cole Padula. I'm a solutions engineer here at Cyberhaven. I've been here for just under a year. Today I wanna make this the jolliest webinar this December for all of our attendees.

Really excited to take you through everything today. A couple of notes about the webinar. We want this to be interactive. We have a live Q&A button that you can utilize, and a chat function that you can utilize during our conversation today. If you have questions, please be sure to ask them in that chat.

I'll be sure to circle back to Q&A towards the end of our conversation today. Currently, in this slideshow view that I'm in, I can't see the chat at all points in time, but I'll do my best to answer all those questions when we move on to the next portion of the conversation.

Traditional Data Protection Challenges

Cole Padula: Without further ado, let's go ahead and get started and talk about Cyberhaven and how we're reimagining data loss prevention, DSPM, as well as insider threat, and getting visibility into how all of your sensitive data is moving across environments. I first wanna start and talk about DLP and traditional data protection, as that is what a lot of the organizations I personally work with are most familiar with.

Typically what we see out in the data protection landscape is that it relies highly on content-based understanding, and then applies rules at specific egress points, whether that's USB, whether that's specific websites, whether that's different command line utilities.

It prevents users from performing specific actions based on a set of rules that is based on content. So we have a fantastic example, right? It's the holidays, right? We see Bill, a member of our sales team, uploading a document called Holiday Cards.xlsx to a Dropbox account, and it's affiliated to a personal account.

Maybe Bill is going around the office, getting names, addresses, and phone numbers for folks that he and his wife could send a holiday card to for the upcoming holiday season. Unfortunately, Bill was unable to perform that action, primarily because this file contained elements of PII.

Names, addresses, phone numbers. He was prevented from performing that action. The number of times this specific scenario is brought up to me as I work with organizations is very frequent, right? Hey, I need to understand and differentiate based on where my data is coming from, as well as what the data contains, to accurately perform data egress controls based on where users might be sending data to, right?

And this is just one of the many problems that we see with a traditional approach to DLP. The first one is we have to focus on known risks, right? We have to go out and explicitly write a rule: I want visibility any time data that contains elements of, or looks like, PII is sent to Dropbox accounts, right?

We don't use Dropbox here at the organization. I wanna be sure that we put controls in place when data matching PII goes to this destination. If we didn't have a rule in place, we'd have to utilize native system logs, Splunk records. We'd have to utilize a number of different solutions to understand how files may have gone from point A to point B. There's no singular method to understand how those files may have moved around.

Highly reliant on content inspection, as we've touched upon, right? In order to understand exactly how the data is moving and what it contains, we have an engine that's actively running on the endpoint, understanding what the content is, and then applying a control based on whether it contains a match for a specific destination around that rule. That content inspection tool is primarily on an endpoint, right? It's living on the device itself, and as a result we see users experience performance issues, right?

Slowness, blue screens, things that our IT and our security teams don't wanna deal with. That's mainly driven by a highly invasive kernel-level method of understanding. Again, running that content inspection engine, utilizing things like web proxying, proxying any type of traffic to get understanding, capability and control around these specific events.

The result, right? We don't know what we don't know, right? When we don't have visibility into unknown risk areas, we don't get visibility around those specific actions. We have to go to third-party tools to understand how files may have moved around in situations like this, right? An analyst might review this and say, this is potentially a false positive, right?

It's December 17th today. Maybe Bill is just running a little bit late getting his holiday cards uploaded so that he and his wife can get them uploaded into Shutterfly and then sent out to all of their friends and family and coworkers. I might look at this and move on to the next one in the cycle.

And also a poor end user experience, right? Maybe Bill is trying to upload this consistently, right? It's, hey, this is just a list of addresses of coworkers I work with. As a result, right? I'm getting blocked. I'm getting prevented from performing this legitimate action.

I have to go to the security team, get a bypass, get it approved, I go to my manager. It's a long list, and it creates work for other individuals.

Cyber Haven's Approach to Data Protection

Cole Padula: So how does Cyberhaven approach this problem? We understand that this data contains PII. We know it contains names, addresses, and phone numbers.

We see that it's going to Dropbox. Our differentiation is that we can see this file's entire lifecycle. We know where it came from. We know who touched it, and we know how Bill got access to it. If we look at the lineage for this specific example, we can see that this data actually came from Salesforce.

Now, last time I checked, I don't keep my CEO's address, phone number, and name inside of Salesforce. That's usually where I keep my client records. And Bill is actively working within the sales team. So that's a thing of note. We mentioned that earlier. We're gonna come back to that in just a few moments.

We see that Bill wasn't even the one that originally downloaded it; it was originally downloaded by Allison. She shared that with two of her colleagues, sent it to Liam and Emma. Emma takes that file, uploads it into the corporate Google Sheets repository, which Bill has direct access to, right? So he has overshared access to a specific location within Google Sheets, or he has direct access to this to perform day-to-day operations, right?

Cyberhaven gives you visibility around who might have access to a specific site or a specific solution. As a result, Bill downloads his Q4 customers document, right? He renames it Holiday Cards.xlsx and he uploads it to Dropbox. What we don't know is that there are other events occurring earlier on in the day that showed Bill also uploading resumes to LinkedIn and to Indeed, applying for new jobs, right?

That's an indicator of risk: Bill actively looking for new employment. And now we see this event where data came from Salesforce and now it's going to Bill's personal Dropbox account. And now Cyberhaven is stepping in and blocking that action from occurring. So we give you full visibility into all these actions.

We compare and contrast against other events that this employee Bill may have performed, and we give you full insight into both the data's full lifecycle, its full lineage, as well as a deeper understanding around a user's intent, utilizing both context- and content-based models for the files that your employees are utilizing.

Three-Pronged Approach: Endpoint, Browser, API

Cole Padula: I'd like to talk about how this all works. I'm gonna cover architecture in just a few moments, but from a high level, right? Cyberhaven takes a three-pronged approach. Those three prongs are, first, an endpoint agent, right? Endpoint DLP. Everyone on this call is likely familiar with that concept, right?

What Cyberhaven does a little bit differently is our agent operates in the user space. We're not tied to, we're not living in, the kernel, slowing down actions, understanding it, performing traditional ways of content inspection as a traditional data protection solution might do.

That's a performance positive for the endpoints within your organization. So for your folks in your development teams who have complained that the DLP solution is slowing them down, Cyberhaven can be implemented, giving you full visibility into what your developers are doing without slowing their productive workflows down in any way, shape, or form.

The second prong is a browser extension that gives us visibility into the web apps that your employees might be utilizing, right? Maybe you're an O365 shop, right? And you want to help differentiate between a personal OneDrive versus an enterprise version of OneDrive. That browser extension gives us that visibility.

I always love to give the example, right? I can show you mail.google.com, right? If you're a G Suite shop, that domain looks exactly the same. You might be implementing a level of control utilizing a SWG or a CASB or firewall rules to permit actions to go to mail.google.com, but it's very difficult to differentiate between the user accounts that might be logged into that solution.

With Cyberhaven, we pull that information in and we can put controls in place when I might be trying to send that data to Cole Padula at gmail dot com versus Cole [email protected]. And then finally our third prong, our API connections. This is what powers our DSPM platform. So what we're actively doing is we're creating connections to your O365, your GitHubs, your Azure, your AWS S3s, and then scanning the data both historically and forward to understand what content is actively living in those solutions.

We label that content when it goes into motion. We utilize those labels to understand what the content already contains. So we don't have to rely on a traditional approach of performing content inspection once the file goes into motion. We already know that data coming from S3 is gonna contain customer records, raw customer data.

We're gonna apply controls on that just based on where it's coming from and previous scans that have already been done. Those API connections also give you visibility into how employees might be accessing corporate resources from personal devices. I talk to a lot of organizations that allow employees to access sensitive data or corporate data from their phone.

How do I know when that data is being downloaded to that device? With Cyberhaven, we can create monitoring rules to let you know when Bill might be downloading a number of different reports that have been stored within Office 365 services and then maybe potentially emailing that to an external destination utilizing his corporate webmail account from his phone.

We can give you visibility around all of these different actions.

Data Visibility and Control

Cole Padula: So this three-pronged approach, what are we doing with all this information that we're capturing? We effectively act as a flight recorder. Again, going back a few slides, right? One of the main problems with traditional data protection is I don't have visibility into my unknowns.

So instead of relying on predefined rules to signal that an event has occurred, we're capturing every single event, but only notifying you when data comes from a specific location that you care about and it goes to a specific destination that you're worried about, right? Sensitive IP going to generative AI solutions.

Great example, right? But then we have all these other events that you can search against and utilize to tune and understand historical information. I'm gonna give you a few examples of that when we get later in the demonstration today. But effectively what we're doing is we're capturing nonsensitive metadata and storing that information within a graph database.

And then what we're doing is we're utilizing links between events to understand how a file got from point A to point B to point C, which we can see here on our screen, right? So we utilize these strong and weak links within the metadata to understand how files have moved around historically. And then we give you the opportunity to search against that and then apply controls at the egress point when that data reaches a certain destination at a specific point in time.

So with Cyberhaven, all of your data is visible. We see every action. We understand where it's stored, what it looks like, when it's at risk. Controls to that data when it goes into motion, and then when that data reaches a specific destination, applying an egress-based control, right? Whether that's a block, whether that's a warning, whether that's a monitor that notifies your SIEM or your security team via Slack integration, you have full visibility into every action that occurs across your environment.

One key point that I always like to talk about is: Cole, what types of data can you detect? The answer is yes. And what I mean by that is Cyberhaven has visibility into all these different actions and we're data agnostic, right? Your data might take many different forms, right?

If you're a manufacturing company or you have a manufacturing arm of your business, your data might be generated from CAD solutions, right? Like SolidWorks or AutoCAD, right? You're going to be generating CAD-based documents. That data's gonna be coming from PS Z, might be May. You might be utilizing on-prem, right?

We can classify all these locations and look for data that's generated by these solutions or stored in specific locations. Your data might be unstructured. Maybe you have a development arm within your organization as well. We can target specific repos within GitHub, scan that data at rest, and then when users or employees are fetching that data and then trying to push it to external GitHub repos, we can give you visibility and apply controls to that data once it's going into motion.

Your customer data might come from a number of different places. I utilize Salesforce a lot in the demos that I give, right? Maybe you wanna know when your Salesforce data is going to unsanctioned destinations like personal cloud storage.

We can differentiate between your tenants. We can focus all the way down to the types of reports that you want to get visibility into, or the types of data that you wanna get visibility into. And on top of all of this, utilizing context, identifying your data at the source, utilizing a combination of both DSPM and Cyberhaven's data lineage technology, we give you full visibility around how all this data is moving around.

And then on top of that, we can marry in content-based rules to reduce the total number of false positives that you might have within your organization. So you might tell me, Cole, right? All of my customer PII is stored in this specific S3 bucket, right?

So we classify that location contextually. We confirm with a content rule to understand, hey, we wanna look for at least one reference of a name and address, a phone number, a social security number, a credit card number, whatever you wanna look for. And then when that data goes into motion, right? We know what it contains, we know where it came from.

We're gonna apply a set of egress controls to that data once it goes into motion. And as a result, what that means is you get more accurate data classification. Over here on the left-hand side, right? We have the traditional way of approaching this, right? Hey, I saw this user perform a copy and paste to WhatsApp.

This copy and paste contained 10 social security numbers, five names, an address, a credit card number in this specific workflow, right? This data could come from a number of different sources, right? If you look at this, you don't know what the source is.

You just know what the file contents are. That data might be coming from TurboTax, right? Or that data might be coming from your internal HR solution, right? From ADP, right? Maybe instead of 10 social security numbers, it's three social security numbers, one name, but it's referenced three separate times.

Three addresses, one unique address mentioned three separate times. That's a W-2. Maybe that user is downloading, getting everything ready to prepare for taxes, right? We wanna allow our employees to perform actions where they might move that data to WhatsApp or to a third-party solution, 'cause we don't wanna restrict personal data flows on our devices, right?

Maybe we do in some scenarios, but in this case, right? We wanna allow our employees, or empower employees, to get their tax documents out through the channel that they prefer. When data comes from Snowflake that contains sensitive customer information, we know that Snowflake is a repository, a database of very sensitive client records.

We wanna step in and prevent that copy-paste action from occurring when it's going to WhatsApp. Cyberhaven knows, hey, we saw X number of social security numbers, X number of addresses in this copy-paste action to WhatsApp. The origin of this data was Snowflake. We wanna put controls around that specific flow. So again, more accurate data classification, instead of relying at the egress point on what this content contains.

Differentiating between true non-malicious use versus true potential malicious use, and then generating an incident for those true events. And that data can go to a number of different places. And I always stop on this slide. I always like to ask, right? Hey, what are the top destinations that you wanna get deeper visibility into?

Oh, Cole, we allow our employees to utilize WhatsApp because we're gonna be working with clients that primarily utilize that as their communication method. But I want to control specific elements of content from going to that destination, or specific types of data from going to that destination.

Maybe that's intellectual property, right? Like I don't want product designs being sent to WhatsApp. We can create rules that allow for things like customer data to be shared via WhatsApp, but then prevent data types like intellectual property from going to those destinations. Maybe we wanna get visibility into financial data, right?

Going to removable media devices, right? We don't want someone taking sensitive corporate financials and then plugging in a USB stick that's unencrypted and then taking that data with them, right? We might wanna put some specific controls in place. Maybe we wanna permit that action to go to a USB device that is managed by the organization.

We can ingest a list of sanctioned devices or sanctioned destinations that you permit data to go to, and allow that action to occur. And then for any other type of action where the USB is not recognizable, step in, throw a block, prevent the employee from performing that action. Now we get into the good stuff.

Architecture Deep Dive

Cole Padula: We're gonna talk a little bit about architecture and how Cyberhaven gives you full visibility, right? We've talked about this from a 30,000-foot view, but we're gonna hone in and get a little bit deeper here. Let's draw our attention to the bottom left-hand corner of this slide, right? Monitoring and control.

We talked about how Cyberhaven operates from a three-pronged approach: endpoint agent, browser extension, API connections. That endpoint agent is monitoring every single action that is occurring across all of your management points, across your entire environment. We're looking for actions taken against data.

We're inspecting the metadata properties of that data. Again, capturing the strong and weak links between how that file was originally copied from an internal file share, then maybe opened up with Excel. Maybe that data was then copied and pasted to a new document, saved, and then uploaded to a Dropbox account.

We give you full visibility into each one of these actions utilizing that endpoint agent. We're primarily doing that within the user space, utilizing frameworks that are native to the operating system that your organization supports. So if you're a Windows shop, we're actively utilizing Event Tracing for Windows, commonly abbreviated as ETW. For macOS shops, we're actively utilizing the Endpoint Security framework. For Linux, we're utilizing eBPF.

All of these different methods can be applicable in VDI-based environments as well. So if you are doing Azure-based VDIs, Citrix-based VDIs, Citrix share space, we can give you visibility into all these different environments and how your employees might be accessing or handling sensitive information.

On top of that, an implementation of a browser extension. This can be directly managed by you, your organization, or you can rely on the endpoint agent to automatically deploy it. It's built directly into the packaging. So if you want to control the usage of browsers within your company, right?

You only want your employees to utilize Chrome Enterprise, you can deploy our extension via the Chrome Enterprise Browser Management administrative center, and then control the usage of other browsers via MDM or local EDR solutions. Or you can have the endpoint agent deploy out to these browsers automatically.

And then when we see potential new browsers pop up, right? Let's say Vivaldi shows up, or Comet, or OpenAI just released Atlas. Maybe we wanna get visibility and permit our employees to utilize these solutions. We have methods of applying our extension into different Chromium-based browsers.

And then finally we have our API connectors, which give us visibility into the data at rest, as well as how employees might be accessing this data from an unmanaged device. This API connection does those two items a little bit differently, right? So for our data at rest, what we're doing is we're configuring an API connection and then connecting directly to these databases or these solutions, identifying which sites or destinations or sources we wanna actively scan.

Maybe we want to scan all employee OneDrive locations to understand exactly what they're storing in their personal OneDrive. Maybe we wanna scan specific sites within SharePoint, or we wanna scan specific repositories within GitHub. Once our configurations have been set, we do a historical scan to understand the content that's actively living there, and then for any new content that's generated, we perform a forward scan on that data as well.

We then apply a data identifier to that data, which is stored in the Cyberhaven database, the same methodology that we utilize for data lineage. So we might see elements of source code associated to GitHub. Maybe we wanna put in a sub-label associated to that, right?

Hey, this specific repository, right? Contains source code that's related to XYZ project, right? We can create sub-labels, identify that data, and then upload examples of that source code to Cyberhaven directly to train our classification engine to understand and properly identify that data for any future scans that might occur, so it's properly associated to the correct label.

Once that scanning process has occurred, everything's done, right? We give you a full visualization as to what your data at rest situation looks like, and then you can take that information and build out new rules and new policies, context-based rules, to prevent that data from going to external destinations that you might be concerned about.

That connector is also giving us visibility into unmanaged devices. So how are my employees accessing our crown jewels from a device that they actively own or they actively manage? Cyberhaven gives you visibility around all of that information. As data is going into motion, right?

We talked about how Cyberhaven is capturing that metadata, building out data lineage, giving you a full data view as to where that data originated from, every hop that it went through, and then eventually how it reached a destination that you might consider as risky, or a destination that isn't risky at all.

User downloaded from SharePoint, opened up Excel, re-uploaded back to SharePoint. That's totally normal. We're capturing all of that. We're only gonna raise alerts to you when it goes to a destination that you've defined as risky. We're also inspecting that content going into motion as well. Right now we're doing that data at rest scan.

If the data comes from a place where we haven't performed a scan yet, or it's coming from a location where we don't have a configuration in place, we scan that content asynchronously. We're not doing it on the endpoint. Again, performance positive. It's not slowing down your end users.

We're scanning that data in memory inside of your dedicated Cyberhaven environment, within an encrypted container, to get an understanding as to what the data contains. Hey, this file contains five elements of PII: two social security numbers, three names and an address. Or it contains five credit card numbers, elements of PCI.

Once we perform that content scan, we tear that container down. We don't wanna hold onto your data any more than you want us to hold onto your data. But what Cyberhaven does, when you need to perform a forensic investigation, you need to have data on hand to prove that somebody did something wrong.

We can store any type of data that you want. We can create custom capture rules and then store that data in a storage bucket that you own and manage, which keeps you as custodian of your sensitive information. That way you have a file on hand of the data that the employee was potentially trying to exfiltrate.

And if you so wished, you can actually have Cyberhaven read this information back into the console, so you can see this information side by side with the incident.

We talked about monitoring and control. What Cyberhaven also provides is visibility into every single one of these different events that are occurring across your environment, and then surfacing to you the incidents that are truly malicious in nature. We're seeing users take data from Snowflake and try to put it into an external cloud storage solution.

We block these users from performing that action. But as a result, we've generated an incident for your review so that you can follow up with these users or their managers or HR or IT or legal. So we sort based on the severity or the sensitivity of the data. It's timestamped, it's oriented in timestamp order, so you know which are the most recent versus which are the oldest.

You can directly assign these incidents to employees within your SOC or your analyst team if you want specific individuals to review specific incidents or specific employees, if you've defined them as risky. We also bake in a number of different dashboards for real-time reporting around the organization and around individuals or specific destinations.

So if you're in the C-suite, right? And you want to say, hey, I want to know how my organization is handling sensitive data as a whole, you can pull an organizational risk report. What's my risk score by day over the last 90 days? Who are my top riskiest users? What are the data types that are most at risk based on policy violations?

Oh, okay. I see Cole is the third riskiest user. What has he been doing? You can drill down and you can look at user summaries, get an understanding as to what Cole has done within that same 90-day timeframe, and then drill down into each one of his different events and again try to understand exactly what types of data he's working with, how he's putting it at risk, so on and so forth.

And then when you've identified a risky destination, being able to drill into that data as well. Hey, I'm seeing ChatGPT show up a lot. What accounts are they actively logged into? Oh, they logged into Gmail accounts. Okay. Let's take this info and build out a custom policy that prevents our customer data, our intellectual property, from being shared to these locations.

Policy Management and Customization

Cole Padula: With that, right? You get access to a very highly configurable policy management engine with a native UI, right? Gone are the days of uploading XML rules in reverse order to understand what that data might look like in the destinations you wanna prevent that data from going to.

Now, instead, you get visibility into: okay, I know that these are my sanctioned cloud apps, right? OneDrive, SharePoint, Microsoft 365 services. I want to prevent data coming from these locations going to any other type of cloud app when the user is not affiliated to my organization.

We can create a rule based on that. We can create rules based on content, right? Hey, I want to prevent PII or PCI, or more than three references of a credit card number, from going to an external destination or from being printed. We can put controls in place around that as well. And then finally, we're giving you all this information.

We give you the ability to go back and search dynamically against all this information. That's a lot of work to maintain. So what we've done is we've actually built a customized and dedicated LLM on top of your tenant to understand what normal versus abnormal looks like for your organization.

We call that Linea. Linea is a two-part solution. First, it's an analyst by trade, right? So it's another member of your team. When incidents come in, it summarizes everything for you. Hey, we saw Cole try to take data from Snowflake, upload it to his personal Google Cloud account. The data contains 17 references of a social security number, 15 names, 12 credit card numbers, 10 addresses, right?

We believe that this was a data exfiltration event. Here's the content. We're pulling it in from your storage bucket. We're giving you action items. We feel that since this was a data exposure event, you should notify HR. So we give you an analyst piece, right?

It's gonna help you understand exactly what occurred. The next is a detection piece. So this flight recorder aspect of Cyberhaven captures all these different events. We take that event information, we flow it through Linea to establish baselines for each one of your employees based on the department that they work in, what they do, what their normal workflows are, and then when employees go outside of those normal workflows, we can raise anomalous events, right? So let's say Katie, right? Katie works in marketing. She primarily takes data that is actively being worked on. She takes copy from our internal SharePoint site. She might utilize things like ChatGPT or Anthropic to enhance or make that copy even better.

But all of a sudden she starts using DeepSeek, right? We don't have a control in place for DeepSeek. We wanna encourage our employees to utilize whatever generative AI tool that they think is best, but Cyberhaven believes that DeepSeek is a critical risk. So when we see data go to DeepSeek, right, we raise an alert, right?

Hey, Katie never sends data to DeepSeek. But we just saw her take this internal-only marketing copy and upload it into DeepSeek, and then she took data out and then uploaded it back into SharePoint. We believe that this is a sensitive flow of data. We believe that you should create a policy to prevent data from going to this destination.

Again, we wanna empower employees to utilize the generative AI solutions that they prefer utilizing, but there are certain ones that we might not want based on how that solution handles or stores sensitive information, how safe it is. And we give you a lot of insights into that, which I'll show to you when we get into the console.

Last two points on architecture. Everything we capture within Cyberhaven, events, the status of endpoints, incidents, the ability to dynamically update policies or data classifications, that can all be done via API from your SIEM or SOAR solution of choice. So if you told me, Cole, I want to get all of this incident information into Splunk.

We set up a Splunk configuration utilizing HEC, pull that information in. Boom, you have all of that information within Splunk, alongside everything else that you're capturing within your security stack. Next, we also provide the capabilities to integrate directly into IDP or identity, right? So maybe you're utilizing Entra or Google Workspace as your primary source of employee identity.

We can pull in the values and the attribute groups that your employees are a part of, and we can create dynamic groups based on that information. We've been using sales a lot lately, right? Maybe we want to elevate the risk profile of a sales employee because we want to make sure that we get in front of a potential issue if they start sharing customer contact lists ahead of them leaving or preparing to leave the organization.

Or maybe we want to get deeper visibility into our employees who might be departing soon, right? Maybe Cole, right? Myself. Maybe I'm gonna leave the organization in two weeks. I go to HR, hand 'em my notice, right? We can integrate into solutions like Workday. We pull those values in from Workday.

We look for a termination date existing. If one does, we elevate that employee's risk. We look at their historical performance and see: roughly two weeks before Cole gave his notice, he tried to take a bunch of customer information or property information and send it to destinations that were defined as risky, right?

His personal Google Cloud, he tried uploading it to Dropbox, he tried exfiltrating it using curl. We give you visibility into all those different events, right? And utilizing the historical lookback, we allocate his risk as an employee as a result. On top of that, right?

Leveraging Office 365 and Purview for Data Classification

Cole Padula: Office 365 is always in play. You might have E5, or you may have started, be in the middle of, or have completed a Purview implementation project at some point in the past, right?

That work doesn't all go to waste, right? Purview is fantastic. It's very good at understanding documents that are associated with Microsoft Office. We can pull in all of the work that Purview has done. We can automatically look for specific labels or tags based on the items that Purview has identified.

And we can use that as an additional layer of classification. Cole, I want you to look for restricted labels regardless of the source. If you see one, I wanna prevent that from going to this external destination at any point in time. We can do that in real time with an integration directly into your Purview account.

As a result, I'll go through these next few slides quickly. I wanna get into the console. We have about 15 minutes left. I wanna make sure that you guys see as much as you possibly can today.

Real-Time Data Exfiltration Prevention

Cole Padula: This is a great example of data that's coming from GitHub, right? We're actively building a prediction engine, and we're storing some of that source code within GitHub.

We see Jackie download some source code, right? Some Python source code. Maybe this is done as a native download action utilizing the UI, or it's via fetch or clone to this endpoint. Maybe they compress this data and they rename it to something like family photo.png. Maybe they try pushing it to an external GitHub repository, or in this case, right?

They try uploading it to Google Drive. So we get a timestamped order as to what occurred, right? The initial event happened on the 10th. The user tried to exfiltrate it on the 12th. We apply controls at the egress point because we know where this file came from. We know what it contains. We're not gonna let it go to a personal Google Drive account.

As a result, you get full visibility into the full lineage of the file throughout its entire lifecycle, and you can apply controls based on that information in real time.

Introducing Linea: Insider Risk Management Solution

Cole Padula: Let me talk a little bit about Linea for just a few moments before we get into the fun stuff. Again, Linea is our superhuman insider risk management solution.

This is going to help you summarize your knowns and identify your unknowns. What we've seen is that when organizations are actively utilizing Linea, we're solving and resolving incidents up to five times faster, right? This is primarily driven by the incident summaries that Linea generates, giving us full context and understanding around user intent.

Which helps us accelerate investigations. So again, it's like your human analyst team, right, is already getting a jumpstart on an incident, right? They come in, they have the Linea summary, they already know where to go and what happened, right? They already have 5, 10, 25% of the work done, right?

They can utilize that, take that information, and then put it into a risk report. Share it with the relevant people, saves them time. Saves some time, gets them back to focusing on other incidents or other items that they might actively need to work on. It helps us detect our unknown risks, right?

Hey, we don't have policies in place for certain situations, or we have employees that are performing abnormal workflows, right? As a result, we can detect up to 40% more critical incidents, which some policies might miss, or some policies might not have been created yet, because we understand what a corporate workflow looks like versus what a personal workflow looks like, and we can help find risk even without policies being present.

And then finally, we can take all the insights that we generate utilizing Linea and we can help prevent future incidents from occurring. A little bit of a breakdown of what Linea is broken out into, right? So on the left-hand side, we have our automated analyst. This is full content summarization and analysis, right?

What does the data contain? What does it look like? Utilizing computer vision for deeper content understanding, prioritization based on AI classification, right? You might have a rule in place of, Hey, when data goes to ChatGPT, that's a low-risk incident. You might start seeing employees upload very sensitive source code to that location.

Cyberhaven or Linea might say, Hey, this is actually a critical severity incident, right? This is actually very concerning. John is trying to copy and paste data that's coming from our internal GitHub repositories, which are clearly labeled as private, which we are actively blocking from going to external destinations.

And he's sending it into ChatGPT unaffiliated with our organization. And he's trying to copy and paste that back into our source code platform or back into GitHub. That's a high-risk action. We definitely wanna get visibility into those flows. Concise summaries, escalation suggestions, right?

We give you the next steps that you might need to investigate this user a little bit further as well. And then on the Linea detection side, the ability to understand an anomaly versus what a normal workflow might look like. So when a policy might be missed or an employee steps outside of their normal behavior, we can step in and say, Hey, we saw this user do X, Y, Z.

We believe that it is risky. We give you the opportunity to decide whether that should be enforced or not enforced. And as a result, all this information that we're providing to the administrators of Cyberhaven, it can be sent via notification, via API, via webhook, through Slack, email, whatever.

Now that's it for this part of the presentation. What I'm going to do is I'm just going to move back to the Goldcast and I'm just going to reshare my screen really quick. Just have to find this button. Sorry. There we go.

Go ahead and we're gonna jump into the console. Okay.

Console Walkthrough: Data Protection for AI

Cole Padula: So for our last 10 minutes, I'm gonna take us through two specific scenarios, right? During our conversation today, I talked about a lot of items. I talked about generative AI, I talked about unsanctioned cloud storage. I'm gonna build our console walkthrough around that.

Our landing page for Cyberhaven is this dashboards page, right? I typically like to start on data protection for AI. What are we doing here? Data protection for AI is accurately classifying and giving you an understanding of all AI applications that are actively in use within your organization.

You might actively be utilizing ChatGPT, right? ChatGPT Enterprise, right? Cyberhaven can help you differentiate between ChatGPT Personal and a ChatGPT Enterprise account that you're actively paying for, right? We can see here we have 14 employees utilizing a personal version of ChatGPT versus two people utilizing the enterprise version of ChatGPT.

That's concerning. We can take this information, right? We can update our generative AI policy. We can notify our users, Hey, please utilize the sanctioned version of ChatGPT. Next, we're associating a risk profile to the applications that your employees are actively utilizing, right? We do it based on critical, high, medium, low, or very low, right?

For our mediums, right? These are our enterprise solutions, our medium to low ranges, right? This helps us understand exactly how these solutions handle sensitive information, right? Maybe we wanna get visibility into all critical-level applications in play, right? I can quickly pivot. Filter based on critical-use applications.

And here at the top of my list I see DeepSeek, right? That's concerning. I've got four separate employees utilizing DeepSeek. I've got 3.8 megs of data being sent to that destination. Our usage over time is on the downswing, but still, I've had data sent to this location in the past, right?

Why are we associating a critical risk to DeepSeek, though? I wanna understand that a little bit better. If I knew nothing about DeepSeek, Cyberhaven is going to help you understand why we believe that this is a critical-risk application. We give you a quick summary. We believe that this is critical based on significant systemic weaknesses identified across all five risk categories, which are data sensitivity and security, model security, risk compliance, user authentication and access controls, and security infrastructure and practices.

Maybe I really care about security infrastructure and practices. Okay. The vulnerability management lacks proactive scanning and patching, evidenced by outdated encryption protocols like 3DES with hard-coded keys and unencrypted data transmissions. Each one of these provides the sources where we got this information from.

It's a mix of both publicly available information and research reports that we're able to find off the internet to generate these specific risk overviews. So we would look at this and we would say, okay, we've had 40 events in the last 30 days of data going to DeepSeek, I've got four users actively utilizing it.

Maybe I need to understand exactly what types of data are being shared with DeepSeek. This is just giving me a general overview, right? It's looking at all data, but we actively classify data that contains elements of PII, PHI, PCI, and we build those out into a data classification. Maybe I wanna understand what types of data are going there.

We scroll down in the dashboard and then we can start looking at exactly what types of data are being shared with DeepSeek. I noticed that six AI apps are in use for customer data. I might wanna understand exactly what those AI apps are. I can see that DeepSeek is in this list. I actively pay for Claude, Copilot, Gemini, and ChatGPT.

That's okay. I'm gonna handle that later. I wanna make sure that personal versions of these applications aren't being utilized, but I see DeepSeek. I might take this information and say, okay, I wanna build a rule that prevents customer data from going to DeepSeek.

I can go back up to the top, identify DeepSeek, scroll over to the right, select this little shield, and we automatically start crafting a policy that gives me visibility into where my data is coming from and when it's going to DeepSeek, right? In this case, we automatically classify, okay, we're looking at all events where the generative AI app in question was DeepSeek.

I wanna convert this to a policy. Now I want to select the types of data I wanna prevent from going to this destination. I specifically care about customer data, right? I have strict compliance rules as to how customer data is handled. We can see over here on the right-hand side, in the last 30 days, I've had 14 events.

Customer data went to DeepSeek. I can look at these events in real time. Again, we're utilizing this historical lookback function. We're utilizing historical information to understand how effective our policies will be once we push them out into production. I just wanna do a quick check. Hey, show me the types of data that went to this location.

I can see that Steven is primarily the one that's sending customer data to this location, right? He's a critical-level user. I might wanna look and see exactly where he's getting this data from. I can see that he's got access to this declined transaction Excel document. It came from our internal SharePoint.

It's coming from our customer data site within SharePoint. When we performed a content inspection scan on this data, we saw five elements of credit card numbers. We saw five elements of a social security number and a name. That's highly sensitive information. We do not want that going to DeepSeek. We can see here within the lineage, he's actively sending that data to DeepSeek via a copy-paste action.

I can see that content here. I can see credit card numbers, names, the reason for the declined action, as well as everything else that he did with this data leading up to him sending it to DeepSeek, right? It looks like he also tried utilizing a personal version of ChatGPT. And then he ended up deleting this file from his device after he finished working on it.

I can also see everything that happened historically, right? Steven isn't the only one interacting with this file. I can see that Brian originally uploaded this file to our internal SharePoint. He tried emailing it to his personal Gmail account. I can see that Steven has previously tried uploading this directly to his personal Gmail account versus utilizing email to send it to himself. So we can see all these different events to this specific file, looking back at its full lineage and understanding the different attempts of egress that may have occurred against this data.

So I look back, I'm gonna create a rule that prevents this data type from going to a generative AI solution like DeepSeek. But I might also utilize this information and start another investigation. Why was Brian trying to email it to himself? Why was Steven trying to upload it to his personal Gmail account? Each one of these red banners indicates Cyberhaven stepped in and we blocked that action from occurring.

'cause we had a rule in place already. If for any reason we didn't have a red banner, that means the action went through, right? In this case, Steven moved a file within our internal SharePoint. That's a permitted action. We didn't stop him from doing that, right? But here, these malicious actions, we stepped in and prevented the user from performing that action.

So we have about four minutes left. I think this is a fantastic stopping point. And I'm gonna go ahead and pivot.

Q&A Session

Cole Padula: I'm gonna go over to the Q&A. If there are any open questions or any open items that you'd like me to discuss, I'd be happy to go over those now. Just gonna close this down really quick and I'm gonna stop sharing my screen.

There we go. Just gonna look through Q&A. All right, I'm gonna start from the top and work my way down. What is the default retention period? The default retention period for Cyberhaven is 13 months. We can extend that as well as reduce that based on your organization's needs.

Depending on what your organization needs for retention, 13 months is default. That can be extended or reduced based on that information. For storage, right? When Cyberhaven performs content inspection, we store it in your storage bucket. That retention is managed by yourself, right?

So if you wanted to have active storage for three months and then move it to cold storage or delete it, you could create your own retention rules within that area. Can the DLP policies be tested before deploying them? That is a fantastic question. We touched upon it very briefly, but one of the items we talked about was utilizing identity to associate user roles to policies or risk groups.

What we can do in that regard is we can create a policy and then restrict it to a subset of employees at the company, right? Maybe the security team. Then we can dynamically associate that policy to a sample there, right?

Maybe we wanna look at data generated from maa roof from being sent via curl, right, via the command line. We can associate that policy directly to the security team, test it in real time, and then apply it to the rest of production once we've tested how effective it is. We don't offer sandbox environments in that way, but we do have some capabilities of offering a staging environment where you can test these items out as well.

But primarily in a production environment, that's typically the approach for a lot of the organizations that I... If someone was comparing us to our top three competitors, what would your top three be? It's really, we play in so many different spaces, so it's really hard to pin that down.

Last I checked, there's so many DLP vendors, more than I can count. DSPM is a very hot and upcoming industry within cybersecurity as a result, right? The number of different vendors that you can work with are endless. I would actually approach this question a little bit differently, right?

What are our differentiators? Full data lineage. There are other solutions out there that will tell you the source of where your sensitive data came from. But it's not gonna give you the full file's lineage. It's not gonna show you how that file traversed the environment, how it might have changed or went through different cycles throughout its entire period with your organization.

Cyberhaven is gonna show you absolutely everything, going back to its creation all the way to when it reaches its final point or final destination. So, data lineage, number one. I would say number two, the policy creation engine, right?

Native, easy to use, being able to call out specific layers of criteria that you actively wanna look for, right? I click and choose versus crafting XML or other different methods you might utilize. Number three, the ability to classify both contextually and based on content.

Being able to marry those two together to understand exactly where that data is coming from, as well as what it contains, as well as DSPM capabilities, right? There are many DSPM vendors that offer DLP, but some of their controls can be a little bit limiting.

They're fantastic at what they do in terms of understanding the data at rest, but being able to apply controls to that data in motion is very difficult. We started with data in motion and then we worked backwards to DSPM, so now we have a full understanding as to what our data is at rest, and then, based on that information, we can apply controls to that data once it goes into motion.

So four key differentiators, right? If there are specific vendors that you've looked at in the past and you want to go a little bit deeper around direct differentiation, happy to.

What we're gonna do at the end of this call today, we're gonna send out a survey link. We'd be happy to set up a conversation with you or with your team to talk through some additional differentiators between other players within the industry. Let me open this up. Could Linea be utilized for automated workflows within the platform?

Example: confidential data being sent to an unauthorized file sharing app, block, raise an incident ticket, and notify HR? Absolutely, yes. We can absolutely create automated workflows based on what Linea generates. I would do that through a SOAR. So when Linea generates an incident, we reach out to Tines, Torq, whatever you might be utilizing. Internally, Cyberhaven and Linea are automatically associating content classification and associating provenance as well as data type to that data flow.

We didn't look at any Linea-generated incidents today, but one of the items that you might see is, hey, confidential document, right? That might be an internal planning or resourcing document. You want to notify HR when that data goes to an unauthorized file sharing solution, right?

Based on what we send to the SOAR solution, right? We can parse that JSON down. If the file type matches a specific list, right, corporate resourcing, intellectual property, whatever types of data you wanna notify HR on, you can trigger a workflow, send that information to HR. Hey, here's the employee that tried exfiltrating it.

Here's the destination, here's the data that it contained. Here are the insights that Cyberhaven provided. All within that workflow, right? And that could be sent to Slack, that could be sent to email, it could be sent to a ticketing system, whatever you prefer, right?

But there's a number of different ways that we could approach that. One example that I've done recently is a Slack integration workflow based on the data that's being sent, or the data that was affiliated in the incident, right? Hey, I wanna notify HR when data of this type is sent to an external destination. When that policy was hit, Cyberhaven would reach out to Tines.

Tines would then notify Slack. Slack would then message the relevant people within a channel or via direct message.

Just going through this list: can the user action be blocked, preventing the user from uploading, sending, et cetera? Absolutely. So one of the keys of our policy management engine is our ability to classify based on action. So let's use upload as an example.

Hey, I wanna allow my employees to upload data to websites, right? SaaS is the name of the game these days, so you're likely managing an allow list, right? We can integrate again into a SIEM. We can pull that allow list in. Hey, these are where upload actions are allowed to occur. When an upload action occurs, we confirm the website that they're sending the data to.

If it's not within that allow list, we block that action from occurring. Same thing on email, right? I attach a file to an email from my corporate email account. I send that data, right? We're gonna review and understand who the receiver of that email is, both the CC, BCC, and To fields. If it's not in a list of domains that's approved to receive that type of data, right?

Let's say intellectual property, we've been talking about it a lot. Intellectual property gets sent to an email domain that's not affiliated with acmecorp.com. I wanna block that user from performing that action. Boom. User is blocked from performing that action. We can also go broad, right?

Maybe you wanna block copy-paste actions and uploads to google.com, whether that's a subdomain of Google, or if it's Google Docs, Google Drive, right? We can call out multiple actions within the policy itself.

Hey, I wanna block all of my employees from taking customer information and copy-pasting or uploading to drive.google.com. We utilize Office 365. We can create a rule that combines both of those two items together. User gets blocked from performing that action. Next question.

Can you classify and protect things like JPEGs or other types of screenshots, pictures, et cetera? Absolutely. So part of our base inspection engine utilizes OCR, so we can scan images to understand what the image actually contains, if it's a screenshot that contains sensitive information.

We wanna create a content rule that looks for elements of PII within a screenshot, right? We scan that document and then prevent it from going to an external destination. We can also implement fail-closed. So if I take a screenshot of something and then try to paste it to an external channel before content inspection has been completed, we can stop the user from performing that action until content inspection has completed.

So we'll display a message to the end user. Hey Cole, I'm gonna have you wait just a few seconds. We're performing content inspection on this data. Once it's complete, we'll let you perform your action. If the data isn't sensitive in nature, we allow the screenshot to go through.

If it is sensitive, we'll just continue to block the user and tell them that they're not allowed to perform that action. Will we be sharing the recording? Absolutely. We can definitely provide a link to this recording after the fact. Also, if you'd like to have a deeper conversation with me, or if there are additional questions that I haven't answered yet, maybe they come to you after the holiday season.

Personally, I'm thinking about my wife's cooking. My wife is cooking up an amazing meal for Christmas. I'm really thinking about that, so I might be more focused on that versus the questions in this webinar. Totally fine. Please feel free to email me again. My email address is my first name dot last [email protected].

Cole dot [email protected]. I'm reachable through that channel. I'd be happy to do a more in-depth demonstration for you and your wider team, whatever is preferred for everybody. But yeah, outside of that, we will be sharing, we can share this recording, absolutely.

And let me go to the top again. I'll answer a few more questions. I'm gonna answer two more questions and then I'm gonna send a survey and then I'll send everyone on their merry way. Next question. Can we create custom policies for users? Absolutely. So we talked about dynamic risk groups, right?

We tie into identity, we pull in information based on the attributes that they are part of, and we can associate those policies to those attributes. Hey, we don't want our sales team to upload data to unsanctioned cloud storage, right? Or send customer data to email addresses that end in gmail.com, right?

We can absolutely build that out, right? So we can pull that in dynamically based on the attributes that the user's a part of. We can also create manual risk groups. So if you've identified an employee that might be a flight risk, right, based on historical information, you can create a manual risk group.

Associate that employee to that risk group and then associate that risk group to a policy, right? Whether that policy is block upload actions, block download actions, block sharing actions, you can configure it based on how you see fit.

Just a moment here.

Just reviewing these other questions.

Simone, I'm gonna get back to you on that. That's the last question I wanted to cover, on the SCM front. I'm gonna capture your information. After this call, I'll send you an email. We can go a little bit deeper on that one.

I just don't know off the top of my head. In terms of the abbreviation, it's not ringing a bell right now. But I'll be sure to circle back and ask that question offline so that we can get that answered. But yeah, guys, outside of that, we've got about five minutes left.

I want to give some time back to the folks who attended this call today. Thank you so much. In just a few moments within our chat, you're going to have a survey link. Please fill this survey out. We would love to have your feedback, as well as talk about the Uber Eats or the charity-based option that we are offering for attending this webinar today.

Also, yes, everyone, thank you so much. I saw it earlier, I wanted to make a mention. Someone said they liked my hat. Thank you so much. My son saw it at the store the other day and he said, Daddy, you gotta buy that hat. I want you to look like Santa. Can't say no to that. But yeah, it was great talking to all of you, right?

We'll share the presentation with everybody at the end of our call today. If you have any questions, please email me directly. Happy to answer anything that might come to you or that might be top.