Why Insider Risk Management Needs to be Proactive Not Reactive
Most organizations know that they have an insider risk problem, whether due to employees leaving the company, a disgruntled or malicious employee, or the simple mistakes made by busy or careless users. But while the risk is relatively obvious, most organizations have limited options when it comes to taking action to stop it.
Data loss prevention (DLP) tools don’t have a particularly great track record even when controlling highly predictable data and fail almost entirely at protecting intellectual property and trade secrets. Monitoring and analytics tools can find anomalous or potentially risky behaviors, but they are rarely conclusive and generally lack the ability to take real-time preventative action.
Organizations need new approaches to insider risks that allow them to do more than simply document their risk, but to actually do something about it. At a high level this includes:
- Better intelligence in order to make smart, reliable decisions to protect any data.
- Real-time action to proactively prevent the loss or risky spread of data.
- Real-time user engagement to drive better user behavior while preserving productivity.
Let’s take a closer look at each of these areas and how Cyberhaven’s Data Detection and Response (DDR) platform can arm organizations to take real action against their insider risks.
Building Better Intelligence
One of the challenges of managing insider risk is that it requires policies and security tools that understand the business. You have to know what data and information is valuable to the business (or at least harmful if exposed). You have to understand business processes and complex workflows. These are not areas that traditional security tools excel at. Threat detection tools look for a wide range of malicious files, techniques, IOCs, and behaviors. Threats may be complex, but they by and large do the same things across all enterprises. Ransomware in one organization will behave like ransomware in another. An attacker performing pass-the-hash will be pretty much the same regardless of where they do it.
Insider risks are very different because the most important contexts are highly specific to each individual organization. Every enterprise has Office documents, emails, and application data, but which ones are sensitive? Where does an organization’s intellectual property reside? In design files and images? In source code? In financial statements? In product plans? All the above? Security tools can’t just zero in on a specific type of content or behavior because the data that really matters will vary from organization to organization.
This same concept applies and gets even more complicated when it comes to business processes and workflows. Teams often collaborate on important data, make changes, share the data with other users and apps, make copies, and so on. Understanding and controlling this complex flow of data is fundamental to the task of managing insider risks. Simply looking for basic actions such as a user downloading abnormally large amounts of data doesn’t even scratch the surface of addressing this problem.
Cyberhaven’s DDR platform introduces a truly new approach that understands the business value of virtually any data and can continuously follow the flow of that data across virtually any business workflow. Much like an EDR product monitors actions on an endpoint, Cyberhaven DDR monitors everything that happens to an organization’s data — both on an individual user’s machine as well across all the devices and applications of the enterprise. No matter how the data moves or is transformed, Cyberhaven never loses context. The platform always understands what the data is and all the actions around it. And since this is done for all data, automatically, security teams always have a clear picture of their risk.
Taking Real-Time Action
Once insider risks can be seen in business terms, the natural next step is to mitigate that risk. Unfortunately for enterprises, this is much easier said than done. Analytics-based insider risk tools often depend on out-of-band data sources and analysis, meaning that the data has often already moved by the time a risk is identified. Even when blocking is an option, algorithms that rely solely on analytics or behavior-based models are often inconclusive. They may provide an analyst with a starting point for an investigation, but are not nearly reliable enough in order to drive enforcement decisions because they would interrupt users’ everyday work. Traditional DLP tools have the option to enforce but have long been plagued by false positives and false negatives even when trying to control the simplest and most predictable forms of data.
Cyberhaven changes this by enabling HR and security teams to proactively control the flow of sensitive information and assets based on the full history and context of the data to the business. This is a massive step forward because instead of just analyzing the content of a file, Cyberhaven can make a real-time allow/deny decision based on the full history of where the data was originally created, who has worked on the data, how it has been modified, how it is attempting to be shared, and more.
This not only helps to control data loss, but it also enables organizations to proactively manage their risk and exposure. Instead of just trying to manage insider risk at the eleventh hour when the data is leaving the enterprise, teams can now preemptively control the risky sharing and sprawl of data in the first place. Policies can ensure that data is only available to team members that need it while preventing oversharing or sharing via risky channels. In a very real sense, this allows an organization to manage and reduce their insider risk attack surface. In the same way that patching operating system vulnerabilities limits the attack surface from malware and exploits, Cyberhaven can continuously protect data to reduce the attack surface from insider risks and threats.
Real-Time User Engagement
While blocking is the most aggressive option, teams also need other options that can manage risk without getting in the way of productivity. In the same way that Cyberhaven can block a risky action, the platform can also engage users before they make a mistake. This can give users a warning that they are about to violate policy, and if applicable, redirect them to an approved alternate application for sharing. When appropriate, policies can give users the option to acknowledge the risk and proceed with an action to ensure that they can get urgent, time-sensitive work done.
This sort of in-context engagement provides a far more effective way of driving better end-user behaviors as compared to periodic out-of-band training. While training is important in terms of spelling out the corporate rules and expectations of users, it is far too easy for users to slip into bad habits, particularly when in a rush to get work done quickly. Cyberhaven can change this dynamic by providing real-time coaching that engages users in the context of their regular workflow. This provides a far more effective way of driving better, more secure end-user behaviors and can even help to dissuade potential malicious insiders by demonstrating that the organization is actively monitoring for these risks.
Ultimately, all of these capabilities work together to give organizations a far more practical and proactive approach to managing insider risks. Instead of time-consuming, manual investigations that trail behind the risk, Cyberhaven gives teams a way to understand risk and take business-appropriate action in real-time. This finally allows organizations to actively mitigate their insider risks in much the same way they mitigate risks from external threats. Now instead of talking or worrying about insider risks, enterprises are armed to do something about it.