Insider Threat vs Insider Risk

Source: Code42

Words matter — especially in the buzzword utopia that is information security marketing. Let’s add another term to an ever-growing list — insider risk. While insider risk and insider threat are often considered synonymous, in all actuality, there is a difference. And the difference is in the very problem you are trying to solve. Here’s my take.

Insider Threat is a “User Problem”

Probably the most respected definition was written (and updated in 2017) by Carnegie Mellon’s CERT Insider Threat Center:

“Insider Threat – the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

According to CERT, insider threat is all about the individual, the person, the employee, the user. Every possible user action that may cause harm to an organization is covered. That includes fraud, IP theft, sabotage, espionage, workplace violence, social engineering, accidental disclosure and accidental loss or disposal of equipment or documents. 

Given this widely accepted user-centric definition, security buyers often look to user-centric tools — like user behavior analytics (UBA), user and entity behavior analytics (UEBA) or user activity monitoring (UAM). Tools like these collect and analyze mountains of user activity metadata that gets pumped into a SIEM, correlated with other data and automated through a SOAR. Voila — your insider threat problem is solved.  

If only it were that simple. The truth is that user-behavior and monitoring tools are just one piece of the puzzle. Relying solely on UBA, UEBA or UAM tools can keep you guessing at what, I mean who, is a real threat.  

Insider Risk is a “Data Problem”

Insider risk is a different ball game. When it comes to managing or mitigating insider risk, the focus shifts from centering solely on the user, to taking a broader, holistic approach to understanding data risk. No standards body, to my knowledge (unless you consider Microsoft a “standards body”), has defined insider risk. So, we created a (short and sweet) definition:

“Insider risk occurs when data exposure jeopardizes the well-being
of a company and its employees, customers or partners.”

The keywords are “data exposure.” Insider threat is a user problem. Insider risk is a data problem. At Code42, we solve for both, but our approach centers on the risks of data exposure. Heck, our product’s console is called the “Risk Exposure Dashboard” and our annual research report is titled the “Data Exposure Report.” The fundamental difference between user-centric insider threat tools (UBA, UEBA, UAM) and an insider risk solution like ours is that they take a policy-based approach, whereas we take a math-based approach. Our approach takes into account all sides of the equation:  

File + Vector + User = Risk

  • We look at all data (not just classified data) 
  • We factor in vector detail (endpoint, cloud, email, trusted vs. untrusted domains, corporate vs. personal) 
  • We consider every user (not just users with current or past privileged access)

When all three variables of the equation are taken into account, you end up with an insider risk signal that is — dare I say — real. Here is an example:

File + Vector + User = Risk
  • File: Sales Strategy presentation, not labeled or tagged as sensitive
  • Vector: Uploaded to Dropbox, an unsanctioned cloud service
  • User: The user changed the file type, zipped it and encrypted it

The indicators of insider risk resulting from data exposure are stronger when factoring in the data, vector and user file activity (threat context). There are dozens of insider risk use cases like the one above that completely fly under the radar of most security tools, hence the reason to approach insider risk holistically:

  1. The tool by rule watches labeled or tagged data (e.g. DLP)
  2. The tool by rule watches specified vectors (e.g. CASB)
  3. The tool by rule watches on-network employee application usage (e.g. UBA, UAM)
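To make those three coverage gaps concrete, here is an added example (not Code42 code or product logic) that scores three constructed file-movement events on the File + Vector + User idea and, beside each, shows what a single-signal rule of each kind listed above would see. The event fields, the weights, the threshold of 6, the set of CASB-configured services, the set of UBA-watched applications and the sample events are all assumptions chosen for illustration.

```python
"""Added example (not Code42 code): score file-movement events on the
File + Vector + User idea, next to three single-signal rules that model the
coverage gaps in the post. Field names, weights, threshold and sample events
are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass
class FileEvent:
    file_name: str
    destination: str            # "cloud", "email", "removable_media" or "endpoint"
    domain: str                 # where the file went; "" for removable media
    sanctioned_domain: bool     # is the destination on the corporate allow-list?
    application: str            # application that moved the file
    on_corporate_network: bool
    labeled_sensitive: bool = False   # carries a DLP label or tag?
    file_type_changed: bool = False   # e.g. a .pptx renamed to .txt
    zipped: bool = False
    encrypted: bool = False
    privileged_user: bool = False


# --- Single-signal rules, one per coverage gap in the post (all hypothetical) ---
CASB_CONFIGURED_SERVICES = {"drive.google.com", "box.com"}   # services with a policy
UBA_WATCHED_APPS = {"browser", "outlook", "scp"}              # apps with a baseline


def dlp_sees(ev: FileEvent) -> bool:
    """DLP by rule acts only on labeled or tagged data."""
    return ev.labeled_sensitive


def casb_sees(ev: FileEvent) -> bool:
    """CASB by rule watches only the cloud services someone wrote a policy for."""
    return ev.destination == "cloud" and ev.domain in CASB_CONFIGURED_SERVICES


def uba_sees(ev: FileEvent) -> bool:
    """UBA/UAM by rule baselines on-network use of specific applications."""
    return ev.on_corporate_network and ev.application in UBA_WATCHED_APPS


# --- Combined scoring: File + Vector + User = Risk (weights are assumptions) ---
SENSITIVE_KEYWORDS = ("strategy", "roadmap", "customer", "salary", "source")
RISK_THRESHOLD = 6


def file_score(ev: FileEvent) -> int:
    score = 3 if ev.labeled_sensitive else 0
    if any(k in ev.file_name.lower() for k in SENSITIVE_KEYWORDS):
        score += 2   # unlabeled files still count; the name is a weak signal
    return score


def vector_score(ev: FileEvent) -> int:
    score = 1 if ev.destination in ("cloud", "email", "removable_media") else 0
    if not ev.sanctioned_domain:
        score += 3   # untrusted or personal destination
    return score


def user_score(ev: FileEvent) -> int:
    # Obfuscation before the move is the strongest user-side signal here.
    return (2 * ev.file_type_changed + 1 * ev.zipped
            + 2 * ev.encrypted + 1 * ev.privileged_user)


def risk_score(ev: FileEvent) -> int:
    return file_score(ev) + vector_score(ev) + user_score(ev)


def evaluate(events):
    """Per event: what each single-signal rule sees, plus the combined verdict."""
    return {
        ev.file_name: {
            "dlp": dlp_sees(ev), "casb": casb_sees(ev), "uba": uba_sees(ev),
            "score": risk_score(ev), "risky": risk_score(ev) >= RISK_THRESHOLD,
        }
        for ev in events
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # The post's example: an unlabeled sales deck, renamed, zipped and encrypted,
    # uploaded from home to an unsanctioned Dropbox account.
    FileEvent("Sales Strategy.txt", "cloud", "dropbox.com", False, "browser", False,
              file_type_changed=True, zipped=True, encrypted=True),
    # Labeled budget sheet going to the sanctioned corporate Drive from the office.
    FileEvent("Q3 Budget.xlsx", "cloud", "drive.google.com", True, "browser", True,
              labeled_sensitive=True),
    # Unlabeled customer export mailed to a personal address from the office.
    FileEvent("customer_list.csv", "email", "gmail.com", False, "outlook", True),
]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:22} {verdict}")
```

Running it shows the point of the post: the sales deck is invisible to all three rules (no label, no policy for that service, user off-network) yet scores 11, while the labeled budget sheet is in scope of all three rules and scores only 4. The customer export lands exactly on the threshold from the vector and file signals alone, with no obfuscation by the user.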

Now, you could take your DLP solutions for endpoint and email, your CASB, add UBA for users, and pull in network logs, identity and access management logs, etc. into your SIEM, run all kinds of policy-based correlations and queries and say you’re covered. This rules-based approach is designed for large, sophisticated and mature security teams — and even the most sophisticated security teams are strapped for time and frustrated with all of the complexity and noise involved in maintaining such systems. And after it’s all said and done, are the systems even working? There are countless examples that they are not.  

Insider threat or insider risk? It comes down to deciding to take a policy-based approach centered on human foresight or a math-based approach centered on data exposure.  When it comes to solving for insider risk, follow a simple formula and do the math. Because at the end of the day, math — as opposed to guesswork — always wins.

A lot less hype and a lot more humanity-please.


Three principles that are just good practice when it comes to the buyer experience:
Be compassionate, be succinct, be helpful. This has never been more true, more relevant, more needed.

Compassion not Fear:

Buyers, no matter the industry, don’t need more fear – especially security buyers (the industry we operate in). Think about the security industry and the security buyer. Their work is rooted in risk, threat and vulnerability, so by nature, they operate in fear 24 x 7 x 365. Today, arguably, this is true for all buyers. Security leaders often say they are “always on” and feel personally responsible when something goes awry. So, why in the heck would messaging rooted in fear ever work with these buyers? Until we as marketers walk in their shoes, we have no right to fear-monger. Show some damn compassion for what they are dealing with on a daily, hourly, minute-by-minute basis. In the end, they really don’t have time for us, which brings me to our second principle.

Succinct not Sermon:

This is nothing new, yet we in marketing are guilty of this all of the time. We have all sent those 3 to 4 paragraph emails and pushed the 1500-word blog posts and content pieces that we are so proud of and want to believe buyers have the time to read (guilty as charged – I promise to keep this post to less than 500 words). Cut to the chase, people – please. Stop spending 2 paragraphs (or 2 minutes) selling the problem and loading buyers up with shocking stats and another 2 paragraphs (or minutes) on the pitch. Buyers are thinking “why are you calling me?” and “what can you do to help me right now?” This brings me to our third point.

Help not Hype:

This one should be a no-brainer. Stop the marketing hype and just talk about what you are doing to help your buyer. It doesn’t even have to be rooted in the product or service you deliver. Simple tweaks to the buying process and the customer experience are helpful. It’s less about how great we feel about ourselves and more about how our buyers feel about themselves. Be compassionate about where they need help, be succinct in how we can help them, and then just help them. There’s no hype in that. It’s called humanity.

Good enough is no longer good enough


Seventy-seven percent of information security leaders say that the most significant risk to an organization is employees doing their jobs however they want, with no regard to data security protocols or rules. When leaders whose company had experienced a data breach in the last 18 months were asked what caused it, 50% said it manifested inside the company as a result of an employee action. Incidentally, only 28% cited external actors (e.g. hackers, ransomware, malware).

89% of information security leaders believe the fast paced cultural model of their business puts their company at greater risk of data security threats.

Knowing their stance on culture, we then asked Chief Information Security Officers (CISOs) about their priorities. Despite CISOs’ belief that fast-paced culture models put their companies at greater risk, employee risk and workforce culture changes rank last in terms of their priorities. So we asked: how good is your security for data risks that manifest inside an organization (aka those “no one wants to admit they exist” insider threats)?

Their answer: It’s good enough.

“Good enough” is probably the worst answer you want to hear to any question about security, yet that’s often the “brutal truth” and it’s no longer good enough.

I’m sure CISOs love it when vendors say, “it’s not a matter of if insider threat happens, it’s a matter of when.” I argue it’s not even a matter of when – it’s a matter of fact. It’s already happening, and happening every day. Working for a security company that focuses on data risk detection, we do a ton of research, and our research draws a clear correlation between growing insider threats and the very culture change many CEOs are driving.

80% of enterprises will change their culture by 2021 as a way to accelerate their digital business strategy

The external forces of culture change are too strong to ignore: Boomers are retiring. Gen X is climbing the ranks. Gen Y is now the largest segment of the workforce, and Gen Z is beginning to enter the workforce en masse. Such forces are defining the new digital workforce, and with it, new attitudes about data:

  • 72% of employees believe their work is their property
  • 60% of employees admit to taking data with them from job to job
  • 8 of the top 10  collaboration tools employees use are in the cloud

Given the attitudes of this next-gen workforce around data and the growing insider threat problem, shouldn’t the CISO take a proactive security strategy to future-proof the digital business culture? Shouldn’t CISOs be at the center of the culture change? Shouldn’t the CISO have a seat at the culture change table?

We say yes. It’s time for CISOs to be viewed as business enablers and not blockers. It’s time the CISO is viewed as a partner in driving the very data-driven, performance-based and collaborative culture digital businesses need to succeed. If 80% of enterprises will change their culture by 2021, then the CISO is there to secure it.

(Source: Code42)


Security that enables collaboration – now there’s an idea

As much as we may not like to talk about it, half of the major threats to the security of our corporate data come from the inside. That doesn’t mean that our employees are malicious — insider risk can surface in numerous ways: user errors and accidents, lost or stolen devices, even hardware failures — and the list goes on. In fact, a report by International Data Corporation (IDC) showed that three of the top five most common high-value information incidents involve insiders.

Given this, it’s no surprise that for years, organizations have been using data loss prevention (DLP) solutions to try to prevent data loss from happening. The problem is that the prevention-first approach of DLP solutions no longer meets the needs of today’s IP-rich, culturally progressive organizations, which thrive on mobility, collaboration and speed. The rigid “trust no one” policies of legacy DLP block user productivity and are often riddled with exceptions and loopholes. For IT, legacy DLP solutions can be expensive to deploy and manage — and only protect selected subsets of files.

A fresh start

A prevention-based security focus forces a productivity trade-off that isn’t right for all companies — and isn’t successfully stopping data breaches. That’s why it’s time for organizations to rethink the very concept and shift their focus from prevention to data risk detection and response. Data Risk Detection & Response enables security, IT and legal teams to protect their organization’s data more quickly, more easily and together, while fostering and maintaining the open and collaborative culture their employees need to get their work done.

Rather than enforcing strict prevention policies that block the day-to-day work of employees, an approach focused on fast, simple and accurate detection and response clears the way for innovation and collaboration by providing real-time visibility to when data is put at risk.

Security: from Police to Partner

By focusing on all files in an organization, Data Risk Detection & Response (we’ll call it DRDR for simplicity’s sake) offers additional benefits for Security’s partners in IT, Legal and HR:

  • Fosters employee productivity: Data Risk Detection & Response enables employees to work without hindering productivity and collaboration. Workers are not slowed down by “prevention-first” policies that inevitably misdiagnose events and interfere with their ability to access and use data to do their work. This is music to the ears of IT and HR leaders who are empowered by the CEO to build and foster a collaborative, innovative and results oriented culture.
  • Simplifies risk investigation and remediation: Unlike DLP solutions, DRDR does not require policies — so there is no complex policy management. Because DRDR continuously watches ALL files and file activity, it can automatically assess risk by correlating metadata based on file type, owner, event, source, destination, and dozens more.  While DRDR doesn’t require policies, security and legal teams can still use it to verify data use. For example, administrators can be alerted when an unusually large number of files are transferred to removable media or cloud services. If the files have already left the organization, DRDR can see exactly what was taken and restore those files for rapid investigation and legal response.  Long-term file retention helps satisfy legal and compliance requirements too – providing a complete data history for as long a time period as an organization requires.
  • Lives in the cloud: As a cloud-native solution, DRDR frees IT from expensive and challenging hardware management, as well as the complex and costly modular architectures that are common with DLP. Because DRDR is a cloud-native solution, IT can rapidly deploy, and since the extensive time and effort required to create and refine policies is not needed – security can rapidly reap the rewards. This is especially important for resource constrained Security teams or IT teams that also wear the security hat.

A new paradigm for Insider Risk

Data Risk Detection & Response is a huge departure from legacy prevention solutions, but it’s a logical and necessary evolution of data protection given the growth of insider threat and the changing corporate cultures and work preferences of today’s IP-rich and culturally progressive organizations — small, mid-size and large. Companies today are looking for better ways to protect their data while freeing employees to create the ideas that drive the business.  Security that enables collaboration – now that’s an idea worth exploring.

Original post appeared on Code42

Debunking Data Loss Prevention

It’s all about the data.

Ultimately, people are looking for solutions to their security challenges. They are looking for the technologies that will help them manage their security posture and answer fundamental questions about data: Where is my data? Who has access to my data? How can I monitor when data is leaving my network? How do I know what data is leaving my organization? Bottom line—how can I protect my data?

“I love my DLP.” Said no one ever.

At Code42, we’ve been talking about a new approach to data security. In fact, it’s a whole new take on Data Loss Prevention (DLP). At its core, our approach debunks the fundamental requirements of policies, classifications and blocking — the things that we’ve learned to love to hate about DLP. And there are other major advantages to our new solution. It lives in the cloud, eliminates long deployments, and gives security teams visibility to every version of every file. We call it “Data Risk Detection & Response” — a solution that is defined not by what you can prevent, but rather by how quickly you can detect, investigate and respond to data risk and thus reduce business risk.

Let’s face it. Gone are the days where you can build walls big enough to prevent data from getting outside your organization. Traditional DLP solutions aren’t working. The reality is that complicated and policy-laden security strategies run counter to the needs of today’s IP-rich, culturally progressive organizations, which thrive on mobility, collaboration and speed to get work done. Yes, the endgame of data risk detection & response is a direct challenge to the status quo. But you cannot argue with the fact that we as an industry need a quicker, easier way to protect data from loss, leak, misuse and theft. Just Google “stolen trade secrets” or “intellectual property leak” and read the headlines. It doesn’t seem like we are preventing much these days.

Original post appeared on Code42