Insider Threat vs Insider Risk

Source: Code42

Words matter — especially in the buzzword utopia that is information security marketing. Let’s add another term to an ever-growing list — insider risk. While insider risk and insider threat are often treated as synonymous, there is in fact a difference, and the difference lies in the very problem you are trying to solve. Here’s my take.

Insider Threat is a “User Problem”

Probably the most respected definition was written (and updated in 2017) by Carnegie Mellon’s CERT Insider Threat Center:

“Insider Threat – the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

According to CERT, insider threat is all about the individual, the person, the employee, the user. Every possible user action that may cause harm to an organization is covered. That includes fraud, IP theft, sabotage, espionage, workplace violence, social engineering, accidental disclosure and accidental loss or disposal of equipment or documents. 

Given this widely accepted user-centric definition, security buyers often look to user-centric tools — like user behavior analytics (UBA), user and entity behavior analytics (UEBA) or user activity monitoring (UAM). Tools like these collect and analyze mountains of user activity metadata that gets pumped into a SIEM, correlated with other data and automated through a SOAR. Voila — your insider threat problem is solved.  

If only it were that simple. The truth is that user-behavior and monitoring tools are just one piece of the puzzle. Relying solely on UBA, UEBA or UAM tools can keep you guessing at what, I mean who, is a real threat.  

Insider Risk is a “Data Problem”

Insider risk is a different ball game. When it comes to managing or mitigating insider risk, the focus shifts from centering solely on the user, to taking a broader, holistic approach to understanding data risk. No standards body, to my knowledge (unless you consider Microsoft a “standards body”), has defined insider risk. So, we created a (short and sweet) definition:

“Insider risk occurs when data exposure jeopardizes the well-being of a company and its employees, customers or partners.”

The keywords are “data exposure.” Insider threat is a user problem. Insider risk is a data problem. At Code42, we solve for both, but our approach centers on the risks of data exposure. Heck, our product’s console is called the “Risk Exposure Dashboard” and our annual research report is titled the “Data Exposure Report.” The fundamental difference between user-centric insider threat tools (UBA, UEBA, UAM) and an insider risk solution like ours is that they take a policy-based approach, whereas we take a math-based approach. Our approach takes into account all sides of the equation:  

File + Vector + User = Risk

  • We look at all data (not just classified data) 
  • We factor in vector detail (endpoint, cloud, email, trusted vs. untrusted domains, corporate vs. personal) 
  • We consider every user (not just users with current or past privileged access)

When all three variables of the equation are taken into account, you end up with an insider risk signal that is — dare I say — real. Here is an example:

File + Vector + User = Risk

  • File: Sales Strategy presentation, not labeled or tagged as sensitive
  • Vector: Uploaded to Dropbox – an unsanctioned cloud service
  • User: The user changed the file type, zipped it and encrypted it

The indicators of insider risk resulting from data exposure are stronger when factoring in the data, vector and user file activity (threat context). There are dozens of insider risk use cases like the one above that completely fly under the radar of most security tools, hence the reason to approach insider risk holistically:

  1. The tool by rule watches labeled or tagged data (e.g. DLP)
  2. The tool by rule watches specified vectors (e.g. CASB)
  3. The tool by rule watches on-network employee application usage (e.g. UBA, UAM)
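To make the “File + Vector + User = Risk” idea concrete, here is an added example (not Code42’s code or scoring model) that scores a file event on all three sides of the equation and contrasts it with a label-only DLP-style rule. The weights, thresholds, sanctioned-destination list, indicator names and sample events are all constructed assumptions for the illustration; the first sample event mirrors the Sales Strategy presentation above. It also aggregates events per user to flag bulk transfers to cloud or removable media, which goes one step beyond the single-event example in the text.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed, illustrative implementation of the post's "File + Vector + User = Risk"
# formula. Weights, thresholds and destination lists are assumptions for this
# example, not Code42's scoring model.

# Destinations the organization sanctions (constructed).
SANCTIONED_DESTINATIONS = {"sharepoint.corp.example", "drive.corp.example"}

# How much each exfiltration vector contributes on its own (assumed weights).
VECTOR_WEIGHT = {"endpoint": 0, "email": 2, "cloud": 2, "removable_media": 3}

# Behavioural indicators observed around the event (assumed names and weights).
USER_INDICATOR_WEIGHT = {
    "renamed_extension": 2,   # file type changed, e.g. .pptx -> .txt
    "zipped": 1,
    "encrypted": 3,
    "off_hours": 1,
    "departing_employee": 3,
}


@dataclass
class FileEvent:
    file_name: str
    labeled_sensitive: bool            # DLP-style classification tag present?
    vector: str                        # key of VECTOR_WEIGHT
    destination: str                   # domain/service, or "usb" for removable media
    user: str
    user_indicators: list[str] = field(default_factory=list)


def file_score(ev: FileEvent) -> int:
    """Every file counts (base 1); a classification label only adds to that."""
    return 1 + (2 if ev.labeled_sensitive else 0)


def vector_score(ev: FileEvent) -> int:
    """Sanctioned destinations score 0; untrusted ones get vector weight plus a penalty."""
    if ev.vector == "endpoint" or ev.destination in SANCTIONED_DESTINATIONS:
        return 0
    return VECTOR_WEIGHT[ev.vector] + 2


def user_score(ev: FileEvent) -> int:
    """Sum of weights for the behavioural indicators seen on this event."""
    return sum(USER_INDICATOR_WEIGHT.get(i, 0) for i in ev.user_indicators)


def risk_score(ev: FileEvent) -> int:
    """File + Vector + User = Risk."""
    return file_score(ev) + vector_score(ev) + user_score(ev)


def risk_level(score: int) -> str:
    """Bucket a score into a severity (assumed thresholds)."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def dlp_rule_fires(ev: FileEvent) -> bool:
    """Policy-style check: only labeled files leaving via a watched vector."""
    return ev.labeled_sensitive and ev.vector in {"email", "cloud", "removable_media"}


def bulk_transfer_users(events, threshold: int) -> list[str]:
    """Users who moved more than `threshold` files to cloud or removable media."""
    counts = Counter(e.user for e in events if e.vector in {"cloud", "removable_media"})
    return sorted(u for u, n in counts.items() if n > threshold)


# Constructed sample events; the first mirrors the post's worked example.
SAMPLE_EVENTS = [
    FileEvent("Sales Strategy.pptx", False, "cloud", "dropbox.com", "alice",
              ["renamed_extension", "zipped", "encrypted"]),
    FileEvent("Q3 Board Deck.pptx", True, "cloud", "sharepoint.corp.example", "bob"),
    FileEvent("notes.txt", False, "endpoint", "", "carol"),
] + [FileEvent(f"design_{i}.dwg", False, "removable_media", "usb", "dave") for i in range(6)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS[:3]:
        s = risk_score(ev)
        print(f"{ev.file_name:22} dlp_rule={dlp_rule_fires(ev)!s:5} risk={s:2} ({risk_level(s)})")
    print("bulk transfers:", bulk_transfer_users(SAMPLE_EVENTS, threshold=5))
```

Running it shows the unlabeled Sales Strategy file scoring high (11) while the label-only rule stays silent, and the labeled board deck sent to a sanctioned destination scoring low even though the label-only rule fires on it; the bulk-transfer check flags only the user who copied six drawings to removable media.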

Now, you could take your DLP solutions for endpoint and email, your CASB, add UBA for users, and pull in network logs, identity and access management logs, etc. into your SIEM, run all kinds of policy-based correlations and queries and say you’re covered. This rules-based approach is designed for large, sophisticated and mature security teams — and even the most sophisticated security teams are strapped for time and frustrated with all of the complexity and noise involved in maintaining such systems. And after it’s all said and done, are the systems even working? There are countless examples that they are not.  

Insider threat or insider risk? It comes down to deciding to take a policy-based approach centered on human foresight or a math-based approach centered on data exposure. When it comes to solving for insider risk, follow a simple formula and do the math. Because at the end of the day, math — as opposed to guesswork — always wins.

Security that enables collaboration – now there’s an idea

As much as we may not like to talk about it, half of the major threats to the security of our corporate data come from the inside. That doesn’t mean that our employees are malicious — insider risk can surface in numerous ways: user errors and accidents, lost or stolen devices, even hardware failures — and the list goes on. In fact, a report by International Data Group (IDC) showed that three of the top five most common high-value information incidents involve insiders.

Given this, it’s no surprise that for years, organizations have been using data loss prevention (DLP) solutions to try to prevent data loss from happening. The problem is that the prevention-first approach of DLP solutions no longer meets the needs of today’s IP-rich, culturally progressive organizations, which thrive on mobility, collaboration and speed. The rigid “trust no one” policies of legacy DLP block user productivity and are often riddled with exceptions and loopholes. For IT, legacy DLP solutions can be expensive to deploy and manage — and only protect selected subsets of files.

A fresh start

A prevention-based security focus forces a productivity trade-off that isn’t right for all companies — and isn’t successfully stopping data breaches. That’s why it’s time for organizations to rethink the very concept and shift their focus from prevention to data risk detection and response. Data Risk Detection & Response enables security, IT and legal teams to protect their organization’s data more quickly, more easily and together, while fostering and maintaining the open and collaborative culture their employees need to get their work done.

Rather than enforcing strict prevention policies that block the day-to-day work of employees, an approach focused on fast, simple and accurate detection and response clears the way for innovation and collaboration by providing real-time visibility to when data is put at risk.

Security: from Police to Partner

By focusing on all files in an organization, Data Risk Detection & Response (we’ll call it DRDR for simplicity’s sake) offers additional benefits for Security’s partners in IT, Legal and HR:

  • Fosters employee productivity: Data Risk Detection & Response enables employees to work without hindering productivity and collaboration. Workers are not slowed down by “prevention-first” policies that inevitably misdiagnose events and interfere with their ability to access and use data to do their work. This is music to the ears of IT and HR leaders who are empowered by the CEO to build and foster a collaborative, innovative and results-oriented culture.
  • Simplifies risk investigation and remediation: Unlike DLP solutions, DRDR does not require policies — so there is no complex policy management. Because DRDR continuously watches ALL files and file activity, it can automatically assess risk by correlating metadata based on file type, owner, event, source, destination, and dozens more. While DRDR doesn’t require policies, security and legal teams can still use it to verify data use. For example, administrators can be alerted when an unusually large number of files are transferred to removable media or cloud services. If the files have already left the organization, DRDR can see exactly what was taken and restore those files for rapid investigation and legal response. Long-term file retention helps satisfy legal and compliance requirements too – providing a complete data history for as long a time period as an organization requires.
  • Lives in the cloud: As a cloud-native solution, DRDR frees IT from expensive and challenging hardware management, as well as the complex and costly modular architectures that are common with DLP. Because DRDR is a cloud-native solution, IT can rapidly deploy, and since the extensive time and effort required to create and refine policies is not needed – security can rapidly reap the rewards. This is especially important for resource constrained Security teams or IT teams that also wear the security hat.

A new paradigm for Insider Risk

Data Risk Detection & Response is a huge departure from legacy prevention solutions, but it’s a logical and necessary evolution of data protection given the growth of insider threat and the changing corporate cultures and work preferences of today’s IP-rich and culturally progressive organizations — small, mid-size and large. Companies today are looking for better ways to protect their data while freeing employees to create the ideas that drive the business.  Security that enables collaboration – now that’s an idea worth exploring.

Original post appeared on Code42

Debunking Data Loss Prevention

It’s all about the data.

Ultimately, people are looking for solutions to their security challenges. They are looking for the technologies that will help them manage their security posture and answer fundamental questions about data: Where is my data? Who has access to my data? How can I monitor when data is leaving my network? How do I know what data is leaving my organization? Bottom line—how can I protect my data?

“I love my DLP.” Said no one ever.

At Code42, we’ve been talking about a new approach to data security. In fact, it’s a whole new take on Data Loss Prevention (DLP). At its core, our approach debunks the fundamental requirements of policies, classifications and blocking — the things that we’ve learned to love to hate about DLP. And there are other major advantages to our new solution. It lives in the cloud, eliminates long deployments, and gives security teams visibility to every version of every file. We call it “Data Risk Detection & Response” — a solution that is defined not by what you can prevent, but rather by how quickly you can detect, investigate and respond to data risk and thus reduce business risk.

Let’s face it. Gone are the days where you can build walls big enough to prevent data from getting outside your organization. Traditional DLP solutions aren’t working. The reality is that complicated and policy-laden security strategies run counter to the needs of today’s IP-rich, culturally progressive organizations, which thrive on mobility, collaboration and speed to get work done. Yes, the endgame of data risk detection & response is a direct challenge to the status quo. But you cannot argue the fact that we as an industry need a quicker, easier way to protect data from loss, leak, misuse and theft. Just Google “stolen trade secrets” or “intellectual property leak” and read the headlines. It doesn’t seem like we are preventing much these days.

Original post appeared on Code42