To combat insider threats, arm yourself with a 3-pronged strategy

Data loss prevention, endpoint encryption and analytics combine to help you stay alert and safeguard your most sensitive information.


The annual Insider Threat Report offers a good snapshot of how executives and IT specialists at companies large and small are trying to secure their most valuable data. With growing awareness that attacks from within, both malicious and inadvertent, rank among an organization's biggest threats, businesses are spending more and more to protect themselves.

But are they spending wisely?

The latest report suggests they are not. While 90% of organizations say they feel exposed to insider threats and 49% plan to increase their budgets on security next year, nearly half of those surveyed (48%) believe their solutions are only somewhat effective at stopping threats and 13% say they’re not working.

What kinds of prevention systems are they buying? According to a recent survey of cybersecurity executives commissioned by the LinkedIn group Cybersecurity Insiders, companies are implementing log management (62%), data loss prevention, or DLP (60%), identity and access management, or IAM (56%), and security information and event management, or SIEM (51%). But only 39% use user behavior analytics (UBA) to monitor how their employees actually behave.

Focusing on the data, and on the devices from which it can be reached, is essential. Solutions like DLP and endpoint protection are indispensable elements of a strong defense. What is too often missing, and what IAM and logs only touch on, is a focus on the user. Without the ability to detect patterns of user behavior, both legitimate and illegitimate, a security system is incomplete. “To identify and prevent insider attacks, you have to have all three legs of the stool working together,” says Mike Tierney, CEO of Veriato, a company that provides employee activity monitoring and behavior analytics software. “You want all solutions to share intelligence and interact with each other.”

Why? You can tag and classify sensitive data. You can encrypt the right laptops, tablets, and mobile devices. But suppose an authorized user with valid access to the data does something unusual. How can you tell whether it was done inadvertently or deliberately? Is there a reasonable explanation for the incident, or is it something nefarious? DLP and endpoint controls record that the event happened; on their own they cannot tell you whether it was legitimate. For that you also need a baseline of that user's normal behavior to put the incident in context.

Consider each solution separately.

1. DLP

DLP recognizes and classifies sensitive information. That data can be structured, such as fields in a spreadsheet or database, or unstructured, such as text documents, PDF files, and videos. It can be classified through content inspection (recognizing a nine-digit Social Security number or a 16-digit credit card number, for example), through labels already applied to classified information, or through contextual analysis that examines where the data originated and which users have legitimate access to it. Pattern matching alone produces false positives (many 16-digit strings are not card numbers), so mature products validate each match, with checksums or known-issued ranges, and weigh the surrounding context before acting. Some DLP systems are flexible enough to prevent exfiltration without interfering with legitimate use or business processes.

Having a DLP solution in place is crucial for organizations. DLP systems help identify which data is sensitive and needs to be secured. The right solution can also reduce the stress and chaos of a breach by ensuring critical data cannot be removed, whether by insiders or outsiders. A robust DLP system works quickly and accurately, with a low false positive rate. “Not everything that's removed from an organization is done maliciously. Data classification can help bring both content and context awareness to data and determine how each file should be handled,” explains Dave Karp, chief product officer at Digital Guardian, a data loss prevention software company.
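As an added illustration of the content-inspection step described above, the following scanner is example code written for this page; it is not from Digital Guardian or any other product. It matches card-number and SSN shapes with deliberately loose regular expressions, then validates each hit (the Luhn check digit for cards, the Social Security Administration's never-issued ranges for SSNs) so that order numbers and ticket references do not turn into alerts. The sample document is constructed, and the `restricted`/`internal` labels are assumed names.

```python
"""Content inspection as a DLP engine does it: match a pattern, then validate it.

Added example for this page, not the article's or any vendor's code. The
patterns, labels and the sample document are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Candidate patterns. Both are loose on purpose; the validators below are what
# keep the false-positive rate down.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")       # 16 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")   # nnn-nn-nnnn


@dataclass
class Finding:
    kind: str       # "card" or "ssn"
    redacted: str   # last four digits only: an alert must not re-leak the data
    start: int      # character offset in the scanned text


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan(text: str) -> List[Finding]:
    """Return validated findings, ordered by position in the text."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", "*" * 12 + digits[-4:], m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), m.start()))
    return sorted(findings, key=lambda f: f.start)


def classify(text: str) -> str:
    """Content-based label (assumed names). A real policy would add context:
    who owns the file, which share it came from, who may legitimately read it."""
    return "restricted" if scan(text) else "internal"


# Constructed sample document (not real data).
SAMPLE = (
    "Refund to card 4111 1111 1111 1111 approved.\n"   # passes Luhn
    "Order 1234-5678-9012-3456 shipped.\n"             # 16 digits, fails Luhn
    "Employee SSN 123-45-6789 on file.\n"              # plausible SSN
    "Ticket ref 987-65-4320 closed.\n"                 # SSN-shaped, area 9xx never issued
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:4} at {f.start:3}: {f.redacted}")
    print("label:", classify(SAMPLE))
```

Run against the sample, the two decoys (the order number and the ticket reference) are dropped by validation and only the genuine card number and SSN are reported, redacted. That two-stage shape, cheap pattern match followed by a stricter check, is what lets a DLP policy block exfiltration without drowning analysts in false positives.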

2. Endpoint security

When it comes to endpoint security, having controls in place for employee mobile devices, laptops, and desktops (all potential attack vectors) is essential too. A good endpoint security solution can visualize real-time threat data, secure the endpoints on a network, block unauthorized access attempts, and reveal other risky activity. Endpoint DLP agents can also enforce encryption of enterprise data written to removable media such as USB drives and optical discs. A fine-tuned system can detect when a user tries to manipulate a sensitive file or email an important document. “E-mail is the most abused threat factor,” says Karp. “Endpoint security allows you to monitor what’s moving through email and through defined settings and policies, encrypt data or block it from moving through the gateway.”

Having endpoint security is imperative, just as DLP is. But by themselves, they cannot tell you whether an authorized insider is using data in a legitimate or an unauthorized way. That is where user behavior analytics (UBA) comes in: it places an individual's activity against that person's own history, flags deviations, and gives the analyst the context needed to decide what action to take. And that is why all three systems are vital in protecting your most valuable assets.

3. UBA

UBA establishes patterns of normal behavior for every inside user and raises an alert when an event falls outside that pattern. “It helps you look for abnormal usage, the thing that Larry in accounting—a guy who normally has access to the finance system—is doing that he doesn’t normally do,” explains Tierney of Veriato. “He may be accessing the system more frequently or printing way more than usual. Perhaps he’s preparing for an audit—or, maybe, not.” In this case a DLP policy may be irrelevant, because Larry is authorized to read the data, and encryption won't help either, because his endpoint decrypts it for him. Only an analysis of his behavior over time, compared with his own baseline, can equip you with the information needed to take the appropriate action.
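The baseline-then-alert logic behind the “Larry in accounting” scenario, written as an added example for this page (not Veriato's code or the article's): each user's daily count per action is baselined over a training window, and the day under review is scored as a z-score against that user's own history. The activity log, the user names, the 20-day window and the 3-sigma threshold are constructed assumptions.

```python
"""User behavior analytics in miniature: per-user, per-action daily baselines.

Added example for this page, not code from the article or from any UBA
product. The activity log is constructed; users and thresholds are assumed.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Event = Tuple[int, str, str]          # (day, user, action)

# Larry's ordinary 20 working days: a handful of finance logins, a few print jobs.
LARRY_LOGINS = [4, 5, 6, 5, 4, 5, 6, 4, 5, 5, 4, 6, 5, 4, 5, 6, 5, 4, 5, 5]
LARRY_PRINTS = [2, 3, 2, 2, 3, 2, 3, 2, 2, 3, 2, 2, 3, 2, 3, 2, 2, 3, 2, 2]


def build_events() -> List[Event]:
    """Constructed activity log standing in for SIEM, DLP and print-server events."""
    events: List[Event] = []
    for day, (n_login, n_print) in enumerate(zip(LARRY_LOGINS, LARRY_PRINTS), start=1):
        events += [(day, "larry", "finance_login")] * n_login
        events += [(day, "larry", "print_job")] * n_print
    # Day 21: logins look normal, printing does not.
    events += [(21, "larry", "finance_login")] * 6
    events += [(21, "larry", "print_job")] * 40
    # Dana prints 35 jobs every day; for her, that volume *is* the baseline.
    for day in range(1, 22):
        events += [(day, "dana", "print_job")] * 35
    return events


@dataclass
class Verdict:
    user: str
    action: str
    observed: int
    baseline_mean: float
    z: float
    anomalous: bool


def daily_counts(events: Iterable[Event]) -> Dict[Tuple[str, str, int], int]:
    """(user, action, day) -> number of events that day."""
    counts: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for day, user, action in events:
        counts[(user, action, day)] += 1
    return counts


def baseline(counts, user: str, action: str, train_days: List[int]) -> Tuple[float, float]:
    """Mean and population std-dev of the daily count over the training window.

    The std-dev is floored at 1.0: a perfectly regular user would otherwise
    produce an infinite z-score on the first one-event deviation.
    """
    series = [counts.get((user, action, d), 0) for d in train_days]
    return statistics.fmean(series), max(statistics.pstdev(series), 1.0)


def detect(events: Iterable[Event], day: int, train_days: Iterable[int],
           threshold: float = 3.0) -> List[Verdict]:
    """Score every (user, action) active on `day` against that user's own history."""
    counts = daily_counts(events)
    train = list(train_days)
    verdicts: List[Verdict] = []
    for user, action in sorted({(u, a) for (u, a, d) in counts if d == day}):
        mean, sd = baseline(counts, user, action, train)
        observed = counts[(user, action, day)]
        z = (observed - mean) / sd
        verdicts.append(Verdict(user, action, observed, mean, z, z > threshold))
    return verdicts


if __name__ == "__main__":
    for v in detect(build_events(), day=21, train_days=range(1, 21)):
        flag = "ALERT" if v.anomalous else "ok   "
        print(f"{flag} {v.user:6} {v.action:14} observed={v.observed:3} "
              f"baseline={v.baseline_mean:5.2f} z={v.z:6.2f}")
```

On day 21 Larry's 40 print jobs are flagged against a baseline of about two, while his six logins are not, and Dana's 35 print jobs pass because that is normal for her. The same absolute volume yields opposite verdicts because the baseline is per user, which is the point of UBA over a static DLP rule. Note also what the alert does not say: it tells you that Larry's behavior changed, not whether he is preparing for an audit or for an exit. That judgement still belongs to the analyst who triages the alert.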

In an era of constant attacks from insiders, a data loss prevention program is essential. So is the encryption of endpoint devices. But protecting your most essential data assets is incomplete without analytics that track user behavior. You need all three to stay alert and safeguard your most sensitive information.

This article is published as part of the IDG Contributor Network.
