Insider Threat

Insider threat is increasingly taking center stage with security teams, and for good reason. Despite heavy investments in perimeter security, breaches are still on the rise. As workforces become more dynamic and distributed, security teams are actually finding their existing visibility and controls eroding. With these changes, the new focus is on finding new ways to secure each user.

The classic definition of "insider threat" is the malicious insider who is looking to steal data or sabotage systems. However, most security teams now realize that they need to widen their definition. Insider threat now covers three areas:

• The malicious insider; malicious insiders intentionally set out to harm or steal from their employer.
• The infiltrator; infiltrators are outside attackers who gain unauthorized access to internal systems.
• The ignorant insider; the ignorant insider is a well-meaning user who accidentally puts the company at risk.

These three cases are individually quite different. Each insider has different motivations and intentions. All three, however, ultimately put the enterprise at risk due to the actions of an internal actor. It's critical to be aware of how broad the term "insider threat" can be, since knowing the differences between these types of insiders highlights the need for a flexible, adaptive solution. Ignorant users are by far the largest risk to an organization. These are typically hardworking employees with good intentions that lack capacity or knowledge that may result in impacting the organization.

There is no one-size-fits-all solution to protect against the insider element – especially since insider threats can come in so many wildly different forms, from the traditional malicious insider, to simple human error or negligence, to outside infiltrators or credential thieves.

Yet, dozens of solutions have emerged in recent years that claim to "stop" insider threats. Many of these tools have little in common with each other, each exhibiting extremely different technology and approaches.

Many of these solutions fall into one of several broad categories:

• Endpoint Detection and Response (EDR) / Endpoint Protection Platforms (EPP) - Endpoint-based tools that monitor endpoint activity and alert on indicators of compromise, largely with the goal of catching and stopping viruses and malware.
• Cloud Access Security Brokers (CASB) - Network-focused tools that enforce security policies by monitoring how cloud-based resources are accessed.
• Data Loss Prevention (DLP) - Endpoint-based tools that rely on rules and data classification to enforce how users interact with data (such as by blocking certain files or file locations from certain types of users, etc).
• Legacy Employee Monitoring - Tools that record all employee activity, often with heavy measures like continuous screen recordings, keylogging, and screenshots.

The portfolio of iSOC24 has the DTEX InTERCEPT solution for Insider Threat Protection. The DTEX InTERCEPT solution, however, falls into none of the above mentioned categories. It is the only insider threat protection platform built from the ground-up to detect, understand, and investigate insider threats, and it does this through User Behavior Intelligence:

• DTEX's Workforce Cyber Security - DTEX monitors user activity from the endpoint in the form of metadata to establish a full audit trail, and then uses machine learning and field-tested user behavioral models to alert on abnormal user and identity activity.

In a landscape full of vendors building completely different solutions that all claim to solve the same problem, building an effective insider threat posture means truly understanding what each of these solutions do and don't do – and then addressing the gaps.

The key is choosing a purpose-built solution, developed from the ground up with a specific goal in mind: shining a light on insider threats. In order to find a purpose-built solution, however, there must be a clear understanding of the elements that comprise one. The answer lies in these five keystones:

• Visibility
• Intelligence
• Scalability
• Agility
• Privacy