Our story starts back in late 2019 — which seems like eons ago, for a number of reasons. Like most security teams, at Rakuten, we’d had insider threat on our long list of priorities, but it was a customer requirement for a “valid DLP solution” that pushed us into action as we headed into 2020. Then COVID hit — and it just accelerated everything. Our workforce embraced the work-from-home shift wholeheartedly, and that increased the urgency to implement an insider threat program. Rakuten is a large organization with multiple business units in just about every segment, so we have disparate types of critical assets and critical information. We needed to better understand what IP was where — and what data mattered for our business.
We’ve accomplished a lot in the past year — implementing and scaling up a modern approach to insider risk management — and, looking back, here are the big lessons we learned along the way:
1. We needed to take a more modern approach
As we got started, we knew we wanted to embrace a more modern cybersecurity approach — one focused on detection and prioritizing risk, as opposed to the traditional reliance on prevention-based controls. Especially with the distributed workforce that we’re now embracing, it’s just not tenable for us to implement some of these preventive controls across our large organization. In our case, we wanted to be able to see all file activity and have all that file information coming into Exabeam, our security management platform, so we could model alerts on anomalous activity — as opposed to setting up the “prevent all” defense where we’re guessing what that risky activity might look like ahead of time. Leveraging Code42 Incydr with Exabeam Advanced Analytics would help us mitigate IP theft and accidental data leaks – and also allow us to operationalize how we handled our insider threat investigations without the data classification and policy challenges that come with a conventional DLP approach.
2. You don’t know what you don’t know
Of course, when embarking on any big initiative, you expect to learn new things along the way, so we had to start from a place of saying, “We don’t know what we don’t know.” Early in the process, we worked with the Code42 team to complete a very comprehensive Insider Risk Management assessment, which involved my CISO and cross-functional stakeholders in Legal and HR. That discovery opened our eyes and gave us a good blueprint for the program we needed to build for our organization. We saw that we had some decent policies and governance for some types of data, but the lifecycle management of our employees and access controls weren’t very mature. That initial assessment took us down multiple tangents that we hadn’t really thought through – and it definitely evolved the scope of what we needed to do. We needed to build a more comprehensive program and risk-aware culture – it was much bigger than installing software to solve the problem. We started small with IT and security operations, and we’ve gradually expanded that and pushed it out to the enterprise.
3. Opening Pandora’s Box
Once we set up the cloud connector into Exabeam, I joked that Code42 Incydr is like opening Pandora’s Box because you’re suddenly going to see all of the activity, along with a lot of great telemetry data points. Our eyes were opened to things we weren’t expecting to see. For example, we already knew we had to focus on departing employees and high-risk employees, but one thing we hadn’t even considered and is now top of mind is new hires: watching for a new hire that comes in and does something quite suspicious and then is gone in 60-90 days, or a new hire that plugs in a thumb drive and infiltrates a bunch of potentially stolen files and data. That’s been one of our biggest learning curves — seeing the Insider Risks we weren’t looking for.
4. Leveraging Incydr with Exabeam to tune out the noise
For us, with a company of 40,000 people, the noise could quickly get overwhelming. But we leverage the Incydr lenses religiously to help develop our risk analysis. And we’re working toward automating more of it. For example, we have APIs built in with our HR applications that let us pull in new employees, departing employees and create other watch lists. Then, we can combine Incydr’s capabilities with Exabeam’s, so we can say, “When an employee is on this watch list and does X, then it triggers an incident in our system, so we can investigate.” For honing our focus, one of the things we really love is the file hashes that Incydr gives us on every file. We’ve used those file hashes to create a database of critical files. So, now we can run queries to find out where a given critical file lives within the environment — and we can see the suspicious anomalies. Here’s another way we tune out the noise and focus on our real risks: We know source code file types. So we can establish baselines for normal activity around source code. This essentially enables us to answer (typically very expensive questions) up front, with no investigation: Is this abnormal? What is the exposure of this file?
5. Building a more risk-aware culture
We were fortunate to have HR and Legal’s involvement from the start. Based on the findings from our assessment with Code42, implementing the right security tech was just the tip of the spear. Implementing our Insider Risk program would not be successful without them – from getting end user buy-in (because let’s be honest, no one likes a big brother) to carrying out the “human” actions involved in right-sized incident response. HR and Legal also helped us define policies and played a heavy influence in how we built our case-management workflows. Since these were the teams who were going to carry out the human response element of our program, it was important to ask the questions upfront: When we see something (and we will), then what? Because at the end of the day, if our security team surfaces a risk and it goes nowhere, what’s the point?
What our Insider Risk management process looks like today
I like to say that our security team is an objective sensor. We view HR and Legal as our customers. The Incydr product feeds high fidelity signal and context for all our file activity into the Exabeam Security Management Platform. We use that integrated solution to detect, analyze and provide context and ultimately respond to identified Insider Risk. Then, when the situation warrants, we package that and hand it off to HR and Legal to make the final decision on whether and how to resolve the case, whether that be a corrective conversation, involving the employee’s manager, or something more serious.
My three biggest takeaways
If I’m talking to a peer who is just starting this journey, here are the three things I’d tell them:
- You have to figure out where you’re at on the map before you can figure out how you’re going to get where you want to go.
- You need stakeholder buy-in — security can’t do it alone. The more collaboration you have with key cross-functional stakeholders like HR and Legal, the more successful your program will be.
- Insider Risk Management is a people-powered process — not a standalone software solution.