
“Good Enough” Isn’t Enough to Stop Data Loss

Five years ago, the toughest part of my job was convincing the world that insider threat was a big problem. Fast forward to today, and everyone knows insider threat is the biggest everyday data security risk they face. But a new problem has emerged: with widespread awareness of insider threat has come a false sense of confidence. Many CISOs I talk to tell me that they’ve put tools in place — DLP, EDR, CASB, etc. — to stop data exfiltration, and they’re confident they’ve got insider threat covered. But the brutal truth is that “better than we used to be” often isn’t enough. There’s still a major gap in the typical security stack — and it’s putting their data and business at risk.

Overconfidence is rampant, but the statistics tell a different story

Most companies have beefed up their security stack in the past few years. I don’t want to take away from the value of these efforts, but I do want to point to the statistics showing the continual upward trend in insider threat incidents. Every week, that harsh truth hits home for another company, as we read about the latest high-profile insider threat incident that surprised, embarrassed and damaged a company that had been quite confident in their airtight security stack. Like I said, better than before isn’t enough.

The fatal flaw in the policy-based security stack

Almost all conventional data security tools are guided by policies, rules or other admin-defined parameters. DLP, EDR, CASB and the like do an excellent job of hunting down, flagging and sometimes even stopping actions based on defined rules and policies. But therein lies the problem: they can only look for what you tell them to look for. The reality is that you can’t think of everything. No one can. You can’t think of every possible way that an insider could take a given file or data type, so they will always be one (or several) steps ahead. (As a side note, there are now many ways of exfiltrating data that traditional DLP solutions simply cannot cover. Traditional DLP focuses on devices and networks; but things like Bluetooth, AirDrop, etc., don’t always show up on either the device or the network.)

Moreover, a lot of companies think their tools are focused on the right files and the right data. But users create new files every day, and the dynamic nature of modern work means that a given file can go from a low-value work-in-progress to a highly sensitive innovation-in-progress within the course of a single day. It’s almost impossible to think of (and stay current with) all the valuable, sensitive and vulnerable files and data types across your entire organization.

Case in point: the recent McAfee insider data theft incident. Three departing employees copied company trade secrets onto USB drives and simply walked out the door. How did a leader in data loss prevention not catch and stop this obvious theft? Because the data they took — sales and marketing files — were not traditionally tagged as IP. The bottom line: If traditional DLP doesn’t stop data loss for McAfee, it won’t stop data loss for you.

You can’t lock down all your trade secrets & IP

Even if you could account for every potentially valuable or sensitive file in your organization, you can’t just lock all these files down. A lot of this information needs to move. Things like source code, customer lists and collaborative development projects need to move between users and even outside your organization in order to keep work moving forward. So you end up writing all sorts of exceptions to your security policies – and in the process, take the teeth out of your policy-based security tools. This makes it much easier for an employee to find a workaround, or a way to take files that look normal.

You don’t know what you can’t see – so you don’t know when you’ve been beaten

The second fatal flaw of conventional security tools like DLP: they don’t know when they’ve been beaten. They’re focused on seeing specific user actions. If the user action falls outside those defined rules, they don’t see it — and that means you don’t see it. In practice, that means that when users (inevitably) find ways around DLP, you most likely will have no idea until it’s too late to do anything about it. In fact, most companies only discover the data loss because of the proximate damage it causes to their business — weeks, months or years down the line — when a competitor beats them to the market with copycat technology or poaches clients with a leaked customer list.

You need to start with data behavior, not user behavior

All the problems with rigid rules point to an obvious solution: consider the context and behavior surrounding a specific action. There are a lot of solutions that focus on user behavior — trying to pull out context and identify risk by monitoring every keystroke of their employees. But that kind of intrusive employee monitoring comes with its own set of issues. There are ethical privacy concerns, as well as a growing body of legal precedent suggesting you need a discrete reason to monitor an employee. Legality aside, invasive monitoring can hurt workplace culture, reduce staff satisfaction and even impact productivity. Moreover, we’ve already established that users’ creativity is often one step ahead of even the best pattern recognition software.

At Code42, we take a different approach: We watch the data — how it changes and where it moves. Users can trick you, but data doesn’t lie. Our underlying real-time backup technology means we’re able to watch all your data, all the time — so we understand what “normal” looks like. If we see something unusual, only then do we enable security to associate it back to the user. We start with cause, then investigate. This eliminates the privacy concerns, and ultimately keeps your attention focused on what you’re really trying to protect: the data.

The big objection: I can’t watch all my data, all the time

All-encompassing data visibility sounds nice, but that alone doesn’t solve the problem of seeing the actual risks and threats amid the ocean of normal activity. When I explain how Code42 is different, I normally get a flood of objections like: Won’t we have to configure the system to provide alerts? Won’t someone have to manage all those alerts? My team is already buried in alert management – you’re just adding to my problem. Here’s what I tell them…

Code42 gives you a clear signal of your risk

Comprehensive data visibility is the foundation of Code42. We know what normal looks like, and we know what your biggest risks look like. For example, we know that departing employees account for around half of all insider data loss incidents. We also know that M&A, or another type of company re-organization, creates one of the most acute risks of insider data loss. So, we focus our attention on these high-risk situations. We’ve already developed the algorithms and defined the parameters on our end — building simple tools like our departing employee lens that focus on these risks — so we’re not placing that burden on you.

Ultimately, we’re watching the behavior of all your data and using our deep data visibility to put relevant context around that activity before triggering an alert — instead of leaving that contextual analysis burden to your team. This minimizes alerts, so your team gets alerts you can trust and act on.

Giving you instant information to investigate immediately

Detecting risky user actions that have slipped past policy-based security tools is an incredibly important capability. But detection is just the first step; you need to be able to determine exactly what happened, if it’s risky, and what needs to be done. And you can’t afford to spend multiple days piecing together that story while your data is still at risk.

Code42 pulls together all that file activity and contextual information to give you distinct answers: this file was copied to this cloud with this browser tab URL, or this USB drive with this serial number, at this exact time. In essence, we give you an immediate answer to the question, “Where’d my file go?” And because Code42 automatically captures every version of every file, with the proper authorizations, you can even open the actual file in question to evaluate its contents and determine the risk. You get the definitive information you need to take action, faster.
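As an added illustration (not Code42’s code or algorithm), the following Python sketches the data-behavior approach described in the last few sections: baseline each user’s own off-endpoint file movement, alert only when today’s movement is far outside that baseline or the user is on a hypothetical departing-employee list, and attach the destination evidence (USB serial number, browser tab URL) an investigator needs to answer “where’d my file go?”. All events, user names, destinations and the threshold factor are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class FileEvent:
    day: str        # ISO date the file left the endpoint
    user: str
    path: str
    dest_type: str  # "usb" or "cloud"
    dest_id: str    # USB serial number or browser tab URL, as the post describes
    size_mb: int

# Constructed sample telemetry, not real data; no file carries an IP tag.
EVENTS = [
    FileEvent("2024-03-01", "alice", "/docs/roadmap.pptx", "cloud", "https://drive.example/u/1", 4),
    FileEvent("2024-03-03", "alice", "/docs/status.docx", "cloud", "https://drive.example/u/1", 3),
    FileEvent("2024-03-01", "bob", "/src/build.log", "usb", "SN-1111", 1),
    FileEvent("2024-03-02", "bob", "/src/build.log", "usb", "SN-1111", 1),
    FileEvent("2024-03-03", "bob", "/sales/customer_list.xlsx", "usb", "SN-9999", 120),
    FileEvent("2024-03-03", "bob", "/sales/pipeline.xlsx", "usb", "SN-9999", 80),
]
DEPARTING = {"alice"}  # hypothetical departing-employee lens input (e.g. an HR feed)

def daily_volume(events):
    """MB moved off-endpoint per (user, day), regardless of file type or tag."""
    vol = defaultdict(int)
    for e in events:
        vol[(e.user, e.day)] += e.size_mb
    return vol

def alerts(events, today, departing, factor=5):
    """One alert per user whose movement on `today` exceeds `factor` x their own
    prior daily peak, or is nonzero while they are in the departing lens."""
    vol = daily_volume(events)
    out = []
    for user in sorted({e.user for e in events}):
        prior = [v for (u, d), v in vol.items() if u == user and d < today]
        peak = max(prior, default=0)
        now = vol.get((user, today), 0)
        reasons = []
        if now > factor * max(peak, 1):    # far outside this user's own normal
            reasons.append("volume_anomaly")
        if user in departing and now > 0:  # high-risk context, not a file rule
            reasons.append("departing_employee")
        if reasons:  # carry the evidence that answers "where did my file go?"
            evidence = [(e.path, e.dest_type, e.dest_id)
                        for e in events if e.user == user and e.day == today]
            out.append({"user": user, "today_mb": now, "prior_peak_mb": peak,
                        "reasons": reasons, "evidence": evidence})
    return out
```

Note that the untagged sales spreadsheets are flagged because 200 MB to an unfamiliar USB serial is far outside bob’s own baseline of 1 MB a day, not because any classification rule named them.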

Are you comfortable with “good enough”?

It’s always hard to change the status quo — especially when you’ve done a lot of work and made major improvements to achieve the current state. CISOs have done an admirable job of bulking up their security stances with tools designed to prevent both internal and external data risks. But here’s the brutal truth: even the strongest prevention will fail sometimes. Because prevention tools can only stop what you tell them to stop. You can’t think of everything, you can’t lock down all your data (exceptions just create blind spots), and creative (or malicious, or industrious or simply self-serving) users will always stay one step ahead of policy. When user activities inevitably slip past prevention tools, they fall into a dangerous gap in your security stack. You don’t know what’s happened; you typically don’t know anything has happened at all. Your security team is flying blind.

Considering that insider threats like these account for 50% of data breaches, are you really comfortable with leaving this risk uncovered? Or is it time to re-think “good enough?”
