Although much of your insider threat program will consist of data security policies and employee training and awareness, those policies will need to be enforced with technology. When considering the types of tools that will support your insider threat program, choose the tools that provide the best detection, investigation, and response capabilities and offer the appropriate level of insight into data breach incidents.
You should also select tools that integrate well within your environment. Consider how they work with both internal processes and existing toolsets. For example, if you have an established automated employee off-boarding process, can you connect to those processes so that you have timely, accurate insights into employee status changes? The same holds true when it comes to employee onboarding.
With the wide range of security tools that already exist, where does Code42 Incydr fit in a security stack?
A paradigm shift is causing a change in the security stack
Today, a well-defined security stack might include some combination of EDR (or EPP), CASB and DLP to help prevent security breaches, along with a SIEM solution to help correlate and alert on events. Add to the mix a SOAR to build an incident response playbook. Despite this relatively mature tech stack, insider threat incidents are on the rise. Why?
This tech stack is built around network, endpoints and applications instead of the data itself. In a conventional data security paradigm, you lock down the ways employees can work with data. You buy more tech as new risks emerge. Employees find their way around your controls. Managing the stack and processes is complex and noisy. Response time is measured in days, weeks and months. And ultimately, your core problem remains. You still don’t know where data lives, when it moves and whether that movement represents measurable risk.
Today’s security tech stack is evolving into detection, investigation and response
Today’s security stack is built on the pillar of faster response. When prevention fails (and it’s often a case of when, not if), a tech stack that balances the needs of an increasingly mobile workforce with data security becomes essential.
- Detection: Organizations need to cover all possible data portability vectors via “data sources” such as Box, Dropbox, Microsoft OneDrive, email, GitHub, Slack, etc. Detection delivers timely, customizable alerts on risky data movement rather than impeding collaboration and productivity by blocking it outright.
- Investigation: There’s a lot of data to scrutinize when investigating insider threat situations. Workflows that guide organizations through situations like onboarding employees or managing high-risk users and departing employees provide faster, simpler context for assessing data risk.
- Response: Organizations may have an existing security stack that combines elements of detection and investigation to correlate and automate the incident response process. For example, integrations with Splunk Phantom, IBM Resilient and Palo Alto Networks Cortex XSOAR take data generated by Incydr to help build playbooks for incident response scenarios.
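The three pillars above (detect movement to a data source, add context such as departing-employee status from the off-boarding process, hand a scored alert to a response playbook) can be shown end to end in a few dozen lines. The following is an added illustration written for this article, not Code42 Incydr code or any vendor's event schema; the HR feed, the file-movement events, the list of sanctioned destinations, the scoring weights and the alert threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Data sources the article names as portability vectors. Which of them are
# sanctioned for corporate data is an assumption here; a real program configures it.
CLOUD_DESTINATIONS = {"Box", "Dropbox", "Microsoft OneDrive", "email", "GitHub", "Slack"}
SANCTIONED_DESTINATIONS = {"Microsoft OneDrive", "Slack"}
SENSITIVE_CATEGORIES = {"source_code", "spreadsheet", "customer_data"}

# Constructed HR feed, as an automated off-boarding process might export it.
HR_FEED = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "departing", "last_day": "2024-06-30"},
    "carol@example.com": {"status": "departing", "last_day": "2024-09-30"},
}

# Constructed file-movement events in an assumed, simplified shape.
EVENTS = [
    {"user": "bob@example.com", "destination": "Dropbox", "file": "billing-service.zip",
     "bytes": 5_000_000, "category": "source_code"},
    {"user": "alice@example.com", "destination": "Microsoft OneDrive", "file": "q3_forecast.xlsx",
     "bytes": 2_000_000, "category": "spreadsheet"},
    {"user": "alice@example.com", "destination": "GitHub", "file": "auth_lib.py",
     "bytes": 200_000, "category": "source_code"},
    {"user": "carol@example.com", "destination": "Box", "file": "agenda.docx",
     "bytes": 50_000, "category": "document"},
]
TODAY = date(2024, 6, 25)


@dataclass
class Alert:
    user: str
    file: str
    destination: str
    score: int
    reasons: list = field(default_factory=list)


def departing_users(hr_feed, today, window_days=14):
    """Users the off-boarding feed marks as leaving within window_days of today."""
    leaving = set()
    for user, record in hr_feed.items():
        if record.get("status") != "departing":
            continue
        last_day = date.fromisoformat(record["last_day"])
        if 0 <= (last_day - today).days <= window_days:
            leaving.add(user)
    return leaving


def score_event(event, departing):
    """Additive risk score; weights are illustrative assumptions, not a vendor model."""
    score, reasons = 0, []
    dest = event["destination"]
    if dest in CLOUD_DESTINATIONS and dest not in SANCTIONED_DESTINATIONS:
        score += 3
        reasons.append(f"unsanctioned destination: {dest}")
    if event["user"] in departing:
        score += 4
        reasons.append("departing employee (from off-boarding feed)")
    if event["bytes"] >= 1_000_000:
        score += 1
        reasons.append("large transfer")
    if event["category"] in SENSITIVE_CATEGORIES:
        score += 2
        reasons.append(f"sensitive category: {event['category']}")
    return score, reasons


def triage(events, hr_feed, today, threshold=5):
    """Detection + investigation context: return alerts at or above threshold, highest first."""
    departing = departing_users(hr_feed, today)
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, departing)
        if score >= threshold:
            alerts.append(Alert(ev["user"], ev["file"], ev["destination"], score, reasons))
    alerts.sort(key=lambda a: a.score, reverse=True)
    return alerts


def playbook_payload(alert):
    """Response hand-off: a flat, JSON-serializable record a SOAR playbook could ingest."""
    return {
        "severity": "high" if alert.score >= 8 else "medium",
        "user": alert.user,
        "file": alert.file,
        "destination": alert.destination,
        "score": alert.score,
        "reasons": list(alert.reasons),
    }


if __name__ == "__main__":
    for a in triage(EVENTS, HR_FEED, TODAY):
        print(playbook_payload(a))
```

The point of the example is the correlation step: the same Dropbox upload scores differently depending on what the off-boarding feed says about the user, which is why the article stresses integrating with employee status changes. Alerts below the threshold (the sanctioned OneDrive sync, the departing employee whose last day is months away) are kept out of the queue rather than blocked, matching the detect-and-investigate posture described above.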