
3 Common Approaches to Insider Threat and How They Fall Flat

Insider threat isn’t slowing down

Insider threat mitigation has been on the priority list for most security teams for several years now. But more and more, it’s working its way into the C-suite, as top-level business leaders recognize that figuring out how to stop insider threats is critical to both protecting and enabling business growth. Despite the increased awareness, the scary reality is that the insider threat problem isn’t slowing down. Insider threat incidents are increasing — and they’re growing more costly for companies to deal with. Every week, a new high-profile case makes headlines, spanning every industry: Two of America’s most recognizable names, Hershey and Coca-Cola, are fighting back against former employees who stole trade secrets. A disgruntled Capital One engineer put millions of customer records at risk. Apple has been mired in various IP theft lawsuits with former employees. Even the biggest name in data loss prevention (DLP), McAfee, couldn’t stop departing employees from walking out the door with valuable trade secrets.


Insider threat is embarrassing companies — and hurting their business in measurable ways — with increasing frequency. So, what are most security teams doing about it?


The dominant response: prevention

Naturally, the first response to a threat is to try to stop it. Most companies are still in this stage of their insider threat program — going all-in on prevention. Conventional DLP is the most common tool, but new tools like user behavior analytics (UBA) are gaining widespread adoption, thanks to the exciting promise of AI-driven pattern recognition. All of these prevention tools have value in protecting your data and your business. But when used alone to stop insider threat, they ultimately fail. Let’s take a look at three of the most common approaches to insider threat prevention — and how they fall flat in the real world:


1. Go all-in on prevention (DLP)

The essence of conventional DLP is to identify a user doing something deemed wrong or risky and stop that activity. Cutting straight to the point: in today’s collaborative enterprise work environment, you simply cannot prevent everything. We encourage employees to be creative in finding ways around barriers in their work — and they creatively find ways around DLP rules, as well. Technology evolves too rapidly, meaning that there are always new ways of moving data that DLP rules don’t account for.


Prevention tools like DLP can only look for what you tell them to look for. In short, between data portability and user creativity, security teams just can’t think of everything that they need to watch for. So, risk slips through the cracks of the prevention-alone approach. And because DLP tools don’t know when they’ve been beaten, it’s not the security team that alerts the company to data loss — it’s the legal team, or it’s an embarrassing headline, or it’s a year later, when a competitor comes to market with a copycat product.


To add insult to injury, conventional prevention tools not only fail to stop every risky action — they often end up stopping plenty of legitimate actions, as well. Overcompensating with strict DLP policies ends up stifling user productivity, collaboration and innovation — impacts which cause their own damage to the business. Because of the way DLP blocks or flags actions without full context, it often ends up framing a non-malicious action by an authorized user as a malicious action by a user with dangerous intentions. This isn’t just a waste of security and user time — it can significantly damage culture and trust within the workplace.

The Code42 View: Prevention alone isn’t enough.

DLP, CASB and other prevention tools are an important part of the security stack. They do an excellent job of protecting regulated, structured data. And they do stop some of the most obvious and accidental risky user actions. But they can’t stop everything — and when a risky action falls through the cracks, a prevention-alone approach leaves security teams flying blind — unable to detect, investigate and respond before the damage is done.



2. Focus on the user instead of the data

As security teams increasingly recognize that rigid DLP policies can’t handle evolving, unstructured data and dynamic, creative users, user-focused tools (e.g., UAM, UEBA) are gaining popularity. It makes sense: it’s your users who perpetrate insider theft; data doesn’t steal itself.


The problem is that users do so many things every single day — and 99% of it is completely legitimate and harmless. User behavior tools try to use AI to tease out normal vs. abnormal behavior — which sounds great in theory. But these tools remain largely unproven — and they’re just as complex to manage as conventional DLP. Ultimately, they leave security teams dealing with far too much noise. Even if they correctly identify normal vs. abnormal behavior, abnormal is not synonymous with risky. So, security teams are still overburdened with false positives.


But you can’t ignore the other major problem with user monitoring tools: employee privacy. The evolution of privacy regulations like GDPR and CCPA calls many user monitoring practices into question. Then there are the Big Brother implications. User surveillance unquestionably hurts company and workplace culture, damaging employee trust and empowerment at a time when embracing and supporting new ways of working can provide a powerful competitive advantage for a business. It also creates a problematic, adversarial relationship between security teams and users, jeopardizing the most critical element in any insider threat program — employee buy-in and adherence.


The Code42 View: It’s the data that matters, because ultimately it’s all about context.

At the end of the day, the user-focused approach falls flat because of a simple truth: User-focused tools are looking in the wrong direction. Security teams don’t really care what employees do on the web; they care what the company’s data does. It’s the data that matters — and an insider threat solution needs to focus on the data.


3. Cull the data

The third most common approach to insider threat — and a direct response to the problem of “too much noise” — is to cull or filter out the data that’s “not important.” This requires the dreaded-by-all data classification exercise — painful, time-consuming and costly. But as discussed earlier, the reality is that security teams cannot think of everything. In this case, it is all but impossible to account for all of your valuable and vulnerable data in real time. That’s because the data is not static — it’s evolving, moving, being shared and iterated on as part of modern collaboration culture. And the value and vulnerability change as the data changes.


Sure, a company could try to account for the dynamic nature of their data with regular data classification. But most security leaders recoil in fear at the time and cost of just one data classification exercise. Moreover, no matter how recently you classified your data, the dynamic nature of your valuable, unstructured data leaves you with the distinct possibility that something you’ve ignored as “not important” ends up becoming incredibly valuable to your business. Too often, the first time the security team realizes the oversight is when they learn that valuable, overlooked data has been taken. By then, it’s too late — they’ve been blindsided by insider threat.


The Code42 View: All data matters.

Collaboration culture is fueled by the rapid evolution of unstructured data. Businesses can no longer distinguish between “important” and “unimportant” data. They need to capture and monitor all pieces of data to ensure their business’s most valuable assets are continually protected. Moreover, considering that we have reached an era of truly unlimited storage, the logic behind culling or classifying data is now flawed. The speed to investigate and respond is essentially the same, if not faster, so why filter out what may become critical data evidence at a later date?


Dealing with the inevitable insider threat

Companies in every sector today are striving to achieve the kind of dynamic, agile, flexible culture that encourages, enables and empowers new ways of working and unlocks powerful innovation. In this environment, it’s a mistake to view increasing insider threat as a problem that can be fully snuffed out. In fact, insider threat is a natural byproduct of successful collaboration culture. It stands as a serious threat to the business — one that must be proactively and diligently monitored and mitigated.


Prevention is undoubtedly the first step in an insider threat program. Without some form of walls around your valuable and vulnerable data, your organization is completely exposed to attack — from the inside or outside. But prevention alone isn’t enough. Going all-in on prevention leaves an enormous gap in the security stack — and leaves you flying blind on investigating and responding before damage is done.


You need purpose-built data risk detection and response

Effective prevention tools need to be complemented with a purpose-built detection and response solution that’s designed to deliver what matters most. You need a tool that’s built for collaboration culture — to embrace and secure it. That means a tool that’s focused on what really matters — the data activity, not your users’ activity. You need to home in on a reliable signal of risk and tune out the noise. That means a tool that puts your data in context — letting you focus on your biggest insider threat risks, such as departing employees and high-value data. And because the risk isn’t slowing down, you don’t have time for a lengthy, complicated rollout. You need a tool that deploys in days — and gives you the visibility you need in seconds.