The Code42 Insider Risk Management Framework
Do you want to understand how you can leverage Code42's Incydr™ to reduce Insider Risk at your organization? Get your answers in this white paper:
Video transcript:
The employee endpoint. The crack in today's security armor. Powered by the latest technologies, employees download, upload, email, airdrop, message, post, sync, and share corporate data 24/7, mainly from their company-issued laptop. The upside? All these collaboration and sharing tools make us more productive. The downside? These same tools make it easier to exfiltrate data and expose the company to risk.
Insider Risk is a direct result of employees having the means and motive to do whatever they feel is necessary with corporate data to get their jobs done. Every employee endpoint has now become its own perimeter. And security teams have the daunting task of protecting thousands of perimeters from data leaks.
Traditional data loss prevention technology – the identify, classify, and block methodology that aims to obstruct data movement in real time – well, that flies in the face of a people-first, innovative, and collaborative company. Thankfully, there's a better way to protect data, one that fuels a transformative company's purpose and protects its competitive edge.
This new approach to data protection prioritizes continual improvement of your Insider Risk posture. Security teams can accomplish this by leveraging risk intelligence and applying learnings to optimize effectiveness over time. Gartner has termed this Insider Risk Management. And in their December 2020 Market Guide for Insider Risk Management Solutions, Code42 is recognized as a representative vendor.
And our approach to Insider Risk Management is focused on five core stages. Let's take a look. First, we need to Identify our risk exposure. The first stage is perhaps the most critical. It's where most organizations have their biggest blind spots, because most security stacks still use technology is built to work with outdated methodologies.
To get the full context of Insider Risk exposure security teams need to know where and when their data is exposed. Insider Risk Management technology should identify three dimensions of data risk – file, vector, and user – by monitoring all files to detect abnormal movement and collect context, monitoring use of exfiltration vectors, so you can see when, where, and how data is moving, and monitoring changes in user attributes or behaviors.
Once you have the context on your Insider Risk exposure, you can then define your risk tolerance. Risk is mostly relative to an organization's tolerance. That tolerance can be understood as weighing the relative benefit of a given activity – for example, employees' ability to collaborate – against the cost in terms of the business risk they present.
For example, many organizations trust employees to work remotely because it's increasingly essential to an employee's ability to be productive. At the same time, that organization may not trust certain off-network activities, such as using unsanctioned cloud applications. Security teams will need tools that can recognize trusted corporate activities and identify both remote and in-network activity. Likewise, teams will need the ability to monitor corporate cloud storage and email services to distinguish between sanctioned and unsanctioned use.
The art of defining your tolerance to risk paves the way for the science that is prioritizing risk indicators. Insider Risk Indicators are activities or characteristics that suggest data is at a higher likelihood of exposure or exfiltration. For example, suppose an engineer moves photos to personal cloud storage. In that case, that event may not warrant immediate attention compared to that same engineer moving source code to an unsanctioned removable media device.
By prioritizing these indicators, the combined weights of the file context, where the file's moved, and the user's behavior can surface the few events and users which indicate the most significant risk. And Insider Risk Management strategy requires technology that can triangulate these individual aspects of file, vector, and user, and allow you to determine the severity of that risk based on your organization's risk appetite. And all of that then leads to automating right-size remediation.
At its core, Insider Risk Management promises to protect data from Insider Risk without compromising employees' ability to innovate. To accomplish this requires the coordination of both human and technical responses, depending on the event severity and the situation context. After prioritizing your Insider Risk Indicators, an Insider Risk Management approach should automate the security analyst's intuition and trigger response workflows and cross-functional processes customized to your organization's unique needs.
Responses to insider activity aren't the same as responses to external threats. Employees and contractors that put data at risk are people the security team knows and works with. Does a user need a gentle reminder about what cloud sharing permissions to use? Or do multiple teams need to start working their checklists when a high-impact employee gives their two-week notice?
Security teams will need tools that can accurately compile and discretely share investigation details with stakeholders to make fast and informed decisions on how to respond. Of course, not all Insider Risk is malicious. When there's evidence that the Insider Risk was caused by negligence rather than malicious intent, security awareness training effectively reduces gaps in employee knowledge that can cause data risk, which plays a big part in continually improving your Insider Risk posture.
Continual improvement is core to the effectiveness of any Insider Risk Management approach. This isn't just set and forget. By taking all the risk intelligence you've gathered and combine that with everything you've learned about your organization's Insider Risk posture, you can assess how well you're doing, and optimize your effectiveness over time.
Based on what you see, maybe you'll tweak your definition of risk tolerance, or adjust the prioritization of your risk indicators. Perhaps you'll rewrite your playbooks. While you implement these improvements don't forget to continually improve your security culture with effective security awareness training.
Insider Risk Management promises that organizations never have to compromise their speed of innovation or their data safety. Code42's approach bridges the gap between an innovative, collaborative, and cloud-based culture, and data risk by focusing on five core stages – identify risk exposure by monitoring all file, vector, and user activity for context on your exposure to Insider Risk.
With that context, define risk tolerance by defining trusted versus untrusted activity, and what the organization as a whole can tolerate. Then you can prioritize risk indicators, so you know what activity is riskiest. With that intelligence, you can automate right-sized remediation to accelerate and streamline response. And finally, improve your risk posture by measuring and assessing and optimizing where needed.
Unlike old-school policy or controls-based approaches that disrupt employee productivity, Code42's approach allows security teams to shift their focus from maintaining technology like DLP to actually maturing the organization's overall data risk posture. Organizations that identify risk exposure, define risk tolerance, prioritize risk indicators, and automate risk remediation can actually get ahead of data security, instead of investigating and reacting after the fact.