Five years ago, the toughest part of my job was convincing the world that insider threat was a big problem. Fast forward to today, and everyone knows insider threat is the biggest everyday data security risk they face. But a new problem has emerged: with widespread awareness of insider threat has come a false sense of confidence. Many CISOs I talk to tell me that they’ve put tools in place — DLP, EDR, CASB, etc. — to stop data exfiltration, and they’re confident they’ve got insider threat covered. But the brutal truth is that “better than we used to be” often isn’t enough. There’s still a major gap in the typical security stack — and it’s putting their data and business at risk.
Overconfidence is rampant, but the statistics tell a different story
Most companies have beefed up their security stack in the past few years. I don’t want to take away from the value of these efforts, but I do want to point to the statistics showing the continual upward trend in insider threat incidents. Every week, that harsh truth hits home for another company, as we read about the latest high-profile insider threat incident that surprised, embarrassed and damaged a company that had been quite confident in their airtight security stack. Like I said, better than before isn’t enough.
The fatal flaw in the policy-based security stack
Almost all conventional data security tools are guided by policies, rules or other admin-defined parameters. DLP, EDR, CASB and the like do an excellent job of hunting down, flagging and sometimes even stopping actions based on defined rules and policies. But therein lies the problem: they can only look for what you tell them to look for. The reality is that you can’t think of everything. No one can. You can’t think of every possible way that an insider could take a given file or data type, so they will always be one (or several) steps ahead. (As a side note, there are now many ways of exfiltrating data that traditional DLP solutions simply cannot cover. Traditional DLP focuses on devices and networks; but things like Bluetooth, Airdrop, etc., don’t always show up on either the device or the network.)
Moreover, a lot of companies think their tools are focused on the right files and the right data. But users create new files every day, and the dynamic nature of modern work means that a given file can go from a low-value work-in-progress to a highly sensitive innovation-in-progress within the course of a single day. It’s almost impossible to think of (and stay current with) all the valuable, sensitive and vulnerable files and data types across your entire organization.
Case in point: the recent McAfee insider data theft incident. Three departing employees copied company trade secrets onto USB drives and simply walked out the door. How did a leader in data loss prevention not catch and stop this obvious theft? Because the data they took — sales and marketing files — were not traditionally tagged as IP. The bottom line: If traditional DLP doesn’t stop data loss for McAfee, it won’t stop data loss for you.
You can’t lock down all your trade secrets & IP
Even if you could account for every potentially valuable or sensitive file in your organization, you can’t just lock all these files down. A lot of this information needs to move. Things like source code, customer lists and collaborative development projects need to move between users and even outside your organization in order to keep work moving forward. So you end up writing all sorts of exceptions to your security policies – and in the process, take the teeth out of your policy-based security tools. This makes it much easier for an employee to find a workaround, or a way to take files that look normal.
“ Things like source code, customer lists and collaborative development projects need to move between users and even outside your organization in order to keep work moving forward. So you end up writing all sorts of exceptions to your security policies – and in the process, take the teeth out of your policy-based security tools. ”
You don’t know what you can’t see – so you don’t know when you’ve been beaten
The second fatal flaw of conventional security tools like DLP: they don’t know when they’ve been beaten. They’re focused on seeing specific user actions. If the user action falls outside those defined rules, they don’t see it — and that means you don’t see it. In practice, that means that when users (inevitably) find ways around DLP, you most likely will have no idea until it’s too late to do anything about it. In fact, most companies only discover the data loss because of the proximate damage it causes to their business — weeks, months or years down the line — when a competitor beats them to the market with copycat technology or poaches clients with a leaked customer list.
You need to start with data behavior, not user behavior
All the problem with rigid rules points to an obvious solution: consider the context and behavior surrounding a specific action. There are a lot of solutions that focus on user behavior — trying to pull out context and identify risk by monitoring every keystroke of their employees. But that kind of intrusive employee monitoring comes with its own set of issues. There are ethical privacy concerns, as well as the increasing legal precedents that suggest you need a discrete reason to monitor an employee. Legality aside, invasive monitoring can hurt workplace culture, reduce staff satisfaction and even impact productivity. Moreover, we’ve already established that users’ creativity is often one step ahead of even the best pattern recognition software.
At Code42, we take a different approach: We watch the data — how it changes and where it moves. Users can trick you, but data doesn’t lie. Our underlying real-time backup technology means we’re able to watch all your data, all the time — so we understand what “normal” looks like. If we see something unusual, only then do we enable security to associate it back to the user. We start with cause, then investigate. This eliminates the privacy concerns, and ultimately keeps your attention focused on what you’re really trying to protect: the data.
The big objection: I can’t watch all my data, all the time
All-encompassing data visibility sounds nice, but that alone doesn’t solve the problem of seeing the actual risks and threats amid the ocean of normal activity. When I explain how Code42 is different, I normally get a flood of objections like: Won’t we have to configure the system to provide alerts? Won’t someone have to manage all those alerts? My team is already buried in alert management – you’re just adding to my problem. Here’s what I tell them…
Code42 gives you a clear signal of your risk
Comprehensive data visibility is the foundation of Code42. We know what normal looks like, and we know what your biggest risks look like. For example, we know that departing employees account for around half of all insider data loss incidents. We also know that M&A, or another type of company re-organization, creates one of the most acute risks of insider data loss. So, we focus our attention on these high-risk situations. We’ve already developed the algorithms and defined the parameters on our end — building simple tools like our departing employee lens that focus on these risks — so we’re not placing that burden on you.
Ultimately, we’re watching the behavior of all your data and using our deep data visibility to put relevant context around that activity before triggering an alert — instead of leaving that contextual analysis burden to your team. This minimizes alerts, so your team gets alerts you can trust and act on.
Giving you instant information to investigate immediately
Detecting risky user actions that have slipped past policy-based security tools is an incredibly important capability. But detection is just the first step; you need to be able to determine exactly what happened, if it’s risky, and what needs to be done. And you can’t afford to spend multiple days piecing together that story while your data is still at risk.
Code42 pulls together all that file activity and contextual information to give you distinct answers: this file was copied to this cloud with this browser tab URL, or this USB drive with this serial number, at this exact time. In essence, we give you an immediate answer to the question, “Where’d my file go?” And because Code42 automatically captures every version of every file, with the proper authorizations, you can even open the actual file in question to evaluate its contents and determine the risk. You get the definitive information you need to take action, faster.
Are you comfortable with “good enough”?
It’s always hard to change the status quo — especially when you’ve done a lot of work and made major improvements to achieve the current state. CISOs have done an admirable job of bulking up their security stances with tools designed to prevent both internal and external data risks. But here’s the brutal truth: even the strongest prevention will fail sometimes. Because prevention tools can only stop what you tell them to stop. You can’t think of everything, you can’t lock down all your data (exceptions just create blind spots), and creative (or malicious, or industrious or simply self-serving) users will always stay one step ahead of policy. When user activities inevitably slip past prevention tools, they fall into a dangerous gap in your security stack. You don’t know what’s happened; you typically don’t know anything has happened at all. Your security team is flying blind.
Considering that insider threats like these account for 50% of data breaches, are you really comfortable with leaving this risk uncovered? Or is it time to re-think “good enough?”
3 Ways to Protect Data from Insider Threats