3 Steps to Building a Successful Insider Threat Program in the Age of Data Privacy

Data privacy laws are picking up steam – think the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) – and there is a lot of concern about what security and privacy teams can and should do to enforce policies that protect the business. From a data privacy standpoint, consumers – and employees for that matter – historically have been largely left in the dark about what personal information a business may have about them and how that information is being used, stored and shared. With GDPR and CCPA, consumers and employees now are more emboldened to ask questions and provide direction on how their data is used.

In this new world with data privacy top of mind, corporate insider threat programs are especially under the microscope – and they’re getting an (undeserved) bad rap. There is a misconception that insider threat programs impinge on personal data privacy rules. As a result, some employees have very strong reactions against insider threat programs. To that end, many security teams end up having conversations around insider threat that end with comments such as, “I don’t want to be Big Brother!” or “Having a program implies I don’t trust my fellow co-workers.”

The reality is that data drives businesses and data is leaving companies every day (read more on this topic in our 2019 Data Exposure Report). Even though data loss by employees can take different forms, it’s important to take them all seriously. Sometimes employees take data accidentally. Other times, they take it intentionally without realizing the harm their actions could cause. Still other times, employees take data maliciously. Regardless of intent, the damages of data loss are real and it’s important we consider these risks to our businesses.

Insider threat programs are necessary and very effective in protecting corporate IP.  To run an insider threat program while keeping employee privacy concerns in check, consider these three important steps:

Decide what you need to monitor

What does insider threat mean to you? I like to use a simple definition that removes intent and focuses on impact: insider threat is any type of threat to an organization’s security posture from within. Focus on the systems that manage your sensitive information, the departments that are more likely to handle sensitive information, or on the workflows that increase the probability that information is leaving the company (think departing employees, mergers & acquisitions, etc.).

Build out a program around it

Once you’ve defined what matters, build out an insider threat program around it. Programs are typically built out in one of three ways (though often a combination of these):

  • Logging and alerting: If you defined sensitive systems as the focus, this is often a natural way to build out your program. Make sure you are capturing all relevant logging  activities (this is sometimes tricky with SaaS applications) and set up alerts for activity that may be deemed more risky.
  • Special tools: You may decide there are additional tools you want to implement in order to monitor and manage your insider threat program. Depending on the technology implemented, you may get additional alerts, risk ranking, or integrated workflows to help guide your set up.
  • Defined processes: As much as we’d like to think technology can solve all of our problems, sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.

As with all things security, remember that there is very little “black and white.” Build your program to allow for additional context, account for the potential of human error, and incorporate other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately.

If you are looking for additional guidance on the mechanics of building or maturing an insider threat program, here are a couple of great resources to check out:

Tell your employees

Finally, no matter how you decide to build out your program, let your employees know what you are doing. Be very clear with employees about what information your program is collecting and monitoring, and how the information is being used. I often see this in the form of a log-in banner, an employee privacy statement or policy, or as part of security awareness training. Also, have a feedback process for people to reach out to you for more information.

My best advice when deciding what information to share is to put yourself in the shoes of an employee. What would you want to know, and would you find the data monitoring to be reasonable? At the end of the day, while you may be the owner of your organization’s insider threat program, you are also likely the subject of someone else’s.

From the Desk of a CISO – Leadership Lessons

Quite a bit has changed in information security since I began my career more than a decade ago. 

Talk of cloud being the primary enterprise development platform was based on complete speculation. Mobile computing had yet to hit full stride. Software as a service (SaaS) was in its infancy. Since then, we have seen the rise of the nation-state attacker, extensive malware attacks, highly-publicized insider threat cases, exponential growth of data due to the declining costs of storage and considerable digital transformation investments. As all of these trends evolved and took hold, the nature of information security also changed.

Throughout all of these changes, I have worked in information security; previously, at a national retail enterprise and, more recently, as a CISO here at Code42. Over the years, I’ve learned a few important lessons about how to be successful in information security that I’d like to share here.

Lesson 1 – Be Part of the Solution

Too often security teams do a great job at identifying and pointing out risks and then handing them off to others to solve. In their earnest desire to eliminate those risks, they forget how important it is to understand how people go about getting their work done. So, rather than try to help others deliver their work or projects in a secure way, they identify risks and throw them over the fence for other teams to fix. That has to stop. We need to create partnerships, build empathy and become part of the solution. Building empathy helps us understand how others deliver work and the struggles they might go through to get their jobs done.

Because we are developing software at Code42, our top risks lie in the software development cycle. That’s why my team works very closely with our developers to help identify and address security gaps. To build greater empathy, I have challenged my team to learn the basics of a coding language. This has helped us gain a fuller understanding of the challenges developers face everyday and, more importantly, how we need to work with them to be part of the solution.

Lesson 2 – Balance Risk

In security, it is less about eliminating risks— and more about balancing risks. Think of a retail floor. Sure, everything on a shelf that isn’t locked down is at risk of being stolen. But if you lock everything up behind glass, your sales are going to plummet. At the end of the day, you are in the business of selling goods, which is why retailers don’t lock up everything. It’s the same with all business risks. You have to balance the business benefit with the business risk and put reasonable risk mitigations in place. For a retailer, this could be cameras, security guards, and/or only locking down items with a high risk of theft.

As a security leader, we don’t want to place overly aggressive security controls on everything. We are trying to tune the right level of security for the organization. You have to balance what the board, CEO and customers want and, at the same time, match the culture of the organization.

In a lot of cases, security leaders push forward with their own security risk posture ideals versus trying to truly understand the acceptable risk posture of the organization.

Lesson 3 – Build a Strong Team

While a bit more obvious, I can’t stress enough the importance of building and retaining a strong team. The team here at Code42 is close-knit. I have worked with many of these people for more than a decade. It’s hard to place a value on that. It’s a lot like professional athletes who know the moves their teammates are going to make before they do. That makes it possible to build a well-tuned, committed and effective team, not to mention retain talent in a talent-deficit industry. When you have a team you trust, it makes security much more effective and laser focused on the overall mission of the organization. I am thankful to be a part of such a strong, dedicated team that trusts one another and has a high degree of respect for one another. 

Lesson 4 – Transparency Trumps

To be effective in this industry, security professionals need to be transparent. In some cases, security teams still operate like the man behind the curtain: No one knows what magic they are operating, and  budget is gained by claiming that the sky is falling. But with today’s skepticism, seeing is believing. That’s why it’s so important to demonstrate how risks could be exploited. I recommend having your red team perform an exercise to determine exactly how easily a risk may be exploited, and share the results with other decision makers. 

In the same vein of transparency, it’s important to explain risks as they really are. Many security professionals will overhype a risk in an attempt to get attention or budget for a project. That tack may work in the short-term, but it will diminish trust in the long run.

As a security team, we are 100% transparent on the risks we see and the areas where we are digging deeper. This way, when a threat or new risk arises, we have a tremendous amount of trust and support to mitigate the risk. 

Lesson 5 – Provide Value, Don’t Fear Failure

Finally, being a CISO, or data security professional in general, is a stressful job. There is a lot of discussion around stress in the information security profession and how, as a result, the average tenure for CISOs is about two years or less. CISOs must balance the stress by focusing on the good, which is the value they’re providing to their business. At Code42, we strive for a blameless culture – one where we learn lessons rather than fear failure. This type of a culture helps contextualize stress. 

In my job, I want to feel challenged throughout the workday. I’m energized and get a lot of joy knowing that we are providing value and actually helping our company and customers address their security risks. We are working for a company that helps all of our customers deliver on security with the software we develop. For a security professional, it doesn’t get more exciting than that.

2020: The Cybersecurity Year Ahead

Security never stops. As 2019 comes to an end, security professionals are looking to what is in store for the year ahead. To get some answers, we reached out to Code42 leadership and security experts to get a sense of their cybersecurity expectations for the coming year.

While they expect plenty of tough challenges when it comes to protecting data, there is some good news in the mix. The team anticipates that enterprises will take steps toward formalizing (and automating) their security programs where gaps exist.

Here’s what the Code42 team had to say:

Insider threat programs grow more prevalent

Relentless reports of new, high-profile insider breaches will push many more businesses to finally take insider threat seriously enough to formalize programs and allocate a larger budget dedicated to protecting their intellectual property. This year, at least half of data breaches involved an insider, but in 2020, that figure could exceed 60%.

When it comes to insider threat, companies will begin to lean into new technologies designed distinctly for protecting from insider threats, and they’ll stop shoehorning outdated, ineffective technologies that were never really intended to mitigate insider risks to begin with. Finally, more than 20% of organizations will begin actively measuring what departing employees take from their organization.
Joe Payne, president and CEO at Code42

“ When it comes to insider threat, companies will begin to lean into new technologies designed distinctly for protecting from insider threats, and they’ll stop shoehorning outdated, ineffective technologies that were never really intended to mitigate insider risks to begin with. ”

The role of security will increasingly integrate within IT

With the continued cybersecurity talent gap, along with increased regulatory demands and security threats, security and IT will have to work more closely together. What I mean by this is traditional IT will be expected to take on security responsibilities, while security roles will evolve to become more hands-on and step into actual problem-solving rather than problem-identification mode. 

Security has always been positioned to cover confidentiality, integrity and availability – the well-known security CIA triad. While IT has traditionally been focused on availability, it’s increasingly recognized that data integrity and confidentiality need to be a part of the broader IT strategy. There has always been an opportunity for a natural fit between IT and security, and 2020 will prove to be the year that we recognize the similarities and start to benefit from the combined focus from these two disciplines.
Jadee Hanson, CISO and VP of Information Systems, Code42

Collaborative tools get security department green light

Progressive organizations thrive on collaboration. After all, we are in the midst of a massive culture change that centers on employees’ ability to share ideas, move faster, and collaborate. CEOs are requiring that their employees use Slack, Chatter, Box, and OneDrive to work together to be more productive. However, at the same time, CISOs have been busily blocking collaboration by using legacy prevention technology. In 2020, progressive CISOs will stop blocking and will start focusing on enabling collaboration by adopting new approaches that better address insider risk.
Joe Payne, president and CEO at Code42

“ CEOs are requiring that their employees use Slack, Chatter, Box, and OneDrive to work together to be more productive. However, at the same time, CISOs have been busily blocking collaboration by using legacy prevention technology. ”

DevOps teams embrace security

Organizations have adopted DevOps, but security hasn’t always kept pace. As DevOps grows, so does the desire (and the need) for security to become embedded within these teams. In the next year, organizations will increasingly seek ways to build the skills, tools, and knowledge they need to build security directly into DevOps teams.
Michelle Killian, director, information security, Code42

The security talent shortage continues

By nearly all estimates, the industry is millions of cybersecurity jobs short of what’s needed to adequately secure enterprise data. This shortage will push security teams to automate as much as they can to stretch their capabilities. Hopefully, teams will focus on optimizing the basics because it remains true that the vast majority of breaches could have been prevented if security 101 practices were followed. Areas that will be automated include manual operations tasks, application security testing, data monitoring, and more.
Todd Thorsen, senior manager information security, risk management and compliance, Code42

Security ‘solutions’ continue to grow in complexity

The complexity of security vendor solutions remains too high in cybersecurity. Many vendors continue to proudly talk about how sophisticated their products are and how they can solve complex problems. The problem is: using these security tools themselves is an overly complex and unwieldy process. At the same time, the security industry struggles with a serious shortage of skilled cybersecurity personnel. Something has to give.

In 2020, we will see security vendors focus on providing both signal and simplicity. To align with the realities of personnel shortage, solutions will surface highly actionable information and present it in easy-to-use, accessible ways so that security teams can act quickly without being embroiled in endless investigations.
Joe Payne, president and CEO at Code42

“ In 2020, we will see security vendors focus on providing both signal and simplicity. To align with the realities of personnel shortage, solutions will surface highly actionable information and present it in easy-to-use, accessible ways so that security teams can act quickly without being embroiled in endless investigations. ”

Move from reactive to proactive security

Companies are so busy reacting to incidents and putting out fires that they are missing opportunities to proactively reduce risk. One area is how staff and others will continue to be a highly exploited threat vector, yet companies will continue to trail behind mitigating their human risks. One thing is for sure: training alone is not going to work, as companies need to create security-minded cultures in their workplaces.
Chrysa Freeman, program manager, security awareness, training and culture, Code42

Expect a major breach within a federal agency

A federal agency will experience a large-scale data breach at the hands of an insider. This will highlight the growing insider threat blind spot for all large organizations.

Also, foreign hackers and the election take center stage. There will be proposed federal regulations requiring encryption back-doors and FCC regulation of social media in advance of the elections. As the elections approach, there will be reports of hacks and vulnerabilities, many with grand claims. All of these claims will be unsubstantiated, viciously spun, yet cause no direct or measurable harm. But they will create enough doubt and disruption to further the nation’s political divide.
Andrew Moravec, principal security architect, Code42

The return of ransomware

It used to be that cryptojacking—using someone else’s computing to mine cryptocurrency—was a relatively easy path to profit. But as the price of bitcoin continues to fluctuate wildly, those profits are no longer such a sure thing. As a result, adversaries will shift their attacks to optimize their efforts. Once their malware is deployed onto endpoints, they may decide ransomware is the way to go, which would very well lead to a resurgence in ransomware attacks.
Jeff Holschuh, senior manager of identity, Code42

A renewed focus on data privacy

The CCPA (California Consumer Privacy Act) goes into effect at the beginning of 2020. The act will have a substantial impact on companies that don’t yet have mature data security and privacy programs in place. As enforcement actions are brought under this new law, companies will scramble to ensure they are meeting all of the law’s requirements.

Essentially, CCPA focuses on data collection rules, breach disclosure, and the selling of consumer personal data. Expect not only CCPA-driven lawsuits and fines, but also a nationwide rush by companies to ensure they can comply.
Nathan Hunstad, principal security engineer and researcher, Code42

Building an Insider Threat Program Without Becoming Big Brother

I don’t believe that there’s an enterprise in existence that wouldn’t benefit from an insider threat program. Nearly every enterprise will experience repeated data theft and confidential data exposure as a direct result of the accidental or deliberate actions of one of their trusted insiders. I know that’s not easy to hear, but it’s true.

Consider a survey conducted by Osterman Research. The survey found that 69% of respondents experienced significant data or knowledge loss as a result of employees taking information with them when they left, as Andy Patrizio wrote in his CIO story, Sensitive data often follows former employees out the door.

“ Nearly every enterprise will experience repeated data theft and confidential data exposure as a direct result of the accidental or deliberate actions of one of their trusted insiders. ”

Despite how pervasive and serious the risks posed by insider threat are today, few organizations have an insider threat program in place, and fewer still have an effective insider threat program.

There are a number of reasons insider threat programs aren’t very common. The first is that getting started in building an insider threat program can be overwhelming – even though it doesn’t have to be. Some of these challenges are technical, such as the failings of traditional data leak prevention products. Other challenges are cultural; for instance, many organizations fear that their insider threat program could turn into a Big Brother level of oversight.

However, when done right, an insider threat program doesn’t have to become Big Brother. In fact, it doesn’t have to become overbearing or negatively affect culture. In this post, I share the key insights I’ve learned that will help any organization get started with an effective insider threat program that won’t turn into Big Brother.

Earn the support of your executives

It’s true of any data security program, but especially for an insider threat program: to succeed, you need to have the support of business leadership. It will be your organizational leadership that ensure the program gets the continuous funding it needs as well as the political backing to overcome any speed bumps that arise.

Obtaining that support is best achieved by articulating to executive leadership the real-world risks to the organization so that they understand the threats and how important it is to fund and support such an effort. This will require detailing the types of data risks your organization faces and the strategy for mitigating those risks.

Earn the support of stakeholders throughout the organization

Partnership from other business stakeholders, such as the legal department and human resources, also are essential. If you are trying to build effective data security and insider risk management processes into your employee onboarding processes, job changes, and terminations, then you will want to work closely with the human resources and legal departments. If these departments are not engaged with the insider threat program, you run the risk of having an ineffective program on your hands.

“ If you are trying to build effective data security and insider risk management processes into your employee onboarding processes, job changes, and terminations, then you will want to work closely with the human resources and legal departments. ”

Prepare for culture shocks

One of the reasons insider threat programs can appear authoritarian is they are designed without the existing internal culture in mind.

When it came to managing insider risks at a former employer, it was common for me to run into cultural issues. We were always working closely with our vendors, many of whom were based in Silicon Valley. While discussing data risks with these organizations, we often learned that they did not have even the most basic controls pertaining to insider threat, including not bothering with employee background checks. They often didn’t understand who was joining the organization. “We trust our people,” they’d say. “We only hire the best, most talented people. Everybody wants to work here. Why would anybody do anything bad here?”

In building an insider threat program, you’ll have to deal with such cultural barriers, and the challenges to overcome them are real. Essentially, to overcome those challenges, you will need to convince staff and everyone throughout the organization that the focus isn’t on punishing people doing things they shouldn’t, but rather protecting the organization’s data and its business viability.

For those in regulated industries, this conversation is likely a lot easier to have with executives and staff. When you work in a regulated industry, it’s evident why certain types of data must be watched and protected, and it’s easier to extend that to other kinds of data.

For those working outside of regulated industries, where it’s not mandated that data be protected, it’s undoubtedly a much more challenging argument to win. But it’s an argument that executives will be receptive to if you explain the costs to the business associated with losing data or intellectual property that is important to the organization.  

Make sure the program is transparent

Another reason insider threat programs can appear oppressive is when they are built in secret. When staff are aware of the insider threat program, but they don’t understand why it is in place, they are more likely to grow resentful and even fearful of the program. Also, when staff aren’t at all aware about the insider threat program, they can be very brazen in taking data that belongs to the company. There is no reason to take either of these counterproductive approaches.

When organizations are transparent about the insider threat program and why it’s necessary, then staff, contractors, and business leaders will be more supportive of the effort to protect intellectual property and confidential and valuable information. 

Establish acceptable data use policies

Everyone will feel better about the program if they are not finding themselves second guessing whether or not they are acting within protocol. Are they permitted to use cloud storage services? If so, which ones? Can data be moved to USB devices and other local, removable storage devices? What about sharing data on corporate collaborative platforms such as Slack or Microsoft Chatter? What’s the policy for taking data home and/or keeping it on their notebooks?

Staff and contractors need clear demarcation lines of what is an acceptable use of the organization’s systems and data and who owns the organization’s data. Employees must be made aware of these policies.

Data risk will vary depending on the organization

The specific type of data that is protected will be dependent on the nature of the organization and the industry in which it works. The types of data and roles that will pose more significant risks will vary among different types of organizations. An aerospace engineering firm or defense contractor will have a different risk posture than a law firm, financial services firm, or pharmaceutical company. Within all of these organizations, there will be a lot of targeted information that can be monetized and is important to the organization, but the nature of the data (and who can access the most valuable data) will vary.

“ Within all of these organizations, there will be a lot of targeted information that can be monetized and is important to the organization, but the nature of the data (and who can access the most valuable data) will vary. ”

Put the right data protection tools in place

Although much of your insider threat program will consist of data security policies and employee training and awareness, those policies will need to be enforced with technology. When considering the types of tools that will support your insider threat program, choose the best tools to provide the capability to detect, investigate, and respond to data breach incidents with the appropriate level of insight.

Another consideration is how well the tools you select will integrate within your environment. This must be viewed from the standpoint of how well it will work with both internal processes and existing toolsets. For example, if you have an established automated employee off-boarding process, can you connect to those processes so that you have timely, accurate insights into employee status changes? The same holds true when it comes to employee onboarding.

Provide ongoing training and awareness

Ongoing security training and awareness exercises are essential for maintaining good data security practices and muscle memory for all employees across the organization. If your organization has an existing security training and awareness function, you can integrate insider threat messaging into awareness exercises.

Incorporating insider threat scenarios into ongoing security training and awareness will also help employees understand the importance of the risks you’re trying to manage. This will help employees understand the rationale and can also create allies within your organization.  

Build a sustainable program that will change with the times

Just as your organization and business environment evolve over time, so will your organization’s risks. So, it is important to ensure that your insider threat program can keep pace with the changes in your business and risks. Fundamentally it’s about keeping your focus on effectively managing data exfiltration and insider risk as your organization evolves.

All of this may seem straightforward—and it is—but that doesn’t make it easy or swift to accomplish. Like so many effective processes, the important thing is to keep your insider threat program risk-based, aligned with your organization’s culture and nimble enough to evolve with your organization.  

If you’re building an insider threat program from scratch, start small, keep it simple and be open to making changes. Early wins are important and will help drive the success of the program. Furthermore, they will keep the support of executives and staff who understand that the organization’s long-term success depends on protecting its data. Because it certainly does.

“Good Enough” Isn’t Enough to Stop Data Loss

Five years ago, the toughest part of my job was convincing the world that insider threat was a big problem. Fast forward to today, and everyone knows insider threat is the biggest everyday data security risk they face. But a new problem has emerged: with widespread awareness of insider threat has come a false sense of confidence. Many CISOs I talk to tell me that they’ve put tools in place — DLP, EDR, CASB, etc. — to stop data exfiltration, and they’re confident they’ve got insider threat covered. But the brutal truth is that “better than we used to be” often isn’t enough. There’s still a major gap in the typical security stack — and it’s putting their data and business at risk.

Overconfidence is rampant, but the statistics tell a different story

Most companies have beefed up their security stack in the past few years. I don’t want to take away from the value of these efforts, but I do want to point to the statistics showing the continual upward trend in insider threat incidents. Every week, that harsh truth hits home for another company, as we read about the latest high-profile insider threat incident that surprised, embarrassed and damaged a company that had been quite confident in their airtight security stack. Like I said, better than before isn’t enough.

The fatal flaw in the policy-based security stack

Almost all conventional data security tools are guided by policies, rules or other admin-defined parameters. DLP, EDR, CASB and the like do an excellent job of hunting down, flagging and sometimes even stopping actions based on defined rules and policies. But therein lies the problem: they can only look for what you tell them to look for. The reality is that you can’t think of everything. No one can. You can’t think of every possible way that an insider could take a given file or data type, so they will always be one (or several) steps ahead. (As a side note, there are now many ways of exfiltrating data that traditional DLP solutions simply cannot cover. Traditional DLP focuses on devices and networks; but things like Bluetooth, Airdrop, etc., don’t always show up on either the device or the network.)

“ It’s almost impossible to think of (and stay current with) all the valuable, sensitive and vulnerable files and data types across your entire organization. ”

Moreover, a lot of companies think their tools are focused on the right files and the right data. But users create new files every day, and the dynamic nature of modern work means that a given file can go from a low-value work-in-progress to a highly sensitive innovation-in-progress within the course of a single day. It’s almost impossible to think of (and stay current with) all the valuable, sensitive and vulnerable files and data types across your entire organization.

Case in point: the recent McAfee insider data theft incident. Three departing employees copied company trade secrets onto USB drives and simply walked out the door. How did a leader in data loss prevention not catch and stop this obvious theft? Because the data they took — sales and marketing files — were not traditionally tagged as IP. The bottom line: If traditional DLP doesn’t stop data loss for McAfee, it won’t stop data loss for you.

You can’t lock down all your trade secrets & IP

Even if you could account for every potentially valuable or sensitive file in your organization, you can’t just lock all these files down. A lot of this information needs to move. Things like source code, customer lists and collaborative development projects need to move between users and even outside your organization in order to keep work moving forward. So you end up writing all sorts of exceptions to your security policies – and in the process, take the teeth out of your policy-based security tools. This makes it much easier for an employee to find a workaround, or a way to take files that look normal.

“ Things like source code, customer lists and collaborative development projects need to move between users and even outside your organization in order to keep work moving forward. So you end up writing all sorts of exceptions to your security policies – and in the process, take the teeth out of your policy-based security tools. ”

You don’t know what you can’t see – so you don’t know when you’ve been beaten

The second fatal flaw of conventional security tools like DLP: they don’t know when they’ve been beaten. They’re focused on seeing specific user actions. If the user action falls outside those defined rules, they don’t see it — and that means you don’t see it. In practice, that means that when users (inevitably) find ways around DLP, you most likely will have no idea until it’s too late to do anything about it. In fact, most companies only discover the data loss because of the proximate damage it causes to their business — weeks, months or years down the line — when a competitor beats them to the market with copycat technology or poaches clients with a leaked customer list.

You need to start with data behavior, not user behavior

All the problem with rigid rules points to an obvious solution: consider the context and behavior surrounding a specific action. There are a lot of solutions that focus on user behavior — trying to pull out context and identify risk by monitoring every keystroke of their employees. But that kind of intrusive employee monitoring comes with its own set of issues. There are ethical privacy concerns, as well as the increasing legal precedents that suggest you need a discrete reason to monitor an employee. Legality aside, invasive monitoring can hurt workplace culture, reduce staff satisfaction and even impact productivity. Moreover, we’ve already established that users’ creativity is often one step ahead of even the best pattern recognition software.

At Code42, we take a different approach: We watch the data — how it changes and where it moves. Users can trick you, but data doesn’t lie. Our underlying real-time backup technology means we’re able to watch all your data, all the time — so we understand what “normal” looks like. If we see something unusual, only then do we enable security to associate it back to the user. We start with cause, then investigate. This eliminates the privacy concerns, and ultimately keeps your attention focused on what you’re really trying to protect: the data.

The big objection: I can’t watch all my data, all the time

All-encompassing data visibility sounds nice, but that alone doesn’t solve the problem of seeing the actual risks and threats amid the ocean of normal activity. When I explain how Code42 is different, I normally get a flood of objections like: Won’t we have to configure the system to provide alerts? Won’t someone have to manage all those alerts? My team is already buried in alert management – you’re just adding to my problem. Here’s what I tell them…

Code42 gives you a clear signal of your risk

Comprehensive data visibility is the foundation of Code42. We know what normal looks like, and we know what your biggest risks look like. For example, we know that departing employees account for around half of all insider data loss incidents. We also know that M&A, or another type of company re-organization, creates one of the most acute risks of insider data loss. So, we focus our attention on these high-risk situations. We’ve already developed the algorithms and defined the parameters on our end — building simple tools like our departing employee lens that focus on these risks — so we’re not placing that burden on you.

Ultimately, we’re watching the behavior of all your data and using our deep data visibility to put relevant context around that activity before triggering an alert — instead of leaving that contextual analysis burden to your team. This minimizes alerts, so your team gets alerts you can trust and act on.

Giving you instant information to investigate immediately

Detecting risky user actions that have slipped past policy-based security tools is an incredibly important capability. But detection is just the first step; you need to be able to determine exactly what happened, if it’s risky, and what needs to be done. And you can’t afford to spend multiple days piecing together that story while your data is still at risk.

Code42 pulls together all that file activity and contextual information to give you distinct answers: this file was copied to this cloud with this browser tab URL, or this USB drive with this serial number, at this exact time. In essence, we give you an immediate answer to the question, “Where’d my file go?” And because Code42 automatically captures every version of every file, with the proper authorizations, you can even open the actual file in question to evaluate its contents and determine the risk. You get the definitive information you need to take action, faster.

Are you comfortable with “good enough”?

It’s always hard to change the status quo — especially when you’ve done a lot of work and made major improvements to achieve the current state. CISOs have done an admirable job of bulking up their security stances with tools designed to prevent both internal and external data risks. But here’s the brutal truth: even the strongest prevention will fail sometimes. Because prevention tools can only stop what you tell them to stop. You can’t think of everything, you can’t lock down all your data (exceptions just create blind spots), and creative (or malicious, or industrious or simply self-serving) users will always stay one step ahead of policy. When user activities inevitably slip past prevention tools, they fall into a dangerous gap in your security stack. You don’t know what’s happened; you typically don’t know anything has happened at all. Your security team is flying blind.

Considering that insider threats like these account for 50% of data breaches, are you really comfortable with leaving this risk uncovered? Or is it time to re-think “good enough?”

Microsoft and Code42 Ignite the Focus on Insider Threat

The entire Code42 team had a great time attending Microsoft Ignite in Orlando. Microsoft Ignite brings together more than 25,000 attendees who have keen interests in software development, security, architecture and IT. I have to tell you, before going to Ignite, I held preconceived notions that attendees would hold a clear bias toward IT challenges and not the broader challenges facing enterprise security.

Fortunately, I was mistaken, and it quickly became apparent that security and cloud concerns were a big part of the conversation. For all of us at Code42, that meant we were in store for an exciting week. We came to Ignite with a significant announcement – our new integration with Office 365 email.

More tools to mitigate insider threat

Why integrate Code42 with Office 365 email? There are a couple of reasons. First, while there’s been plenty of talk about the demise of email as the top communication platform, the reality is the amount of confidential and proprietary information sent via attachments every day in email is mind-boggling and enterprises need better controls. Second, while Office 365 email does provide ways to create email policies and flag risky emails, Code42 provides complementary insights and valuable investigative information into the who what, when and why (as I like to call it) around the files. This is just another way Code42 helps our customers to mitigate insider risks.

We also showcased some new Code42 capabilities that enhance the workflow for departing employee data exfiltration detection. As you may already know, managing the data exfiltration risks associated with departing employees has been a significant effort for Code42. When it comes to mitigating insider threats and data breaches, it turns out that departing employees are notorious for taking trade secrets, confidential information, and other types of intellectual property with them as they leave organizations for new companies.

The departing employee challenge is exacerbated by the following: first, most organizations don’t have a data exfiltration mitigation policy in place for departing employees; and second, there typically aren’t technology or applications available to assist in the departing employee workflow. This is precisely why Code42 developed and released its new departing employee workflow capabilities.

“ The departing employee challenge is exacerbated by the following: first, most organizations don’t have a data exfiltration mitigation policy in place for departing employees; and second, there typically aren’t technology or applications available to assist in the departing employee workflow. ”

Being able to showcase such powerful new capabilities and seeing the positive reactions from such a large crowd, was one of the most rewarding parts of Ignite for me. Of course, Code42 SVP Rob Juncker got us off to the ideal start with a session mainly dedicated to insider threat and the importance of having a well-defined off-boarding process to protect valuable IP when employees leave.

The new capabilities were a hit among attendees. But, more importantly, to me, the new departing employee capabilities were the catalyst for conversations into understanding current departing employee workflows. These conversations largely confirmed what we’ve been saying here at Code42: that typical departing employee workflows are either under-developed or non-existent. No wonder insider threat continues to be on the upswing!

While Ignite gathers an IT-centric audience, what we learned is that when it comes to insider threat, multiple departments are part of the conversation. It isn’t uncommon to expect IT, security, compliance as well as HR teams to be in the mix when figuring out the best course of action to manage insider threat.

Demos, doughnuts and a customer’s personal account

We were also fortunate to be joined by one of our customers, David Chiang, an IT system engineer at semiconductor provider MACOM. David presented on how MACOM relies on Code42 to detect, investigate and respond to insider threats and file exfiltration. He framed the departing employee threat perfectly when explained how, when a departing employee tells MACOM that they’re “just taking personal pictures,” MACOM can now (thanks to Code42) look back and validate if that’s so. “If we access the files and find that it was company property, the conversation changes,” he explained.

And under those circumstances, that conversation should change. The problem is that too many – actually, the vast majority of organizations – don’t have such process and technology in place to provide themselves that level of visibility. Hopefully, our data security and departing employee announcements, an excellent and in-depth story from one of our customers on their success (over some excellent mini donuts) resonated and will change some of the status quo for the better.

While Code42 went into Microsoft Ignite with an intent to learn and educate around regarding the insider threat, it turned out we weren’t alone. There were two other significant announcements that reinforced the importance of mitigating insider threats. The first of those was Proofpoint’s acquisition of ObserveIT. Why? Because ObserveIT has been in the insider threat space for quite some time, and this acquisition is clear validation that Proofpoint views insider threat as an integral expansion of their security portfolio moving forward. The second announcement was from Microsoft itself. Microsoft unveiled its Insider Risk Management tool within Office 365 that is designed to help identify and remediate threats coming from within an organization.

I’m happy to say that the many announcements, as well as attendee interest and conversation around the issue, give me hope that insider threat programs are about to take center stage when it comes to managing enterprise data risk. And next year, Microsoft Ignite 2020, is bound to dig even deeper into the insider threat and all of the associated risks. We can’t wait to be there.

Code42 Blog about macOS Catalina compatibility with legacy DLP

macOS Catalina Creates Kernel Crisis for Legacy DLP

Apple released the new macOS Catalina on October 7, setting IT and security teams abuzz about the logistics of upgrading their users, excitement about new features and concerns about the pains that always come with change. But security experts have revealed a troubling impact: macOS Catalina entirely disallows kernel extensions (kexts). This isn’t just another instance of “kernel panic” — this is a full-blown kernel crisis: Legacy DLP products will cease to work in the Mac environment going forward.

“ Legacy DLP products will cease to work in the Mac environment going forward. ”

Catalina goes read-only — disallows kexts

With the release of Catalina, Apple shifts the entire macOS to read-only, regardless of permissions. Kernel extensions are completely disabled. This change strengthens the overall security stance of the macOS. But it’s a major problem for legacy DLP products like Symantec and McAfee, which depend on kernel extensions for their core functionality.

Legacy DLP simply won’t work in Catalina

Disallowing kernel extensions disables the blocking functionality of legacy DLP products. The products will technically still “run” on Catalina (with the usual kernel panics and other pains), but they’ll no longer be able to work the way they have — no more blocking risky user actions. In effect, legacy DLP will cease to work altogether. At a time when insider threat continues to escalate, companies simply can’t afford to risk leaving their data exposed.

You can’t afford not to upgrade

Most legacy DLP vendors are approaching the kernel crisis carefully. They’re reaching out to customers with one-to-one communications, trying to convince them not to upgrade to Catalina so they can retain the functionality of their DLP products (for example, reference the table on Symantec’s support page). But not upgrading is not viable in the long-term. You need to give your users access to the latest features of Catalina; moreover, your users will demand the upgrade. And your security team can’t afford the security risks of lagging behind.

Code42 Blog about macOS Catalina not working with legacy DLP
Current recommendation found on the Symantec support page. The latest Catalina release makes the security gap evident for legacy DLP customers.

There’s not a ton of time to waste, either. Apple will end updates, security patches and support of macOS Mojave in less than 24 months. That means most organizations need to begin planning their upgrades—including how they’ll fill the enormous security gap — now.

DLP for Macs has always been painful

Running legacy DLP on macOS has always been frustrating—a “square-peg-round-hole” problem that creates more work for security teams and increases the potential for dangerous gaps in visibility and protection. But the clear trend is that Apple is making it even harder for DLP to function in macOS — leading to more kernel panics, frustrations and potential security gaps. So the “kernel crisis” of the Catalina upgrade isn’t coming out of nowhere. The reality is that legacy DLP was not built with Macs in mind, and this disconnect is coming to an urgent head.

Code42 is next-gen data loss protection built for Macs

At Code42, we know the pains of legacy DLP for Macs firsthand — and built our Code42® Next-Gen Data Loss Protection solution to mesh seamlessly with macOS. We understand macOS better, so we approach things differently by:

  • Working at the file-system level to focus on what really matters — your file data         
  • Monitoring the applications that access, interact with and touch those files
  • Giving you deeper, broader visibility into all file activity — across your endpoints, in the cloud and in applications

We don’t have to muck around at the kernel level, playing the whack-a-mole game of activity-blocking. All of this means that the robust functionality of Code42 Next-Gen Data Loss Protection is completely unimpacted by the security improvements of the Catalina upgrade.

Providing the business-critical push to move to next-gen data loss protection

Most security pros already know the many pains of running legacy DLP products on Macs. So, the good news is that the Catalina kernel crisis will give many security teams the final push they need, providing a business-critical reason to move to a better data loss protection solution. In fact, several of the world’s leading tech companies anticipated the Catalina kernel crisis and have turned to Code42 Next-Gen Data Loss Protection: not just to fill the gap created by the Catalina upgrade — but to help them build a more forward-thinking, future-ready data loss protection strategy.

Code42 Evolutionary Awards 2019

2019 Evolutionary Award Winners Showcase Innovation in Data Loss Protection

With all the scary statistics out there about the growing data security threats in the enterprise world, it’s easy to lose sight of a more optimistic fact: Enterprise data security is getting better — and organizations everywhere are building smarter data loss protection programs. Each year, the Code42 Evolutionary Awards celebrate the smart, innovative and just-plain-cool ways that organizations are protecting their data. This year, we recognized 10 organizations for their extraordinary innovation in data loss protection. Let’s take a look at the 2019 Evolutionary Award winners:

Evolutionary Award: BAYADA Home Health Care

BAYADA Home Health Care won the namesake Evolutionary Award for completely evolving the way their company secures data, protects IP, and enables users. Their data security journey began with safeguarding training videos in the cloud for their mobile workforce, then expanded to protecting data from the threat of lost and stolen laptops. BAYADA’s current project is to ensure that their proprietary and regulated data is secured and monitored for loss and proper usage. “Protecting data is impossible if you don’t have comprehensive visibility into where your data is, and to accomplish this you need the right tools,” says Craig Petrosky, director of Desktop Equipment Services for BAYADA. “That’s why it was critical for us to implement a solution that provides near real-time detection and the ability to respond to cases of data loss, leakage, misuse, or potential exposure.”

Guardian Award: Cisco

Cisco won the Guardian Award for a security team that creatively and effectively fends off an array of threats —from ransomware to malicious insider actors — to protect its valuable data. Cisco has developed countless data protection workflows by using Splunk to develop actionable insights about how data may be infiltrated and exfiltrated from the organization. “In today’s data landscape, it is important to have a solid data collection agent, one that offers insight into where data is, where it’s moving, and where it’s been. A tool that can offer this is an invaluable tool for Insider Threat investigations” says Kevin Currie, investigator CSIRT of Cisco.

Rookie Award: Ironwood Pharmaceuticals 

Ironwood Pharmaceuticals won the Rookie Award for an organization that has successfully deployed a new software product within the past year. Deploying new software is never a small feat, Ironwood Pharmaceuticals did so with a de-merger on the horizon, knowing that they would soon have to split their deployment in two. “When our organization was going through the de-merger, we needed a simple and flexible solution to ensure our data is protected,” says Lian Barry, manager, end user support for Ironwood. “We found a solution that has provided constant assurance that our data is protected throughout this period of increased organizational change. 

Harmony Award: MacDonald-Miller 

MacDonald-Miller won the Harmony Award for striking a balance between data protection and empowering employees to be productive and collaborative in order to deliver results to the company’s bottom line. Two of MacDonald-Miller’s top security priorities are that users never experience downtime from data loss, and that valuable data is not leaving with departing employees. “Our data is our competitive advantage,” said Eddie Anderson, technical business analyst at MacDonald-Miller. “It’s critical for us to protect data from loss, leak and theft, while enabling our employees to collaborate and work at the speed of business.”

Evangelist Award: David Chiang, MACOM

David Chiang, IT system engineer of MACOM, won the Evangelist Award for an individual with expertise in data loss protection who sets industry best practices and actively shares them with peers. Chiang’s passion for software deployment and systems integration began with an intern project and has evolved into deep expertise on protecting data in the midst of a digital transformation. “Digital transformations are exciting, but they can put data at an elevated risk,” says Chiang. “It’s important for organizations to take steps to protect their most important asset — their data — during these times.”

Atlas Award: Proofpoint

Proofpoint won the Atlas Award, honoring an organization for deploying and protecting an expansive global workforce. As the Proofpoint organization grew quickly through M&A, business continuity and user productivity were top priorities set by the CIO. “With help from professional services, we were able to quickly go from nothing to a fully deployed data collection agent that can support our global workforce, ensuring we never experience data loss. We had a very successful deployment and it proved ROI within four months.” says Brock Chapin, systems admin for Proofpoint.  

Trailblazer Award: Schneider Electric 

Schneider Electric won the Trailblazer Award for improving a critical workflow or process for its organization. The company developed a custom app, used as part of their computer depot service, which collects and recovers data — in order to streamline, expedite and standardize the service. The results: time saved for technicians, reduced end-user downtime and improved user experiences. “As anyone in IT knows, positive user experience is critical to the effectiveness of any technical program. Our custom app not only provides that user experience, but it also lets them get back to work faster through decreased down time,” says Austin Joe, end point solutions senior engineer, enterprise IT of Schneider Electric. “We couldn’t be happier with the results.” 

We’re in this together

Join us in giving a virtual round of applause for these successful and innovative organizations. These examples not only represent major achievements for the organizations themselves, but the overall progress of the collective community of enterprise data security professionals. As your security team tackles emerging and evolving data loss challenges, don’t forget that you have a powerful resource in your Code42 peer network. From looking to examples like the customers highlighted here as inspiration or blueprints for your own initiatives, to consulting with other data security professionals to get answers, advice and guidance, we encourage you to leverage this valuable connection to some of the enterprise security world’s best minds and biggest thinkers. While the details differ, we face the same threats, manage the same challenges and share the same goals. We’re in this together.

Today’s Five Biggest Overlooked Data Security Trends

In the weeks following Black Hat USA 2019, I’ve done a little traveling from conference to conference – and, in between all that, met with a few customers. In those conversations, I’ve noticed that the key themes that emerged at this year’s Black Hat (all of which I’ve outlined below) have been holding strong throughout customer conversations. I believe these will be the trends we’ll continue to see throughout the last leg of this year, and well into 2020.

1: Complex Solutions

The first trend that stuck out is how complexity remains too high in cybersecurity. Many vendors continue to talk about how sophisticated their products are and how they can solve complex problems. In doing so, these tools become inherently very complex and unwieldy themselves. There’s a large and relevant inconsistency here: on one hand, the security industry, and really all enterprises, struggle with a serious shortage of skilled cybersecurity personnel. On the other hand, the complexity of the toolsets continues to rise. Something has to give.

Of course, these tools are aimed at people who are assumed to be masters of their trade, and who are able to make informed decisions as they examine data subtleties. Finding people with such talents continues to be one of the biggest challenges in the security industry, and without such staff, these tools end up being misused, or even unused.

2: Skills Gap

The second trend is how vendor complexity exacerbates the skills gap. As more organizations look to hire security staff who are less skilled and experienced with the hopes of quickly training these personnel, security vendors still need to provide the market with products that enable newcomers to be as effective as experienced security professionals.

If we want to get information security right in the next 10, 15 or 20 years, the industry must make products and tools that are easier for this next generation of security professionals to consume. Innovative technologies like machine learning and AI are indeed exciting, but they need to be coupled with easy and prescriptive solutions that new security professionals can start using right away without having to be experts first.

3: Communication is Key

The third trend: security vendors need to improve how they communicate their value. By walking the show floor at Black Hat and engaging with various security vendors, you’ll quickly realize that they don’t communicate their value propositions very clearly. It’s a real challenge to determine what many vendors actually do and make sense of whether or not these “solutions” actually solve specific challenges.

This is an area where the entire security industry can improve. The focus needs to be on how to better communicate the value of products and services, and how they provide better business outcomes. However, it’s not just security vendors that should be thinking about how they impact business outcome versus just tools and technologies; security engineers, architects, directors and CISOs must also do a better job of discussing business outcomes and how their investments will improve those outcomes.

4: Management Challenges

The fourth trend is that the challenges associated with managing data loss remain high. There is a considerable amount of continued frustration when it comes to managing data loss.

In fact, all of the leading data loss prevention vendors still talk about how they use AI to help classify data and automatically create data-loss policies. However, none have crossed the threshold where they can help security teams that don’t have the wherewithal to undertake a monumental project lasting several months or years to classify all of their data so that they can begin to deploy DLP.

Related to this is how understaffed and stressed most security teams seem to be. At the conference, I met with growing enterprises that have staffing ratios so low that one internal person supports 100+ employees. That ratio is far too low, and it’s why it doesn’t matter how cool the technology is; if it doesn’t help security teams that are under constant stress, then it simply doesn’t matter.

“ Making data-loss protection seamless and able to be managed by security teams of any size is something that we think a lot about at Code42. We focus on solving real-world cases, such as dealing with data loss risk by departing employees and high-risk employees in ways that don’t require hundreds to thousands of staff work hours to get right. ”

5: Product Consolidation

The final trend is the continued high level of technological and product consolidation occurring within the security market. This has been going on for some years now, and it’s continuing to accelerate. Security vendors continue to expand to adjacent problem spaces with complementary solutions – be it a DLP vendor acquiring CASB products, or a next-gen firewall solution adding EDR and SOAR capabilities to their portfolio. Elevating the business value to customers is one of the biggest drivers to increase user adoption of these new products and technologies.

These are the trends I noticed while exploring the show floor, speaking with vendors about the issues they are trying to solve, as well as meeting with customers and prospects. While the challenges are steep, I’m convinced that the industry and security professionals alike are motivated to learn, adapt and improve in order to solve the intricate obstacles we face, such as insider threat. We should expect to see solid progress in these areas in the next year.

Zero Trust Starts with Data Security

Recently, I joined co-presenter Chase Cunningham from Forrester for a webinar titled, “Zero Trust starts with Data Security.” You can’t be in security and not have heard of Zero Trust. It’s become marketing fodder to a lot of folks, so our goal was to present a very real-world scenario of what was driving the Zero Trust movement. Recently, Code42 commissioned Forrester Consulting to evaluate challenges that organizations face using traditional data loss prevention solutions. They surveyed 200+ security budget decision makers in the U.S. at organizations with 1,000 to 4,999 employees.

Here is a summary of the key takeaways from the webinar: 

It’s war! 

Make no mistake, we are living in a warfighting domain in cyberspace. In fact, in 2010 the U.S. Department of Defense declared cyberspace a warfighting domain. Simply put, your business and its associated data is in the middle of a war zone.

Compliance is more than a checkbox!

You can be compliant or you can be secure. Often organizations that choose to just be compliant are still setting themselves up for major security breaches. The analogy Chase used to explain this idea in the webinar is reason enough to watch the replay.

DLP isn’t the second coming. Prevention isn’t enough.

There is plenty of market frustration about the current state of DLP. Users have essentially checked out and are recognizing that there is a critical protection layer missing from the security stack.

Insider threat is on the rise. 

Here’s a stat to ponder: Ninety percent of insider data loss, leak and theft goes undetected internally.

Departing employees are taking your data.

Fifty percent of the labor force is already looking for new employment, half of which have been with their current employer for less than a year. They are quitting at alarming rates, and they are taking your data when they go! 

Workflows don’t exist.

We asked a very simple question of today’s organizations: Do you have a departing employee workflow? While badge and device collection are standard HR protocols, we heard crickets when it came to “collecting the data.” Simply put, organizations do not have a process for protecting corporate data when employees leave. 

Data is no longer the core focus. Everything else is.

Solutions and training have shifted the focus away from the core problem of the “data” itself. Prevention-oriented solutions are so focused on policies, classification and blocking, etc., that they are ignoring data altogether, which is a critical element in the Zero Trust approach. 

Zero Trust is a timely reminder…

To focus on the data! 

All data matters

At the core of Zero Trust is an approach rooted in collecting all data, not culling it out. 

It’s about data loss protection 

You have to complement a prevention-focused approach with protection measures because ultimately it is imperative to reduce the time to detect, investigate and respond to a data breach. 

Follow the data, not the employee!

While it can be easy to get suckered into a “Big Brother” mindset of monitoring employee movement patterns, all you really need to do is understand data movement patterns. After all, it’s the data the employee is after! 

To dive into the details of this webinar some more, catch the entire on-demand version here.