How to Spot Insider Threat—Without Slowing Users Down

Imagine you’re driving to a destination, but at every turn, you’re forced to stop and explain yourself to a police officer. Why are you taking this turn? Where are you going? Are you sure you should be going this route? Are you sure you should even be going to that destination?

Beyond driving you crazy, it would take forever to get somewhere. You might even try going a sneaky back route—or coming up with a few effective lies—to help you avoid the constant stops and interrogations.

This is currently the most popular approach to mitigating insider threat in the enterprise world—the “trust no one” approach. It’s incredibly frustrating for end users. It significantly impedes productivity. It leads to dangerous user workarounds. But there’s a better way.

The “Trust No One” Approach Helps No One

The key challenge with insider threat detection: How do you differentiate legitimate everyday user activity from malicious or accidentally harmful actions? Traditional security tools rely on rigid rules. Lock down the most sensitive or valuable files. Limit access to the smallest possible group of users. Ultimately, this approach impedes end-user productivity, creating constant barriers and bottlenecks within legitimate everyday workflows. At the same time, this approach leads to alert fatigue for the IT and InfoSecurity teams tasked with monitoring user activity. It’s a “Boy Who Cried Wolf” situation: If you can’t trust that your alerts are real threats, then they’re pretty useless alerts.

Businesses Need to Protect Intellectual Property (IP)—But Locking It Down Isn’t the Answer

IP is now the most valuable asset to the digital business, making up around 80 percent of the average company’s value. But IP doesn’t sit in a vault—it’s part of everyday workflows. Users are creating, editing, sharing and collaborating on IP files all day, every day. And their use patterns don’t always fit rigid rules—users must be fluid. As a project progresses and roles evolve, different users may access different types of files or data. Enabling this kind of fluid collaboration is critical to the success of the digital enterprise, so tools and rules that take an always-or-never approach just won’t work.

Moving Toward the “Trust But Verify” Approach

Leveraging new data security tools and advanced analytics capabilities, forward-thinking companies are moving toward a new paradigm in insider threat mitigation: trust but verify. This approach is based on the concept of freedom through transparency. Going back to our car driving analogy, here are the three key steps:

  1. See all endpoint activity/See all the cars moving: With a foundation of complete endpoint data visibility, IT and InfoSecurity teams can monitor all data in the enterprise as users move it between endpoints, servers, external and cloud storage devices and more.
  2. Understand “normal”/See the common routes: With complete visibility, teams can better understand what normal use patterns look like—the common routes—including how they evolve over time as projects progress and roles shift.
  3. Spot the anomalies/See the “wrong turns”: With a map of what normal activity looks like, it’s a lot easier to see when a user takes a wrong, suspicious or dangerous turn. That’s when you stop them and ask them to explain themselves.
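
The three steps above, sketched as detection logic over file-movement events. This is an added example, not code from the original article or from any product it refers to; the event fields, destination names, 30-day window and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

WINDOW_DAYS = 30   # assumed: how far back "normal" reaches
MIN_EVENTS = 5     # assumed: history needed before a user is judged
SIGMA = 3.0        # assumed: volume deviation that counts as a wrong turn

# Step 1 (visibility). Constructed sample: (day, user, destination, MB moved).
EVENTS = (
    [(d, "alice", "file-server", s) for d, s in enumerate([10, 12, 9, 11, 10, 12], 1)]
    + [(7, "alice", "usb-drive", 900), (8, "alice", "file-server", 11)]
    + [(d, "bob", "cloud-drive", s) for d, s in enumerate([50, 55, 48, 52, 50], 1)]
    + [(6, "bob", "design-share", 51), (7, "bob", "design-share", 49)]
)

def find_wrong_turns(events, window=WINDOW_DAYS, min_events=MIN_EVENTS, sigma=SIGMA):
    """Return (event, reasons) for activity outside each user's rolling baseline."""
    history = defaultdict(deque)  # user -> recent (day, destination, size)
    flagged = []
    for ev in sorted(events):     # tuples sort by day first
        day, user, dest, size = ev
        past = history[user]
        # Step 2 (normal evolves): forget activity older than the window.
        while past and past[0][0] <= day - window:
            past.popleft()
        if len(past) >= min_events:
            reasons = []
            # Step 3 (wrong turns): a route this user has not taken recently.
            if dest not in {d for _, d, _ in past}:
                reasons.append("new destination")
            sizes = [s for _, _, s in past]
            # Floor the spread at 10% of the mean so very steady users
            # are not flagged for trivial variation.
            spread = max(pstdev(sizes), 0.1 * mean(sizes))
            if size > mean(sizes) + sigma * spread:
                reasons.append("unusual volume")
            if reasons:
                flagged.append((ev, reasons))
        # Assumption: a flagged event still joins the baseline, so a route
        # that was questioned once is treated as normal afterwards.
        past.append((day, dest, size))
    return flagged

if __name__ == "__main__":
    for event, reasons in find_wrong_turns(EVENTS):
        print(event, reasons)
```

On the sample data, bob's first use of a new share is flagged once and then absorbed into his baseline, while alice's large copy to removable storage is flagged on both destination and volume.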

Ready to put a better insider threat program in place? Read the new white paper, 3 Steps to Mitigating Insider Threat Without Slowing Down Users.