insider threat detection

How to Get the Most Out of Data Loss Prevention Technology to Improve Insider Threat Detection

Yesterday, I attended our webinar, “How to Unlock the Full Potential of Insider Threat Tools,” and it got me thinking about the relationship between technology and past successes of insider threats. Rich Burke, Vice President of Public Sector, made a critical point during the webinar that failure to detect insiders isn’t exclusively a technology issue. There are plenty of good technologies out there, but it really takes people and processes to make them even more effective.

For example, how many times do we hear people complain that antivirus company XYZ is ineffective in detecting threats? I hear it quite often. Over the last 15 years, antivirus software has gone from one of the most effective security solutions to just another piece of software auditors tell us we need. In those 15 years, we’ve witnessed the adoption of endpoint firewalls, web proxies, user behavior analytics, and other tools to detect and prevent sensitive information from leaving your organization’s boundaries – yet we’re still seeing data breaches and information leaks.

One of the more effective tools that Rich touched on in the webinar that can help close the gap is Data Loss Prevention (DLP). Let’s dig a little deeper into why DLP technologies can help improve insider threat detection, and how these solutions can be configured, integrated, and tested by users to maximize their capabilities.

DLP Technologies: A Look at the Past and the Present

Technologists created DLP solutions to cut down on leaks. Coming into widespread adoption in 2006, DLP was designed to prevent end users from sending sensitive or critical information outside the corporate network. DLP functions on the basic premise that administrators provide business rules to identify what information is sensitive, and DLP solutions send alerts whenever that information leaves the network.

The first generation of DLP solutions focused on protecting data at rest. You entered specific file names and folders into a configuration file, and when users accessed that information, an alert would go out. While this was a very effective process to increase visibility into user behavior, it was time-consuming for organizations that produced many new files or stored files in various locations.

Most DLP solutions now focus on protecting data in transit. Instead of zeroing in on file names and folders, effective protection hinges on labeling data when it’s created. These DLP solutions make it relatively straightforward to label data, but not all users label data consistently.

Here are some additional steps to ensure your DLP is not a standalone solution but is seamlessly integrated within your Insider Threat Program for a more holistic detection approach.

Categorize Information as It’s Being Created

Organizations need to answer three questions to successfully categorize and integrate their DLP solutions:

  • What’s sensitive to us?
  • Where does sensitive information reside?
  • Who requires access to the sensitive information?

Configure and Test Your Solution

First and foremost, security products should be configured specifically for your environment. Too often we observe security products in default, out-of-the-box configurations in enterprise networks.

To be effective, DLP solutions require you to identify what information is important. Incorrectly setting up tools gives a false sense of security or coverage. Also, you must test your DLP solution, so you can understand the alerts it’s sending and determine the situations in which it fails to send an alert.

Account for Unknown Exfiltration Paths

There are many ways people can remove information from an organization. They can email a file, upload a file, take a picture of a file, and print a file. One innovative method I’ve observed was an insider who printed hundreds of files, then scanned them into low-quality PDF files and emailed them out of the organization to try to avoid detection.

Although the organization had a DLP solution, it didn’t trigger an alert since it couldn’t adequately read the information in the PDFs. Instead of thinking about all the ways data can leave the organization, focus on points where users can change data formats (e.g., from email to PDF).

If you can print documents, make sure you set up and maintain logs to capture the username, filename, IP address, and time of printing. The NSA used a similar method to determine the source of a classified information leak in 2017.

Summary

Given enough time with any security product, users will find a way to circumvent it. Technology can certainly be effective and should be integrated into your Insider Threat Programs. But let’s not leave out the importance of people and process.

Larger gains in your Insider Threat Program will come by understanding your tools, training analysts on the limitations of those tools, and learning how to address those limitations.