Insider threats have always been a focus of information protection teams working to protect valuable intellectual property and sensitive data. As the enterprise workforce has become more global, more mobile and more connected, the complexity of protecting enterprise information has grown. That complexity has grown substantially in the past few months as the world rapidly shifts to work-from-home models.
The notions of people-centric security and context-aware Insider Threat Management (ITM) are informing new approaches to safeguarding intellectual property that address limitations of traditional endpoint Data Loss Protection. Security teams are adopting people-centric ITM to complement existing information protection programs while gaining greater insight into the behavior and risks of authorized users with approved access to sensitive information.
This blog looks at the key differences between ITM and traditional approaches to protecting sensitive data and intellectual property.
Looking back: Let’s guard data with perimeters and fences that keep people out and keep data in
Historically, cybersecurity teams have relied on an extensive set of perimeter-based security and access management technologies to keep bad actors away from protected infrastructure, resources and data. To protect against insider threats, whether negligent, malicious or compromised, endpoint DLP tools have been relied on to protect regulated and easily identifiable information such as PII, PHI and PCI-related data. Compliance regulations require such approaches to protect consumers and the broader economy from theft and fraud.
The theory behind this approach was to limit access to protected data to a select number of individuals and then rely on fences to prevent exfiltration of data or files that had been classified as sensitive.
Practical challenges to this approach have emerged over the years including:
- The number and diversity of authorized users with access to sensitive information – beyond employees, we see third party contractors, supply chain partners, and service providers with access to corporate resources
- The digitalization of intellectual property and the growth of digital commerce have led to explosive growth in the amount of protected data that every IT organization must protect and manage.
- The inherent complexity of classifying all data and files
- The complexity of scanning content in flight (e.g. determining whether a file is sensitive while it is being copied to a USB device) in real time results in productivity drags, whether through draconian rules (e.g. no personal webmail use) and/or compute-intensive processes that degrade endpoint performance.
Looking ahead: Leveraging people-centric security to deliver context about data, alerts and incidents
The reality is that we are all working with sensitive data whether we are developing, marketing, selling or manufacturing products and services. Think of sales conversations in which roadmaps and case studies are commonly shared. The sensitivity of a given document can change depending on the recipient (whether it is a customer, a partner, or prospect), on the time (whether it’s in the “quiet period” after an IPO, during a product launch or during a regular customer meeting) and the mode of transfer (corporate email, sanctioned USB vs. personal webmail or unregistered USB). Organizations need a context-aware approach to detect and protect against insiders leaking intellectual property and sensitive data, by accident or with intent.
ITM solutions focus on detection and response by providing the “who, what, where, when and why” around user interaction with sensitive data. Beyond the prevention-focused approach of traditional endpoint DLP, ITM focuses on identifying user risk and accelerating investigations related to potential data exfiltration leveraging a rich set of contextual data utilities. In contrast to the heavy agents required for deep content scanning, ITM leverages lightweight endpoint agents with little impact to performance and simple deployment and maintenance.
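The contrast drawn above, content-only DLP versus context-aware ITM, as an added illustration that is not part of the original post and not ObserveIT's actual scoring logic: a constructed file-movement event is evaluated by a content-only rule and by a "who, what, where, when" risk score. The user-risk baselines, channel categories and weights are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class FileMoveEvent:
    user: str
    file_name: str
    classified_sensitive: bool  # would a content-classification rule flag this file?
    destination: str            # "corporate_email", "personal_webmail" or "usb"
    device_registered: bool     # only meaningful when destination == "usb"
    recipient_type: str         # "internal", "customer", "partner" or "prospect"
    in_quiet_period: bool       # e.g. the post-IPO quiet period mentioned above

# Constructed user-risk context; hypothetical baseline scores, not real data
USER_RISK = {"alice": 5, "bob": 50}

def unsanctioned_channel(ev):
    return ev.destination == "personal_webmail" or (ev.destination == "usb" and not ev.device_registered)

def content_only_dlp(ev):
    """Content-centric endpoint DLP: alerts only if the file is already classified sensitive."""
    return ev.classified_sensitive and unsanctioned_channel(ev)

def itm_risk(ev):
    """People-centric ITM: score who, what, where and when; return (score, reasons)."""
    score, reasons = USER_RISK.get(ev.user, 0), []
    if score:
        reasons.append(f"who: {ev.user} carries a user-risk baseline of {score}")
    if unsanctioned_channel(ev):
        score += 40
        reasons.append(f"where: {ev.destination} is not a sanctioned channel")
    if ev.in_quiet_period and ev.recipient_type != "internal":
        score += 25
        reasons.append("when: external share during a quiet period")
    if ev.recipient_type == "prospect":
        score += 10
        reasons.append("who (recipient): prospect, not a customer or partner")
    if ev.classified_sensitive:
        score += 20
        reasons.append(f"what: {ev.file_name} is classified sensitive")
    return score, reasons

def itm_alert(ev, threshold=50):
    """Return the contextual reasons for an alert, or an empty list when below threshold."""
    score, reasons = itm_risk(ev)
    return reasons if score >= threshold else []

# Constructed sample events: an unclassified roadmap leaving via personal webmail,
# a routine customer share, and a classified export to an unregistered USB device
ROADMAP_LEAK = FileMoveEvent("bob", "roadmap.pptx", False, "personal_webmail", False, "prospect", False)
NORMAL_SALES = FileMoveEvent("alice", "case_study.pdf", False, "corporate_email", False, "customer", False)
PII_TO_USB = FileMoveEvent("alice", "customers.csv", True, "usb", False, "internal", False)
```

The content-only rule stays silent on the roadmap leak because the file was never classified, while the contextual score alerts on it and still catches the classified USB copy.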
Bridging past and present
It is important to understand that ITM is an alternative paradigm for protecting intellectual property and sensitive data, not a direct competitor to traditional endpoint DLP. There are use cases where DLP approaches are required, particularly around enforcing specific compliance requirements. ITM provides capabilities that complement broader information protection initiatives and augment people-centric security strategies. The table below summarizes the comparison between the DLP and ITM data protection paradigms.
| Capability | Insider Threat Management (ITM) | Traditional endpoint Data Loss Prevention (DLP) |
|---|---|---|
| Detection: User risk context | | |
| Detection: File movement context | | |
| Detection: Insider threat alerts | | |
| Investigation: User context aware | | |
| Investigation: Irrefutable & easy to understand evidence | | |
| Investigation: Context aware to other security alerts | | |
| Response Actions: Real-time user education | | |
| Visibility: Discover & classify regulated & structured data | Through lists | |
| Visibility: Identify Intellectual Property (IP), business documents & unstructured data | Through partnerships | |
Proofpoint’s ObserveIT ITM platform is deployed with more than 1200 customers and has a proven track record of delivering context awareness to insider threat, data loss, incident response and HR investigation programs. Learn more about ObserveIT’s people-centric approach to protecting against data loss by insiders.