Guest blog by Eric Lackey, Principal Advisor, Insider Threat, Flashpoint
When it comes to combating insider threats, timing is everything.
It can take as little as a few minutes or even seconds for an insider to exfiltrate sensitive data or infect critical systems with malware, for example—no matter whether their actions are intentional or accidental. And in most cases, the longer it takes for an organization to detect and investigate such a threat, the greater the resulting damages are likely to be.
Timely detection and investigation of insider threats, however, is far easier said than done. For many organizations, this is due largely to a lack of the right tools, the right expertise, or both.
On the tools front, there’s a common misconception that the same tools security operations centers and incident response teams use to detect and respond to external threats are just as suitable for insider threats. In reality, many such tools provide mostly network visibility or are signature-based and thus can only identify indicators of known threats that require an initial exploit or breach to penetrate a targeted network. Since insiders, unlike external threat actors, already have network privileges, their activities lack these indicators and are unlikely to be detected by these tools.
But even for organizations that do seek out the right tools for detecting and investigating insider threats, the market is oversaturated and tricky to navigate. Misleading claims and confusing marketing are abundant. Tools ranging from user and entity behavior analytics platforms, data loss prevention, to user activity monitoring solutions are frequently, and falsely, touted as panaceas of sorts, making it all the more difficult for prospective customers to determine which offerings are suitable for their needs.
Meanwhile, on the expertise front, the issue for many organizations is that they’ve long been accustomed to prioritizing—and allocating most of their security resources toward—combating external threats. As a result, not only is insider threat activity a common blindspot, but so are the various fundamental elements and integrative composition of an insider threat program (ITP)—otherwise known as the means through which such activity can be detected and investigated most efficiently and effectively.
Developing an ITP is not just a matter of throwing another tool at the problem, however. It requires building a strong foundation that integrates various resources and stakeholders throughout the organization, identifies an organization’s critical assets and vulnerabilities, and drives policy and governance to protect the organization and its stakeholders from this threat.
All of these challenges are precisely what fueled a new collaboration between Flashpoint Professional Services (FPS) and ObserveIT. By combining the FPS team’s unmatched expertise in building and strengthening in-house ITPs with ObserveIT’s innovative Insider Threat Management platform, this collaboration is designed to help customers—regardless of size, industry, or ITP maturity level—overcome the myriad challenges inherent to detecting and investigating insider threats.
If you’d like to learn more about this new collaboration, Flashpoint Professional Services, or ObserveIT, please click here or contact us at firstname.lastname@example.org.