Slack had a very successful IPO but email is not going anywhere, any time soon. In the work world, it is still the most common means to communicate and exchange information. Sometimes it’s an employee innocuously emailing an attachment to their personal email to work on it remotely, while at other times, it could be a disgruntled or departing employee sending files to themselves or other external recipients. Irrespective of intent, these actions may expose the organization to data exfiltration risks with their intellectual property (IP), sensitive data and fellow employees’ personal data. Traditionally, security teams had to rely rely on email DLP and email security providers. During incident investigations, these solutions require significant manual analysis of email logs yet don’t provide the critical user context. With ObserveIT, security teams can detect data exfiltration from email in real-time and investigate such alerts in minutes with the full context about the user, file and email activity during, before and after the email was sent or received.
ObserveIT 7.8 has now extended the whole story we provide with selective recording around triggered alerts, more control over fine-tuning alerts and more capabilities for monitoring Mac endpoints alongside detecting and responding to data exfiltration by email applications. In this post, we’ll take a deep dive into the new features and share how your organization can put them to work to intelligently manage insider threats.
Email Monitoring for Data Exfiltration
Email is a key exit and entry point of sensitive data within any organization so it’s necessary to have the visibility into user and file activity related to the email. With ObserveIT 7.8, organizations can now monitor the desktop Microsoft Outlook application on Windows and on Mac, and the Mac Mail application with comprehensive visibility into users sending sensitive files over email and saving attachments received over email.
Organizations can detect, investigate, and respond faster to email-related insider threat incidents by gaining full context into the email activity. ObserveIT 7.8 provides granular visibility into:
- Sender and recipients domains (including to, cc and bcc addresses)
- Subject line
- File Attachments, capturing information on
- File names
- File size
- Number of attachments
The rich metadata captured in ObserveIT 7.8 can be used to detect a wide variety of patterns of email data exfiltration. Some examples are:
- Sending and receiving sensitive data to and from unauthorized domains
- Unusually large file movement by users
- High-risk users exfiltrating sensitive data outside the organization
- Files downloaded or saved from corporate emails and exfiltrated through other channels
- Users downloading or saving files from known bad domains (e.g.: phishing and malware originating domains)
ObserveIT provides the whole context of the user’s activity before and after the email exfiltration activity. Timeline view provides a chronological view of a user’s email actions in along with other user activity before and after the email event.
Email Diary showcases all email metadata in a dedicated view and email attachments are linked to the File Diary view.
Each of these views indicates user actions that caused email alerts to be triggered and offers flexible searching and cross reference to the other diaries for easier investigations. The new features cover both Outlook and Mac Mail clients.
Screenshot of the File Diary view. Emails filtered by sender or receiver.
Activity Replay for Selective Recording
Traditionally, incident investigations have been time consuming and even then user attribution is very difficult. Recording user actions when they are engaged in high risk activity is the clearest evidence of intent and action that provides irrefutable proof of harmful intent or establishes innocent nature of actions. Yet, it’s often untenable to record all activity all the time, as this can drive up storage requirements (and costs) significantly and doesn’t follow the latest regional privacy standards.
For these reasons, ObserveIT 7.8 provides the ability to selectively capture screenshots just before and after a policy violation: Activity Replay. This way, teams have access to replay user activity without the privacy concerns and overhead of no strings attached, full session recording.
Here’s a visualization of how this works:
Activity Replay in this manner provides improved context before and after suspicious user and data activity. As you can see above, ObserveIT continually records metadata but, when an alert is triggered, the platform also records video from before, during, and after the event.
ObserveIT 7.8 empowers teams with a flexible session recording policy that they can fine tune to meet their exact requirements, whether that’s upholding specific privacy laws, maintaining internal corporate norms, or reducing costs. ObserveIT specifically enables organizations to exclude monitoring of any private employee activity (e.g. the use of a personal financial account or social media) should the organization so choose. With the new features, organizations can save up to 80% in storage per day per agent (assuming average user and alert activity), in turn leading to potentially large reduction in total cost of ownership.
Here’s a screenshot that shows how to create a new recording policy:
With this flexible recording policy, teams can make exceptions to the policy based on certain applications, websites, or types of web category. Activity Replay can also be triggered alongside user education or blocking, so that organizations not only gather the information they need for investigations and response, but also immediately neutralize risky user activities.
Note: This is currently a Windows-only feature.
Alert Tuning for Improved Detection
For security teams familiar with the problem of too many alerts, ObserveIT 7.8 provides new tools to fine tune all types of alerts from one single screen in eight easy steps. Alert tuning can be used to clean up false positives from the past, reduce noise, and make alerts more accurate for the future, as depicted below:
Security analysts are able to execute their tasks with more efficiency using a single “Alerts” screen to fine tune all of their insider threat alerts within ObserveIT.
For future alerts, analysts can choose to:
- Exclude users
- Exclude active directory groups
For previous alerts, analysts can choose to:
- Change status
These features enable ObserveIT users to take advantage of the full horsepower of the platform without being bogged down by extraneous alerts. (One more step in the right direction when it comes to reducing alert fatigue for analysts.)
Other New Features and Benefits
In addition to the major updates above, ObserveIT 7.8 includes:
Enhanced Mac support
- New Mac Endpoints group
- New Mac Recording Policy Type with Mac-related fields only
- Search by OS type (=Mac)
- Recapture only the window in focus
- Monitor Firefox and TOR browsers on Mac endpoints
File Activity Monitoring (FAM) Usability Improvements
- Faster investigations with improved usability in File Diary
- Batched events grouped
- File size information available
- Easier navigation
Insider Threat Library Updates
- Five new alert rules on email activity
- Only the top 60 valuable alert rules are active by default
- Switch timestamp display to make local time of user clearer
- Toggle activity timestamps between server or endpoint local time zones
- Switch is available in all diaries, alerts, search
- New Reports fields allow users to view timing in endpoint local time zone
You can find the full product update documentation here, should you require more details.
Less Noise, More Signal
When it comes to insider threat protection, less is often more. In other words, fewer and higher-fidelity alerts are often the key to catching threats quickly. We’re thrilled to let ObserveIT 7.8 out into the wild so more teams can have access to these email-based data exfiltration features, Activity Replay, alert tuning, and other new additions to the platform that will make defenders more productive and effective against insider threats.
Ready to give ObserveIT 7.8 a shot?