Grounding Insider Threats

Aircastle Recruits ObserveIT to Safeguard Sensitive Information While Protecting Privacy

Aircastle: Fast Facts

  • 2005: Founded
  • 2006: Public on NYSE (AYR)
  • $7.2 billion in assets
  • 100 employees
  • 277 aircraft
  • 87 lessees
  • 48 countries

Aircastle is one of those businesses that sounds simple enough on the surface. However, that veneer masks quite a bit of complexity. The publicly traded company acquires, leases and sells commercial jet aircraft to airlines throughout the world. 

“It’s a boring business,” claims their SVP of Information Technology, Bill Duenges, laughing. “But someone’s gotta do it.”

Duenges’ modesty aside, Aircastle has built a highly successful organization with a lean and dedicated team of employees. In fact, as of 2019, Aircastle owns and manages 277 aircraft, leased to 87 lessees located in 48 countries. Aircastle has earned its reputation as a company with a unique and necessary position in the commercial aircraft leasing industry. 

However, to preserve their success, they must take security threats seriously. This ultimately led to their investment in ObserveIT, a solution that has enabled them to protect valuable financial information from data leakage, while simultaneously respecting the privacy of their users. 

“We like to think of Aircastle as a family business, and we hope that no one would do anything to harm the organization. But at the end of the day you have to take a realistic view of how common Insider Threats are and what it takes to mitigate those risks,” says Duenges.

Insider Threats Vary—Mitigation Should Not

Every organization has a different set of Insider Threat concerns to worry about.

From industry type to customer profile to intellectual property, every business has a completely unique set of Insider Threat concerns. For some, it’s seasonal third-party contractors who come and go, sometimes attempting to take customer information with them. For others, it’s a small crew of database administrators, IT help desk employees, and other superusers who manage the organization’s infrastructure crown jewels—and who may occasionally misuse that privilege. 

“The workplace is evolving quickly and so are the threats that put our organization’s most valuable data at risk,” explains Duenges.

Aircastle has its own highly specific Insider Threat risks to contend with. As Duenges puts it, “Quite frankly, no one’s going to break in and steal information about our jet leases.” 

However, as a public company, Aircastle must carefully safeguard key financial information—everything from earnings to details of mergers and acquisitions—to ensure it is not leaked prior to regulated disclosure dates. Leaks could endanger the business, exposing them to financial and legal headwinds. 

Additionally, Aircastle is beholden to the Sarbanes-Oxley Act, or SOX compliance, another burden of being a publicly held company. These mandates require the company to continually maintain detailed financial and IT records for regulatory bodies. 


On top of these requirements, as a company with offices located internationally, they must uphold certain privacy regulations. Even outside these laws, Aircastle values their culture of privacy and respect for their employees and contractors.

So, what to do? How to ensure that sensitive information stays put, at least until the appropriate time, without overstepping the bounds of privacy and becoming Big Brother?

DLP Turbulence

The Aircastle team had been using a traditional endpoint DLP for data loss prevention, but had run into significant issues with time-consuming set-up, constant monitoring requirements, and system crashes. 

They tried two different DLP solutions, but both were overly file-focused and required constant hands-on maintenance, straining their small IT team. DLPs are driven by up-front data classification and ongoing content inspection based on policies and rules organizations must manually set up and maintain. This is time- and resource-intensive. Even after the upfront setup is complete, every alert triaged means manually contextualizing alerts with logs from applications and endpoints. 

“I have a small IT team of six people,” says Duenges. “So it’s very difficult to have a product you have to constantly babysit like a DLP.”

On top of that, users were far from thrilled with the DLP’s effect on their endpoints. “As soon as we started using a DLP, all our users knew it was there, because of the instant slowdown.” Some figured out how to bypass the DLPs, and even when they didn’t, the tools created mountains of work for Duenges’ team while slowing down investigations.

Put simply: This just wasn’t working.

So Duenges went back to the drawing board. “I realized what we really needed was an Insider Threat management solution,” he says. “Something that would give us detailed context if a data leakage issue arose, but that would still enable us to provide our users with robust privacy.”

“Insider Threat investigations that used to take days now take 15-20 minutes on average.”

Bill Duenges, SVP of Information Technology, Aircastle

a new co-pilot

After an extensive search process, Duenges and his team conducted a proof of concept with ObserveIT. They were pleased with the results and settled on ObserveIT as a means to help Aircastle gain more context into user activity within the organization. This would let them receive immediate alerts if, for example, an employee attempted to exfiltrate confidential financial information via a cloud storage service. 

Initially, Duenges admits, “My team saw ObserveIT as a ‘nice-to-have’ product. We thought it was just something we’d layer into our existing security stack.” However, two years into their engagement with ObserveIT, Duenges now describes the platform as a “must-have” that will be part of their security stack “forever.” 

ObserveIT enables Aircastle’s small IT and security team to receive rapid alerts on suspicious user activity and conduct investigations in a matter of minutes, rather than days. They are now aware of any insider activity impacting sensitive financial data and other valuable business files in near real time. Additionally, team members sometimes report out-of-policy behavior they witness, and now Duenges’ team has a tool that can help him verify the claims.

“With a small IT team, we do not have time to constantly babysit a product like DLP. With ObserveIT, there is no babysitting. I receive good, solid alerts. The information is relevant and doesn’t waste my time with searching.” – Bill Duenges, SVP of Information Technology, Aircastle

“The first tool I go to for investigations is ObserveIT,” says Duenges. “We get alerts from other tools, but ultimately use ObserveIT for full context around various incidents. With ObserveIT’s easy-to-use, quick-to-set-up and lightweight solution, my team is more productive, users aren’t impacted and our valuable assets are better protected.” 

Finally, ObserveIT’s fine-grained privacy settings enable the team to ensure that only the appropriate team members have access, and only after clearing access with their chief legal officer. This ensures user privacy is protected without sacrificing security.

“On top of all that, ObserveIT helps us meet SOX compliance,” says Duenges. “So that’s one more thing off my plate.”

Flying at the Speed of Insider Threats

With ObserveIT on board, Aircastle has been able to dramatically increase the velocity of Insider Threat investigations.

“Insider Threat investigations that used to take days now take 15-20 minutes on average.” – Bill Duenges, SVP of Information Technology, Aircastle

The Aircastle team now has full visibility into user activity across endpoints. When an alert fires, they are able to rapidly determine what happened and understand what took place before and after the incident to place it in context.

When actual insider-caused data exfiltration incidents take place, the team can rapidly investigate and respond to them with complete context around user and data activity from ObserveIT. 

ObserveIT enables the Aircastle security team to clearly understand not just what happened but why. In several cases, this has enabled them to exonerate employees who were acting in good faith but may have exceeded the boundaries of security policy. 

As a side benefit, Aircastle has even improved their NIST benchmark security score dramatically through demonstration of the features that ObserveIT has added to their security stack.


Ready to see how ObserveIT can help You?