Putting the Brakes on Insider Threats

Automotive SaaS Provider CCC Information Services
Uses ObserveIT for Proactive Detection and Cultural Shifts

CCCIS: Fast Facts

  • 1980: Founded
  • 2,000 employees
  • Customers
    • 350+ insurers
    • 24K+ automotive repairers
    • 100s of part suppliers

On a Collision Course

While no two days at work are exactly the same for Daryl Brouwer, his mandate never changes: Protect the data and intellectual property that powers CCC Information Services (CCC). Brouwer, the Chief Information Security Officer at CCC, plays a central role in building, maintaining, and improving the company’s security program. 

Founded in 1980 as the Certified Collateral Corporation, the company now known as CCC is a leading software as a service (SaaS) provider to automotive-related industries. Through its CCC ONE™ platform, the company services insurance providers, auto manufacturers, collision repairers, part suppliers, and others with data, tools, and solutions to do business efficiently and to create a better experience for end-users. CCC’s customers include brands like Nissan North America, BMW North America, and more. 

CCC handles sensitive enterprise and consumer data around car owners, rentals, auto claims and collisions. They also employ almost 1,700 people and work with many outside companies, all of whom need to transact and work in a secure environment.

In 2016, something strange happened…. After the Insider Threat was resolved, Brouwer and his team were determined to not only understand how the incident occurred, but to put a system in place to better detect, investigate, and respond to similar incidents in the future.

A Roadmap for Insider Threat Management

To support future investigations and mitigate their Insider Threat risk, Brouwer began to look for solutions to monitor what was happening within CCC’s firewalls and on their workstations and to gather as much context as possible in a timely manner when incident investigations are required.

Brouwer assessed data loss prevention (DLP) and user behaviour analytics (UBA) tools, among others. However, these tools required significant administration and did not reach the level of accuracy CCC required.

Plus, Brouwer had a key insight: “Security is not something we can do solely in a technological way,” he says. “It’s something that helps me grow my organization and change my organization.” 

The company required a solution that would monitor and record activity in a user’s environment, send alerts for out-of-policy behavior, and integrate with other security measures already in place. But, perhaps most importantly, they needed a tool that would support the security-conscious culture they were working to build at CCC.

“ObserveIT has reduced the amount of time we spend on things dramatically. Something that would take 6-7 hours, we now do in 10-15 minutes. It’s a real advantage from a staffing and meantime-to-detection standpoint. It is key for investigations.”

Daryl Brouwer, CISO, CCC Information Services

Hitting the Gas on Security

CCC began using ObserveIT in 2016. With ObserveIT, CCC is able to both respond to and take proactive action against Insider Threats. When an incident occurs, Brouwer’s team supports investigations with a real-time record of user behavior. On the proactive side, they are able to monitor patterns of behavior and curtail potential risks before an actual incident occurs. 

In one case, Brouwer’s team discovered an employee engaging in behavior that was contrary to CCC’s security policies and culture; the company had a discussion with the employee, and the situation was rectified. CCC is also able to monitor potentially risky trends in user behavior, such as the use of USB keys or cloud solutions, and take corrective measures.

“ObserveIT has a unique perspective,” notes Brouwer. “The company looks at how it can become a part of my business, not just a technological tool. When looking at the future, it’s about how we integrate ObserveIT with people and process.”

ObserveIT has decreased the amount of time CCC’s security team spends investigating Insider Threat incidents. Before using ObserveIT, the team often spent six to seven hours researching whether a situation required further action. That type of investigation now takes 10 to 15 minutes. In addition, the company has seen dramatically lower mean time to detection. 

“It’s a real advantage from a staffing and mean time-to-detection standpoint,” says Brouwer. “It is key for us going forward as part of investigations.”

CCC is also able to use data from ObserveIT to enrich other network or systems data to develop a single source of truth and better understand the context around any incidents that arise. 

Driving Cross-Team Collaboration

Beyond the security team’s concerns with preventing data loss and other Insider Threat risks, ObserveIT provides valuable and easy to decipher context for other functions within the company, including legal and HR.

“Every department has different requirements when it comes to either addressing problems or looking at security incidents,” Brouwer explains. “From a legal perspective, they want a certain level of evidence to support a legal case or criminal investigation. HR needs to satisfy employment law. On the security side, we’re always looking for data leak prevention, exfiltration of data, or things that will impact brand or reputation.”

Ready to see how ObserveIT can help you?