At a Glance
Aerospace & Defense Sector
- Data exfiltration of sensitive intellectual property
- Highly regulated industry
- Investigations too slow and reactive
- Nation-state actors infiltrating the ranks to steal data
- ObserveIT Insider Threat Management Platform
This U.S.-based company is a defense and aerospace contractor that also provides information technology services to a variety of fields. It develops a range of services, software and products, including avionics and electronic systems, for government, defense and commercial use, and also specializes in technology and various types of weaponry. With a broad portfolio of offerings and a massive customer base, this company is one of the largest defense contractors in the world.
Due to their industry and customer base, it is no surprise that this company handles a massive amount of sensitive data and information in the course of business. Their primary concern was avoiding exfiltration of sensitive intellectual property and data, including by nation-state actors. They found USB drives and other removable media in particular to be a common exfiltration channel. They also needed a way to enrich alerts from other tools to build context and speed up investigations in the event of an Insider Threat incident.
Previously, the team had used a traditional DLP solution to attempt to monitor and respond to data loss scenarios. While their security analysts liked the granular detail provided by the DLP, it was difficult to set up and maintain, and their IT team and CISO were frustrated with the product. They felt that they were sacrificing endpoint performance and frustrating users for the sake of data collection, and the balance between those concerns was tenuous at best.
At the outset, the team decided to test out ObserveIT in their environment to determine how it stood up to their DLP, and found that ObserveIT could be used for nearly twice as many relevant use cases as their DLP. After a six-week pilot, they brought ObserveIT on board to augment their Insider Threat program with increased visibility and context into security events. ObserveIT has now been an integral part of their Insider Threat program for years.
“If I could sum up the value of ObserveIT in one word, it would be: visibility. That is what really differentiates the platform and adds so much value to our organization when it comes to detecting, investigating, and responding to Insider Threats.”
– Cybersecurity Architect, Major Defense Contractor
With ObserveIT as part of their security arsenal, the company now has user visibility into risky events in one place. Previously this data was dispersed across disparate tools, and it was difficult to reconcile the information to build a complete picture.
At an enterprise scale of over 30,000 endpoints, a single source of truth for user-driven events is an absolute requirement to mitigate Insider Threats before they spread and put the organization at risk. The easy-to-understand timeline of user activity, applications, endpoints, files, and data associated with a security event in ObserveIT enables the security team to quickly demonstrate to stakeholders what happened, why it happened, and why it is concerning. Their cybersecurity architect describes ObserveIT as a “storyboard” that helps them easily convey out-of-policy activity to legal, HR, and even authorities in extreme cases.
Previously, when the team’s endpoint detection and response (EDR) tool fired an alert, a security analyst had to dig in and study multiple processes. It often took 30 minutes to two hours for them to understand what had happened. With ObserveIT, this takes minutes.
Using ObserveIT, the team can search for user activity by endpoint or by the process name in the EDR alert. ObserveIT’s search capability highlights users and any risky behavior on the endpoint, in applications and in files they’ve interacted with. Security teams can see the context of what the user did on that endpoint or application before and after the EDR alert fired.
All this is served in an easy-to-read timeline of events, so the security team knows the context in minutes without log analysis. ObserveIT serves as a diagnostic tool that enables them to deep-dive into what happened before, during, and after an alert was triggered. This gives them the rich context they need to determine how to respond.
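An added example (not ObserveIT's code or the customer's) of the pivot described above: given a constructed EDR alert and a constructed user-activity timeline, it pulls the events on the same endpoint before and after the alert and flags the out-of-policy ones (removable-media copy, agent uninstall, remote-access tool). The record field names and the list of risky actions are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample user-activity timeline (not real ObserveIT data): each
# record is one user action recorded on an endpoint, with the process involved.
ACTIVITY = [
    {"ts": "2024-03-04T09:40:00", "host": "ws-117", "user": "jdoe", "process": "outlook.exe", "action": "open_email"},
    {"ts": "2024-03-04T09:52:00", "host": "ws-117", "user": "jdoe", "process": "explorer.exe", "action": "copy_to_removable"},
    {"ts": "2024-03-04T10:01:00", "host": "ws-117", "user": "jdoe", "process": "msiexec.exe", "action": "agent_uninstall"},
    {"ts": "2024-03-04T10:03:00", "host": "ws-117", "user": "jdoe", "process": "logmein.exe", "action": "remote_access_tool"},
    {"ts": "2024-03-04T10:40:00", "host": "ws-117", "user": "jdoe", "process": "winword.exe", "action": "open_document"},
    {"ts": "2024-03-04T10:02:00", "host": "ws-042", "user": "asmith", "process": "msiexec.exe", "action": "install_update"},
]

# Constructed EDR alert: the analyst starts from an endpoint, a process name and a time.
EDR_ALERT = {"ts": "2024-03-04T10:01:30", "host": "ws-117", "process": "msiexec.exe"}

# Actions the program treats as out-of-policy (assumed list: USB copy, agent removal, remote-access tools).
RISKY_ACTIONS = {"copy_to_removable", "agent_uninstall", "remote_access_tool"}


def context_window(activity, alert, before=timedelta(minutes=30), after=timedelta(minutes=30)):
    """Events on the alert's endpoint within [t0-before, t0+after], tagged as before/after the alert."""
    t0 = datetime.fromisoformat(alert["ts"])
    rows = []
    for ev in activity:
        if ev["host"] != alert["host"]:
            continue  # only the endpoint named in the alert
        t = datetime.fromisoformat(ev["ts"])
        if t0 - before <= t <= t0 + after:
            rows.append({**ev,
                         "phase": "before" if t < t0 else "after",
                         "risky": ev["action"] in RISKY_ACTIONS,
                         "matches_alert_process": ev["process"] == alert["process"]})
    rows.sort(key=lambda r: r["ts"])  # ISO timestamps sort correctly as strings
    return rows


def storyboard(rows):
    """One line per event, in time order, that an analyst can hand to stakeholders."""
    return [f'{r["ts"]} {r["phase"]:6} {r["user"]} {r["process"]} {r["action"]}'
            + (" [RISKY]" if r["risky"] else "") for r in rows]


if __name__ == "__main__":
    for line in storyboard(context_window(ACTIVITY, EDR_ALERT)):
        print(line)
```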
One of the key metrics that the team tracks is time to close an investigation; in other words, from the moment it becomes clear an investigation is needed to the moment it is officially closed.
Many cybersecurity teams focus on “mean time to detect” or “mean time to respond.” Both of these are useful metrics. However, resolving insider threats in a timely fashion is very important, and resolution goes beyond a technical block or mitigation. Hence this company’s decision to prioritize the “time to close investigations” metric, an indication of a very mature security program.
They have been able to dramatically decrease this metric using the increased visibility and context achievable through the ObserveIT platform. They have also found that the quality of “leads” and fidelity of alerts in general is much higher because ObserveIT enables them to avoid most false positives and to quickly get to the root of whether user activity was negligent or malicious in nature.
ObserveIT in Action: A Real-World Incident
The Incident: The team has set up alerts so they are notified when someone uninstalls ObserveIT on an endpoint. If this happens, the team reinstalls ObserveIT and then puts focused observation on that team member. In this case, an employee was discovered uninstalling ObserveIT and using LogMeIn to avoid the security stack and VPN. They were connecting their personal computer to their work endpoint.
The Response: With ObserveIT, the security team kicked off an investigation. They quickly learned that the employee was doing work to support the business mission. It was someone on call from home who was subverting security protocols in order to get work done. While it was out-of-policy behavior and not secure, it was not malicious. They were able to provide the employee with a warning and guidance to avoid the behavior in the future.