It’s easy to understand why insider threats are one of the top cybersecurity challenges for security leaders. The shift to remote and hybrid work combined with data growth and cloud adoption has meant it’s easier than ever for insiders to lose or steal data. Legacy systems simply don’t provide the visibility into user behavior that’s needed to detect and prevent insider threats.
With so much potential for brand and financial damage, insider threats are now an issue for the C-suite. As a result, businesses are on the lookout for tools that can help them to better manage these threats.
To help businesses understand what to look for, Gartner has recently released its Market Guide for Insider Risk Management Solutions. In this report, Gartner explores what security and risk leaders should look for in an insider risk management (IRM) solution. It also provides guidance on how to implement a formal IRM program. Let’s dive into some of its highlights.
Must-have capabilities for IRM tools
Gartner states that IRM “refers to the use of technical solutions to solve a fundamentally human problem.” And it defines IRM as “a methodology that includes the tools and capabilities to measure, detect and contain undesirable behavior of trusted accounts in the organization.”
Gartner identifies three distinct types of users—careless, malicious and compromised.
That, we feel, is in line with our view at Proofpoint. And the 2022 Cost of Insider Threats Global Report from Ponemon Institute notes that most insider risks can be attributed to errors and carelessness, followed by malicious and compromised users.
In its Market Guide, Gartner identifies the mandatory capabilities of enterprise IRM platforms:
- Orchestration with other cybersecurity tooling
- Monitoring of employee activity and assimilating into a behavior-based risk model
- Dashboarding and alerting of high-risk activity
- Orchestration and initiation of intervention workflows
This is the third consecutive year that Proofpoint is a Representative Vendor in the Market Guide.
Proofpoint was an early and established leader in the market for IRM solutions. Our platform:
- Integrates with a broad ecosystem of cybersecurity tools. Our API-driven architecture means it’s easy for you to feed alerts into your security tools. That includes security information and event management (SIEM) as well as SOAR and service management platforms, such as Splunk and ServiceNow. That, in turn, helps you gain a complete picture of potential threats.
- Provides a single lightweight agent with a dual purpose. With Proofpoint, you get the benefit of data loss prevention (DLP) and ITM in a single solution. This helps you protect against data loss and get deep visibility into user activities. With one agent, you can monitor everyday users, such as low-risk and regular business users, as well as risky users, such as departing employees, privileged users and targeted users.
- Offers one centralized dashboard. This saves you time and effort by allowing you to monitor users, correlate alerts and triage investigations from one place. You no longer need to waste your time switching between tools. You can quickly see your riskiest users, top alerts and file exfiltration activity in customizable dashboards.
- Includes tools to organize and streamline tasks. Proofpoint ITM lets you change the status of events with ease, streamline workflows and better collaborate with team members. Plus, you can add tags to help group and organize your alerts and work with more efficiency.
DLP and IRM are converging
In its latest Market Guide, Gartner says: “Data loss prevention (DLP) and insider risk strategies are increasingly converging into a unified solution. The convergence is driven by the recognition that preventing data loss and managing insider risks are interconnected goals.”
A legacy approach relies on tracking data activity. But that approach is no longer sufficient because the modern way of working is more complex. Employees and third parties have access to more data than ever before. And external threat actors are increasingly sophisticated in their attack methods. If security teams want to be more effective at detecting and preventing insider threats, then they need context on user behavior. Those insights can help them determine the best response—and minimize brand and financial damage for the business, too.
That’s why Proofpoint Insider Threat Management (ITM) provides greater visibility into what both everyday users and risky users are doing. And it gives you context so you know whether there’s cause for concern. Proofpoint ITM provides details on the who, what, where and when of user activity with timeline-based views and screenshots. That means a security analyst has access to actionable insight that helps them determine if a user’s behavior is risky or not.
Increasing visibility and collaboration with a formal IRM program
In this year’s Market Guide, Gartner reinforces its recommendation from last year: “Develop a formal insider risk program to increase visibility into risks from careless or malicious associates and partners.” It recommends that security leaders “work in collaboration with cross-functional partners, in appropriate areas, including legal, HR, and privacy.”
ITM is often referred to as a “team sport,” given the wide-ranging implications of insider threats.
Proofpoint reiterates this approach through our program design services that can help you build your own program. Through Proofpoint Managed Information Protection, we provide proactive expertise, staff continuity, and executives to help enhance your security posture and maximize your return on investment.
When you have a formal IRM program, you have a chance to clearly articulate your program’s goals. This, in turn, can get executives behind your efforts. Oftentimes, efforts to monitor employee productivity can be conflated with insider threat monitoring. That’s why it is essential for an IRM program to communicate clearly with employees, document acceptable use policies and implement privacy controls.
Proofpoint ITM collects data on the riskiest users while maintaining user privacy. It meets the most stringent privacy requirements. And it anonymizes user data, masks content snippets and manages regional data residency to eliminate bias. Proofpoint ITM also helps you better collaborate with non-security team members by providing easy-to-use, exportable user reports.
Looking ahead: the role of artificial intelligence (AI) in IRM
In its latest Market Guide, Gartner states that “most organizations believe artificial intelligence will play a central role in insider risk management, even though the market has not fully adopted AI into the solutions.” Given the momentum of generative AI during the past year, this is not surprising. Both security vendors and users believe that AI can help with insider threat management challenges.
A potential—as well as substantial—benefit of AI is the ability to solve one of cybersecurity’s most pressing problems: helping security analysts work more efficiently. When you enable predictive models with AI and machine learning, your security analysts can quickly distinguish the noise—the false positives—from the true positive alerts. This, in turn, ensures your data and systems are better protected.
Proofpoint Sigma information protection uses AI throughout its platform. With AI-generated classifiers, for example, you can prioritize which data you want to protect based on business category and confidentiality level. This also helps you to augment DLP and add context to your investigations.
Learn more about what to look for in an IRM solution by downloading the Market Guide for Insider Risk Management Solutions from Gartner. And you can explore Proofpoint Insider Threat Management to see how we deliver on its recommendations and key findings.
Gartner, Market Guide for Insider Risk Management Solutions, Brent Predovich, 13 November 2023.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.