Insider Threat Management

Information Protection for the Modern People Perimeter


Work-from-home mandates due to the COVID-19 pandemic greatly expanded the remote workforce almost overnight, changing the dynamics of corporate life—and corporate security. And now, the reality of today’s remote and hybrid work environment is that data isn’t bound by the traditional perimeter; people are the new perimeter. 

Corporate data can live in lots of places, but it doesn’t get to those places on its own. People move data. And they can put data where it’s not supposed to be—and hence, create risk. Insiders who put data where it shouldn’t be are:

  • Negligent users (people who are typically well-meaning but sometimes cut corners to get the job done)
  • Compromised users (people who have elevated privileges or who’ve clicked on a phishing link)
  • Malicious users (departing employees looking to steal intellectual property and people on human resources watch lists are examples of these insiders)

So, how do you protect sensitive data when data can live anywhere and be accessed from everywhere? With a people-centric approach to security.

This strategy is necessary to protect sensitive data and respond effectively to the various data risks insiders create. For example, if a user simply makes a mistake, educating the user on safeguarding data properly may be the right approach. But if you’re dealing with a compromised user, or a user intentionally doing bad things, you might need to augment education with a prevention-based approach.

Additionally, users can interact with data across various channels, such as email, endpoint, cloud and network. So, understanding the data exfiltration paths across multiple channels is important to ensure the people perimeter is fully protected.  

Understanding users and their interactions

There are three pillars of context — content, behavior and threat — in a people-centric security approach. These pillars can help us establish the full context for information protection. Let’s look at each one individually:

Content awareness

To establish content awareness, you must be able to understand when someone is handling sensitive data. This is important for compliance as well as protection of intellectual property. Classification and labelling using technologies like Microsoft Information Protection (MIP) is one way to build content awareness. 

Content scanning is another approach—for cases where data may not already be classified. Performance impact on the endpoint is an important consideration with content scanning. Any endpoint solution that gives the administrator granular control for judicious content scanning should be preferred over an endpoint solution that might do brute-force scanning and impact endpoint performance.

Behavior awareness

To understand user behavior, you need to look at user activity and determine, “Is that user negligent, malicious or compromised?” 

Collecting data from the endpoint using an insider threat tool can provide valuable insights into user behavior and identify which type of insider risk that behavior poses.  

An endpoint monitoring solution that combines data visibility with user visibility in a single agent can reduce the administrative overhead in managing disparate data loss prevention (DLP) and insider threat tools.

Threat awareness

You can establish threat awareness by integrating with advanced threat intelligence gathered from third-party sources, as well as internal telemetry from a broader user population. 

When establishing threat awareness, take care to summarize and obfuscate the data so that sensitive information is never exposed. 

A people-centric approach to information protection

Together, the three pillars outlined above can provide a full information protection picture. Unfortunately, traditional data loss prevention (DLP) tools haven’t done well in establishing the proper context. They don’t take a people-centric view of the world; instead, they take a data-centric view. As a result, they don’t really understand why data is at risk.

The information protection solutions Proofpoint provides are different because they:

  • Collect data from all channels into a single platform
  • Use the context pillars in the platform to determine risky user behavior
  • Remediate the risks and put controls in place to reduce future risk vectors

This people-centric platform brings together both the data-centric view and the user-centric view into a single pane of glass, providing a complete picture of how users are interacting with data. This approach to information protection can help your organization understand whether negligence, compromise or malicious intent is at the root of a threat.

For more details, watch our recent webinar on this topic, which is available on-demand: “Information Protection for the Modern People Perimeter.”