Insider Threat Management

3 Reasons to Supplement a DLP with Insider Threat Management

Many organisations spend years investing significant resources into data loss prevention (DLP) tools designed to identify, classify, and monitor data, in an effort to prevent data exfiltration.

But the fact of the matter is, data doesn't exfiltrate itself. People, or the insider threats, exfiltrate data.

Unfortunately, DLP tools alone aren’t stemming the consistent rise of insider threat-related incidents. Trusted insiders (your employees and third-party contractors) are still finding ways to get around the system.

For many organisations, the solution to the insider threat problem isn’t as simple as ripping and replacing DLP software already in place. These tools often take a great deal of time and resources to implement, including an extensive data classification process, which requires an in-depth audit of all data and then fine-tuning of that classification architecture year after year.

Instead, supplementing a DLP with an Insider Threat Management solution focused on user activity solves both the data and the people sides of the insider threat equation -- and could be the best way to detect and prevent insider threats.



    These days, IT has become increasingly decentralised, meaning that it’s a lot harder for DLP tools to get a comprehensive look at data, and how it moves. To get a clearer picture of how and why data is being exfiltrated, companies need to understand how insiders are using that data.

    Traditional DLP tools require organisations to know where the data is located, and how to categorise it with the appropriate tags, policies, and rules. If employees are accessing data via software-as-a-service (SaaS) applications, sharing it with external vendors and contractors, and tapping into corporate systems with different devices, the task of knowing exactly where the sensitive data lies becomes infinitely more complicated.

    A more holistic, user activity-centric approach can serve as a complement to a DLP solution, by giving security professionals visibility into how users are most commonly accessing, interacting with, and sharing data, rather than just locking it down.

    This level of visibility empowers the security team to be more proactive with educating and training users on the appropriate use of digital systems in real time -- which becomes even more important when you consider that two out of three insider threat incidents are caused by user error.


    Many users, whether they’re privileged or non-technical power users, can circumvent a DLP solution -- especially if it’s impeding their productivity.

    Heavyweight DLP agents can bog down endpoints for individual employees, causing them to find workarounds that might involve out-of-policy actions or unauthorised use of technologies. If a DLP tool is only applied to the perimeter, the potential for an insider workaround becomes even higher.

    Ultimately, data doesn’t move itself; people move data. With user activity monitoring, security teams can track access and interactions with sensitive databases, files, and applications, delivering a more complete picture of activity over time. This is particularly useful for speeding up insider threat investigations and eliminating the guesswork.

    What’s more, if there’s a system in place that sets up guardrails rather than barriers, people will be less likely to try to find a workaround in the first place.


    In cases where data does leave an organisation through a data leak or exfiltration event, cybersecurity professionals are inevitably faced with the question: “How did this happen?”

    Unfortunately, investigating an incident can get complicated quickly after a DLP alert is triggered. In many cases, the systems aren’t meticulously maintained, increasing the likelihood of false positives or sending security teams on a wild goose chase to discover the root cause of a potential incident.

    By supplementing your DLP tools with a bona fide user-centric Insider Threat Management solution, you can improve upon key functionality to validate incidents, gather forensic data, and verify DLP alarms from a user activity standpoint. This validation should include data on the behaviours that indicate a risk of data loss, such as a user’s file, application, Internet, and window activity.

    Since people are unpredictable, strict data monitoring rules and policies aren’t always fail-safe -- it’s important to allow for some flexibility to detect suspicious or out-of-policy behaviour from the people using your corporate systems on a daily basis.


We get it. A "rip and replace" isn't always the best option for improving your internal systems. The phrase says it all - ripping something out doesn't sound pleasant, or particularly easy. So why do it?

If you still find value with your DLP solution for compliance or locking down data, that's just fine. Just be sure that you also consider the people-side of the data exfiltration equation with user activity monitoring, so you can fully prevent sensitive data from leaving your organisation, once and for all.


Don't just take our word for it: give Proofpoint a try for free.