Insider threats are on the rise. The modern way of working—from anywhere and everywhere—combined with increased cloud adoption and employee turnover has created more vulnerabilities and opportunities for data loss and insider threats. And legacy systems can’t keep up.
Given these dynamics, it’s no surprise that organizations are looking for solutions to help manage insider threats more effectively—and avoid potential brand and financial damage. In its recently published “Market Guide for Insider Risk Management Solutions,” Gartner explores the capabilities that security and risk leaders should look for in an insider threat management (ITM) solution and provides guidance on implementing a formal insider risk management (IRM) program.
Let’s dive into some of the highlights of the guide.
Starting point: Identifying the must-have capabilities of IRM platforms
Gartner defines IRM as “the tools and capabilities to measure, detect, and contain undesirable behavior of trusted accounts within the organization.” Similar to last year, Gartner considers insider risk a superset of insider threats: “Not every insider risk becomes an insider threat; however, every insider threat started as an insider risk.”
Gartner identifies three distinct types of users—careless, malicious and compromised—which is in line with our view at Proofpoint. And according to the “2022 Cost of Insider Threats Global Report” from Ponemon Institute, which is referenced in the Gartner guide, most insider risks can be attributed to errors and carelessness, followed by malicious and compromised users.
Gartner elaborates further in its report to identify the mandatory capabilities of enterprise IRM platforms:
- Orchestration with other cybersecurity tooling (including SOAR)
- Monitoring of employee activity and assimilating into a behavior-based risk model
- Dashboarding and alerting of high-risk activity
- Orchestration and initiation of intervention workflows
Proofpoint is recognized as a Representative Vendor in the Gartner Market Guide for the second consecutive year.
An early and established leader in the market for IRM solutions, Proofpoint Insider Threat Management (ITM) expands on the required capabilities to help customers manage insider threats by:
- Integrating with a broad ecosystem of cybersecurity tools with its API-driven architecture. You can easily feed alerts into your SIEM, SOAR and service management platforms, such as Splunk and ServiceNow, to provide a complete picture of potential threats.
- Providing a single lightweight agent with a dual purpose: protecting against data loss and providing deep visibility into user activities. With one agent, you have the flexibility to monitor everyday users, such as low-risk and regular business users, and risky users, such as departing employees, privileged users and targeted users. Proofpoint gives you the benefit of data loss prevention (DLP) and ITM in a single solution.
- Saving time and effort by allowing you to monitor users, correlate alerts and triage investigations all from one centralized console. No more wasting time pivoting between tools. You can quickly see your riskiest users, top alerts and file exfiltration activity in customizable dashboards.
Additionally, Proofpoint ITM lets you easily change the status of events to streamline workflows and facilitate collaboration with team members. You can also add tags to help group and organize your alerts and work more efficiently.
Where the market is heading: the convergence of DLP and ITM
It’s no longer sufficient to have insights into data activity alone in a world where ways of working are more complex, and employees and third parties have access to more data than ever before. Organizations need a deeper understanding of the context of user behavior.
That’s why we believe the markets for ITM and DLP are converging. Organizations are undergoing a fundamental shift in their approach to information protection—from one focused solely on content to one driven by understanding risky behavior.
The integrated approach Proofpoint provides brings greater visibility and context to prevent data loss from careless, compromised and malicious users, which is critical to determining the appropriate response. With Proofpoint ITM, you can monitor everyday users and risky users with one solution.
Gartner recognizes that “the market is moving in a direction where additional threat intelligence is demanded in order to enrich the user analytics process, allowing a timely and appropriate response.” As part of our people-centric approach, Proofpoint agrees that threat intelligence is important to understanding context: Is a user accessing sensitive data as part of their job or is there a potential threat via a compromised account?
Proofpoint ITM provides details into the who, what, where and when of user activity with timeline-based views and screenshots so a security analyst has actionable insight to determine if a user’s behavior is risky or not. The solution is also part of the Proofpoint Information and Cloud Security Platform, which provides visibility into email- and cloud-delivered threats targeting your users.
IRM benefits from a formal program
In its latest market guide, Gartner also makes a new recommendation: “increase visibility and data protection in the organization by developing a formal insider risk management program.”
A formal program to manage insider risk goes beyond technology to include people and processes. As Gartner states, it’s critical to gain buy-in from executives on the objectives of the IRM program and guidelines for data handling, involving human resources (HR), legal and other stakeholders. Equally important is determining a strategy for information protection that is either strict or flexible, depending on what will work best for your organization’s culture.
Proofpoint ITM provides the flexibility that security teams need to balance employee productivity and security controls. With easy-to-build, customizable rules, end-user coaching and people-centric controls, security teams can adjust their approach to meet the organization’s objectives and compliance needs. Intuitive and easily exported reports also help facilitate collaboration with stakeholders in HR and legal as part of their forensic investigations.
Reduce Insider Risk with Security Awareness Training
Given that the largest portion of insider-led incidents is due to careless users, it’s not surprising that Gartner recommends that security and risk leaders “reduce insider risk by implementing comprehensive security awareness training.” Employees are often trying to take the shortest path to get their work done, although they may be violating corporate policy in the process. Bringing to their attention what is – and what’s not – allowed and why these controls exist, and reminding them of the due diligence needed before clicking on a suspicious link or opening content, can help to decrease risky behavior. Proofpoint Security Awareness Training provides you with a proven framework that educates users and drives behavior change to help reduce insider-led incidents.
Download the “Market Guide for Insider Risk Management Solutions” from Gartner today to learn more about what to look for in an IRM solution. Also, explore Proofpoint Insider Threat Management to see how we deliver on Gartner’s recommendations and key findings.
You can also listen to the Proofpoint webinar with ISSA, “Manage Insider Threats with a People-Centric Approach,” to get details on the benefits of a modern, people-centric approach to insider threats and data loss.
Gartner, Market Guide for Insider Risk Management Solutions, Jonathan Care, Paul Furtado, Brent Predovich, 18 April 2022
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.