Insider Threat Management

Financial Services Insider Threat Program Use Case

Kris Kormany, Techway, Cybersecurity & IT Business Consulting

In daily discussions with IT teams, it is usually apparent that most of their systems are well established. Firewalls are used extensively, the anti-virus system is efficiently configured, and servers have the latest updates. "State of the art", one would think. But is something missing? Is all of their sensitive data protected?

If you have a nagging feeling your data is not optimally protected, chances are, you are right and you should take action. Visibility into user activity and data activity is a key component to ensuring your data is protected.

To get the full view of user actions, Proofpoint offers unmatched visibility, especially as it relates to sensitive files and IP. However, implementing the right technology is only one part of the solution. Building a true Insider Threat Program is imperative and a critical issue to be addressed.

How to Build a Successful Insider Threat Program

Communicate Insider Threat Program Goals

Processes that impact the security of your company’s data are the responsibility of the entire organization. At an early stage, be as inclusive as possible and communicate your goals and motivations for introducing an Insider Threat Program openly and transparently.

Establish Internal and External Support

As CISO, you determine the requirements and the scope, but you are not the only stakeholder. Every employee is invested in the success of the company and values a secure workplace. Your customers, too, are happy to know that you have their personal information protected.

Respond Quickly & Effectively

In forensics, every second counts. Do you suspect users of your IT systems have obtained unauthorized access to data? Or, is the access legitimate but the users are misusing their rights? Only fast, automated countermeasures can prevent major damage.

Why Use Proofpoint?

As a Proofpoint partner, many of our customers use Proofpoint to gain visibility into both the activities of external partners and internal IT users. For many, it is critically important to adhere to the “four-eyes principle” to ensure appropriate visibility into user activity and prevent unauthorized activities. If any questions around user activity arise, our customers need to be informed immediately.

Additionally, Proofpoint helps many of our customers support their compliance requirements by incorporating the solution into their systems as part of EU-GDPR, PCI-DSS, and many others.

Our customers have been able to increase the security of their systems containing critical data - such as their CRM - with Proofpoint. The simple export of sensitive customer data may not make a staff member a risky user; however, the situation looks different if this data is then encrypted, renamed and copied to a cloud or USB stick - actions which would trigger an alert within Proofpoint ITM.

With Proofpoint ITM, CISOs and other key team members have real time visibility into risky user actions.

Insider Threat Program Use Case

A Swiss organization in the financial services sector regularly depends upon external partners to support their IT systems. They wanted to ensure access was not being abused. With ITM, they have full visibility into and are able to monitor all partner actions.

Internal employees are responsible for reviewing sessions for misconduct and risky actions. These employees receive automated e-mails noting the login of the external partners and, as a result, are always up-to-date on who accessed which endpoints and when. In addition, they automatically receive real-time notification about risky or unauthorized user actions on the systems. Real-time, automated notifications let the software do its job and allow them to focus on the daily business.
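The two automated notifications described above, an e-mail on every external partner login and an alert when an exported sensitive file is encrypted, renamed and then copied to a USB stick or cloud storage, as an added illustration in Python (not Proofpoint ITM code; the event format, field names and the 10-minute correlation window are assumptions):

```python
from collections import defaultdict

# Constructed sample activity events (assumed format, not real ITM output).
EVENTS = [
    {"ts": 1, "user": "ext-appmgr1", "kind": "external", "action": "login", "target": "srv-crm-01"},
    {"ts": 2, "user": "j.doe", "kind": "internal", "action": "export", "target": "crm_customers.csv", "sensitive": True},
    {"ts": 3, "user": "j.doe", "kind": "internal", "action": "encrypt", "target": "crm_customers.csv"},
    {"ts": 4, "user": "j.doe", "kind": "internal", "action": "rename", "target": "crm_customers.csv", "new_name": "notes.zip"},
    {"ts": 5, "user": "j.doe", "kind": "internal", "action": "copy", "target": "notes.zip", "destination": "usb"},
    # A plain export copied to an internal file server is not flagged.
    {"ts": 6, "user": "a.smith", "kind": "internal", "action": "export", "target": "crm_customers.csv", "sensitive": True},
    {"ts": 7, "user": "a.smith", "kind": "internal", "action": "copy", "target": "crm_customers.csv", "destination": "fileserver"},
]

EXFIL_DESTINATIONS = {"usb", "cloud"}
OBFUSCATING_ACTIONS = {"encrypt", "rename"}
WINDOW = 600  # seconds an export stays open for correlation (assumed)


def analyze(events, window=WINDOW):
    """Return (login notifications, risky-chain alerts) for an event stream."""
    notifications, alerts = [], []
    # per user: current file name of an exported sensitive file -> its state
    tracked = defaultdict(dict)
    for e in events:
        u = e["user"]
        if e["action"] == "login" and e["kind"] == "external":
            # Reviewer gets told immediately which endpoint the partner accessed.
            notifications.append(f"{u} logged in to {e['target']} at t={e['ts']}")
            continue
        if e["action"] == "export" and e.get("sensitive"):
            tracked[u][e["target"]] = {"ts": e["ts"], "obfuscated": False}
        elif e["action"] in OBFUSCATING_ACTIONS and e["target"] in tracked[u]:
            # Follow the file under its new name and remember it was obscured.
            state = tracked[u].pop(e["target"])
            state["obfuscated"] = True
            tracked[u][e.get("new_name", e["target"])] = state
        elif e["action"] == "copy" and e["target"] in tracked[u]:
            state = tracked[u][e["target"]]
            if (state["obfuscated"] and e.get("destination") in EXFIL_DESTINATIONS
                    and e["ts"] - state["ts"] <= window):
                alerts.append(f"{u}: sensitive export obfuscated and copied to {e['destination']} at t={e['ts']}")
    return notifications, alerts
```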

Financial Services Use Case Details:

The customer has approximately 400 Windows servers in use, of which 250 endpoints are considered mission critical: those 250 Windows servers host the sensitive customer data of a Swiss financial service provider. That alone makes it clear why ITM is used.

  • The organization works with several external trusted service providers and wants a full view of their activities on internal systems.
  • This customer sought to transfer the responsibility of monitoring access (away from IT) to another internal department.
  • Swiss financial companies are subject to regulations such as those of the Swiss Financial Market Supervisory Authority. For example, in the Authority's most recent circular (section V.B.20): "The outsourced function is to be integrated into the internal control system of the company. The material risks associated with outsourcing are to be systematically identified, monitored, quantified and managed. Within the company, a responsible body is to be defined, which is responsible for the supervision and control of the service provider. Its services must be continuously monitored and assessed so that any necessary measures can be taken promptly."

Final Thoughts

External service providers access the internal systems via two jump hosts. Funneling all access through these hosts keeps it controllable at all times, and the user activity on the jump hosts is already recorded by Proofpoint and analyzed automatically. The visibility does not end there; it continues on the actual endpoint.

Most external partners are “application managers”. When such an external user logs in, an internal coworker receives a real-time notification of the login and can monitor the session live. Proofpoint's automatic alerts make this scenario possible. The responsible internal employee only has permission to view the records of the external partners assigned to him, not those of other external partners. This internal policy was easily implemented with Proofpoint.

Proofpoint enabled this organization to have an overview of all contractor access for which a service account or shared account was used. Proofpoint lets the customer require users to identify themselves as soon as they log on to a system with a generic account («*\Administrator», «service-mssql», etc.), rather than allowing the generic login alone. This Secondary Authentication function is, in our experience, a very strong tool that most of our customers actively use.

Learn more about how Proofpoint can help you build a successful Insider Threat Program.
