Insider Threat Management

Identifying the Data Loss Source of Risk

When the digital safety of intellectual property is at risk of data loss (i.e. data exfiltration) and misuse, cybersecurity teams want to know three things:

  1. Can they detect potential problems?
  2. How quickly and thoroughly can they investigate them?
  3. Are there ways to prevent the problem from occurring (or growing)?

It seems like there should be a simple solution. So long as there is visibility into the primary source of risk, teams should be able to detect, investigate, and prevent data loss and data misuse, right?

Ironically, it depends on what you’re trying to look at (or gain visibility into). What is the determined primary source of risk for data loss and misuse in your organization?

Differing Views on Risk Sourcing

The goal of using a tool like a DLP or an Insider Threat Management solution is to minimize the scope and cost of risk to intellectual property by obtaining visibility into the source of risk.

But what if the means betrayed the authenticity and value of the end result? That's often the case when it comes to deploying a DLP solution.


Data Loss Prevention tools detect potential data loss or misuse through the monitoring of files, which requires the use of an installable kernel-based agent on the endpoint. These agents are capable of understanding the value and basic context of a file’s contents (based on user-applied classifications and tags), as well as individual file movements.

The problem is two-fold: kernel-based DLP agents often slow down the endpoint they sit on, and users are required to manually classify and tag files as they create, modify, and share them. This combination can frustrate users, and potentially force them to find alternative ways to do their work that could bypass the DLP altogether.

Insider Threat Management

Proofpoint ITM can detect potential insider threats by monitoring user and file activity through the use of a user-mode agent. This agent helps capture robust amounts of session metadata, so that security teams can understand who is doing what, when, and why. In short, it can deliver context for any series of actions.

And unlike the DLP’s kernel-based agent, Proofpoint ITM's user-mode agent doesn’t have to process anything on the endpoint, avoiding the performance and usability problem altogether.

Defining Risk Visibility

Traditional Data Loss Prevention (DLP) solutions define the primary source of risk as the way that data, particularly files, move within an organization’s systems and networks. As such, they function through the tagging, categorizing, monitoring, and control of file and data movement.

We at Proofpoint, as an Insider Threat Management solution provider, define the primary source of risk as the people behind the activity that causes data loss and misuse. These insider threats (your employees and third-party vendors/contractors) are the ones who, either maliciously or accidentally, take the actions that result in a potential incident.

In other words: our view is that data can’t exfiltrate or misuse itself. It needs people for that! And as the ’80s band The Fixx once said: “One thing leads to another…”
