Insider Threat Management

Part 2: The DLP Solutions You Already Have Are Not Obsolete

This is part two in our three-part series about the problems with DLP.

A lot of the companies we meet with are using data loss prevention for web and email, but they have exhausted all efforts to justify ROI. Every day, we speak with cyber security professionals who want to rip it out in frustration after encountering troubled installations, blue screens, fruitless classifications and hundreds of high-maintenance rules.

So, how do you fix the problem?

You know the pain points and shortcomings of your endpoint DLP solution, however, convincing C-Level Management to augment it can be tough, because you don’t want to seem incompetent. Bring up Insider Threat, and management may respond with, “Hey, we don’t have disgruntled employees here. Everyone is happy and nobody’s stealing our data! We haven’t had a security breach yet, so keep doing a great job of protecting our data!”

The problem is people.

Explain that data doesn’t leave the company by itself; people take it out. DLP looks at the data far more closely than at the person handling it, which is like trying to catch bullets leaving a gun instead of stopping the person pulling the trigger. So you have to convey to your C-Level Management that if they actually want to stop data from leaving the company, they can’t ignore the Insider Threat.

Consider this: the Verizon 2015 Data Breach Investigations Report found that insiders are involved in 90% of security incidents.

  • 29% of insider incidents are deliberate and malicious.
  • 71% are unintentional, with misuse of systems, log-in/log-out failures and cloud storage leading the way.

And because DLP solutions aren’t looking for insider threat, they will always be “too little, too late” to prevent it:

  • 97% of all insider threats have early indicators (2015 Verizon DBIR).
  • Suspicious behaviors are often observable before insiders become a threat.

It can take months before an employee or contractor attempts to remove information from the company via email, unauthorized cloud applications or thumb drives. Before reaching the data extraction phase, most would-be thieves hide the sensitive information they plan to steal and test their means of extraction so that the risky behavior eludes DLP. They start with something as simple as encrypting text that carries DLP trigger terms, such as public articles that contain Social Security numbers. They then run several tests with this “dummy data”: pasting it into Notepad and renaming the file, zipping it with a password, uploading it to Dropbox, and sending it to themselves through Gmail or a cloud file-transfer application.

They will repeat this risky behavior, with some variations, and keep using the dummy data, so that if they are caught they can say they were only sending themselves articles to read over the weekend, or some other excuse. If they are not caught and have established a level of comfort, they will start stealing real data.

They can download and send customer lists to themselves, with plans to provide the lists to competitors.

Wouldn’t it be great to be able to detect someone who searches for “How to disable DLP”, or to know when an employee adds sensitive files to Dropbox? This would give you the context you need to spot a disgruntled or malicious employee before they leak sensitive data.
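The rehearsal sequence described above (a search for how to disable DLP, a spreadsheet renamed to .txt, a password-protected zip, an upload to Dropbox, a mail to one's own webmail) is exactly what no single DLP content rule catches but a user-centric correlation can. The following is an added example, not code from the original post or from Proofpoint ITM: it scores constructed user-activity events per user so that the combination of early indicators, rather than any one of them, raises the alert. The event schema, the host and extension lists, the indicator weights and the sample events are all assumptions made for illustration.

```python
"""Correlating the staging-and-test sequence into one insider-risk score.

Added example, not code from the original post or from Proofpoint ITM.
The event schema, field names, weights and the sample events below are
constructed assumptions for illustration.
"""
import os
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy lists: destinations treated as unsanctioned, file types
# that count as sensitive, and the types used to disguise them.
UNSANCTIONED_HOSTS = {"dropbox.com", "mail.google.com", "wetransfer.com"}
SENSITIVE_EXT = {".xlsx", ".csv", ".docx", ".pdf"}
DISGUISE_EXT = {".txt", ".zip", ".7z", ".jpg", ".bak"}
EVASION_SEARCH_TERMS = ("disable dlp", "bypass dlp", "uninstall dlp")

# Illustrative weights per early indicator (not tuned against real data).
WEIGHTS = {
    "dlp_evasion_search": 40,
    "rename_to_hide_type": 15,
    "password_archive": 20,
    "unsanctioned_upload": 25,
    "self_addressed_webmail": 20,
}


@dataclass
class Event:
    """One user-activity record. kind is one of: web_search, file_rename,
    archive_create, upload, email. detail carries kind-specific fields."""
    user: str
    kind: str
    detail: dict = field(default_factory=dict)


def _ext(path):
    return os.path.splitext(path.lower())[1]


def _local_and_domain(addr):
    local, _, domain = addr.lower().partition("@")
    return local, domain


def indicators(ev):
    """Map a single event to the early-indicator names it triggers."""
    hits = []
    d = ev.detail
    if ev.kind == "web_search":
        query = d.get("query", "").lower()
        if any(term in query for term in EVASION_SEARCH_TERMS):
            hits.append("dlp_evasion_search")
    elif ev.kind == "file_rename":
        # A spreadsheet or document renamed to .txt/.zip/.jpg is the
        # "paste into Notepad and rename" trick from the text.
        if _ext(d.get("from", "")) in SENSITIVE_EXT and _ext(d.get("to", "")) in DISGUISE_EXT:
            hits.append("rename_to_hide_type")
    elif ev.kind == "archive_create":
        if d.get("password_protected"):
            hits.append("password_archive")
    elif ev.kind == "upload":
        if d.get("host", "").lower() in UNSANCTIONED_HOSTS:
            hits.append("unsanctioned_upload")
    elif ev.kind == "email":
        # Same mailbox name, different domain: jdoe@example.com -> jdoe@gmail.com
        s_local, s_dom = _local_and_domain(d.get("from", ""))
        r_local, r_dom = _local_and_domain(d.get("to", ""))
        if s_local and s_local == r_local and s_dom != r_dom:
            hits.append("self_addressed_webmail")
    return hits


def score_users(events, threshold=60):
    """Aggregate indicators per user and flag users at or above threshold.

    The score sums the weight of each distinct indicator, so a user who
    stages, packages and tests an exfil channel scores far higher than one
    who trips a single rule; a small capped bonus covers repeated tests of
    the same channel (the rehearsal pattern described in the text)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        for name in indicators(ev):
            counts[ev.user][name] += 1
    results = {}
    for user, inds in counts.items():
        score = sum(WEIGHTS[name] for name in inds)
        repeats = sum(c - 1 for c in inds.values())
        score += min(5 * repeats, 20)
        results[user] = {"score": score, "indicators": dict(inds), "flag": score >= threshold}
    return results


# Constructed sample events: jdoe rehearses the full sequence; asmith makes
# a single unsanctioned upload and should not be flagged on that alone.
SAMPLE_EVENTS = [
    Event("jdoe", "web_search", {"query": "How to disable DLP agent"}),
    Event("jdoe", "file_rename", {"from": "C:\\Users\\jdoe\\customers.xlsx", "to": "C:\\Users\\jdoe\\notes.txt"}),
    Event("jdoe", "archive_create", {"path": "notes.zip", "password_protected": True}),
    Event("jdoe", "upload", {"host": "dropbox.com", "path": "notes.zip"}),
    Event("jdoe", "upload", {"host": "dropbox.com", "path": "notes2.zip"}),
    Event("jdoe", "email", {"from": "jdoe@example.com", "to": "jdoe@gmail.com"}),
    Event("asmith", "file_rename", {"from": "report.docx", "to": "report_v2.docx"}),
    Event("asmith", "upload", {"host": "dropbox.com", "path": "report_v2.docx"}),
]


if __name__ == "__main__":
    for user, r in sorted(score_users(SAMPLE_EVENTS).items()):
        print(f"{user}: score={r['score']} flag={r['flag']} {r['indicators']}")
```

With the constructed events, jdoe accumulates all five distinct indicators plus one repeated upload and is flagged, while asmith's lone Dropbox upload stays well below the threshold. The point of weighting distinct indicators rather than counting DLP hits is that the dummy-data tests described above never contain real sensitive content, so a content rule has nothing to fire on; the user's sequence of actions is the signal.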

And what about employees who make mistakes and inadvertently cause harm? Another component of insider threat is honest people with admin access who are put in the position of assessing threats on their own; the ones who accidentally click on a malicious email attachment because they are trying to get through their inbox quickly; the ones who download a software program from the internet to help them perform their jobs more efficiently, not realizing a malware program is also attached.

Wouldn’t it be great to stop these employees from downloading suspicious files and let them know they are acting outside of your company’s established Information Security Policies?

If you’re not currently dealing with the Insider Threat, you need to! Get on the Road to a Comprehensive Data Loss Prevention Program. Download a free 15-day Trial of Proofpoint ITM now.

This is part two in our three-part series about the problems with DLP. Stay tuned for part three, 7 Security Controls to Deal with Insiders Before They Become Threats.
