Most Data Loss Prevention (DLP) solutions are unable to determine what type of user behavior is risky and who is becoming a threat. It can take months before an employee or trusted third-party user attempts to remove information from the company via emails, unauthorized cloud applications or thumb drives. Many DLP solutions can’t follow the steps insiders took before they stole sensitive information, and organizations typically find out only after a data breach has already occurred.
In this blog, the final post in a three-part series that examines insider threat and the tools that can be used to stop it, we’ll review how Proofpoint’s Insider Threat Solution provides unparalleled visibility into the users who are putting your organization at risk.
With Proofpoint, you can detect data exposure, data theft and out-of-policy activities long before data is stolen. By monitoring and sending alerts about field-level application usage, scoring users based on the risk they pose, and analyzing user behavior, you can detect and mitigate the risk of data loss across all users in an organization: privileged users, third-party vendors and business users.
Deter Users from Stealing Data
Proofpoint ITM provides customizable messaging to deter users from stealing data. This can be done in two ways. When logging into a server, workstation or desktop, a user can be prompted with a message stating a specific corporate or regulatory policy (something like, “Please note that PCI requirements mandate that no database traces be implemented on this server”). This message can be configured to require a user response, and can also lock down the user’s desktop until the user replies. The message can be configured per user, user group, server or server group.
In addition to the message that can be displayed upon logging in, Proofpoint ITM can also display a banner across the top of a user’s desktop (for example, “All activity on this machine is recorded and monitored”).
Report on USB and Removable Storage Use
Proofpoint ITM not only records and monitors when USB devices and removable storage devices are used, but can also send alerts on these actions in real time. Canned and customized alerts can be configured to detect, alert and associate risk with insiders using removable media, especially when they’re trying to exfiltrate data. The alerts can be configured from window titles, application names, process names, in-application elements like fields and buttons and many other elements. When an alert is triggered, Proofpoint ITM console users can react in real time by either messaging the user or terminating her interactive session.
Report on Document Printing
Proofpoint ITM can record, monitor, audit and report on document printing. All interactive sessions are recorded and monitored visually to show exactly what took place leading up to, at the moment of, and following printing. With Proofpoint ITM’s alert function, console users are notified in real time about document printing and can either message the insider or terminate the session. Reports can be generated daily, weekly or monthly, displaying all sessions where a document was printed, with the visual session recording as forensic evidence.
Report on Uploads to Email and File Sharing Services
With Proofpoint ITM’s unique ability to capture window titles, application names and URLs, any type of uploading or access to public or private file-sharing services can be recorded, monitored, audited and reported upon. This can be implemented on a user or server level, or across the entire enterprise.
Ability to Look at File Movement but Nothing Beyond the File Extension
Proofpoint ITM captures and monitors users’ access to files. This includes the deletion and movement of files, copy and paste operations, and uploading to file sharing sites like WeTransfer.com. Proofpoint ITM can also alert and report on access to sensitive files throughout the enterprise.
Ability to Watch User Data and Information Activity When They Are Leaving
Proofpoint ITM can be deployed on any user’s server, workstation or desktop. Proofpoint ITM starts recording user activity once an interactive session is initialized and works like a motion sensor camera, capturing screenshots based upon user activity (mouse clicks and keystrokes) while excluding idle time. (Proofpoint ITM can also be configured to record idle time if necessary.) Proofpoint ITM comes with canned alerts that highlight risky behavior, especially the actions of employees who have given their notice.
Ad-hoc User Monitoring and Searches When Needed
Proofpoint ITM can be deployed quickly using software distribution tools such as SCCM, GPO or Proofpoint ITM’s stand-alone deployment tool. Proofpoint ITM can also be configured to be dormant on a user’s machine and activated only when needed. Proofpoint ITM records all user activity by default (it can also be configured to exclude specific applications, websites, or users) and logs information such as client IP address, window titles, application names, process names, and in-application elements like fields and buttons. All of these logs are indexed and searchable, and can also be fed into SIEM and log management tools like QRadar or ArcSight.
Well, we’ve wrapped up this series. If you’d like to share your thoughts on data loss prevention or want to know more about Proofpoint, please reach out.
Read part 1 of this blog series - The Connection Between Insider Threat and Data Loss Prevention
Read part 2 of this blog series - The Insider Threat Chain and Proactively Preventing Data Loss