As we wind down 2020, we can all safely say that the world is operating quite differently from a year ago. Many organizations have had to pivot to remote or hybrid workforces, with little to no time for security teams to react. People are connecting from their home offices and accessing sensitive data and corporate IP from a variety of endpoints. Working from everywhere has redefined the security perimeter as we know it. People are the new perimeter.
With the changing nature of the way people interact and share data, traditional approaches to managing data loss should also be challenged. Here are three common myths about protecting data and sensitive IP from insider threats.
Myth 1: Insider threat management is about protecting data
In the past, traditional data loss prevention (DLP) tools were mostly data centric. What’s been lacking with these tools is bringing the user context into the mix. With insiders, it’s critical to monitor not just the data, but how users are interacting with it.
For example, say a user uploads a file to an unsanctioned site like Dropbox. If that file originated from a sanctioned application, such as SharePoint, it could potentially signal a risky user behavior. But not all uploads are bad. What if the user is trying to upload a personal file to Dropbox or a company file to OneDrive? This additional context is crucial in distinguishing between risky and non-risky behavior. Traditional DLP tools don’t necessarily give you the level of context needed to understand the full chain of events when it comes to user behaviors. Combining DLP tools with a dedicated insider threat management platform provides that context, thus reducing the likelihood of false positives.
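The upload scenario above, as an added example that is not part of the original post or of any vendor's product: a small correlator that tracks where each user obtained a file and uses that origin to judge a later upload. The event schema, the verdict names, the domain lists and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy lists (hypothetical; each organization defines its own).
SANCTIONED_SOURCES = {"sharepoint.com"}
SANCTIONED_DESTINATIONS = {"sharepoint.com", "onedrive.live.com"}

@dataclass(frozen=True)
class Event:
    ts: int         # event time, seconds
    user: str
    action: str     # "download" or "upload"
    domain: str     # cloud app the file came from or went to
    file_hash: str  # content hash, so renamed copies still match

def classify_uploads(events):
    """Return (event, verdict, origin) for each upload, using per-user file lineage."""
    origin = {}   # (user, file_hash) -> sanctioned app the user got the file from
    results = []
    # Logs from several channels rarely arrive in order, so sort by time first.
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.file_hash)
        if ev.action == "download" and ev.domain in SANCTIONED_SOURCES:
            origin.setdefault(key, ev.domain)
        elif ev.action == "upload":
            if ev.domain in SANCTIONED_DESTINATIONS:
                verdict = "allowed"              # company file to OneDrive
            elif key in origin:
                verdict = "risky"                # SharePoint file to Dropbox
            else:
                verdict = "no-corporate-origin"  # e.g. a personal file
            results.append((ev, verdict, origin.get(key)))
    return results

# Constructed sample events, deliberately out of order.
SAMPLE_EVENTS = [
    Event(300, "alice", "upload", "dropbox.com", "h-holiday-photo"),
    Event(200, "alice", "upload", "dropbox.com", "h-roadmap"),
    Event(100, "alice", "download", "sharepoint.com", "h-roadmap"),
    Event(150, "bob", "download", "sharepoint.com", "h-budget"),
    Event(250, "bob", "upload", "onedrive.live.com", "h-budget"),
]

if __name__ == "__main__":
    for ev, verdict, src in classify_uploads(SAMPLE_EVENTS):
        print(ev.user, ev.file_hash, "->", ev.domain, verdict, src or "-")
```

A destination-only rule would raise the same alert for both of alice's Dropbox uploads; keeping the origin alongside the verdict is what separates the SharePoint file from the personal one.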
Myth 2: Endpoint scanning is the be-all and end-all
If you look back to a decade ago, most data lived on the endpoint. It made sense, then, that security teams relied on endpoint DLP monitoring to get visibility into sensitive data and IP loss. These tools had to scan the data on the endpoint, which often led to frustrating slowdowns and productivity loss for users.
Fast forward to today, and most user data lives in the cloud, whether it’s stored in SharePoint, Microsoft Teams, G Suite or elsewhere. If you were to scan all of that data, especially when you have some of these locations mapped as drives, it would severely impact user performance.
Sometimes, people actually turn off endpoint scanning so that it doesn't impact their jobs – which defeats the purpose.
A more modern way to attack this problem is to scan the data in the cloud, label it using data classification technologies like MIP and then have the endpoint read that label to serve as the enforcement point. Scanning and labeling data in the cloud can alleviate the performance concerns at the endpoint. In fact, shifting scanning to the cloud can actually make DLP faster and more effective, without compromising security.
Myth 3: Incident response has to be a lengthy process
Incident response is a complex, multi-step process that involves many stakeholders. Unfortunately, the longer an insider threat incident lingers, the costlier it gets for organizations. Traditionally, investigations have dragged on because DLP tools lack context into the user activity surrounding an alert. With security operations teams bombarded by false positives, they can't always separate the signal from the noise. Once they do start the response process, it’s difficult to tell whether an incident was caused by user error or by a malicious insider acting intentionally. With cross-functional teams such as HR, legal, and compliance involved, this context is critical when investigating an insider threat incident.
However, gathering this context doesn’t have to take weeks, or even months. It all comes down to correlating user activity with data movement. A full incident response process is about looking at user and data interactions across multiple channels such as email, cloud and endpoint, and then putting the user in context in a unified view. A dedicated insider threat management solution can help the security operations team understand exactly who did what, when, where and why – sometimes within minutes. From there, they can generate an easy-to-understand report to share with stakeholders outside of the security team.
Learn more about protecting sensitive data and IP
Interested in learning how a modern approach to insider threat management can help protect your organization from sensitive data and IP loss? Check out our latest on-demand webinar, which dives into these myths in more detail and covers a practical way to manage insider risk within the modern workforce.