Renowned research and advisory firm Forrester has just released The Insider Risk Solutions Landscape, Q2 2024. DoControl is thrilled to have been included among the vendors in the report.
The Insider Risk Solutions Landscape, Q2 2024 names 36 notable Insider Risk Solutions vendors, and describes each vendor’s capabilities as regards the core and extended use cases of insider risk management. Their extensive research and presentation is invaluable for security professionals who realize the unique security risk posed by insiders.
Insiders: Not Just Another Security Risk
As the Forrester report points out, “Insiders have knowledge of systems, data, and, often, security controls. This makes them difficult to detect.”
When an employee, partner or contractor interacts with data assets to which they have valid access permissions, how can you tell if their interaction is acceptable or risky?
For example, it is reasonable to assume that employees in your accounting department would have access to company financial data. Sometimes they may have to share that data with other parties, for legitimate workflow reasons. How can you tell the difference between:
- a legitimate share or edit
- a mistaken share with too broad an audience
- an intentionally deceptive edit or a share in order to leak information
A dramatic example of insider risk is the case of Nikolas Sharp, a senior developer who stole gigabytes of confidential files from Ubiquiti, the technology company where he worked. He then posed as an anonymous hacker and issued a ransom demand for the data, while simultaneously “leading the investigation” of the incident. When the ransom demands weren’t met, Sharp contacted news outlets and acted as a whistleblower about Ubiquiti’s “cybersecurity incompetence.” Ubiquiti’s stock price fell approximately 20% overnight between March 30 and March 31, 2021, losing over $4 billion in market capitalization.
To be fair, this is an extreme case, but plenty of damage can be caused by a departing sales team member copying lists of leads to use in a new position elsewhere - or even a careless employee who sets broad access permissions on sensitive data assets.
What You Need to Combat Insider Risk
Forrester’s overview notes that “Stopping insider incidents requires quick detection and response.” To that end, The Insider Risk Solutions Landscape report identifies the top disruptor contributed by insider risk vendors as the combination of “user behavior, data context, and identity intelligence to make risk-based, automated data access and security decisions.”
At DoControl, we agree wholeheartedly with Forrester’s statement. We’ve dedicated resources to making sure that DoControl enables:
- Identity threat detection and response
- Taking data context into account
- Automated workflows to address data access issues
Identity threat detection and response
Only a holistic picture of an insider’s activity will support an accurate risk assessment for any given interaction of theirs with your data and systems. This picture - often known as an identity risk profile - is based on aggregated data that includes the user’s:
- System logins
- Data asset access
- Asset interaction
- User permissions
From analysis of the data, an identity threat detection and response (ITDR) tool can benchmark user behavior and establish baselines. Behavior anomalies can then be identified as such and investigated to see if they constitute an insider threat.
DoControl’s Identity Threat Detection and Response solution provides these capabilities, from comprehensive identity risk profiles and analysis that allows for true risk prioritization, to automated and on-demand remediation of concerning actions on a per-user or per-asset level.
Taking data context into account
Data asset interaction does not happen in a vacuum. The identity aspects of the user sharing the data (as above) is one important type of context to take into account when evaluating whether interaction with a data asset is legitimate and safe. But there are other contexts that also need to be considered.
One such context is the data’s business context. If a company is being considered for acquisition, it makes sense that some sensitive financial data (that ordinarily would never have been shared externally) will be shared with those performing due diligence for the acquiring company.
There is also HR context to consider. Is the user sharing or downloading the data about to leave the company? If so, even if those actions would normally have been within the user’s job purview, and not considered risky at all from a user behavior benchmarking perspective, the current HR context would indicate that there should be more suspicion present and care taken.
DoControl’s integrations with HRIS, IdP and other business systems are an integral part of enriching the data context and making accurate calls on insider risk.
Automated workflows to address data access issues
How do you accomplish the “quick detection and response” that Forrester notes is important for stopping insider risks? Incident alerts are only part of the solution. If the alert needs to wait for a human information security team member to notice, investigate and respond, too much time is available for the data to be accessed, copied and moved elsewhere.
Automated security workflows are critical when it comes to data access control, and especially as relates to insiders. That’s the reason why DoControl enables easy setup of granular automated workflows for fast, cost-effective security policy enforcement.
Insider Risk: Can’t Do With It, Can’t Do Without It
Unless you are a solopreneur who never allows anyone access to business data assets, you will have insiders at your organization. And that’s a good thing. Insiders are the employees, partners and contractors who enable your business to run smoothly. Without them, your organization is doomed to remain small and limited.
But the more people you bring inside, the greater the risk of one of them turning out to be a bad apple. Insider risk solutions are the key to enabling your people to contribute to your organization’s success while preventing them from intentionally or unintentionally sabotaging that success. If you haven’t yet looked into insider risk solutions, it’s time to join the forward-thinking security professionals who recognize insider risk management as an essential cybersecurity measure.
