Closing the fraud gaps in your RFPs

Fraud and Financial Crime


Albert Laino

May 13, 2024

With insider threats increasing by 50% over two years[1], your business is likely taking action to strengthen its detection, investigation, and containment capabilities. However, there may be blind spots. Here is one area I would consider revisiting: if the questions in your request for proposal (RFP) do not take into account the most innovative insider threat management technologies currently available, your RFP may actually prevent you from developing the best insider threat program.

Every RFP tries to ask precise questions to ascertain whether a solution can help address a need. For insider threat management, the data that solutions provide is typically derived from after-the-fact audit logs or agent-based recordings. Today, however, next-generation insider threat management exists, founded upon network-based data capture that enables proactive monitoring, generates alerts in real time, and streamlines incident investigation. The key points about next-generation solutions are provided below, along with my suggested questions to make your next insider threat RFP more robust.

Non-Invasive Data Capture

In a non-invasive data capture approach, user activity on business-critical systems and applications can be captured for analysis directly from the corporate network, including mainframes, web-based applications, and SaaS applications. Importantly, this approach enables you to:

  • Select specific systems and applications for protection, rather than automatically recording all activity on a server, device, or endpoint.
  • Capture both event and non-event actions that take place within a monitored business system or application, including activities such as searches, browsing, and device fingerprints.
  • Evaluate an incident with rich detail and context via a visual screen-by-screen record that can be “replayed” like a movie.
  • Extract field values from the screens a user accessed and incorporate them into analytics for deeper insights.
  • Avoid employee privacy issues by only monitoring user activity related to sensitive company data, not employee emails, instant messages, or general website activity.


Targeted RFP Questions: Data

Does your solution capture user activity on business-critical systems and applications across the mainframe, web-based applications, and SaaS applications?

Does your solution allow for the selective monitoring of specific systems and applications?

What types of user activities, both event-based and non-event actions, can your solution capture within monitored business systems or applications?

Can your solution capture a screen-by-screen record of user activity? If so, how can that record be viewed or replayed?

Can your solution capture the field values on the screens a user views and import those values into the analytical engine?

How does your solution ensure the privacy of employee communications and activities outside monitored business systems and applications?


Proactive Monitoring

A non-invasive data capture approach facilitates reactive responses to data exfiltration events and empowers proactive evaluation of employee behaviors, potentially uncovering nascent fraud or theft attempts.

For example, suppose an employee looks up customer accounts with high balances in preparation for embezzlement. I suspect a log- or agent-based solution would not flag this behavior since no transaction has occurred. However, analytics that include non-event user behavior and field values from the screens accessed can alert investigators to this suspicious activity, giving them time to stop theft and fraud in its tracks.
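The scenario above (an employee browsing high-balance accounts without ever transacting) can be expressed as an analytic over captured screen views rather than over transaction logs. The block below is an added illustration written for this page, not code from the author or from any vendor product; the record layout, the screen names ("AccountInquiry", "TransferSubmit"), the thresholds and the sample activity are all constructed assumptions. It raises an alert when one user views several distinct accounts above a balance threshold within a time window and no transactional event occurs in that window, which is exactly the case a transaction-only log rule would miss.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# One screen view captured from the network, with field values extracted
# from the screen (layout and names are assumptions for this example).
@dataclass
class ScreenView:
    user: str
    ts: datetime
    screen: str      # e.g. "AccountInquiry" (non-event) or "TransferSubmit" (event)
    fields: dict     # field values scraped from the rendered screen
    is_event: bool   # True only for transactional screens

T0 = datetime(2024, 5, 13, 9, 0)

def view(user, minutes, screen, is_event=False, **fields):
    """Helper to build constructed sample records relative to T0."""
    return ScreenView(user, T0 + timedelta(minutes=minutes), screen, fields, is_event)

# Constructed sample activity (not real data).
SAMPLE_VIEWS = [
    # alice: searches for large balances, opens five high-balance accounts, never transacts
    view("u.alice", 0, "AccountSearch", query="balance>100000"),
    view("u.alice", 2, "AccountInquiry", account_id="A-1001", balance=250_000),
    view("u.alice", 5, "AccountInquiry", account_id="A-1002", balance=410_000),
    view("u.alice", 9, "AccountInquiry", account_id="A-1003", balance=180_000),
    view("u.alice", 14, "AccountInquiry", account_id="A-1004", balance=320_000),
    view("u.alice", 20, "AccountInquiry", account_id="A-1005", balance=900_000),
    # bob: routine servicing, two inquiries followed by a transfer (an event a log would show)
    view("u.bob", 0, "AccountInquiry", account_id="A-2001", balance=150_000),
    view("u.bob", 3, "AccountInquiry", account_id="A-2002", balance=120_000),
    view("u.bob", 6, "TransferSubmit", is_event=True, account_id="A-2001", amount=500),
    # carol: many inquiries, all low balances
    view("u.carol", 0, "AccountInquiry", account_id="A-3001", balance=2_000),
    view("u.carol", 4, "AccountInquiry", account_id="A-3002", balance=5_500),
    view("u.carol", 7, "AccountInquiry", account_id="A-3003", balance=800),
    view("u.carol", 11, "AccountInquiry", account_id="A-3004", balance=3_100),
]

def high_value_lookup_alerts(views, min_balance=100_000, min_accounts=4, window=timedelta(hours=1)):
    """Flag users who view >= min_accounts distinct accounts with balance >= min_balance
    inside one window that contains no transactional event. Returns a list of alert dicts."""
    by_user = defaultdict(list)
    for v in sorted(views, key=lambda v: v.ts):
        by_user[v.user].append(v)

    alerts = []
    for user, uviews in by_user.items():
        for anchor in uviews:  # slide the window over each view the user made
            in_window = [v for v in uviews if anchor.ts <= v.ts < anchor.ts + window]
            accounts = {
                v.fields["account_id"]
                for v in in_window
                if v.screen == "AccountInquiry" and v.fields.get("balance", 0) >= min_balance
            }
            has_event = any(v.is_event for v in in_window)
            if len(accounts) >= min_accounts and not has_event:
                alerts.append({
                    "user": user,
                    "window_start": anchor.ts,
                    "accounts": sorted(accounts),
                    "reason": "high-balance account browsing with no transaction in window",
                })
                break  # one alert per user per run is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in high_value_lookup_alerts(SAMPLE_VIEWS):
        print(alert)
```

The rule fires for the browsing pattern only, so a user who performs the same number of inquiries and then legitimately transacts is left to the existing transaction-based controls; in practice the thresholds would be tuned per role, and the alert would carry the captured screens so an investigator can replay them.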


Targeted RFP Questions: Monitoring

How does your solution empower proactive evaluation of employee behaviors to detect potential insider threats where no event (e.g., a transaction) has taken place?

Can you provide examples or use cases illustrating instances where your solution has successfully identified suspicious behavior, leading to the prevention of fraud or theft?

Can you explain the analytics capabilities of your solution, especially those related to non-event user behavior?


Streamlined Investigations

Investigations into potential insider threat incidents can be dramatically sped up when a single platform covers the whole path from data capture through alert generation to alert disposition:

  • Screen-by-screen data capture coupled with record-and-replay capabilities that eliminate the need for laborious and time-consuming searches through log files to find relevant data.
  • Google-like index search enables investigators to look up any data – e.g., a phone number, social security number, last name, etc. – to see what screens the data was shown on, the context of the activity, and who engaged in the screen interaction.
  • Link analysis can establish and contextualize relationships to visually expose connections or collusion that might otherwise remain concealed.

All of this information can be used as documented evidence for various purposes, including questioning or confronting employees, mitigating vulnerabilities, and pursuing legal or civil action.
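The index search and link analysis described above both rest on the same idea: every field value extracted from a captured screen is indexed back to the capture, the user and the screen it appeared on. The block below is an added example written for this page, not the author's or any product's code; the capture records, field names and user identifiers are constructed. It builds that inverted index, answers a lookup for a phone number, and derives user-to-user links from shared data values, which is the simplest form of the collusion view the text mentions.

```python
from collections import defaultdict

# Constructed captured screens: (capture_id, user, screen, extracted field values).
CAPTURES = [
    ("c1", "u.alice", "CustomerProfile", {"last_name": "Nguyen", "phone": "555-0142", "ssn_last4": "7781"}),
    ("c2", "u.dave", "CustomerProfile", {"last_name": "Nguyen", "phone": "555-0142", "ssn_last4": "7781"}),
    ("c3", "u.dave", "AddressChange", {"phone": "555-0142", "new_zip": "02110"}),
    ("c4", "u.erin", "CustomerProfile", {"last_name": "Okafor", "phone": "555-0199"}),
]

def build_index(captures):
    """Inverted index: normalised field value -> list of (capture_id, user, screen, field_name)."""
    index = defaultdict(list)
    for cid, user, screen, fields in captures:
        for name, value in fields.items():
            index[str(value).lower()].append((cid, user, screen, name))
    return index

def search(index, term):
    """Return every capture on which the value was displayed, with who viewed it and where."""
    return index.get(str(term).lower(), [])

def linked_users(index, min_shared=1):
    """Link analysis: pairs of users connected by having viewed the same data value.
    Returns {(user_a, user_b): [shared values]} for pairs sharing >= min_shared values."""
    shared = defaultdict(set)
    for value, hits in index.items():
        users = {user for _, user, _, _ in hits}
        for a in users:
            for b in users:
                if a < b:  # each unordered pair once
                    shared[(a, b)].add(value)
    return {pair: sorted(vals) for pair, vals in shared.items() if len(vals) >= min_shared}

if __name__ == "__main__":
    idx = build_index(CAPTURES)
    print(search(idx, "555-0142"))
    print(linked_users(idx))
```

A real deployment would tokenise free-text fields and weight common values (a shared zip code is far weaker evidence than a shared account number) before drawing a link, but the capture-to-value mapping is the primitive both features are built on.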


Targeted RFP Questions: Investigation

Can investigators replay employee actions via a screen-by-screen record to gain a contextual understanding of events?

Does your solution offer link analysis capabilities? If so, explain the breadth of these capabilities.

Does your solution offer investigators a Google-like index search feature to find specific data points and screen activity?

How does your solution support investigators in gathering documentary evidence of insider threat incidents?


Identifying the Best Insider Threat Prevention

As insider threats continue to grow in complexity and frequency, embracing the latest technology advancements is a necessity. By asking these targeted questions in your next RFP, you can identify the best insider threat prevention solution for your business: safeguarding your company, your assets, and your customers.

[1] Ponemon Institute, 2022 Cost of Insider Threats


Posted by

Albert Laino

Albert Laino supports Bottomline’s Enterprise Cyber Fraud & Risk Management team from a Solutions Consulting capacity. He is a self-proclaimed foodie, cinephile, and financial crime enthusiast who enjoys being able to continually learn about the applications of new technology within the AML and fraud space, and contribute as a trusted advisor to this community.