Transform Endpoint Data Security with People-Centric Protection

Richard Zaluski

Hello, my name is Richard Zaluski, and I'm here with Carl Leonard from Proofpoint. Today, we're going to be talking about insider threats, most notably credential theft, identity theft within a corporation. The way attackers approach attacking corporations these days is attacking the people - it's been like that for a while, it's just progressing to really encompass a lot of the third party pieces of technology that people are bringing in like their phones and other devices like USB sticks and things of that nature, which really put the endpoint of what threats are inside the perimeter. The perimeter has gone. So what we're facing now is trying to isolate this and really get a handle on what's going on inside the corporation and making sure that the person who's actually working with the technology and the databases and the data, is actually the person who should be working with the technology - the databases and the data, and making sure that they are who they are.

That's where Proofpoint comes in - they can actually go in, monitor things and make sure that the people who are working with the technologies and the data and the datasets, are the actual people working on what they should be working on. One of the biggest issues that has been going on for a long time has been the insider threat. But as I just stated, the big threat from the inside is people are the weakest link in the security chain. You can have all the technology you want around them but if people continue clicking on things and doing things that they may not know better when they're doing it, then we have an issue.

So we're talking about identity abuse. So these days when attackers are going in, that's the key aspect of what they're trying to do and this is all caused by the way the workforce has changed over a number of years, especially through the pandemic - people are working from home more, people are really connected much more from outside the corporation going in, and that causes a lot of issues going forward for corporations.

So Carl, looking forward to talking to you about this and off to you.

Carl Leonard

Thanks Rich. I think you’ve summed it up very well there, that attackers - external attackers that we are used to, cyber criminals - they no longer seek to, or they still do exploit software vulnerabilities, but they find a much easier route into organisations, and that's just a login.

Our employees have usernames, credentials, an associated identity with that and we need to be in a position where we can identify if that combination, that identity, that account, is being misused by an external attacker, or maybe it's an employee who's made an honest mistake and overshared a piece of data, because as we know, certainly the last three years really, work has changed. I think it's going to continue to be the way it is for some time now. Workforces are remote, you know, you and I speaking to each other now in different countries, different continents, they're very dispersed around the globe.

In addition, the amount of data that any given organisation generates is vast and will continue to expand, and lots of that is sensitive. So we've got remote teams, we've got individuals all accessing this data, and as you've said, the perimeter is dissolved, the traditional perimeter, and the actual employees have got access to all of this sensitive information through email - the endpoint that you've mentioned, and now cloud as well, as many businesses start to become cloud first. And if you're trying to set up a security programme, a data security programme, that looks at all those channels there might be inconsistencies around how you handle certain file sharings, there might be misconfigurations in your underlying systems, and that gives opportunity to present a threat - whether an external attacker or that employee that might have some malicious intent.

itectures. We did a survey in: 2023

So now the question is how do you develop a people-centric security now we know that external attackers are wishing to log in as your own employees. Your own employees have access to that data, you've got so much data flowing in and out of your enterprise using lots of cloud-native architectures, you can have that data, as I said, moving in and out, but it also resides within your environments, as well, so you've really got to be able to understand what data is critical, the workflow of the data, and then to identify any weird stuff happening, any anomalies.

That's where Proofpoint comes in. We have a platform, an information protection platform called Sigma, and that encompasses endpoint data loss prevention tool ( DLP) and insider threat management (ITM).

We have a people centric approach. Endpoint DLP protects against data loss by the everyday user. It looks at files, it looks at data. Proofpoint ITM, the insider threat management, also looks at files and data, which embellishes it with behaviour and threats context, so we can look at risky users because we really have visibility into the activity, the specific actions with file renames for trying to disguise a medical document as holiday pictures. We can see that happening and record that.

So we've got this information production platform called Sigma. It is shipped with preset policies, so it makes immediate return on investment of it very obvious. You can see what's happening straightaway upon deployment. We can have the analyst triage alerts and understand the priority of those, and we can rank those with different severities. It can be used as a threat hunting tool, because when you're looking at the insider threats versus the traditional ransomware, phishing, spam type of threat, intelligence, malware approach, we need to sort of look inwards and capture visibility on the employees and the actions they're doing. So we might wish to proactively hunt for what actions our own users are doing. All this is captured in a centralised console.

Good thing about Proofpoint is that we can do this, the DLP for everyday users and ITM for the riskiest users, as a single endpoint agent, pretty lightweight; it doesn't really impact the performance of the endpoint machines, and we find that this is a really smart way to do things because you can have the agents deployed across your employee base of everyday users interacting with data as they normally do, but then if you have a group of users, maybe it's a particular scenario that you're worried about people leaving your organisation and taking data with them, so you can flip the agent then to operate into insider threat management mode.

It talks to the problem that you mentioned at the start, and I also did, around how the workforce has changed - people are leaving organisations. We ran a survey and around one in four people have been at their employer for less than two years, so there's lots of churn in the employee base, and those folks can leave the organisation, and take data with them, because they feel they have a right to it, whether they worked on a project, they put a lot of brainpower into generating this data and they feel it's theirs to, whether to progress their career or what have you. Obviously this breaches policies - you can't take that data with you, it doesn't belong to you - it belongs to your employer. But malicious employees, malicious insiders try to take that with them. So it's very important to notice when they are accessing particular datasets, especially when there's a trigger. In this case, it would be perhaps that person's handed in their notice and working out that notice period.

So we've got this lightweight agent, that you can switch modes and you can point it at risky users as you see fit. This is quite powerful because it then gives you that context and insight. Let's take the example of the leaver - the person who's departing the organisation. You can take a more proactive approach; you might realise that they are sending files, sending data, to an unsanctioned USB device. Now we might want to see what else they were doing beforehand, so we can perhaps see any alerts that might be generated from their browser activity. We might have noticed that they're downloading a new tool onto their corporate machine, maybe FileZilla or something like that, to join FTP files out of the organisation, or maybe an encryption tool to try and hide their activities. But the key thing is that you can see that with an insider threat management tool, and you can begin to build up an evidential picture of the users intent. And excuse the pun there, because we do actually take screenshots as well of that activity so you can then bring the necessary teams and work with the HR, the legal teams, as necessary, should this happen.

Now, as I mentioned, we've got two primary aspects of Sigma DLP (data loss prevention) and ITM endpoint. DLP can see when users move files, manipulate files, and it documents when they move sensitive data around and in and out of the organisation. ITM, the Insider Threat Management, gives you a much clearer view, a more precise view, that oftentimes a so called Legacy DLP misses, because legacy DLP was born out data centres around trying to understand what the average user might do across all of the users in an organisation - the users being the employees. ITM is very much designed to help with looking at the risky users.

You've now got an understanding, hopefully, that we can have these two approaches – data loss prevention and ITM – and we can also factor in, the compromised user. So external attackers try to get hold of the credentials of an employee so they can move around the organisation and looks like a genuine employee. If an attacker, an external attacker has compromised a user and behaves like that user, they will just do a good day's work. But what we're trying to do is identify anomalies. So if they start to connect to database servers or access files that they haven't done before, then we might want to be able to set up a better defence for that. So you can maybe challenge that user. By challenge, I mean, pop up a dialogue box to ask them to justify their behaviour, so you can have that logged. You might wish to see how they authenticated themselves, where did they log in from, and bring that into a central console, so you can then identify, this person is compromised, the legitimate user clicked on a phishing link a few days before, gave up their credentials and now we can see their credentials being abused.

So I've mentioned how you can have sort of user interaction in all of this - you can have a pop up box, challenge the user's behaviour, and this helps with user education. You can then have the user think twice before performing an action that might have a person with malicious intents to steal data sort of back out from that action and realise that they shouldn't do this and it's not a good idea and it will breach the organization's policies. And then for a careless user, one who has maybe good intents to just work at the weekend but they don't have security in mind, they're maybe sending files over plaintext email, we'd rather have them do that more securely so that's your opportunity to pop up, advise the user that we know what they're doing and perhaps guide them towards a better way to do it.

Further, once we've collected all this telemetry, Proofpoint can then send that intelligence through to your favourite SIEM, or other tool to ingest those logs and be able to do that more proactive approach to insider threats, and ultimately, incidents investigations. Because you're able to search for that risky behaviour, correlate all of the actions – the before actions, the after actions – of a particular incident so you're not just stuck in a reactive approach where you can see that the data has been stolen. Instead, you can begin to gain contextualised insights, which can be mighty powerful.

So, in summary, I think we've touched on some of the main key components of our information protection platform - gain visibility, give you those contextualised insights, and be more proactive in handling insider threats that we know accounts for 30% of data loss.

Richard Zaluski

Thanks, Carl, that was really interesting. One of the things I really found stood out for me was the pop ups. It really shows how technology monitors stuff at a deeper level. Usually traditional intrusion detection prevention systems monitor just the perimeters and making sure that, you know, bad stuffs not getting in and some stuffs not getting out, but this goes a layer down further and it really shows them. I really liked that pop up part.

It kind of trains users as well so they understand that, oh, I'm touching stuff I shouldn't be touching, but it gives them a chance to, you know, I'm actually working on a project, so okay, well, then you're okay. But when you get into the anomalous stuff where they shouldn't be going to like an insider attack, when the outside person says, hey, we need to get these files over there, go snoop around, then that's where the anomaly part really comes in.

I think that's the magic mix for what Proofpoint is; it goes down that that level, because as we mentioned earlier - and I think you touched on it a few times - you know, the more channels, the more people are interconnected outside the company, the disappearing perimeter, tools and technologies are abundant these days, so I think really protecting your data from the inside from a people centric position, as you said, is really the key part. This monitoring that this is doing right here, I think that's really the key to the whole thing. You don't do that, and then you're just another technology. But if you can do this as Proofpoint is showing here, with tracking data and tracking behaviour, I think putting those two together, it's a really powerful technology that can really do a lot.

Carl Leonard

We certainly think so. Yeah.

Richard Zaluski

So I think that's it from our standpoint. Thank you for listening, and on behalf of Carl and myself at Proofpoint, thank you very much.