Even as many companies try to plug security holes by introducing ever-tighter endpoint management tools, some security pundits are advocating for a higher level of protection that takes the surveillance state to the employee desktop.
Such surveillance is made possible by tools like Forcepoint SureView – which the company launched in Australia late last year after many years of use in other regions – that record regular screenshots of the endpoint alongside metadata records of user activity.
Screenshot archives like this were once used mainly for remote support and process monitoring, but Forcepoint director of product management Kelly Harward believes the concept of “DVR-like video capture and playback” is taking on new life as companies wake up to the growing threat of data loss through internal users’ malicious or accidental actions.
Paired with metadata describing which applications, websites and data each user has accessed, the technique can be used to proactively identify employees whose behaviour puts them at higher risk of a security incident.
“It’s important to be able to sit close to where these activities occur, and the endpoint really is an ideal place to be able to get visibility,” Harward told CSO Australia. “By baselining user behaviour, companies can potentially identify anomalous behaviour that could present a risk.”
Combined with the screen recordings, that behaviour can be characterised more fully than through metadata alone: “Based on that,” she continued, “you can identify a short list of potentially risky users based on their behaviour within the organisation. Monitoring provides lots of context around that to enable humans to quickly make decisions about what’s going on, and what is the best way to respond.”
SureView maintains a rolling buffer of user screenshots, which lets forensic security staff see exactly what a malicious insider was doing. Once primarily used within sensitive government environments, the technology represents a new opportunity for Forcepoint, which was spun out of defence contractor Raytheon and merged with Websense a year ago.
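The two mechanisms described above, baselining per-user endpoint metadata to shortlist anomalous days and keeping a rolling buffer of frames so an analyst can replay the context around an alert, can be sketched in a few dozen lines. The following is an added example written for this article, not Forcepoint's code or a description of how SureView works internally; the activity records, frame metadata, field names, the three-sigma threshold and the one-unit floor on the standard deviation are all constructed assumptions.

```python
"""Endpoint-metadata baselining plus a rolling frame buffer (constructed example)."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed activity metadata: (user, day, kind, target). "kind" is one of
# app / site / file, mirroring the application, website and data-access
# metadata the article describes. Days are plain integers.
ACTIVITY = []
for _day in range(1, 11):                       # ten days of routine behaviour
    for _i in range(3):
        ACTIVITY.append(("alice", _day, "file", f"/share/reports/q{_i}.xlsx"))
    ACTIVITY.append(("alice", _day, "app", "excel.exe"))
    ACTIVITY.append(("alice", _day, "site", "intranet.example"))
# Day 11: a bulk read of 40 payroll files, a new archiver and a new site.
for _i in range(40):
    ACTIVITY.append(("alice", 11, "file", f"/share/hr/payroll_{_i}.csv"))
ACTIVITY.append(("alice", 11, "app", "7z.exe"))
ACTIVITY.append(("alice", 11, "site", "personal-cloud.example"))


def daily_counts(events):
    """Group events into {(user, day): {kind: set(targets)}}."""
    by_day = defaultdict(lambda: defaultdict(set))
    for user, day, kind, target in events:
        by_day[(user, day)][kind].add(target)
    return by_day


def build_baseline(events, baseline_days):
    """Per-user mean/stdev of distinct targets per kind over baseline_days,
    plus the set of every (kind, target) seen during the baseline window."""
    by_day = daily_counts(e for e in events if e[1] in baseline_days)
    per_user = defaultdict(lambda: defaultdict(list))
    seen = defaultdict(set)
    for (user, _day), kinds in by_day.items():
        for kind in ("app", "site", "file"):
            per_user[user][kind].append(len(kinds.get(kind, ())))
            seen[user].update((kind, t) for t in kinds.get(kind, ()))
    baseline = {}
    for user, kinds in per_user.items():
        stats = {}
        for kind, counts in kinds.items():
            # Days with no activity at all contribute a zero, not a gap.
            counts = counts + [0] * (len(baseline_days) - len(counts))
            stats[kind] = (mean(counts), pstdev(counts))
        baseline[user] = {"stats": stats, "seen": seen[user]}
    return baseline


def score_day(baseline, events, user, day, z_threshold=3.0, min_std=1.0):
    """Findings for one user-day: volume anomalies by z-score against the
    baseline, plus apps and sites never seen in the baseline window."""
    if user not in baseline:
        return [("no_baseline", user)]
    today = daily_counts(e for e in events if e[0] == user and e[1] == day)
    today = today.get((user, day), {})
    stats, seen = baseline[user]["stats"], baseline[user]["seen"]
    findings = []
    for kind, (mu, sigma) in stats.items():
        count = len(today.get(kind, ()))
        # Floor sigma: a perfectly flat baseline must not yield an infinite z.
        z = (count - mu) / max(sigma, min_std)
        if z > z_threshold:
            findings.append(("volume", kind, count, round(z, 1)))
    for kind, targets in today.items():
        if kind == "file":            # new files are routine; new apps/sites are notable
            continue
        for t in targets:
            if (kind, t) not in seen:
                findings.append(("first_seen", kind, t))
    return findings


class FrameBuffer:
    """Rolling buffer of endpoint frames (screenshot metadata stands in for
    the image). Oldest frames are evicted once maxlen is reached."""

    def __init__(self, maxlen=1000):
        self.frames = deque(maxlen=maxlen)

    def record(self, ts, user, window_title, image_ref):
        self.frames.append({"ts": ts, "user": user, "window": window_title, "image": image_ref})

    def context(self, user, start_ts, end_ts):
        """Frames for one user inside [start_ts, end_ts], i.e. the replay
        an analyst pulls once score_day has produced a finding."""
        return [f for f in self.frames if f["user"] == user and start_ts <= f["ts"] <= end_ts]


if __name__ == "__main__":
    base = build_baseline(ACTIVITY, range(1, 11))
    for finding in score_day(base, ACTIVITY, "alice", 11):
        print(finding)
```

The split matters in practice: the metadata path is cheap enough to score every user every day, while the frame buffer is only consulted for the short list that scoring produces, which keeps analysts out of the recordings of users who raised no finding.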
The risk posed by malicious insiders has quietly increased in urgency in the shadow of higher-profile nation-state attacks and data breaches – but when it happens, it can be devastating for businesses. UK business software provider Sage, for one, went into damage control mode last year after an employee was arrested for alleged fraud. And an insider breach at law firm Mossack Fonseca proved devastating for the firm and its high-profile clients.
Security experts warn of the threat posed by breaches of the so-called ‘human firewall’, although businesses have been somewhat slower to catch up: in one recent Mimecast survey, just 12 percent of security decision makers said they saw malicious insiders as their biggest security threat – even though 40 percent of respondents admitted they would be unprepared to cope with a malicious insider.
Ever-improving threat-intelligence platforms offer some respite but ultimately are just one more tool in a technical toolbox that is increasingly being filled with user behaviour monitoring and other capabilities.
Many businesses are authoring and implementing formal insider threat programs, but monitoring technology will play an important role in enforcing them, says Rehan Jalil, CEO and founder of cloud-application security firm Elastica, which now sits within Symantec after that company bought Blue Coat Systems, Elastica’s acquirer, last year.
DVR-like visibility into user activity is crucial if businesses are going to secure ever more-complex cloud environments, Jalil warned.
“Instead of starting from the bottom up by looking at logs you can start from the top down by navigating to the incident and its click trail,” he explained. “With a DVR you can go back in time 12 months, or 6 months, then zoom in and find the issues right there. That is only possible when you bring the information coming from many different things into one place.”
As with any surveillance technology, companies implementing user behaviour monitoring need to consider the privacy implications and manage employee expectations accordingly. The recordings themselves will inevitably capture credentials and personal data shown on screen, so access to the archive needs to be tightly restricted and its retention limited. Positioned correctly, it can be an invaluable tool for picking up on behaviour that might otherwise have gone unnoticed.
“Conversation after conversation is driven by the lack of visibility that security leaders in organisations have,” Forcepoint’s Harward said, noting that a lack of skilled staff is also hindering threat-intelligence and enforcement activities.
“Every organisation is suffering from some sort of cybersecurity skills gap,” she explained. “This technology is going to enable them to make decisions about remediation in a number of minutes, rather than pulling data from disparate log sources and trying to piece together a narrative. That can take weeks.”