Protective Monitoring’s Role in Mature Security Programs
Continuous end-point visibility has a massive role to play in mature security programs. Our customers with mature security programs have invested heavily in perimeter secu¬rity, logging, and enhanced server / endpoint controls, and still see significant improve¬ment in their security posture from the endpoint visibility and risk scoring delivered by Dtex’s SystemSkan.
I can provide some examples of customer findings in locked-down companies:
Misconfiguration and Bypass
An expensive DLP system is installed, but SystemSkan still detects corporate data stored on removable media. This is a very common finding, usually due to the DLP system being improperly config¬ured, a lenient exception process, or a failed deployment due to performance issues.
Some clients have set their web filtering solution to block all non-work categories, but during our risk assessment we still find employees visiting “blocked” sites. This is usually because of improper configuration, a larg¬er-than-needed population of people with exceptions, or employees who have fig¬ured out a way to bypass a web filter.
During our risk assessments we often find that when employees take laptops home they visit and use risky websites and will often be down¬loading risky files/applications. This then causes major risk because when these machines are brought back into the corporate network all malware which was downloaded is now inside the firewall.
Employees who maliciously exfiltrate sensitive data will take multiple steps to cover their tracks. Each step, if viewed alone in a siloed security system, appears innocuous. But putting the story together from the endpoint shows clear intent.
Let’s go through a common example: (1) employee searches for “how to encrypt and rename a zip file” online, (2) copies an unusual number of files to their endpoint device, (3) splits them up, zips, and encrypts them, (4) renames them, and (5) emails them to a personal address. This sequence is impossible to piece together from disparate security systems. Dtex’s SystemSkan gives you this view instantly.
While corporate web filters typically block cloud services like file sharing and person¬al web mail, employees still use these services when they’re off the corporate net¬work. Dtex provides visibility into what they upload and download.
Also, every company has a list of users who are partially or entirely exempt from the restrictions on using cloud services. Dtex provides visibility into their activity and alerts security if someone is abusing their privileges.
Super Users and Admin Rights
Super users tend to have the fewest security controls in place, even in organisations that have partial or full deployments of privileged account management
Dtex provides visibility into all super user activity, and helps enterprises to under¬stand where controls need to be tightened vs. where they can be relaxed.
Some customers find that the enhanced visibility provided by Dtex allows them pro¬vide super user and admin rights to more users, increasing efficiency and trust.
Historically, it’s been difficult to measure the effects of security training. Dtex cus¬tomers use endpoint visibility to objectively measure behavioural changes, and make corrections as needed.
Similarly, customers use Dtex to quantify when new security controls are needed vs. more basic remediation steps. For example, typically only 1.7% of employees use pirated media and applications. With this data-driven visibility, a company can make a risk-based decision about whether to implement application whitelisting or simply keep a closer eye on this small population.
HR, Legal, and Privacy departments often raise concerns about monitoring endpoints, especially from an employee privacy perspective. Dtex’s anonymisation process and strong insider-focused heritage maintains employee priva¬cy. Users can be “demasked” only once there is legitimate suspicion of wrong-doing.
In the modern technologically driven world we work in, we no longer can use the excuse that we didn’t know what was happening! New laws and compliance codes makes it an obligation to know what is really happening with your machines, information and systems.
This is why it is vital that you get the unique user visibility offered by Dtex Systems’ SystemSkan. I am often asked ‘where do we start?’ and my answer is really simple: “Just start somewhere. Every step taken to secure your internal environment is a good step.”
Make sure that you get the capability to have total end user visibility – whether that user in on the network or not. You cannot measure what you cannot see – so total end-point visibility is key.
In order to further strengthen your mature security program – you must know what is happening with your internal, trusted users. Understanding how the users are actually using their machines, the data they are actually accessing and how they move it around will give you the information you need to make better decisions, ensure policy compliance, reduce risk and cut costs.
By John Mc Loughlin, Managing Director of J2 Software
- Hits: 2437