The days of perimeter and legacy device-based security need to give way to practices that revolve around your employees, while also protecting their privacy.
Your employees are at the core of everything your organization does. They have access to your most sensitive mission-critical data and they are the source of your greatest security risks. You must protect that data, but not at the expense of losing the trust of those employees or hurting their morale.
This seeming conundrum requires a new approach to security, one that protects the identity and privacy of employees while monitoring behavior and exposes an individual only if corrective action is required. At the same time, those employees are also your best asset when it comes to protecting your data.
By collecting your network metadata and analyzing it for security impact, you can see events as they happen. This continuous analysis lets you watch the actions of your employees and others on your network, and see when errors, deliberate actions, or unintentional acts such as poor configuration lead to data loss.
The Role of Data
Nearly every device and application on the network produces telemetry that can be part of a data stream capable of exposing risks. This telemetry can be used to create a picture of exactly what’s happening over time, and that can allow an AI-based monitoring system to watch for suspicious behavior, and once found, analyze it for the nature and level of the risk.
Because many (but not all) of those risks can be linked to human behavior, it’s possible to create a real-time picture of who or what is creating the risk, determine exactly what the risk is, and allow further investigation as to whether the actions being noted are significant.
For example, your company’s email server can record when an employee sends email outside of your network. Your file server or your cloud account can record when someone downloads a critical file. Putting the two together can flag a suspicious action. Moving sensitive data out of the company to an external email or cloud service can likewise be flagged.
Of course, most security risks are much more complex than just sending data out through email. The data may reflect the activity that results from clicking on a link in an email, which launches a Trojan or a worm, which in turn installs malware that may begin collecting data while also implanting ransomware. Each of these actions, and the subsequent actions by the malware, leaves a unique trace on the network.
By analyzing those traces and working backwards through the series of events, it becomes possible to reconstruct what happened and, in some cases, to prevent the final stages of the attack, such as exfiltrating important data or launching the ransomware. If necessary, the actions leading up to the fatal click can be identified and employees can be given additional training in responding to phishing attacks.
The Employee Role in Security
The majority of employees would never do anything to harm their organization intentionally. But that doesn’t mean they don’t make mistakes, in some cases a lot of mistakes. In addition to clicking on phishing emails, employees may forget to secure their passwords, they may save critical data to an insecure device, or they may send sensitive information over an insecure email service. Likewise, they may take company data home on a personal device so they can work from home.
And of course, there’s always lack of training. Employees may write down passwords on sticky notes, they may let others in their household use company computers or they may leave thumb drives containing corporate information in public places. Such actions are unlikely to be an intentional attack on the organization, but they are still security risks that can be tracked by the data.
Unfortunately, there are also employees who cause data loss intentionally. These might be disgruntled employees, or they may be seeking jobs with another organization, thinking that the proprietary information may help them in their next job. And of course, there are people, employees or not, who may be determined to attack the company.
All of these security risks can be found by looking at the telemetry data provided by the network devices and software and by watching human activity. When this activity is combined with other network events, it can show a clear picture of where the risks to the company are and how they happened. But there also needs to be a means of tracking the data back to its source so that the organization has the audit trail it needs to prevent future risks, and if necessary, to take action against the perpetrator.
Protecting the Employees
It’s important that employees know the network is being monitored, but it’s equally important that they know their personal activity is being protected. By working from metadata, and by keeping personally identifiable information out of the monitoring process, your employees are much more likely to feel comfortable with the process. This comfort level matters, because your employees are critical when it comes to security.
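The two ideas above, correlating a sensitive-file download with an outbound email to an external domain (described under The Role of Data) and analyzing that activity without exposing who the person is until corrective action is warranted, can be combined in a small pipeline. The example below is added here and is not code from the original article or from any product it describes. The log lines are constructed for illustration, the field layout is an assumption, and the pseudonymization key is a placeholder: analysts work only with keyed-hash tokens, and the name behind a token is recovered in a separate step that needs the key and the HR directory.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Layout assumed for this example:
#   <ISO timestamp> <source> <action> <user> <detail...>
FILE_SERVER_LOG = [
    "2024-03-01T09:02:11 fileserver download alice /finance/q1-forecast.xlsx",
    "2024-03-01T09:40:05 fileserver download bob /hr/handbook.pdf",
    "2024-03-01T13:15:30 fileserver download carol /finance/payroll.csv",
]
MAIL_GATEWAY_LOG = [
    "2024-03-01T09:10:44 mailgw send alice recipient=contact@example.net attachment=q1-forecast.xlsx",
    "2024-03-01T09:45:00 mailgw send bob recipient=team@corp.example attachment=handbook.pdf",
    "2024-03-01T17:30:00 mailgw send carol recipient=me@example.org attachment=payroll.csv",
]

INTERNAL_DOMAINS = {"corp.example"}      # constructed: mail to these domains stays inside
SENSITIVE_PREFIXES = ("/finance/",)      # constructed: paths that count as critical data
WINDOW = timedelta(minutes=30)           # download-then-send gap that triggers an alert

# Placeholder key. In practice it is held by the privacy function, not by the analysts,
# so the analysis tier cannot turn a token back into a name on its own.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def pseudonym(user, key=PSEUDONYM_KEY):
    """Stable, keyed token for a user: same input gives the same token,
    but without the key the token cannot be linked back to the person."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def parse(line):
    """Split one log line and replace the user name with its pseudonym at ingest,
    so no record downstream of this point carries the real identity."""
    ts, source, action, user, detail = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "source": source,
        "action": action,
        "subject": pseudonym(user),
        "detail": detail,
    }


def mail_fields(detail):
    """Parse 'key=value' pairs from a mail gateway record."""
    fields = dict(kv.split("=", 1) for kv in detail.split())
    domain = fields["recipient"].rsplit("@", 1)[1]
    return domain, fields.get("attachment")


def correlate(file_lines, mail_lines, window=WINDOW):
    """Flag a sensitive download followed, by the same pseudonymous subject within
    `window`, by an email carrying that file to an external domain."""
    downloads = [parse(line) for line in file_lines]
    sends = [parse(line) for line in mail_lines]
    alerts = []
    for d in downloads:
        if not d["detail"].startswith(SENSITIVE_PREFIXES):
            continue
        filename = d["detail"].rsplit("/", 1)[-1]
        for s in sends:
            domain, attachment = mail_fields(s["detail"])
            gap = s["ts"] - d["ts"]
            if (s["subject"] == d["subject"]
                    and domain not in INTERNAL_DOMAINS
                    and attachment == filename
                    and timedelta(0) <= gap <= window):
                alerts.append({
                    "subject": d["subject"],       # token only, never a name
                    "file": d["detail"],
                    "recipient_domain": domain,
                    "minutes": int(gap.total_seconds() // 60),
                })
    return alerts


def reidentify(token, directory, key=PSEUDONYM_KEY):
    """Separate, audited step run only once corrective action is approved:
    recompute tokens over the HR directory and return the matching name."""
    for user in directory:
        if pseudonym(user, key) == token:
            return user
    return None


if __name__ == "__main__":
    for alert in correlate(FILE_SERVER_LOG, MAIL_GATEWAY_LOG):
        print(alert)
```

On the constructed data only the first subject is flagged: the download and the external send carry the same attachment name and are eight minutes apart. The third subject also moved a finance file to an external address, but more than four hours after the download, so it falls outside the window and would be left for a longer-horizon rule rather than this one. The alert records contain tokens, paths and domains but no names, and `reidentify` is the only place the name is reconstructed.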
Frontline employees are the ones who see phishing emails first; they are the people who need to know not to let their family use the company laptop, and they are the most likely to notice another employee loading data onto a thumb drive. They are your first line of defense for your data, and they’re more likely to help if they feel comfortable with your approach.