Good morning, good afternoon, wherever you are in the world. Welcome to our webinar today. The topic is The Anatomy of Insider Threats: Understanding the Risks to Financial Institutions. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today I'm joined by Eugene Lymar, who's the Chief Product Officer at Ekran System.
Welcome, and good morning. Good afternoon, Eugene.
Hi, John. Nice to meet you.
Glad to have you and welcome everyone. Thank you.
So, a little bit of logistics information before we get started. Everyone's muted, there's no need to mute or unmute yourself. We're gonna do a couple of poll questions throughout the webinar, and we'll take a look at the results at the end. We'll do a Q&A session at the end, and we invite you to put your questions in the CNT control panel at any time.
There's a, a questions blank, so feel free to put those in there and we'll take them. And then lastly, this is being recorded and both the recording and the slide decks will be available in a couple of days. So I'm gonna start off and give a, just a brief background on insider threats, the, the major types or the categories that, you know, fall under insider threat. Then I'm gonna turn it over to Eugene to talk for a while, and then we'll come back and do a joint discussion on, on some governing regulations and technologies.
And we'll take a look at the poll results and then take your questions too. So again, please feel free to submit them.
So let's start off and talk about some definitions and examples of insider threats.
You know, this is a, an overarching term, but it really covers three major different scenarios. The first one is, you know, sometimes not really thought about that much, but accidents or negligence on the part of employees can be a pretty big risk in and of itself. Examples of this would be oversharing.
You know, you've got information that you know should be limited to a subset of all of your users. Well, most information should be limited to a subset of all your available users, but not always do appropriate entitlements or permissions get assigned to those. And in those cases, you know, people who really don't have any business with data sometimes find it on their screens even accidentally. There's also a case or cases where, you know, failure to follow your own security policies can lead to accidental disclosure of sensitive information or corporate secrets.
This can be not using encryption, not using secure storage, not using things like screen locks or, you know, allowing the use of weak passwords or shared passwords. Group accounts.
You know, oftentimes these violate policies and those policies are there for a good reason. We'll talk about security policies in more detail a little bit later, but you can see that, you know, not following standard security best practices can often put information at, at a greater risk of being compromised. Simple things like encryption are, are very important for, you know, preventing information from being disclosed in case it gets moved outside of, you know, whatever access control system, whether or not it's, you know, sufficient, you know, encryption can help with that.
And again, we'll go into some more detail on these in a few minutes. Account takeover is exactly what it sounds like. Taking over a, a provisioned account inside an organization.
You know, this can come about through a number of different vectors. Social engineering is, is a pretty prominent one that's used these days.
Phishing, you know, getting phishing emails, trying to get an employee to disclose their credentials, passwords and whatnot, to be able to get access to other things by an outsider. Once they get those credentials, they effectively become an insider and then they're an insider threat. And APT campaigns, advanced persistent threats, you know, this is a term that came about probably 12, 13 years ago.
These are cases where there are state intelligence actors acting on behalf of governments to take information from not only other governments, but corporations, contractors, those who make up the, you know, a defense supply chain for example, or, or any, any organization that's got sensitive competitive information. And again, once they take over a legitimate account, then they can use that to try to escalate privileges and get information from, from many different systems with the goal of trying to exfiltrate that data.
Lastly here we've got malicious intent.
And this is probably what most people think about when you hear the word insider threat. This is, you know, a disgruntled employee or a contractor, you know, for whatever reason they're not happy with the work environment, they may see an opportunity to use information that is at their disposal for their own financial gain, perhaps.
There are also cases where, you know, we call it co-opetition, where you may be members of a, a broader supply chain and in some cases you compete with other companies that, that may have access to certain bits of your data, and in other cases you're collaborating with them. So there may be data that's shared, you know, with the supply chain that is necessary for, for collaboration on certain projects, but you certainly would not want to allow the competition to have more access than necessary to be able to do that.
There are also cases of just plain old sabotage.
Again, this could be a disgruntled employee, this could be, you know, an adversarial actor that gets access, you know, through account takeover. There's also many cases of fraud, you know, with the emphasis in this webinar on financial institutions. That's a huge risk.
You know, there have been many cases in the past where insiders have been able to commit fraud, you know, getting account information from customers or even just personally identifiable information from customers and, and selling that. So, you know, that's, that's a, a serious problem that exists across the world today.
And then lastly, you know, industrial espionage, just cases where you know, your competition, maybe not in the co-opetition scenario, but competition may hire or try to get, you know, a bad actor into an organization just for the purpose of stealing trade secrets or other valuable information. So with that, let's take our first poll question. Does your organization have an insider threat and risk detection and prevention program? And we'll give you a few seconds to get that up and, and answer that. Just three, three choices here.
Yes, no, and not quite yet, but it's in development.
John, I wanted to add that you gave a very concise definition of what insider threats are. I really like it.
And next, when we finish, I will tell how we in Ekran System help our customers manage and prevent these insider threats.
Excellent, thank you.
Okay, well you'll still have an opportunity to answer this poll question while it's on screen, but yes, Eugene, let's go ahead and turn it over to you. Just a quick reminder, if you're, if you're thinking of questions, feel free to submit them in the CNT control panel. And now Eugene, it's all yours.
Good evening everyone.
Again, my name is Eugene, I'm, as John already told, I'm the Chief Product Officer at Ekran System and today I would like to tell you a little bit about our platform and how we do help our customers deal with insider threats.
First of all, a few words about us. Our company was founded in 2013 as a small cybersecurity project. Since then, we have grown much and became the industry recognized leader among insider risk management solutions. We have almost 3000 happy customers all over the world, and we have four offices established in four countries.
Our headquarters is located in the United States. A little bit about recognition. Ekran System is recognized by the world cybersecurity experts. We are the active member of the KuppingerCole and Gartner product communities. And recently we became the Amazon qualified software because we are already doing SaaS not only on premise solution, we are listed in the KuppingerCole Leadership Compass for privileged access management, which is without doubt a great achievement for us.
And additionally, a month ago, Gartner released the updated version of the market guide for insider Risk Management solutions, where we are listed as one of the top vendors on this market. Use cases.
When I was preparing this presentation, I wanted to find, and I wanted to go through some specific use cases for the financial industry.
However, I found that our customers buy Ekran System for completely different reasons. You can see all, at least maybe not all, but many of them on the screen.
Of course, the most important use case is compliance. Compliance requirements are obligatory in the financial industry. I think John will tell more about compliance later. At this point, Ekran System helps to cover the most important financial regulations such as, for example, PCI DSS or SWIFT SCP, or for example, I want to mention generally GDPR as a regulation. We have all this information on our website and we show how exactly we cover these regulations using our software.
One more important use case is employee and subcontractor monitoring. Companies,
financial companies, are using us whenever they must have a clear and structural evidence of employee activity. So how do we cover all these use cases? I will show you that our software comprises three powerful modules which work organically within one ecosystem. Let me please show them to you. The first one is identity and access management. So security begins with proper authentication. Since we are the agent-based software, we can force users to use different types of authentication options.
This might be, for example, multifactor authentication using the authenticator software, or this might be secondary authentication when several users work on the same endpoint.
Additionally, we may impose time-based restrictions on the endpoint or require approval of the login request. We even do have native integration with different ticketing systems. The identity and access management module helps to neutralize the attack vector associated with the compromised credentials. Next one is user activity monitoring. So after a user logs into the endpoint, we begin monitoring all the actions.
We do this by capturing user screen and recording all user actions in the form of human-readable metadata. At this point, we can deal with negligent or malicious insiders by preventing them from performing certain actions. Let me please give you a simple example.
Our platform may trigger an alert when a user tries to copy and paste sensitive information. Depending on the severity of the event, we can either educate a user that they are performing a prohibited action or even block them automatically and inform the security team.
Ekran System has more than 100 predefined alerts for the most common attack scenarios. Privileged account and session management. This is my favorite module and I think this is such a wide topic that we could do several webinars on privileged account and session management. But let us be short. So who is a privileged user? This might be any individual or account with elevated access rights that can perform critical system tasks or access sensitive data. For example, I can name server or database administrators who work with critical resources. Privileged users,
they are the highest priority targets for cyber criminals. And to protect them, we offer the complete use case of privileged account and session management. We call it PASM, which starts by finding and onboarding privileged accounts wherever they are in the network and finishes with the detailed audit of any privileged session. In contrast to other PAM solutions, other PAM software, our PAM is very lightweight, intuitive and is incorporated into other modules of the platform. Just one more slide please.
This is not a separate module, but I would like to mention our reporting agent. So we have reporting, extensive reporting agent for all above mentioned modules. We provide manual and scheduled reports. We do have native integration with Microsoft Power BI or for example, with any other business intelligence software, which can use our API. And of course we have visual dashboards which currently offer different employee productivity widgets. Thank you very much for listening to my presentation. I hope it was brief enough.
I hope you were not bored and I am looking forward to see you as our partners or our customers. Thank you very much.
Now I want to talk about preventing insider threats, but you know, I thought maybe we could talk about some cases that have, you know, made the news in the last few years, particularly on the financial industry side, cases of insider threat. I'll try to, you know, pseudonymize as best as possible.
You know, in, in one case this was a social media company. There was a conviction last year of an employee who had taken bribes to get information on, on particular individuals and and sell theirs. Of course government cases where intelligence agents have taken information from their governments and those publicly there.
You know, on the supply chain side, there is a, a fairly recent case where a military officer turned civilian contractor took payment from a foreign government for information on aviation information from that employer.
In the software business, there was an award to a software manufacturer from a supply chain member. That supply chain member had hired a person pretty much specifically to spy on the other software manufacturer and disclose their trade secrets. The award there was $2 billion. So we talk about loss.
There's also cases where obviously cases where these have been successfully prosecuted and the perpetrators have faced significant fines. You know, when you think of spies, we, we think of what we see in the movies often, but you know, in many of these cases, spies are not really spies. They're just employees who for whatever reason find an opportunity to make money off of the information that they have access to in the financial industry.
There are several cases against banks where an employee had, you know, similar to these previous cases, used their access to get personally identifiable information about specific clients and sold that information on the dark web. There have been cases of fraud where, you know, upwards of, you know, $20 million has been stolen from accounts and other cases where an employee monitored accounts and knew when people died and, and, and took money out of the accounts specifically, you know, at that time.
So I mean there's, there's some pretty case cases that are, you know, very unpleasant to think about. A million dollar fine for failure to protect customer information, hit another major bank, you know, and the losses accrued as well as the, the fines themselves.
So yeah, many different cases where banks have to and credit card companies, others in the financial sector really need to keep an eye on potential insider threats and make sure that information's not being leaked and that funds are not being fraudulently transferred between accounts.
So after setting that in context, yeah, let's talk about how do we prevent insider threats, you know, and we believe multiple approaches are needed. So first up, you know, we were asking a question earlier, the poll question about do you have an insider threat prevention program? So what really is involved with that security training is a great place to start training them on your policies.
And of course you have to have the policies in place already, but you know, some of the bases of policies are things like enforcing the principle of least privilege, and this is where you only give the appropriate amount of access to an employee or contractor in order to be able to get their job done.
Don't over-provision, give them access to things they don't need access to. And this too is, you know, the foundation of zero trust, which we often talk about. I mentioned encryption earlier.
Encryption is, is really key for protecting sensitive data of all kinds, whether it be PII or, or trade secrets or, or financial information. Because oftentimes organizations depend on access control systems. And if the data is exported from the access control system, then you probably don't have nearly as good access control over it. So encryption could be sort of a, you know, a last line of defense for preventing information from accidentally being shared that should not have been. Eugene talked about IAM, identity and access management. I think that's a very, very important foundation.
We often tell people that, you know, multi-factor authentication and risk-based authentication are the, the beginnings of, you know, good IAM practices. I mean there's also authorization, but you have to properly authenticate a user and a device in order to be able to authorize access to data as well.
And, you know, even multifactor authentication, even like introducing this type of, it's very easy control, but it reduces the insider risk, I think maybe by 90% when for example, you just have this authenticator device and same like proper security you wrote here, security training, security awareness. So also many cases of negligent behavior might be reduced only by telling people and showing them how they should act in different situations.
Like, for example, phishing emails or sharing passwords or all this stuff.
Yep, very true.
I mean we, we also often say it's best to get away from passwords altogether, but also realizing there are a few cases of course where that's unfortunately not possible. If you have to use passwords, please enforce the use of strong passwords, no sharing, no reuse.
And, and, and whenever feasible move to MFA, because you're absolutely right, it can dramatically reduce the risk of inadvertent disclosure, particularly early. Another one that sometimes does not get mentioned nearly enough is unsanctioned use of SaaS tools. And this is where tools like CASB, cloud access security brokers, can help. Sometimes business units may take it upon themselves to start using a SaaS and, and users may move sensitive data into that, then it sort of gets beyond the control of the IT department.
So this is, you know, something that's important to put in policy and also make the users aware of that.
Are you talking now about the information that might get into the different SaaS tools?
Yes,
Yes, exactly. So all the policies are, you know, essentially good ideas, but they need to be enforced. So policy enforcement needs to happen via technical controls. And we can get into that a bit more detail in a few minutes too. So let's look at, you know, some of the components of a security architecture that can help prevent insider threats. We've been talking about access controls. There's obviously a good link to zero trust that's, you know, the embodiment of the principle of least privilege.
Eugene mentioned having a good IAM system is a good place to start, particularly with privileged access management, privileged session management. We also need to do monitoring, you know, look at logins, look at network usage, resource access, you know, to be able to develop a baseline of what's normal for user behavior.
We've talked about training a bit, training to recognize phishing and other forms of social engineering that can help prevent the account takeover vector that we talked about earlier.
I hinted at CASB and you know, cloud access security brokers and DLP, DLP being data leakage prevention. This is, you know, sort of a good adjunct for IAM. This is being able to control the sharing or copying of data all the way down to the device level.
You know, being able to prevent users, say, from taking information and putting it on a USB drive or uploading it, you know, to a personal email account or sending it outside, you know, via email or through some third party website. This is, you know, a necessary component, I believe for helping to shut down insider threats. Identity verification and background checks.
You know, most organizations are doing this to, to some extent, you know, with employees, but I think the point I'd like to make here is we also need to consider that for contractors and other members of the supply chain that may, that you may grant access to through some sort of collaborative working relationship, you need to be able to make sure that the people that are getting access, you know, should be able to get access.
So identity verification is becoming a much stronger requirement. We see in IAM systems, particularly for people who are going to get privileged access.
Number six here kind of puts quite a few things together, but in order to be able to prevent insider risks, you've really gotta be able to do detection or response, do user behavioral analysis. This links back to number two here where we're talking about doing monitoring and developing a baseline of what's normal for a user to use.
You know, studies have shown that, let's say for example, if an employee makes a decision to leave, the likelihood of, you know, any nefarious activity is gonna happen in the last two weeks. So if you can, you know, understand what normal activities are for a user, then you can more easily figure out when, you know, they're accessing a bunch of files that they haven't tried to access before or maybe they're trying to copy 'em to another location so that they can exfiltrate it themselves.
But in order to be able to do that, you've, you've gotta build that baseline first and you also have to be able to do incident response. Let's say your security systems are able to detect a deviation from normal behavior, what then at the very least, it should be able to alert the security team to be able to, to respond, if not be, you know, also being able to take automated actions too to prevent that copying or maybe shut down access to, to files and, and resources that the user doesn't need access to.
And lastly, I mean you could say it goes without saying, but I think it's important to say it, create a positive work environment. Don't, don't give people a reason to become disgruntled in the first place and that will help as well. Definitely. So let's take another poll question. Is your organization actively looking for security controls to prevent insider threats? This is a little bit different from the previous question where we were talking about having an insider threat detection and prevention program.
This is, you know, are you really looking for ways to enforce policy specifically to prevent insider threat? And our choices are yes, no, and not yet, but we're planning on doing that.
I'll give you a few seconds for that to come up and answer the question.
Okay, now Eugene, let's, let's kind of walk through some of the regulations and, and technical controls in a little bit more detail. You know, I think it's important to think about the regulations because most of you probably feel the same way. If we're in the, the business of doing security, we use regulations as a motivation for, you know, updating and outfitting our security architecture properly because regulatory compliance or non-compliance can be costly. So I thought we'd just talk about a couple of different regulations.
You know, there's NIS2 in the EU, it's very interesting. It's getting a lot of airplay these days because of its recency and, and you know what, it's, what it's driving in terms of obligations here.
You know, there, this applies to a lot of different industries.
This isn't a complete list, but you know, telecom, mobile network operators, critical manufacturing, the food supply chain, various digital services, banking services can be included there.
Postal and courier services and government, public administration, you know, at a high level NIS2 lays out the need for governance, cyber risk management, supply chain security, which we've been talking about already, cybersecurity certifications, you know, these can, excuse me, this can help, you can help compliance here by relying on other industry standard certifications. Things like the ISO series, the 27001 and so forth, as well as SOC 2, and then reporting in cases of some sort of cybersecurity incident. There are reporting requirements in both 24 and 72 hours.
Sort of reading between the lines here. Would you say that NIS2 is more or less mandating insider threat protection programs? Eugene?
I think yes. And I can tell you that in all these regulations, usually, like there are many, many in many these regulations, like users must be monitored, data must be protected and users must be properly authenticated. So like not only these two but all, all other regulations, they have very common requirements to the systems to, to the companies. And I told that in some cases we can help to cover these regulations.
Yeah, I would agree. I think a regulation such or a directive such as this does provide good justification for insider threat protection as well.
You know, you mentioned PCI DSS a little bit earlier, PCI DSS being, you know, a payment security standard. It's not, not a government enforced regulation, but it's a, a set of standards that,
Or for the, I think for the bank, for the different banks,
Right?
For and, and other members of sort of the, the, the financial market, the credit card industry, payment services. And again, you know, at a high level it requires things like network security, encryption of cardholder data, both in transit and in storage. Strict access control to card data, vulnerability, this is what we do. Yeah. Vulnerability management, using anti-malware solutions, and monitoring and testing. Would you say, Eugene, that insider threat detection can help with PCI DSS compliance?
Partial partial.
We, I have read this compliance and of course we, it, it is I think very extensive and we can cover at least some pieces of this compliance, but I think it's a customer will need to work over several solutions to be compliant completely. So no, no solution. We can cover all the requirements for this compliance.
Yeah, I think that's true. I mean the, there's a variety of different kinds of technologies that are needed to be able to help with PCI DSS compliance.
I mean, obviously you look at, you know, network security, database security, you know, you might not find all, all the capabilities in a single package.
And from our point of view an insider will be everyone, anyone who works with the bank data, with the customer data and the data that must be protected from sharing it with some third parties.
You know, the goal with something like PCI DSS is to protect cardholder data.
So I think, yeah, I mean that, that's sort of indirectly saying you have to have an insider threat detection program too, because it's irrespective of what the source of the threat is. So if it's an insider threat, if it's a hacker on the outside cyber criminal gang outside of the, the payment security infrastructure, it's not really about where the attack originates. It's protecting the information where it lies.
Exactly.
And also I can mention, for example, I had conversation with one of the banks and they were asking, okay, our employee works with the cardholder data, so how can you, how can you do in such way, so they don't see this data in real time. So everyone who will be looking on the screenshots later. So how this data is protected and for this purpose we can do, we can enable anonymization. So whatever information is gathered by Ekran System, it will be obfuscated unless there is strict permission from the data protection officers to uncover this information.
Yeah, that's a really good point. Okay, let's look at one more NIST cybersecurity framework is something that gets a lot of attention these days because, you know, it's, it's a really comprehensive framework.
It, it, you know, covers everything that we've talked about more or less, you know, access control, encryption, as well as configuration and vulnerability and patch management, using intrusion detection and prevention systems, network segmentation, monitoring via SIEM, anti-malware or you know, endpoint protection, detection, response. You know, just a, a full list of things that you know, really cover what, what should be in a modern security architecture.
Do you find that organizations are using NIST cybersecurity framework compliance as a justification for initiating an insider threat program if they don't have one today?
No, I think they are more using, no, I think the companies which are obliged to comply with, for example, NIST, they don't think of it like applying for the cybersecurity program. They just say, okay, we need to be compliant so we need to buy this and that software and this is how then they, during the audit, they will show that everything is fine and totally compliant with the standards.
So I'm not sure that there are really many organizations mature enough to implement insider risk management programs on the organizational level.
Hmm. Okay. So now let's dive a little deeper on some of the technologies that we've both been talking about.
You know, multi-factor authentication, user behavioral analysis and privileged access management. So multi-factor risk-based authentication.
You know, these are things that we've been discussing in the IAM and cybersecurity world for, for many years now. You know, and there are lots of good different kinds of technologies that can be used for multifactor. There are biometrics, you know, FIDO is a good standard for authentication.
It, it promotes interoperability and then risk-based authentication, risk-based, you know, really taking a look at not just the act of authenticating, but looking at the context around the authentication request. You know, it, where is this coming from?
You know, can you take in geolocation information? Can you take in network information?
You know, that in itself can help prevent an insider threat if you see that a request is coming from a location that it shouldn't be, you can do geofencing, lock out authentication requests from outside, you know, very approved areas. Do you think MFA, risk-based authentication are, are ways that can help prevent malicious insiders that are already authenticated or
Not?
Not, not for those who are already authenticated, but it can prevent malicious insider from, even if for example, they know cred, Active Directory credentials and the user then must do some kind of additional authentication, this might prevent malicious insiders. And I want to tell you, I read about very interesting trends. So what is right now is continuous authentication, which means, for example, a user a software, they know the typing DNA, how a user types words.
And as long as a user continues typing, he's authenticated as, as long as they don't, do not type anything, they are deauthenticated. And it is very difficult to know the exact pattern of how a user types something for a malicious insider. I I I love this way.
Yeah, yeah. That's, you know, behavioral biometrics.
That's, that's, yes, that's been a lot of development in the last few years and I think there are great use cases, you know, on the consumer side, but also on the enterprise and workforce side too. It's like you said, it's a, a method for continuous authentication.
It's, it's fairly unobtrusive. Users don't, aren't really bothered by it. They don't have to, you know, input passwords or
So, so many, so many times during the day.
Yeah. You know what I, what I was trying to get at here, the question is, you know, you can, I think use especially risk-based authentication and MFA to set authentication level policy. So that can then be used for, you know, specific authorization.
So if you require a higher authentication level, higher identity assurance level for access to your most sensitive information, then you can sort of set MFA and risk-based authentication, you know, as a bar that has to be crossed to be able to gain access to the most sensitive information. So UBA, we've kind of been talking about this a bit too, user behavioral analysis, how does UBA help detect, you know, possible insider threats? Do you have any, any other examples on that you might like to share?
Yes, we have basic UBA functionality at Ekran System. So we can detect unusual working hours and for example, if we know that a user works from Monday to Friday from 8:00 AM to 5:00 PM and then suddenly begins working for example on Saturdays or begins working in the night, this is definitely something suspicious and this might not be our employee but an insider or someone who had stolen credentials.
And of course we will trigger an alert on such behavior and I want to tell you that we will apply additional development resources into the UBA for more intricate scenarios other than unusual working hours because UBA is becoming more and more trendy on the insider risk management market.
Yeah, I really think it's a necessity. I mean we talked about monitoring and SIEM earlier too. Exactly.
You need a system that can proactively, you know, using things like AI ML help determine what, what's normal and what's not, and alert on that because yes, systems are probably logging all that to your SIEM, but unless you build the logic in there to detect that, you know, you'll be doing a forensic investigation after the fact instead of being able to more proactively alert and potentially shut down insider risks as they're happening.
So I think UBA is is a really important part of insider threat detection and prevention
And of course it is much cheaper to prevent than to investigate and suffer from consequences of the insider incident.
Yes, definitely. Privileged access management, you know, we've both talked about that a bit. Do you think over provisioning of entitlements is, is still a contributing factor in insider threat cases?
Well I can tell you that privileged access management is, I think it is already a mature market and it is becoming a must have for privileged users.
And now it is also extending to non-privileged users because for example, many users are using business applications and these users are not privileged, but you don't want data to be shared uncontrollably. And yes PAM as it is good for insider risk management for critical scenarios where you work, for example, with critical servers or databases where you cannot allow yourself to lose the data.
Agreed. Last one I wanna talk about is DLP, you know, I've kind of described it a little bit also its relationship to CASB cloud access security brokers.
Do you think DLP can help stop authenticated and authorized users from committing fraud or exfiltrating data?
Definitely DLP is an important component of the insider risk management program.
I can, I cannot tell you all the details now, but we are partnering with the really well-known DLP solution. So we will co-sell each other our insider risk management software from one side and DLP software from another side working together. But definitely it is very, very important part of the security program.
Yeah, definitely. I think as we've said, you know, an authenticated user, an authorized user should be able to get just the level of access they need to be able to do their job.
But, but yeah, once they have the data, let's say the data can be exported, you need to be able to control what the user can do with that because simply controlling access within the application isn't, isn't enough to be able to guarantee that that data isn't going to be leaked whether intentionally or unintentionally. And then, and then you know, you've gotta face the consequences of that
And, but you know, sorry, users might be very tricky. They can like, okay, hide files, rename them zip unzip, relocate many times just to somehow mask them and then to exfiltrate from the system.
Yeah, yeah. That, that has happened. I was gonna say that can happen, but we know that's happened already many times before. Yes.
Okay, let's take a look at our poll results. First question, does your organization have an insider threat program? Good news is 62% say yes. Only about 20% say no and 20% say in development. So this is, you know, reasonably good results. Especially if that 20% that's in development can can make it come to fruition soon. Does this sort of line up with what you would've expected, Eugene?
No, these results are unexpectedly good, but I really expected much lower results.
Yeah, this is good news. Well congratulations for those who have done that already. Next question, is your organization actively looking for security controls to prevent insider threat? 33% say yes, 50% say no and 17 say not yet but planned. This one, yeah, this is kind of opposite of what I would've expected too. I would've thought more would be actively looking for controls. Any thoughts on this one Eugene?
I think insider risk management is a fairly new market and companies must be educated on how to deal with insider risks. And this is why I think many organizations, they simply do not know what, what insider risks are and what to do with them. And I think this is why we see such percentages on the screen. So we still need to educate users.
So let's take a look at some of the questions that we've got. Do banks and financial institutions use privileged access management to enhance their insider risk management program? Feel free to jump in there, Eugene. I would say yes.
I think that's
Very important. Me either I would, we have customers who use our PAM module, our banks who using our PAM module for the privileged access management program.
Then I, I could say yes de definitely, yes.
Cool. Next one. How long do you think the EU based orgs in the BFSI sector will wait to be DORA compliant?
Well, I would, you know, I I, I think good intentions, I think most organizations probably want to become compliant as as soon as possible, but there's often a need for grace period for getting fully compliant. Any thoughts on this one, Eugene?
I don't have any thoughts, but I read, this is Digital Operations Resilience Act, if I remember correctly. And it's something like 200 pages, so I cannot tell you when, when the companies will be compliant to all these 200 pages of, you know, very small text.
Yeah, yeah, it's, it's quite complicated. You know, most of these frameworks and regulations that we've talked about are, like you said, about 200 pages.
They're, they're pretty deep. There's a need for, hang on a second, something's not quite right here,
You know, and to, sorry. And the definitions inside these acts are often very vague, so they like no, no straightforward definitions and many companies implement these policies, how they see them.
Yeah, yeah, I mean in some cases, like, you know, when PSD2 came out there were technical specifications for how to implement the, the spirit of the, the directive as well. So you know, I think guidance is often necessary technical guidance necessary as well as just trying to comply with the regulation. Let's see. How do you correctly comply with user rights during user sessions monitoring? And does Ekran System meet the GDPR requirements?
This is question to me.
I say yes, we have data anonymization functionality in Ekran System and this is particularly required by the European customers. The GDPR says that all the data must be anonymized as much as possible.
So we can, yes, we can obfuscate everything what is on the screen. We can obfuscate real names, host names, client name, client names, and we have special approval request workflow. So the data will be de-anonymized only by the strict permission of the data protection officer.
Yes, we are GDPR compliant.
Okay. What do you think about the trend of using ML and AI in the insider risk management products?
I think this is question more to you because we do not currently use AI in our product.
Well you know, I think it's particularly important like we were saying for user behavioral analysis.
You know, that'd be one good example since we're kind of running outta time here. But being able to sort through the mounds of data that get generated by day-to-day user interactions with applications and other resources that, you know, there's so much information that you really can't sort through it manually. This is something that requires machine learning algorithms to be able to detect what's normal or or deviations from what's normal. So user behavioral analysis is, you know, one key area where I think it would be very beneficial.
I agree with you.
So we're almost at time here.
Lemme see one last quick look at the questions. I think that's, that's all we've got here in terms of questions. So thanks everyone for attending and thanks.
Thank you very much
For your participation.
Any, any final comments?
No, I don't have any more comments. Thank you very much. It was a pleasure to talk to you today. The topic was really interesting and I hope for more webinars in the future.
Sounds great. Well thank you and thank you. Have a nice rest of your day.
You too. Thank you everybody. Bye-bye.