All right. Welcome to another KuppingerCole webinar, ladies and gentlemen. My name is Alexei Balaganski. I am Lead Analyst at KuppingerCole, and today I am joined by Simon Sharp, who is the Vice President for International Development at ObserveIT. The topic for today is Five Steps to Building an Effective Insider Threat Program. But before we dive into the topic, let me give you a few words about KuppingerCole, the organizer of this webinar.
We are an independent international analyst company based in Germany, but with a pretty strong global reach all the way from the US to Europe, Australia and Singapore. For almost 15 years now, we have been offering vendor-neutral guidance and expertise to both vendors and users in all areas of cybersecurity, identity and access management, governance, risk management and compliance. Among other things we offer are events, ranging from free online-only events like this webinar all the way to major industry conferences. For example, our flagship event,
the European Identity and Cloud Conference, will be taking place for the 13th year in a row next May in Munich. We have other events as well; you will see a couple of them on this slide and even more on our website. A few guidelines for the webinar: we control the audio features of the platform, so you don't have to worry about it, you are all muted. We will do a recording and we will publish it as a webcast on our website, and all attendees will get an email with a link to access
it. We will have a Q&A session at the end of the webinar, but I urge you to submit your questions as soon as you have them, using the question box in the panel. As usual, our webinar is structured in three parts. First, it's my job as an analyst to provide you with a neutral overview of the particular topic, in this case
insider threat types and actors, and then I will hand over to Simon Sharp, who will give you real-life use cases and best practices for implementing a proper insider threat management platform within your company.
And as I mentioned, at the end we will use the rest of our time for questions and answers. And without further ado, let's dive into the topic. I usually like to start my presentation with this slide, which I am pretty proud of, which shows how far we as a society, if you will, have progressed from the traditional perimeter-based mindset, the perimeter-based security approach. Maybe even 10 years ago or longer, if you remember it, each corporate network was seen as a castle with a wall and a moat, with only a single gate, the firewall, and everything has been safely hidden behind the walls.
And nobody actually had to think much about protecting that information from any real major threats.
Then of course came digital transformation, and nowadays there is almost no trace left of that perimeter. Your network is probably spread across different perimeters, different environments, both on premises and in the cloud or clouds, or maybe you even have an industrial network segment. And of course you all have your partners, contractors, employees on the go, as well as multiple types of smart, connected devices.
All this has led to a major explosion in the complexity of our IT infrastructures, a huge growth in the amount of data which has to be managed, transmitted, exchanged with your partners, and of course secured from different threats.
And of course, nowadays, with this deperimeterized infrastructure, you have many more threat actors who are out there, or even in there, after your data. Of course, the whole notion of insider threat is way, way older than IT and computers. Even the well-known Macedonian king
Philip II, two and a half thousand years ago, said that there is no wall high enough to stop a horse with a cart filled with gold. So even then he was worrying about insider threats in his cities, but nowadays of course the situation is completely different.
And in a way, the whole of information security has shifted from this perimeter protection approach towards accepting the reality that your network is probably already breached, maybe by an external hacker who managed to obtain someone's credentials, or maybe just someone within your company having malicious thoughts and malicious plans. So basically there is no way to protect your resources from this with any kind of wall.
And you have to focus your efforts not on preventing something from happening, but on detecting it as soon as possible and trying to mitigate it before the splash radius, if you will, expands beyond your company and goes all the way into the press and to the auditors and the regulators. In a way, the biggest insider threat nowadays is actually almost everyone within your company.
Of course, you probably remember the term privileged access and privileged users, and many still believe that those users are mostly admins, the root users, the Windows administrators, maybe sometimes even the third-party administrators who have to access your critical systems just to maintain them, to ensure that they are working without problems. But again, the times have changed a lot, and now everyone, including hackers, understands that exploiting human vulnerabilities is much easier and much cheaper than targeting infrastructures and software.
And of course there are many more privileged users nowadays, and those users are typically business users who have way less experience with IT security but way more influence on your financial processes, on your daily business workflows. And in fact, the best part of this whole new type of attack is that the victims do all the work themselves.
And what 10 years ago used to be a joke about the proverbial Albanian virus, which urges a user to break something himself because the virus is not advanced enough, nowadays is a sad reality, unfortunately. And those insiders, as I mentioned, are by no means just the admins; it can be anyone, and they don't even have to be malicious.
Quite frankly, the recent study, the Ponemon 2018 Cost of Insider Threats study, which I believe was actually sponsored by, commissioned by ObserveIT, has shown that in fact negligent employees are the root cause of most insider threats.
Those are people who have no idea that they are acting maliciously. And on this slide I would like to show you a couple of diagrams, which show that according to that study, as I mentioned, most of those incidents were caused by negligence. And although they are significantly cheaper to fix, if you will, and the losses caused by a typical negligence incident are way, way lower than those from a malicious actor or professional hacker
who obtains someone else's credentials, the sheer number of those incidents piles up quickly, and the total losses from those negligence incidents at the end of the year are much higher. So in fact, when you are thinking about whom you should actually be protecting against first, you have to think about everyone, all of them.
And one more diagram, just to show that yes, indeed, the admins are by far not the most lucrative targets. Sure, they are still traditionally considered privileged, but they have way, way fewer opportunities to actually exploit those capabilities.
And we all know that one of the best parts of being a CFO is the ability to make large financial transactions without any, and again it's a sad reality, without any regulatory mechanisms in place. So hacking your CFO or CEO actually gives way, way more possibilities for a hacker to get away with a massive loot. And then the question, of course, is: how do you even start planning your strategy against these insider threats if they actually affect everyone across any environment? And there are actually very few existing technology solutions which can block all of those incidents.
First of all, you have to think strategically.
And you have to think exactly in the order in which I've listed these three pillars.
First, you have to start with educating the users. Then you have to start with rechecking and strengthening your business processes. And only after that should you start thinking about technology. And when it comes to education, the biggest part of it is so-called security culture. We've actually done a separate webinar just on that topic quite recently. Security culture is something which many companies believe comes for granted as soon as you buy an antivirus, and somehow every one of your employees magically becomes expertly protected from viruses.
It can't be further from the truth. Unfortunately, security culture is something which has to be actively pushed into everyone's heads, if you will. It always starts with making everyone aware of the potential issues and problems, but at the same time it has to be leadership-driven.
So basically you start with everyone, but you always have to assign specific people, ideally the ones who can really drive all the rest of your employee workforce after them, and make sure that every employee is not just aware of all the potential risks, but is actually trained in dealing with those risks. And again, this is never something that just happens once; it's really a continuous process, and it has to involve every team, every business unit, and of course every administrator and IT person in the company.
And on the right side of the slide, you can see just a few aspects of security that at least your administrators have to be trained in. It starts from physical security, like never leave USB drives lying around and never plug in those you do not trust, all the way to some really advanced topics like integrating security into your DevOps practices and stuff like that.
And when it comes to processes, again, I'm really sorry I have to reiterate things which every one of the attendees already knows, but unfortunately not everyone out there actually follows them.
First of all, of course, you have to know what you are protecting and you have to understand which risks are there. So you always start with cataloging your assets, understanding which types of information are your crown jewels and have to be protected at all costs,
and those others which probably are not that important. And for every risk you have to understand and know its probability and impact. And of course you have to review your existing security and compliance policies. And it really goes not just towards advanced stuff like which security tools you are using, but really all the way down to basic hygiene.
Like what happens if the CFO gets a phone call during the night asking him to make a transaction to a Chinese bank? Is it really something which is supposed to be happening in your company? Do you have any controls against it?
Do you really know? I mean, does your CFO really know for sure that he knows his CEO's phone number and voice? It really sounds silly, but for many companies this is where they have to start before moving to more advanced stuff. And of course, again, to reiterate, you have to involve everyone in the company, but you have to designate the leaders who will drive everyone after them. You have to continuously invest in employee training and continued education for your IT personnel. And of course you have to prepare for all the potential scenarios, catastrophic scenarios.
Do you really know what to do when a breach happens? If you are, say, a member of the board of directors, do you really know what to tell the press when they meet you tomorrow morning in the elevator in the office? Do you know what to say, and more importantly, do you know what not to say to them?
You have to train. You have to not just have the script; you have to run through it and you have to train until you can do it during the night or during vacation time. And of course, trust no one: test and validate everything. And finally, we come to the technology.
I am really not supposed to go deep into analyzing the individual capabilities; that's actually what Simon will do in his part. But what I'd like to show on this slide is that a so-called insider threat management platform is supposed to be a unique class of software solutions that should actually combine many aspects of other existing security tools, like endpoint protection and of course user behavior analytics, cloud compliance and security tools like CASBs, email security (of course, email is still the biggest threat vector for multiple types of insider threats),
DLP: how do you prevent sensitive data from leaking,
even if there is a malicious insider acting in your network? And of course, even if that already happens, you have to know what happened, so you have to have forensic capabilities and response capabilities, those scripts and automation tools. But even given all those things, even if there is a magic solution which manages to combine all those software tools into a single seamless platform, which probably never happened before and won't happen in the future, this platform can never function in a vacuum.
It has to be part of your security ecosystem. It has to integrate with other tools which somehow are not yet in the core of the platform. It has to rely on external threat intelligence, on external brand reputation feeds, if you will. And of course it has to be continuously expanded, updated and improved. And last but not least, it has to be built from scratch with privacy in mind. When you think about the latest compliance regulations like GDPR in Europe, such a solution by its nature has to go very, very deep into every nook and cranny of your network.
It has to monitor every employee's actions. How to do it in a sensible, sensitive and compliant way is a huge challenge, both for the vendor and for you implementing the solution. So think about it. And on that note, I am giving the stage to Simon Sharp. Simon, it's your turn now.
Thanks, Alexei. Good afternoon, good evening, good morning, wherever you are around the world. Nice to meet everybody on the call today. Thanks very much, Alexei, for that great presentation. I just want to introduce myself briefly here, and ObserveIT, the company that I work for.
So I'm the VP of International Business here at ObserveIT, and we focus on the insider threat management area of cybersecurity posture.
So from an insider threat perspective, we see that people in the business are the biggest asset to any business. I'm sure everyone on the call would agree with that.
So people are the biggest asset, but also, with the access that you give to individuals, be it third parties, privileged users, high-risk users as we may describe them, or typical business users, the types of systems that they have access to are potentially very sensitive, be it with PII data, PCI-related data, credit card details, sensitive IP for the company, high-risk information. It's important to be able to understand and educate people on the risk of having access to those systems.
There are many stories that we read about in the news, in the press, every day, particularly, you know, in the UK. There are some good examples here that I'm sure people may have heard about around the world as well. There was a large supermarket called Morrisons that recently went through the Court of Appeal, and they ruled that they were due to pay compensation to over a hundred thousand employees who were the victims of a data breach.
That was ultimately at the hands of one of their senior internal auditors, who deliberately leaked payroll information in 2014. So that was obviously a hugely high-profile breach. Tesla again, earlier this year, 2018, in the US filed a lawsuit alleging that a former employee unlawfully hacked the company's confidential and trade secret information and transferred that information to third parties.
There was another incident back in 2013, Alan and Shaw, where an employee left and continued to access sensitive file systems and email, and that was for two years undetected, downloading sensitive documentation and design work. There's an example of an investment bank, actually one of our customers at ObserveIT, where there was an employee who was using the company's servers to set up their own business, a gaming company, and using the company's resources to launch that company.
And they ultimately used the company's resources to manage that and offer that from a service perspective. These are all different forms of insider threats that organizations need to be aware of and be able to manage.
Okay, so, sorry, to continue: insider threats are ever growing across the organization and across the world. So we've had incidents where up to 3 million records are stolen every day across enterprise organizations. There were reports from IBM where it was stated that more than two thirds of total records were compromised in 2017. And we've also been working with an organization where a number of companies, over 200 companies, were assessed over a 12-month period.
And it was found that the average cost of an insider incident was over nine, $9 million per incident, all related to insider threats.
So the enterprise today, and Alexei alluded to this during his presentation earlier as well, is that most organizations have many different layers today. So firewalls, IPS and IDS systems, DLP, EDR systems, that's endpoint detection and response, the latest next-gen AV, identity and access management systems, et cetera. And there is the thought of the perimeter basis, so the fortress, if you will.
So everything within those walls we would deem to be defended or protected, which is part of a typical enterprise perimeter theory. Now, the reality of that could be seen as somewhat different, or a more honest view. A friend of the company ObserveIT, we work with Dr. Ed Amoroso, and he was actually the former CISO at AT&T. And the thinking there was more that, to do our job the way the world has moved forward,
there's much more remote working, working with third parties, digital transformation, lots of benefits of outsourcing and working in a more holistic way with our partners and employees.
And ultimately that leaves gaps within that perimeter wall. So therefore the more current thinking around cybersecurity would be taking more of a zero trust approach from an internal perspective as well as external. And of course, that leads into us having to understand what the employees are doing within an organization, or third-party contractors, et cetera,
so we can have the best visibility and the best means to protect our critical assets within the business. There are some faces on this slide here that you may recognize. So Ed Snowden, on the far left there, contractor. The people, the risks within the business, can take different forms.
So it could be a malicious insider, such as the Ed Snowden case, whilst working for the NSA as a contractor, where sensitive governmental information was leaked out. Anthony Levandowski, next to him there, whilst working at Google on the automated car project, within the last two weeks of working for the company was able to repeatedly download 1400 documents.
And that information was then subsequently sold to Uber for circa $300 million, allegedly, which then resulted in a lawsuit between the two companies of approximately half a billion dollars.
So you can begin to see the impact that an insider threat from a malicious standpoint may have. There are of course other examples, such as the Anthem breach, where a database admin's user credentials were stolen, taken, and used to access the database; hundreds of thousands, if not millions, of records were lost from that attack, all related, obviously, to the insider threat attack vector. Target I mentioned. But most of the organizations that we talk with, and it's well recognized, say it's not necessarily the malicious insider that we need to be most aware of.
There are other forms of insider threat that we've touched on: the non-malicious, if you will, the negligent user or the accidental use case, and these are as dangerous or as risky to an organization as a malicious insider themselves.
So this gives us more of an overview of the market as we see it. So insider threat management there in the center, this takes the form of the user activity monitoring space that I think most people will be aware of, so looking at session monitoring, session recording, but then taking that to the next level.
And really what organizations are benefiting from is to look at and get that insight, that visibility across the organization of what is happening at a user level, but also from a data or file activity level. And ultimately this gives us insight into malicious activity, as well as non-malicious, negligent and accidental use cases. It's important that this bleeds into other areas of security, such as the SIEM technologies and UBA,
so user behavioral analytics, security incident and event management, where this forms more of a holistic, joined-up approach, where you can get the insights and the visibility and the context, the early detection of an insider, of what's happening.
And then that can be aggregated or fed into other systems across the organization, such as automation tools, orchestration, et cetera, as part of that joined-up approach. Organizations as well have relied heavily on DLP technology, not only from a compliance perspective, but also using DLP from a security or data exfiltration, data loss perspective.
So what we've actually found is that leveraging the insight, when analyzing or focusing on what users are doing and tying that to the file or the data, actually gives you a much better means of being able to identify data loss, because you have that early visibility and that ability to react and be on the front foot and proactively defend the organization before a file may be uploaded to Dropbox, copied to a USB or emailed out of the organization.
So speaking from a CISO's point of view, and from a security posture at large, it's: how do I reduce the mean time to detect a threat or an incident within the business, and how do I remediate that quickly?
It's well recognized that the average time to detect a threat within the business is typically over three months.
And of course it can sometimes be many years before an organization detects it. And I've touched on a couple of those examples already today, where rogue employees may be coming back into the organization to do harm or steal information, et cetera. So how do we close that kill chain? How do we shorten that window? And the key way of doing that is to have that context and visibility, that real-time detection and that flexible means of preventing.
So the quote you can see on the slide here was actually from a CISO that we've worked with, and the quote was: "I don't have to say 'I don't know' anymore. I have these tools and I have the visibility."
So, and again, actually this is something that you touched on as part of your presentation earlier.
I would wholeheartedly agree: we need to think people, process and then technology, in that order.
So from a people perspective, as part of a wider insider threat program, we need to elect a champion. We need to build out the insider threat team, so we're very clear on who in the business is going to take part if an insider threat incident happened. Is that somebody from finance, human resources, the security and IT team, et cetera? Which C-suite needs to be involved in the insider threat team? We need to have a very clear playbook and plan. If we have an incident, how do we react to that? How do we remediate?
How do we report from a compliance perspective, both internally and externally? How do we do that? And how do we create an integrated insider hub as well?
So people, process, technology, in that order. Okay. So we need to know and protect our critical assets.
So what, and every organization's going to be different here, but how do we understand what sensitive data we hold? Do we hold credit card details? Do we hold PII? Have we got very sensitive IP information?
Are we a pharmaceutical company where we absolutely need to lock down, you know, new IP, new data that we've discovered? Where does it reside? And then we need to think about the privacy laws. Obviously GDPR is very topical at the moment, and organizations quite rightly are really locking this down and understanding where their sensitive data lies, how they classify this data, how they ultimately apply and make sure that they are compliant with the privacy laws that impact their particular business.
And then how do we understand the context, and how do we understand the value of the data that we have in the organization? So how does technology help us here? So if you look at the world from an insider threat management perspective, the key benefit and value is providing that context to what is happening across the organization. So what are the users' roles? What does the user have access to? What is that user doing on a day-to-day basis? How is the data moving around the organization? Is it coming from a cloud service? Is it on a network file share? Is it on somebody's computer?
Is that data being copied? Is it being deleted, modified, renamed? And then ultimately, how do we analyze what is happening when we combine the user and the data that they have access to?
So a new approach to mitigating the insider threat is by having very clear visibility, being able to have a layer of analytics to understand and make sense of the data that is being collected, and then: how do we enforce and prevent insider threat risks?
So if we take a slightly deeper dive into what we mean by visibility: we have a particular user here, Donna Ron. We can see that this particular person has access to many different types of applications: Microsoft, fin apps, development applications. They may have access to email, Gmail, Skype, et cetera. What can they do with the systems and data they have access to? Can they print screen? Can they copy-paste? What systems do they have access to? Ultimately, how do we track what could happen to certain files?
So if the file's being created, renamed, deleted, has that file been encrypted, zipped up? Has it been copied? What are the different types of exfiltration points across the organization? So could I print the document? Can I copy it to Dropbox in the cloud, perhaps? Can I copy it to a USB? Can I email that document out of the organization? And then ultimately, how do I prevent something happening here? So do we have the ability to educate and make users aware of what good and bad security practices are? How do we notify those users? How do we block those users?
Can we log off that user, for example?
So I'm just gonna work through a particular example here. So Donna Ron would, then in this example, downloaded a file from the financial application. So it may be a payroll date, a payroll file, for example. So this may or may not be treated as sensitive or risky, but we have visibility of it at this point in time, which is, which is key.
If that, if that file that is then renamed, if it was renamed from payroll XLS to something innocuous, like my holiday photos, JPEG, for example, that wouldn't typically be a normal action that we would expect to have. So we start to build up a picture and the risk to the business of this, of this piece here, if the, if this particular user Donna Ron then downloaded Dropbox and installed it on her laptop, again, that would begin to raise the risk or even higher, because we've got the visibility of the chain of events here in the context.
And then we have the, the actual file document copied to the cloud. Then ultimately that, that that's the fi final piece in the chain that ultimately want, we want to prevent, because this is sensitive information that's been passed through the organization from the financial application onto the user's machine, and then ultimately trying to data exfiltrate that document. So it's very important that you have the ability to have these early warning signals to be able to prevent a negligent potentially or malicious action in this, in this case. So the final step here is around enforcement.
So one of the key ways in any organization to maximize prevention is to make the users aware of what good or bad security policy or good or bad security practice may be in real time. So one of the, one of the measures that an insider threat management system could give you from a technological perspective is the ability in that scenario.
We, we just run through there. If that document was about to be copied outta the organization, you could then pop a dialogue box. As you can see on the screen there, which would then ask that particular user in real time to acknowledge that they were going to allow that document to be copied to a USB or, or in that incident out to out to the Dropbox in the cloud.
Now, if I'm a negligent user within the organization. So my intent is good. Maybe I was copying that file so I could work on it at the weekend. For example, I'm being proactive, I'm being productive, but I'm going against security policy. So if I'm able to, if I'm able to prompt that person in real time, if they're negligent, then they're likely at that point to understand that this is going against best practice and they will remember, remember, and they'll be aware for next time that this, this is, this is not a good, good practice.
So again, security and awareness, and this ability to educate and make the users within the organization aware of good bad practice in real time is a, is a, is a key preventative step.
Okay? So I just wanted to touch on two use cases. These are both use cases of customers that we have that observe it within the DAC region. So both within Switzerland, Austria, and, and Germany, this particular first one was a service provider that we are working with and they have many high profile customers globally, but their particular cybersecurity operations is, is based within the DAC region.
They have over 80 people within their, so they have 40 cyber cybersecurity solutions. And the, the key, even with having those 40 cybersecurity solutions, 80 people within a, so they still were unable to understand the context or get visibility of incidents that were happening with their, with their clients. So this is where they, they turn to observe it. Or they used an insider threat management tool here to be able to really get down, to understand at a user and a data level, what is actually happening through the context of the examples that I I gave earlier.
So some of the key benefits for them within the organization was to be able to identify the malicious or the negligent or accidental incidents that happened. They were able to integrate our solution into a wider, a wider global sock out of the box environment or a single pane of glass, if you will, that could then be used with automated automation and orchestration tools.
And the other key benefit that they found, and they replayed back to us was the ease of deployment and the speed and time to value of deploying the observant solution that gave them that insight and that visibility and the final slide here. And the second use case was actually the reason why I chose this one again from the, from the DAC region was the opposite size or scale of the enterprise to the site, the service provider, tens of thousands of employees, lots of resources I just touched on, but actually this particular customer was in the hospitality hospitality industry.
And they didn't have any dedicated security people. They had one IT manager that wore two hats, basically, and one of the hats was responsibility for security. But they had an insider that broke in and had access to the internal payroll and salary information of the organization, and was actually a disgruntled employee who chose to make public everybody's wages and salary information within the company, but also externally as well.
And this led to the complete revamp and review of the security controls, and how do they get real-time visibility into incidents like this happening and be able to be on the front foot to stop this happening again. And this is where we worked with them from a technology perspective, again, with insider threat management, to give them that visibility, context and control, that early detection in real time, to be able to do that very simply with very low operational overhead.
Because again, there was one IT manager that was responsible for security, and they were able to have this system be effectively their eyes and ears across the business, and be able to react and stop future internal threats. Okay. So that's the end of my presentation today.
Again, apologies for the technical challenges that we had through the presentation, but hopefully the presentation was well received, and I'd be very happy to answer anybody's questions.
All right. Thanks a lot, Simon. It was indeed a very insightful and very beautifully crafted presentation. Definitely much better than mine. Thanks a lot for that. And let me just quickly switch back to myself for the Q&A. All right.
I hope you can see the Q&A slide now. Again, please submit your questions using the questions tool, and the first one we've got, I actually almost expected it from the beginning of your presentation: does it use machine learning?
So for our particular ObserveIT technology, we have an element of analytics that's being built in, but the core element of our technology is built around alerts and rules.
So we have a concept called an insider threat library, where we have over 300 out-of-the-box alerts or rules that we've built whilst working with over 1,800 customers globally in about 86 countries. Based on our experience over the last 10 years, we've built up that library. So that gives us that early warning, alerts and context. But as we move forward, today we combine that with the data or the file activity, so user and file, and then we're building in the analytical wrap to then, yeah, give you that predictive element as we move forward.
Okay.
And if I might add a couple of words from my side: although machine learning and AI is a hugely popular marketing buzzword nowadays, just putting that label on a product doesn't actually make it any better or smarter by definition. So not all machine learning is created the same, and actually quite a few solutions I've seen personally, having a somewhat academic background in that area, I would say those have nothing to do with machine learning proper.
Anyway, let's continue. The next question in the list is: how do you monitor employees who use a laptop for personal matters? Or, if I may add to that, how do you monitor an employee who is outside of your network, for example? How do you deal with those people?
Sure, sure. So actually a very common use case; very good question. So a common use case for us in the DACH region is actually looking at and understanding what third-party contractors are doing when they have access into your systems, into your network, into your databases, et cetera. And the way we would do that at ObserveIT is we have a gateway solution. So effectively we funnel all of the outside contractors through a particular server or gateway, and that gives us the ability to monitor and get insight into what that user and that data activity looks like.
So we would also support Citrix, VDI systems, et cetera, from a central server approach where you would not deploy agents on endpoints.
Okay. All right. The next questions are actually two, but I'll combine them into one for you: how much of a role does threat hunting still play in this area, and would it still make sense to budget for it to complement your solution?
Sure. Very good question. So from an ObserveIT perspective, we are very focused on the user and the data from an insider threat perspective.
There are other tools, such as EDR, endpoint detection and response, that are looking at the threats from the outside in. So they're going to be more focused on the ransomware attacks, malware, et cetera, and they're looking at different elements of the endpoint, so threat hunting at process level, et cetera.
The key difference is they're not focused on the user or the data; they're focused more at the process level. So if you are searching for malware and ransomware attacks, for example, then absolutely there is definitely a place for the EDR or the EPP next-gen AV type of technologies using threat hunting, but ObserveIT would sit as a complementary layer to that, because we are focused on stopping threats from a user and data perspective.
It's actually kind of a shame, really, because a typical EDR solution would actually look to a large extent at the same activities happening on the endpoint as your solution, right? But since it kind of has a completely different perspective on that information...
Yeah. Just
...it can't do both. You still have to use two solutions.
Yeah, yeah. Absolutely.
I mean, there is clear differentiation between the two. One's looking at external threats coming in at a process level, looking at, you know, the actual code, whereas we're actually analyzing, we study metadata, and we also capture video as well.
So, you know, who can imagine being able to see exactly what's happening on a server or an endpoint and be able to replay that? You know, that's a different type of insight and visibility than you would get; you wouldn't get that level of visibility of what's actually happening within the organization from an EDR platform.
Right.
And to again follow up on the next question from the same person: did I mean Darktrace or Cybereason, or what did I mean? Well, yes and no. That's exactly the problem I mentioned in my part of the presentation: an insider threat management platform has lots of functional and technological overlaps with different security tools, EDRs, endpoint security tools, network security tools like Darktrace, DLP, email.
Anyway, the problem with that is that none of those tools, even combined in the same bucket, would ever be able to do the same type of functionality as a dedicated insider threat management platform, simply because they do not focus on the same business processes, or workflows, if you will.
So in an ideal world, of course, all those tools should kind of merge together, maybe through mergers and acquisitions of their vendors, or at least through some APIs and stuff, but that's really something for the future, which won't happen in the next few years.
So yeah, unfortunately we are still stuck in a fragmented security tool landscape, but then again, one dedicated insider threat management solution may be a more reasonable choice than five different standalone solutions, even though each of those standalone solutions is arguably better in a particular slice of the security functionality. Okay. Next question, and that's a question I really like a lot, being from Germany, if you will.
So, with that large amount of data you capture about users, how do you keep them anonymous for data privacy and compliance purposes?
Sure. Yeah. Very good question. A question I was expecting, actually; it tends to be a question that gets asked around data privacy.
You know, how do you protect the individuals? I mean, the short answer within the platform itself is that we have anonymization, so effectively every user within the platform is masked. So you are unable to identify who that user is, but you're still able to track bad behavior, and, you know, everything I've described earlier still holds true. So you've still got that complete visibility of a user.
You don't necessarily know who that person is, but you have a user, combined with that data activity, and only when you reach a risk level where you would want to de-anonymize the data or that particular user, then you can do it at that point. But then to de-anonymize that user, you would potentially have to give that to a senior-ranking person within the business, maybe somebody who's on the works council, for example, or HR, to be able to reveal who that user was.
But at that point, you have good reason to understand if they've been breaching certain security policies or rules within the business. So overall, anonymization is widely accepted as a good means of addressing data privacy concerns.
Okay, great. We have really only a couple of minutes left. So one last question for you: can you briefly describe the way to actually deploy and implement your platform? How difficult is it?
Yeah, so another good question there. So yeah, very, very straightforward, very, very simple. So I mentioned the gateway solution, but typically within an organization, you'd use a lightweight agent, which is not a kernel-level agent; it sits in what's known as the user space.
So very, very lightweight, very easy to deploy, very easy to just drop agents out to individual machines or endpoints or servers across the business. We would typically, you know, set up within a couple of weeks to then drop the agents.
So, for example, if we were to run a short proof of concept, you could set that up in less than half a day. You could drop the agents there; they communicate back to an on-premise server.
And then ultimately, as I described before, we have over 300 pre-configured alerts, and you can then pick and choose which ones you would want to turn on on day one. But ultimately you have a huge amount of configuration that's already been done for you out of the box.
So, you know, again, it obviously depends on the size of the organization, but within, you know, two to four weeks, you could have a fully operational system up and running, which is a huge difference to maybe a DLP-type technology that may also be addressing data exfiltration concerns, et cetera, but that could potentially take you years rather than weeks to deploy and get operationally functional.
Okay, great. And with that, we have reached the end of today's webinar. Thanks a lot, Simon. Thank you to all the attendees and future listeners of our recorded webcast.
I hope to see you in one of our future KuppingerCole webinars, and have a nice day.
Thank you everybody.