Following our piece about Insider Risk Awareness Month, here is an excellent example of the challenges in effectively mitigating insider risks. While insider risk management (IRM) solutions can identify behaviors that may go unnoticed by security teams, automated responses should be part of an overarching data protection program. It’s this blend of people, process, and technology that helps organizations protect sensitive data.
On the surface, IRM offers protection from behaviors that may put sensitive data at risk. But, as a recent story from the NBA illustrates, not all IRM solutions have the enforcement capabilities needed when things get too risky. To summarize the piece, the New York Knicks have sued the Toronto Raptors and several individuals, including their head coach and a former Knicks employee, for allegedly illegally obtaining proprietary information from the Knicks. The theft involved over 3,000 files, including scouting reports, plays, and video clips. While the Knicks had an insider risk program, it failed to intervene when needed. (For those who have been in the DLP, Insider Risk, and F1 world long enough, perhaps the details sound somewhat familiar.)
In the scenario above, the cybersecurity team had protected sensitive data. They deployed an IRM solution, and it was able to flag the unusual activity. The problem was that once the activity was flagged, no automated response stopped those high-risk activities.
This is the classic case where a DLP solution can augment an IRM solution. IRM sees behaviors and can spot when they are unusual; DLP can rely on policies and take action. Combine the two, and you can see both sides of the same coin. This enables more accurate automated decisions and more detail for forensic analysis of incidents.
The last line in the original article suggests a key capability of an IRM solution:
“Why the IRM team used technology that did not prevent the transference of data in a more proactive manner is unknown.”
Per the 2023 Verizon Data Breach report, insiders inflict 20x the damage of external attacks. How does your IRM vendor cover that need?
Why don’t all companies have IRM and DLP? Resource constraints and complexity. The cybersecurity talent shortage is not new, but it persists. Two distinct products that deliver a somewhat overlapping solution will further challenge that talent gap. Businesses decide what to include in their security stack; there was likely a conversation about the costs/benefits of IRM and DLP, and inevitably, things get cut.
Legacy DLP solutions are overly complex, have too many false positives, and can break business processes. Moreover, they are often blind to insider risk. Standalone IRM, too, has shortcomings. It’s frequently limited in scope, can cause privacy concerns, and lacks active controls to stop data loss. There needs to be a better option that addresses IRM and DLP use cases without the overhead of two platforms.
The Reveal platform from Next is a unified IRM and DLP solution that adapts active DLP controls based on machine-learning-derived IRM insights.
Reveal’s IRM capabilities focus on “who” and “how” and rely on machine learning to flag unusual actions that represent data risk. The DLP capabilities focus on the data and rely on prebuilt rules to stop expected risky behavior. The result is an optimized balance of insider risk insights that can be acted upon with DLP’s controls.
Several analysts have discussed how IRM and DLP are converging, most recently in the 2023 Gartner Market Guide for Data Loss Prevention.
“Gartner sees that DLP vendors are increasingly converging with insider risk management platforms. This convergence enables better detection of data exfiltration as it enriches DLP events with anomalous user behaviors, improved risk scoring and real-time monitoring capabilities.”
Want to learn more? Watch an on-demand demo of Reveal.