
Insider Threat

The Challenge of Preventing Insider Theft
The privileged user is a unique role within an organization. These users are given the right to access sensitive applications and information on the express trust that they know and abide by all their governing policies. But this trust is very difficult to verify, and typical IT security controls are unable to monitor activity or enforce policy at the file, application, and user levels simultaneously. To mitigate the risk of a trusted user exposing sensitive data to a media outlet like WikiLeaks, organizations must implement technology that can:

  • Operate independently of any application or other security technology
  • Prevent itself from being disabled or circumvented by a knowledgeable user
  • Identify data by its context (file type, application source, network source, etc.)
  • Analyze data transactions in context (who is the user, what actions are being taken, when does the action take place, what applications are used, etc.)
  • Interact with the user before the risky transaction is complete
  • Initiate a response without necessarily preventing the user from doing their job
  • Deter or prevent data compromise while recording all events within an evidentiarily sound process

The Verdasys Difference

Verdasys Digital Guardian is designed, architected and deployed specifically to reduce the insider threat risk. It has been proven time and again by our customers to be a highly effective and comprehensive solution for detecting, deterring, and preventing insider threats, minimizing the likelihood your company will end up a headline due to WikiLeaks.

Digital Guardian Agents operate between the user and sensitive data to monitor and control the activities of anyone authenticated to an instrumented host system. Digital Guardian records and securely stores every privileged user’s activities as situationally aware and causal event logs with admissibility and weighted precedence as primary forensic evidence in criminal and civil cases, both domestically and internationally. The Digital Guardian Agent is stealthy and tamper-proof, making it a highly effective countermeasure against all levels of insider threats, including system administrators and IT security managers.

The Digital Guardian platform offers multiple automated policy enforcement options, available whether a privileged user is online, offline, or within a virtual environment. They are designed to fire only when risk thresholds have been exceeded, allowing users to work freely within their usage rights:

  • Incident Alerting: An alert that classified information was being copied to removable media would have warned the security team in real time that PFC Manning was allegedly copying files illegally.
  • Warning, Awareness, and Justification Prompting: If PFC Manning had been prompted in real time that his alleged actions were improper and being recorded he would have likely stopped his actions immediately. All activity would have still been securely recorded and alerts sent, while at the same time no data would have left the secure facility.
  • Encryption Controls: Policy-based encryption based on file classification and usage rights would have allowed PFC Manning to move the data to CD or USB, but would have prevented the loss of data as the content would have been encrypted with no ability to decrypt it outside of the secure facility.
  • Blocking: Although typically a control of last resort, blocking rules could be used to prevent classified data being moved to removable media, burned to CD/DVD or printed. Blocking rules can be activated by type of data including classification level, amount of data, or usage right of the user. PFC Manning’s alleged activities would have been blocked immediately.

Any one of these countermeasures could effectively deter a WikiLeaks-type incident. When used in combination as a “defense in depth” strategy, the insider threat would almost always be prevented: any privileged user would be accurately identified in real time attempting to compromise data, with forensic evidence that could be used for investigations and litigation; security team members would be alerted to the attempted compromise; and no data would leave a secured system unauthorized.

© 2012 Verdasys. All rights reserved.