Preempt is a Behavioral Firewall; it understands the behavior of every user in the company, starting with the low level employees and all the way up to the senior management boards. It starts with knowing the user’s working hours, IP addresses and devices they are using to access the network, and continues with more personalized data such as knowing which servers that user is permitted to access and which ones are off limits. Once a user’s behavior is understood, you can respond to any changes that may occur, indicating the possibility of insider threats. Say an employee suddenly accesses 4 different servers; that doesn’t necessarily mean trouble; a quick background authentication can validate the user’s identity to confirm that they are who they say they are.
How does it work?
What we do is sit in front of the Active Directory domain controllers and monitor the traffic. We can see what everybody in the organization is doing, what servers they’re using, whether they’re using local or remote endpoints, and we understand the patterns. We also take data from other sources, such as security tools used by the company such as login data and email security gateways like Cisco. By profiling the users, we can tell if someone is more likely to click on a phishing email and act upon that knowledge in advance; we know exactly who has standard access and who’s a privileged user, and we can identify consultants and contractors from executives etc. We are then able to build a policy with a set of rules that determine what happens if someone’s behavior changes; for example, if a user is accessing a new critical server, they will need to confirm their identity before they can proceed, and if a service account is performing a login, we know that it may have been compromised and requires immediate action and/or observation. We’ve managed to tie user behavior with adaptive responses, so it looks like a firewall, but it’s actually much more dynamic and allows us to respond in real time. We work with many organizations, from under 100 employees to thousands of them. Our product sits on the network, so it’s not an endpoint solution, it’s a virtual appliance you can put anywhere you want, and it’s all managed from one central management system.
Is your solution automatic or does it require people to operate it?
Many of the incidents are auto resolved and don’t require any human intervention. Some companies choose a more conservative approach, allowing a security analyst to look at incidents, send them for review and take action. This is the power of the solution, it has a flexible policy for different threats; it can isolate the user or endpoint without disturbing the rest of the organization, and it can give many different responses according to the organization’s policy. The idea is not to stop business processes, but to ensure they remain secure. The fact that behavior is so dynamic requires us to do a whole lot of learning. Most access is controlled by identity. Depending on the time of the day, where you are and what you’re working on, we are able to detect if a user is doing something they shouldn’t, and take action to preempt a threat where needed.
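The two answers above describe a baseline-then-policy loop: learn which servers, source hosts and hours are normal for each account, then map deviations (a new critical server, a service account logging on interactively, off-hours access) to a graded response such as step-up authentication or isolation. The following Python sketch is an added illustration of that idea, not Preempt's product code; the log format, the server and account classifications, and the rule names are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real logs). Each line is
# "timestamp|user|source_host|target_server|logon_type".
BASELINE_LOG = """\
2017-05-02T09:12:00|alice|ws-mkt-07|fileshare01|network
2017-05-02T10:40:00|alice|ws-mkt-07|mail01|network
2017-05-03T09:03:00|alice|ws-mkt-07|fileshare01|network
2017-05-02T08:55:00|bob|ws-fin-02|fin-db01|network
2017-05-03T17:20:00|bob|ws-fin-02|fin-db01|network
2017-05-02T02:00:00|svc-backup|bk-srv01|fileshare01|service
2017-05-03T02:00:00|svc-backup|bk-srv01|fin-db01|service
"""

CRITICAL_SERVERS = {"fin-db01", "hr-app01"}   # assumed classification
SERVICE_ACCOUNTS = {"svc-backup"}             # assumed classification
WORK_HOURS = range(7, 20)                     # assumed 07:00-19:59 local time

# Responses ordered from least to most disruptive; the most severe rule wins.
SEVERITY = {"allow": 0, "observe": 1, "step-up-auth": 2, "isolate-and-alert": 3}


def parse_event(line):
    """Split one pipe-delimited log line into an event dict."""
    ts, user, src, dst, logon_type = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "logon_type": logon_type}


def build_baseline(log_text):
    """Learn, per user, the servers, source hosts and hours seen in normal activity."""
    profile = defaultdict(lambda: {"servers": set(), "hosts": set(), "hours": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        p = profile[ev["user"]]
        p["servers"].add(ev["dst"])
        p["hosts"].add(ev["src"])
        p["hours"].add(ev["ts"].hour)
    return profile


def evaluate(event, profile):
    """Return (response, triggered_rules) for one new event judged against the baseline."""
    reasons = []
    user, dst, hour = event["user"], event["dst"], event["ts"].hour
    p = profile.get(user)

    # A service account should never perform an interactive logon; treat it as
    # a likely credential compromise and contain it immediately.
    if user in SERVICE_ACCOUNTS and event["logon_type"] == "interactive":
        reasons.append(("service-account-interactive-logon", "isolate-and-alert"))

    if p is None:
        reasons.append(("unknown-user", "step-up-auth"))
    else:
        if dst not in p["servers"]:
            # First-time access to a critical server forces identity confirmation;
            # first-time access to an ordinary server is only observed.
            if dst in CRITICAL_SERVERS:
                reasons.append(("new-critical-server", "step-up-auth"))
            else:
                reasons.append(("new-server", "observe"))
        if event["src"] not in p["hosts"]:
            reasons.append(("new-source-host", "step-up-auth"))
        if hour not in WORK_HOURS and hour not in p["hours"]:
            reasons.append(("off-hours-access", "step-up-auth"))

    if not reasons:
        return "allow", []
    response = max((r for _, r in reasons), key=SEVERITY.__getitem__)
    return response, [name for name, _ in reasons]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for line in ["2017-05-04T11:00:00|alice|ws-mkt-07|hr-app01|network",
                 "2017-05-04T03:00:00|svc-backup|ws-fin-02|fin-db01|interactive",
                 "2017-05-04T09:00:00|bob|ws-fin-02|fin-db01|network"]:
        print(line.split("|")[1], "->", evaluate(parse_event(line), baseline))
```

The baseline here is a plain set membership check; a production system would weight it by frequency and recency, but the shape of the decision (classify the deviation, then pick the least disruptive response that still contains the risk) is what the interview describes.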
Have you found any behavioral patterns with your customers?
We’re seeing 2-3 patterns. Many companies want control over their privileged users, while others are more concerned about contractors and external consultants. At the end of the day, they all want to have visibility. We provide that visibility by telling you where your service accounts are, which ones are stale and which are risky, and we give insights on your infrastructure so you can get a sense of what’s going on and who’s doing what.
Can you characterize a malicious insider?
Companies trust their employees, giving them access to just about everything, and that’s the challenge. According to the Dimensional Research report released last week, about 87% of IT security professionals are more concerned about naive employees that bend the rules to get things done, than about malicious insiders. So there are people who unintentionally do things they shouldn’t and employees who are knowingly doing insecure things because they want to get their job done faster or easier. This puts the company at risk. There are also malicious insiders who are knowingly doing insecure things for personal gain. There could be a variety of motives for insiders to do bad things, for example, if someone is not happy with their work or is planning to leave, or if they’re looking to make some extra cash by selling insider information. Today, many security companies are focusing on what’s happening on the perimeter, but once the hacker gets past them, there’s not a lot to protect you. Let’s say someone unknowingly deploys malware on a laptop in the office because they clicked on a phishing link. The hackers can control that laptop and get credentials which are also used on another laptop, causing a chain reaction, so even though the hacker is outside, it’s easy to see the behavioral difference that will allow you to explore further. We can challenge the user with an extra layer of authentication and we can block them if needed.
Do companies tell their employees about your system?
Most companies don’t tell their employees about it, because they want to monitor their employees’ behavior objectively. My hope is that in the future, more companies will share this information with the users, to help educate them about best practices to protect data. Employees are the weakest links because they make the most mistakes; if businesses can share info with the users, people will get a better understanding of what they should and shouldn’t do, resulting in them doing more of the good things and less of the bad things. My belief is that companies that do share this information will end up more secure.
How do companies react when insider threats are detected?
There are many different ways they could react based on the type of threat, the kind of user and the asset being targeted. For example, if a marketer suddenly goes to the HR server or the finance server that they don’t have permissions for, they will need to verify their identity. In this scenario, the employee will know they did something wrong because they will be asked to verify their identity and they would be blocked from accessing the server. So, they know their actions are being tracked. There’s no generic answer as each scenario and the response could be different based on the company and the risk.
What would you advise to companies who wish to secure their networks from the inside?
First, companies should get a better understanding of the kind of access people have and reduce it to the minimum possible. In many cases, employees have access to more than what they need to do their jobs. Secondly, they should educate employees on the implications of their actions. In most cases security training only happens about once or twice a year, and people forget what they were taught; but, if the info comes in real time as a response to actual insecure activities, it will help them stay alert and stick to best practices. For instance, if a password is too weak, we can provide real-time feedback telling the user to change it, or if a phishing email arrives, we can send a warning directly related to an action they took. The more awareness of user behavior, the more secure and effective the business will become.
How do you see the future of enterprise information security?
Over time, in the world of dissolving enterprise perimeters and hybrid networks, security enforcement is going to be based upon user identity; and not just a static identity, but behavior-based identity. Behavioral Firewalls enable that transformation.