
How User Activity Monitoring Helps Put Human Behavior into Context

Andrew Distler, Principal Consultant, Data Protection and Insider Threat, Everfox

  

Traditional Insider Risk & User Activity Monitoring Programs

Everybody knows why Insider Risk Programs exist: mainly, to protect the organization from witting or unwitting risky activities performed by individuals with access. Of course, that’s not the only definition, and the wording may vary, but that’s usually the gist of it. Regardless of the words, that sentence just screams “we’re here to catch bad actors and stop bad things!” Which is true. However, this sentence isn’t: “We’re ONLY here to catch bad actors and stop bad things!”

Effective Insider Risk Programs

Mature Insider Risk programs are doing much more than that. They exist to enable organizations to become more efficient, to streamline processes, and to provide a mechanism for greater collaboration. Often, that means not finding the “bad actor” but instead proving that one doesn’t exist. I’ll quote a mentor of mine who molded my thinking in the Insider Risk space: “We’re here to put human behavior into context.” Nothing puts human behavior into context better than User Activity Monitoring (UAM).

Why Context Matters

CASE ONE - Potential Data Theft

Case in point: I was working at a DoD site when we were alerted by our security team to potential data theft. An employee was seen by a co-worker printing out a massive amount of sensitive material. This seemed very odd to the reporter, so they alerted security. Now, prior to the stand-up of our Insider Risk Program and rollout of UAM, this would have meant a security investigation, interviews, and a forensic log pull: the whole nine yards. However, since we had streamlined this process ahead of this incident, Internal Security allowed us to take the first look before performing any action.

Five minutes was all it took.

Clear Context

With the email collections generated by UAM, we could clearly see the communication from the individual’s supervisor asking for the documents to be printed prior to a major briefing.

Case Closed.

CASE TWO - Employee Productivity

In a similar instance, there was a report to our network defense team that an individual spent all of their time on YouTube. As “employee productivity” was the trend at the time, the network defense team verified, via network logs, that it was indeed true: this employee was on YouTube during most of their workday.

OK, now we have a report of activity and solid evidence to support the claim. This person should be let go, right? Wrong.

Because our Insider Risk team had a collaborative relationship with our network defense team, we were often utilized to verify information they identified in their logs. We were able to review video collections captured by User Activity Monitoring to determine that yes, the employee was often on YouTube – on one of their three monitors. Listening to music on YouTube was not a violation of any policy, and video recordings showed the employee diligently working on the other two screens.

Case Closed.  


Reduce Mean Time to Investigate (MTTI)

Insider Risk Programs come with a cost, both in manpower and money. But when we talk about justifying a program through metrics, it’s important to not only note how many “bad actors” were caught or how many “bad things” were detected or thwarted. It’s also important to clearly call out the cost savings of collaborative programs and how a tool like User Activity Monitoring can, in a matter of moments, save you hundreds of hours in investigative steps like interviews or forensic reviews.

Of course, we must not forget that we’re also here to protect the individual employee. Whether it’s to detect the bad – or prove it doesn’t exist – UAM allows Insider Risk teams to see what traditional investigative steps cannot and provide insight that truly allows us to “put human behavior into context.”

Empower your team with transparency. Discover how Everfox Insider Risk Solutions provide the tools to monitor user activity while helping to protect both organizations and employees. Explore our User Activity Monitoring Solutions or get in touch to learn more.