Ophir Bleiberg leads the charter on emerging products at Imperva. He spearheads the Imperva CounterBreach product team. I sat down with him to get the scoop on what is happening in the marketplace on solutions for insider threats. He goes into great detail about what is missing in today’s solutions.
Q: Why are insider threats difficult to uncover?
There is a new realization within organizations that bad actors are going to get in. Perimeter controls are still an important part of enterprise security, but the reality is, users are your new perimeter. The risky aspect of this is that employees have legitimate access to important data to do their jobs. But, when users become compromised, are careless or have malicious intent, they become the weakest link in your enterprise security posture. Moving away from the assumption that you can keep hackers and insider threats out, organizations need a focused protection strategy for what matters most – and that’s protecting the sensitive and valuable data that resides on databases, file servers, and cloud-based applications.
Q: What are the current approaches to solving the insider threat problem today? Why do they fall short?
There are two main categories of solutions, both based on a Security information and event management(SIEM). The first one is a DIY and the second approach uses a User and Entity Behavior Analysis (UEBA) on top of the SIEM.
Current solutions fail because they are designed to detect malware and tools that hackers use. Current solutions completely miss the primary target of the attack: your data.
SIEM solutions generate an overabundance of security alerts, and security teams are unable to keep pace managing the sheer volume of data. DIY solutions have the challenge of continuous policy management and inability to integrate new infrastructure quickly.
UEBA solutions layer machine learning on top of SIEM solutions. These solutions flag unusual activity based on successful and failed logins to a wide range of IT assets. Hence, the UEBA are only good at detecting the side effects of compromised users, but not at pinpointing data breach incidents early in the cycle.
Q: Why is Imperva in a unique position to address insider threats?
We are seeing a change in the mindset of our customer base from prevention to detection. Rather than focusing on keeping bad actors out, it’s all about detecting that they are in and keeping enterprise data protected.
Insider threats have become the leading cause of data breaches. Imperva is in a fantastic position to help organizations address insider threats because we’ve been focused exclusively on protecting data for organizations across the globe for more than 12 years. With this expertise, we know data access better than anyone else and can very accurately distinguish between good data access and access that is cause for concern.
Q: What are you adding to the Imperva product portfolio?
CounterBreach takes Imperva security capabilities to the next level with brand new technology, based on machine learning, to help customers pinpoint data access behavior that is suspicious or out of the ordinary and potentially putting their data at risk. CounterBreach leverages Imperva SecureSphere technology, which monitors all access to structured and unstructured data repositories, and helps organizations answer the question: was access to this data okay? By providing additional context and highlighting worrisome data access incidents, security teams can perform more efficient investigations and stop data breaches originating from insiders
Q: Can you elaborate more on the layers within CounterBreach?
We took a layered approach to developing our data breach detection solution. The first layer of CounterBreach is called Behavior Analytics, our new machine learning technology that pulls in inputs from SecureSphere to perform anomaly detection. CounterBreach helps companies uncover incidents that may look like normal business activity, but in reality are very concerning. Unlike generic machine learning or behavior analysis solutions, our focused solution looks for activities which are both anomalous and potentially indicative of malicious activity.
The second layer of CounterBreach is called Deception Tokens. Deception tokens help pinpoint endpoint devices that have been compromised by an outside attacker. In our field testing, this technology has proven to be 100% false positive free.
This combination allows our solution to be both very sensitive and very accurate in pinpointing anomalies that are truly significant to the users.
Q: Please explain on how the combined solution has outperformed the current approaches
CounterBreach combines domain-tailored statistical methods that help us understand not only what is a-typical, but also what is “right.” It is the combination of these two that makes our solution unique in the market and raises actionable alerts to our users.
Behavior Analytics and Deception Tokens generate incidents in a new, very friendly user interface from Imperva. You can see which endpoints a user typically works from, as well as the databases, files and cloud apps they usually access.
Our solution combines incidents and visibility we gather from all of our sensors and bring them together into a holistic view of how the user is accessing company data. IT organizations can easily spot the riskiest individuals in his organization see how they normally behave and investigate their anomalous activity across data assets.
Once you see an anomaly, you can drill down into the audit trail to perform forensics, and you can also decide to quarantine a user from accessing data repositories until the investigation is complete.
Q: Can you please share with us the success of CounterBreach in customer deployments?
Experience with our many beta engagements has shown that most organizations have bad practices in place that put data in serious jeopardy and often bypass traditional tools like access permissions and auditing tools. One of the things CounterBreach will do is to uncover these threats. While most customers want to fix this, the reality is that these processes take time. We have structured our product in a way that both allows the owners of this system to demonstrate to their managers why this process is important and also supports the time-demanding process by introducing features like time-limited whitelisting. These features allow the customers to get instant benefits by getting their environments more secure.
The next set of discussions will focus on the Behavior Analytics and Deception Token technology that powers CounterBreach. More information about CounterBreach is available here.