Proofpoint this week unveiled a new platform it says will improve insider risk detection and response. The cloud-based ObserveIT Insider Threat Management (ITM) platform, which builds on the company's ObserveIT platform, adds user risk analysis, greater visibility, data interaction and threat context for detecting and preventing insider risk.
The insider threat platform combines the capabilities of user behavior analytics solutions, the ability to track endpoint-based interaction with data and files, and workflow capabilities to accelerate incident response, explained Josh Epstein, Proofpoint's vice president of insider threat management.
Insider threats, which can be caused by negligent insiders, malicious insiders or credentialed thieves, are a persistent issue for organizations of all sizes. A report released earlier this year, for example, showed a significant increase in both the frequency and cost of insider threats during the past two years. It found that incidents had grown by 47% since 2018, and the average global cost of insider threats grew by 31% during that time.
The platform's insider threat detection capabilities are designed to reduce the frequency and severity of incidents by reducing the mean time to detect (MTTD) insider incidents. A prebuilt library of threat scenarios can trigger alerts on risky or anomalous behavior. Teams can also build rules or policies using a flexible rules engine that accesses data about user activity, application use, endpoint resources and data interaction. Threat-hunting utilities allow organizations to build custom visualizations that help spot concerning trends and threat signals.
The second part of the insider threat platform is its integrated response workflow, which allows security teams to securely share information cross-functionally. This helps ensure that all people who may be involved in an organization—security, human resources, compliance, legal and line-of-business managers—can be part of the workflow.
Together, these features can help protect activity associated with high-risk user groups, such as contractors, departing employees and privileged access users.
Proofpoint's ObserveIT ITM is intended to complement other security solutions instead of replacing them, Epstein said. In fact, it is frequently integrated with Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms and can be an important part of cybersecurity strategies including security awareness training and cloud- or email-based information protection solutions.