Network Security

Why Organizations Fed Up With Data Being Breached Need Insider Threat Detection

Expert Insights talks to Patrick Knight, Senior Director of Cyber Strategy and Product Management at Veriato, to talk about the importance of employee monitoring for rounded cyber security.

Article thumbnail image

Insider threats are a growing security problem for businesses everywhere. In fact, up to 60% of cyberattacks come from within the organization itself. Attacks can come from employees (intentionally or unintentionally) leaking sensitive information, installing malware or falling for a phishing attack.

Security vendor Veriato has created a platform which they argue can help to reduce the risk to businesses from insider threats.

We sat down with Patrick Knight, Senior Director of Cyber Strategy and Product Management at Veriato, to discuss how businesses can stay secure from growing threats.

Could you tell us a bit about who you are and what Veriato does?

I’m the product manager for our Insider Threat protection technology, Cerebral, which is a combination of user activity monitoring and user and entity behaviour analytics. Both components help to limit inside threats within the business.

On one side, activity monitoring provides detailed evidence that employers need to do an investigation in the event that a trusted insider has mishandled information. On the other side, user behaviour monitoring and analytics (the machine learning component) helps you look at the large organisation over time and protects privacy.

Cerebral is a software-based solution that uses a server and an endpoint client or agent. It’s installed on all the endpoints you want to monitor in the organisation to track user activity and prevent cyberattacks.

Is it important for businesses to be monitoring employees?

Absolutely. In this day and age of massive data breaches, it’s not a matter of if, but when.

In fact, there are stats that project that as many as 60% of all breaches are caused by a trusted insider, whether accidental or not.

Our technology gives you the ability to look at data breaches and say, ‘Oh it was an accident, we need to work on education,’ or to determine if employees are willfully looking for somewhere to leak data.

What kind of data is Veriato protecting?

If you’re a financial organisation, it’s probably financial data. If you’re a healthcare organisation, it’s probably patient information. Every organisation has data that they need to protect. And there are a variety of ways it can fall into the wrong hands.

When organisations give insiders access to their data, it’s assumed that they will handle it appropriately. But maybe the insider’s life is in a bad place, or they want to seek revenge on the business, or simply be fooled by a phishing email — there are dozens of reasons that insider attacks happen.

Data can be walked out the door by a trusted insider, downloaded to a USB stick or uploaded online. Employees can even sabotage or breach systems and pass information to competitor organisations — and it happens more frequently than you’d think!

Any way it’s carried out, willfully or accidentally, compromised data security causes serious problems for the business. Veriato works to prevent this from happening.

What sort of monitoring is carried out, is it all end user desktop activity?

It’s essentially monitoring everything — all activities that occur on the endpoint that are generated by the user.

However, you can narrow it down if you need to. For example, based on data protection regulations.

For those organizations with heightened concerns over employee privacy, our user and entity behavior analytics is the perfect solution. It uses machine learning to examine a user’s activity changes over time and even compares groups for anomalies. If the machine learning indicates there is cause to investigate, the security team can then react and examine the detailed forensics data. If that machine learning anomaly never occurs, the activity is never sent to the Cerebral server and privacy concerns are abated.

How do admins get visibility over this data, can they see it in real time?

The alerts are in real time, with constant visibility. The user gets reports, real time alerts, and dashboards.

Our solution is also configurable to the organisation’s needs. An administrator can oversee everything, department managers can oversee the activities of the people in their jurisdiction — it depends on the structure of the business.

This goes for monitoring alerts as well. For example, if an employee is low-performing, Cerebral provides evidence that shows that they’re using their work computer for personal use. Or, in the event of a crime being committed, we give the necessary evidence, such as a full video playback that shows whether an attack was planned or accidental.

These are just a few examples that would go to the manager, but there are plenty of others.

So, take me through a breach. Say I want to download something on a USB stick and walk out of the office, how does your platform stop that?

We have an agent on every device, so we can look for specific activities. This means we can tell when files are being copied to external storage, or when large amounts of files are being emailed or uploaded to a cloud storage platform like Google Drive or even the dark web.

We are constantly collecting data so that, in the event of a breach, we can look at all of the activities that led up to it. Organisations therefore get the full context, which is what a lot of other solutions miss. If they’re at the network layer, for example, they may see the data being exported. But they don’t have the contextual visibility of what occurred on that endpoint leading up to the event.

That’s how we stop breaches. We not only provide visibility into the breach itself — we provide visibility into what led up to it. If a user’s risk profile changes, the policy for that user can be changed to block data uploads and prevent breaches.

What types of companies need this technology, is it mostly larger enterprises?

Every organization, regardless of size or industry, has some data protection need. Whether that is due to industry compliance regulations such as HIPAA or PCI, or sensitive intellectual property protection concerns or simply worker productivity or harassment issues, a technology to give that needed visibility to identify fraud or breaches is constantly growing globally.

Organizations are now being held liable for data breaches. It doesn’t matter if the breach was due to external attacks or internal ones – accidental or malicious – data protection legislation and regulations are focusing on the organization who collect the data for protecting it.

This means organizations of any size or industry have a gaps in their security when it comes to those individuals with authorized access and passwords to the data.

Alongside Cerebral and Investigator, Veriato also offers Ransomsafe. Can you tell us about that?

My background includes 12 years in the anti-malware industry. Anti-malware is blocking and protection against malware, including ransomware. But there’s still headline after headline of companies crippled by malware infections. Why are these organisations still suffering infections and downtime, and having to pay these ransoms, if the Endpoint Protection is so effective?

Well the answer is, they’re not. Because they’re signature based, and they’re good at detecting what they’ve already seen, but not good at detecting the new stuff, that’s coming out tomorrow. So, we’re not trying to be an anti-malware solution.

Instead, we understand what ransomware does, which is to try and encrypt your data. When we see that, we immediately lock out that account and back up all the data. So, you don’t lose anything.

For my last question, can you summarize why our readers would need this product?

Data breaches are not going away — they are only going to continue to grow. There’s no regulation around how much data organisations can collect on users, and breaches are not unique to any type of data. So, your use case could be vastly different, but the size and impact of that data being breached is not — a breach can cripple your organisation and cost a significant price.

It can sometimes take months for breaches to even be identified. Would you know if data was walked out the door by a trusted insider? How long would it take you to find out it had been sold to a competitor on the dark web? How do you remediate against an attack when it has been several months?

This is the value of Cerebral. We monitor to give you real-time visibility and spare enormous expense and uncertainty. There’s no size limit to the problem, and the scope is enormous. Dealing with that scope is the problem we’re trying to solve.


Insider threats are only going to grow more prevalent as cloud based technologies make it easier for company data to be accessed anywhere, at any time, by trusted insiders.

Knight makes a powerful point that a company with only 10 employees can easily collect data on millions of people, with no regulation to stop this. Platforms like Veriato could become vital tools for all companies to protect this data.


Read independent reviews of the top cyber security products and services: Expert Insights

Find out more about Veriato: Veriato Home