Joseph Bell On Tackling Insider Risk

Joseph Bell, Chief Information Security Officer at Everfox, discusses how IT and security teams can work together to stop attacks that are coming from within the organization—without losing the trust of their end users.

Expert Insights Interview with Joe Bell of Everfox on Tackling Insider Risk

Often when people think about cyber threats, they imagine an external threat actor trying to gain access to their organization’s network to cause damage and steal data. Because of this, businesses tend to focus their cybersecurity efforts on preventing malicious external actors from getting in, or quickly detecting them should they manage to gain access. But sometimes, the threat is a little closer to home. Insider risks, or insider threats, are caused by someone who’s authorized to access a network. This could be a current or former employee, a consultant or board member, or even a business partner. And because these attacks come from within, they’re notoriously difficult to identify.

“Insider threats are tricky to detect and track because IT security teams need complete visibility into all user activity, which is really difficult to do while still maintaining employee trust,” says Joseph Bell, CISO at Everfox.

Everfox, formerly Forcepoint Federal, is a cybersecurity provider that offers a suite of innovative, high-assurance solutions designed to protect organizations against complex cyber challenges, such as zero-day attacks and insider risk.

Joseph has two decades of technical experience in the IT security space, having previously held directorial roles at Verisign and Raytheon. In his current role at Everfox, Joe is building an information security program that will ensure Everfox is ready to target and prevent some of the most complex cyberthreats organizations are facing today.

In an exclusive interview with Expert Insights, Joseph discusses the tools and techniques that IT and security teams can use to stop attacks that are coming from within the organization—without losing the trust of their end users. You can listen to our full conversation with Joseph on the Expert Insights Podcast.

Insider Risks Are Tough To Detect

While, by definition, insider risks cause damage to an organization, that damage isn’t always intentional.

“There are three common types of insider risk, or insider threats,” says Joe. “The first is your intentional insider—this is the person that’s intentionally trying to exfiltrate corporate sensitive information.

“Then you’ve got the accidental risk category, where for example someone is copying a folder from point A to point B, and they simply don’t know that that folder contains sensitive information.

“And then there’s the intentional but not malicious insider threat, where you’ve got, say, software developers who’ve developed code as part of their job for some project or program, but then when they go to leave the company, they believe that they’ve got some ownership rights over that code, and they look to take that code with them. They think that data is theirs to some degree, but in fact, it’s not; it’s intellectual property belonging to that company.”

The fact that insider risks can be accidental makes these threats very difficult to detect, as IT and security teams have to continuously monitor user behavior in order to spot any anomalous activity. And unfortunately, that problem is exacerbated by the fact that organizations are most at risk of insider threat during periods of transition—when their IT and security teams have a lot of other tasks to focus on.

“Organizations become very vulnerable or susceptible to insider risks as new processes are being implemented,” says Joe. “There are gaps created for where malicious insiders are able to act, and then their actions or activities go unnoticed.

“There’s also the added ‘opportunity’ for an insider threat when it comes to remote and hybrid work settings. There are many organizations out there today that are simply not monitoring their employee actions or behaviors as closely as they should.

“In order to effectively detect insider risks or threats, IT security teams need a solution that can not only collect behavioral data across channels, but also deliver insights and analytics that really allow the organization to accurately identify, respond to, and then resolve high risk behaviors before a true malicious or harmful event occurs to that company.”

Tackling The Risk With The Right Tech

There are three main technologies that IT and security teams can use to tackle insider risks and threats. The first of these is user activity monitoring, or UAM.

“User activity monitoring is among the most effective solutions out there today for identifying and reducing insider risk,” says Joe. “These solutions allow IT and security teams to monitor risky user activities and then track those trends in real time over a historical period of time. Some of the more advanced solutions are very effective at flagging anomalous behaviors that deviate from an established baseline, and can also understand user intent through context-sensitive analysis.”

UAM solutions are particularly effective when implemented alongside a behavior analytics solution. These tools analyze the data provided by the UAM solution, looking in particular at the context around each user activity, and they assign each activity a risk score. This enables IT and security teams to prioritize their remediation efforts to focus on the most high-risk behaviors.
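The baseline-plus-context scoring that the two paragraphs above describe can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from Everfox or from any UAM product: it builds a per-user baseline of daily outbound data volume from constructed sample events, flags a day whose volume deviates sharply from that baseline, and then adds context weights (sensitive channel, off-hours activity, a hypothetical "leaver" flag) to produce a 0–100 risk score with the reasons attached. The action names, weights and thresholds are assumptions chosen for the example.

```python
"""Baseline-deviation risk scoring over constructed user activity events."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    day: int        # day index within the observation window
    action: str     # hypothetical UAM action name, e.g. "file_copy", "usb_write"
    bytes_out: int  # bytes moved off the host by this event (0 if none)
    hour: int       # local hour of day, 0-23


# Constructed sample telemetry (not real data): five ordinary days for "alice",
# then a sixth day with a large after-hours write to removable media.
EVENTS = [
    Event("alice", d, "file_copy", 40_000_000 + d * 1_000_000, 10) for d in range(1, 6)
] + [
    Event("alice", 6, "file_copy", 45_000_000, 11),
    Event("alice", 6, "usb_write", 900_000_000, 22),
]

# Assumed context weights: channels that move data off the network score higher.
SENSITIVE_ACTIONS = {"usb_write": 20, "cloud_upload": 15, "email_attach": 10}
BUSINESS_HOURS = range(7, 20)


def daily_bytes(events):
    """Total bytes_out per (user, day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e.user, e.day)] += e.bytes_out
    return totals


def baseline(events, user, through_day):
    """Mean and population std-dev of a user's daily outbound volume up to a day."""
    totals = daily_bytes(e for e in events if e.user == user and e.day <= through_day)
    series = [v for (_, d), v in sorted(totals.items())]
    if not series:                 # no history yet: no volume baseline to compare against
        return 0.0, 0.0
    return mean(series), pstdev(series)


def score_day(events, user, day, leaver=False):
    """Risk score 0-100 for one user-day, plus the contributing reasons."""
    mu, sigma = baseline(events, user, day - 1)
    today = [e for e in events if e.user == user and e.day == day]
    volume = sum(e.bytes_out for e in today)
    reasons, score = [], 0.0

    # Volume anomaly: z-score against the user's own history, capped so one
    # factor cannot saturate the score on its own.
    z = (volume - mu) / sigma if sigma else 0.0
    if z > 3:
        score += min(50, 10 * z)
        reasons.append(f"volume z-score {z:.1f}")

    # Context factors: which channel was used and when.
    for e in today:
        if e.action in SENSITIVE_ACTIONS:
            score += SENSITIVE_ACTIONS[e.action]
            reasons.append(f"{e.action} channel")
        if e.hour not in BUSINESS_HOURS and e.bytes_out > 0:
            score += 10
            reasons.append(f"off-hours activity at {e.hour:02d}:00")

    # Hypothetical HR context: a user in their notice period is weighted up.
    if leaver and score > 0:
        score *= 1.5
        reasons.append("user in notice period")
    return min(100, round(score)), reasons


if __name__ == "__main__":
    print(score_day(EVENTS, "alice", 5))                # ordinary day
    print(score_day(EVENTS, "alice", 6))                # anomalous day
    print(score_day(EVENTS, "alice", 6, leaver=True))   # same day, leaver context
```

The point of returning the reasons alongside the number is the one the article makes about prioritization: an analyst triaging a queue of scored days needs to see *why* a day scored 80 (volume far above baseline, removable media, after hours) rather than a bare figure, and the same explanation is what you would show the employee if the program is to stay transparent.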

The second tool that IT and security teams can use to combat insider risk is content disarm and reconstruction (CDR). Employees consume a lot of data every day in the form of text files and image files, such as Word documents, PDFs, and JPEGs. Threat actors can embed malicious code into these files so that, when a user downloads the file and shares it internally, they inadvertently help that threat actor to breach the organization and spread their attack across the network.

To prevent this, CDR solutions intercept files at the point of download or sharing, break them apart, and rebuild them using only the content that’s known to be safe. This means that any malicious content is removed from the file before it’s downloaded or distributed.
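To make the "break apart and rebuild from known-safe content" idea concrete, here is an added example, written for this article and not taken from Everfox or any CDR product. It treats a zip-based office document as a package of parts, rebuilds a fresh package containing only an allow-list of parts needed to render text and styles, and prunes the package's content-type manifest so it no longer references the parts that were dropped. The sample package, the allow-list and the part names are constructed assumptions; a real CDR engine also re-renders each kept part rather than copying its bytes, which this sketch does not do.

```python
"""Allow-list rebuild of a zip-packaged document (CDR-style), on constructed input."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Assumed minimal set of parts a document needs to render plain text and styles.
ALLOWED_PARTS = {
    "[Content_Types].xml",
    "_rels/.rels",
    "word/_rels/document.xml.rels",
    "word/document.xml",
    "word/styles.xml",
}
ALLOWED_MEDIA_PREFIX = "word/media/"   # images pass through (a full CDR would re-encode them)
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_sample_package() -> bytes:
    """Constructed sample: a document carrying a macro part and an embedded OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f"""<?xml version="1.0"?>
<Types xmlns="{CT_NS}">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
  <Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>
  <Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>
</Types>""")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<document><body><p>Quarterly report</p></body></document>")
        z.writestr("word/vbaProject.bin", b"\x00constructed-macro-placeholder")
        z.writestr("word/embeddings/oleObject1.bin", b"\x00constructed-ole-placeholder")
    return buf.getvalue()


def prune_content_types(xml_bytes: bytes, dropped: list) -> bytes:
    """Remove manifest Override entries that point at parts we did not keep."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml_bytes)
    gone = {"/" + name for name in dropped}
    for override in list(root.findall(f"{{{CT_NS}}}Override")):
        if override.get("PartName") in gone:
            root.remove(override)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")


def rebuild(package: bytes) -> tuple:
    """Write a new package from allow-listed parts only; return (clean_bytes, dropped_parts)."""
    src = zipfile.ZipFile(io.BytesIO(package))
    kept, dropped = [], []
    for name in src.namelist():
        if name in ALLOWED_PARTS or name.startswith(ALLOWED_MEDIA_PREFIX):
            kept.append(name)
        else:
            dropped.append(name)          # never copied: macros, OLE objects, anything unknown
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in kept:
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = prune_content_types(data, dropped)
            dst.writestr(name, data)
    return out.getvalue(), dropped


def list_parts(package: bytes) -> list:
    """Part names present in a package, in archive order."""
    return zipfile.ZipFile(io.BytesIO(package)).namelist()


def override_parts(package: bytes) -> list:
    """PartName values still referenced by the content-type manifest."""
    ct = zipfile.ZipFile(io.BytesIO(package)).read("[Content_Types].xml")
    root = ET.fromstring(ct)
    return [o.get("PartName") for o in root.findall(f"{{{CT_NS}}}Override")]


if __name__ == "__main__":
    clean, dropped = rebuild(build_sample_package())
    print("dropped:", dropped)
    print("kept:", list_parts(clean))
```

Note the design choice: the rebuild never tries to decide whether `vbaProject.bin` is malicious. Anything not on the allow-list is simply absent from the output, which is what lets CDR handle content that a signature-based scanner has never seen.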

The final tool that can help teams to stop insider risks is remote browser isolation. These technologies execute users’ online browsing activity in a secure sandbox environment that’s completely isolated from the user’s desktop—whether physical or virtual. This means that, when a user opens a webpage, any potential malicious content is contained within the sandbox, where it can’t do any damage. “From the user’s perspective, they see a familiar web browser,” explains Joe. “But behind the scenes, the remote browser isolation solution is isolating that web session to keep the malware from getting through to their actual desktop.”

Balancing Visibility And Trust

IT and security teams need full visibility into each user’s activity in order to identify insider risks. This, says Joseph, is very difficult to achieve whilst maintaining employee trust. However, it’s not impossible.

“Not only do [IT and security teams] need to work together to mitigate insider risks and complex threats, but they’ve also got to work within their organization as a whole to maintain employee trust,” he says. “Amid any kind of an insider risk program implementation, it’s critical that you’re communicating to your employee base what you’re doing, what it’s designed to do, and any impact that they will see [to their user experience]. Organizations and their IT teams and security teams must also clearly define the basis for tracking employee behavior […], and how to balance security and privacy to ensure transparency and accountability for all levels of the organization.”

There are a few ways in which they can do this, says Joe. First, they should look for a tool with in-built privacy protections, such as granular policy controls, role-based access controls, and data encryption in transit and at rest.

And just as importantly, organizations should look for a solution with a “fixed audit trail” that prevents the technology from being used improperly by persons who have access to sensitive company information.
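One way to give "fixed audit trail" a concrete meaning is a tamper-evident log of who used the monitoring tool and for what. The following is an added example written for this article, not Everfox's implementation: each record of analyst activity carries an HMAC over its contents and the previous record's MAC, so an edited or deleted record breaks the chain. It also shows the edge case a plain hash chain misses, silent truncation of the tail, and the check that catches it (comparing against a head value stored somewhere the analysts cannot write). The key, record fields and analyst names are constructed assumptions.

```python
"""Hash-chained, keyed audit trail for a monitoring tool's own usage (constructed example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64
CHAIN_FIELDS = ("seq", "actor", "action", "subject", "prev")


@dataclass
class AuditTrail:
    key: bytes                                   # held by the audit function, not by analysts
    entries: list = field(default_factory=list)

    def _mac(self, record: dict) -> str:
        body = json.dumps({k: record[k] for k in CHAIN_FIELDS}, sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, subject: str) -> dict:
        """Record one use of the tool, chained to the previous record."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor,
                  "action": action, "subject": subject, "prev": prev}
        record["mac"] = self._mac(record)
        self.entries.append(record)
        return record

    def head(self) -> str:
        """MAC of the latest record; publish this out-of-band to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head: str = None) -> tuple:
        """Return (True, None) if intact, else (False, seq of first bad record).

        A head mismatch with no broken record means the tail was cut off; it is
        reported as seq -1.
        """
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev"] != prev:
                return False, i
            if not hmac.compare_digest(rec["mac"], self._mac(rec)):
                return False, i
            prev = rec["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, -1
        return True, None


def scenario() -> dict:
    """Walk through the cases: intact, edited record, truncated tail with and without a head check."""
    trail = AuditTrail(key=b"constructed-demo-key-not-for-production")
    trail.append("analyst1", "view_session", "user:alice")
    trail.append("analyst1", "export_report", "user:alice")
    trail.append("analyst2", "view_session", "user:bob")
    results = {"intact": trail.verify()}
    head = trail.head()

    # An analyst rewrites what they looked at: the MAC no longer matches.
    trail.entries[1]["subject"] = "user:carol"
    results["edited"] = trail.verify()
    trail.entries[1]["subject"] = "user:alice"

    # The last record is deleted: the chain alone still verifies, the head check does not.
    trail.entries.pop()
    results["truncated_no_head"] = trail.verify()
    results["truncated_with_head"] = trail.verify(expected_head=head)
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

The head value is the piece that turns a chain into a fixed trail: write it to append-only storage (or have it countersigned by a second team) each time the log grows, and nobody with access to the log alone can shorten it unnoticed.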

“Ultimately, having the confidence that technology is being properly used—and ensuring that your employee base is aware of how that technology is being used—will go a long way to establish and build that trust that you need in that employee base.”


About Expert Insights

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.