Insider threats are often considered the biggest risk for organizations because they can cause the most destruction. Survey reports, and studies, have found that organizations have spent millions of dollars to recover from insider threat attacks. Proactively detecting and thwarting such threats is a critical aspect of robust information security governance. Doron Hendler, CEO, and Co-Founder at RevealSecurity, sheds light on a context-based detection model that analyzes activity sequences performed when using an application. According to Doron, this User Journey Analytics method is a ubiquitous detection model that can be applied to any SaaS and custom-built application. Since no rules are required, it eliminates the need to fully understand the application business logic.

Time Stamps

01:23

First, let's talk about your professional journey before we get into the details of insider threats, detection challenges, and solutions.

03:27

Doron, would you like to add to the reasons why we are having this discussion?

07:29

So, Doron, going back to monitoring using technology, share with the listeners what was the traditional method, what were some of the weaknesses of the traditional method, and what you and your company are offering by way of your platform.

12:23

So given this move to these more advanced, more sophisticated solutions, for folks who are listening in on this conversation, CISOs of companies who have the authority to make purchasing decisions, how do they go about evaluating the different products out there? What should they be looking for in terms of what would work best for their context for their environment? Any advice? Any suggestions?

14:34

What could be possible shortcomings of the user journey analytics approach?

17:26

If a company was going to adopt this (User Journey Analytics) technology platform, what kind of changes does it require? From a change management standpoint, what should an organization be prepared for?

19:13

When the user journey is different from the normal user journey, let's say abnormal user journeys are detected, how does the alert system work? Who is alerted? And is there a way of capturing or documenting whether organizations respond to those alerts?

21:57

How do you convince a potential buyer or potential customer to adopt this new technology solution? What does it take to convince them? What have you experienced when you have engaged with prospective customers? What are their concerns when they're evaluating such platforms?

24:53

I'd like to give you the opportunity to wrap it up for us with some final thoughts and advice.

Memorable Doron Hendler Quotes/Statements

"The highest risk in today's organizations, in our digital transformation, is our identities."

"If you cannot trust anyone, you have to monitor, you have to track, and you have to learn how to do this quickly, accurately, and automatically."

"Today's solution around detections, which are based on rules, basically provide very, very limited, ineffective detection, in the application layer."

"Accuracy comes with context, if you understand the context, you will have much better accuracy."

"This technology will offer a solution which is frictionless, that doesn't require major (organizational) changes or any changes."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Welcome to the Cybersecurity Readiness Podcast

series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

the book Cybersecurity Readiness: A Holistic and

High-Performance Approach, a SAGE publication. He has been

studying cybersecurity for over a decade, authored and edited

scholarly papers, delivered talks, conducted webinars and

workshops, consulted with companies and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia. As a Duke University

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Engineering in Cybersecurity program at the Pratt School of

Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Our discussion today will revolve around

insider threats, and how to proactively detect and thwart

this form of malicious attack. I'm indeed fortunate, in fact,

we are fortunate to have with us Mr. Doron Hendler, CEO and

Co-Founder of RevealSecurity. Welcome Doron!

Hello, welcome. Hi, Dave, thank you for inviting

me.

Sure, sure. Looking forward to learning a

lot from you about your journey. So let's do that first. Let's

talk about your professional journey before we get into the

details of insider threat, detection challenges, and

solutions.

So I'm in the High Tech for more than 30 years

doing different types of journeys in different

industries, different skills. Basically, I've done business

and traveling from almost Australia to Brazil and did

businesses across companies, across industries, in different

geographies. And I was fortunate to get into RevealSecurity

mainly because, a few years ago, I was a social engineer, then by

mistake, I was hacked by somebody that called me and by

mistake, I made a terrible mistake by not notice that

somebody is social engineering me and I consider myself as a

sophisticated user. And when I called to this insurance company

that I realized that I've been hacked, I told them what

happened. And I asked them to basically close my online portal

and credentials and reset my credentials. And they did so.

And when I spoke to the CISO, she was telling me that I don't

have to be worried. And I asked her why. And she said, because

it happens to so many different people, even the sophisticated

one, and I asked her how come you don't have any technology

solution in place that can detect that somebody is

basically impersonating and doing malicious activities on my

behalf on my name. And she said that they do have technology,

however, it takes them forever to detect and once they detect

it's already weeks after the incidents, and it's not

accurate. And it's it's it's a problem. And when I heard that

this is a problem, I thought to myself, alright, this is an

opportunity. And this is how we started RevealSecurity. David

and myself, my co-founder and partner along alongside with

Adi, who is System Architect.

Fantastic. So that's great that you

experienced something which motivated you to address a need.

And I can't emphasize enough how important it is to develop

solutions, whether that involves a specific technology, process,

people, whatever that might be, because we could do with all the

help that's necessery. I'd like to give the listeners a little

bit of a background on insider threats, and then I'll turn it

over to you because you are the expert here. So, as our

listeners must be aware, insider threats are often considered the

biggest risk for organizations because they can cause the most

destruction. In fact, survey reports, studies, have found

that organizations have had to spend millions of dollars to

recover from insider threat attacks. And if you think of

some of the well known attacks, probably the GE attack will come

to mind, where employees stole trade secrets to gain a business

advantage. Then we are also very familiar with the Capital One

breach, which happened in 2019, which was carried out by a

former software engineer from Amazon Web Services, which was

basically the hosting company for Capital One. I also was

intrigued to read about a disgruntled employee who was

able to gain access to Tesla CEO Elon Musk's privileges to make

direct code changes to the Tesla manufacturing operating system

under false usernames and exporting large amounts of

highly sensitive Tesla data to unknown third parties. So these

are very concerning. Doron, would you like to add to the the

reason why we are having this discussion?

So rightfully said Dave, the highest risk in

today's organizations in our digital transformation is our

identities. So in many of the cases, we're moving from known

people that work in the office on a day to day basis, to

identity, digital identities, this is a digital world. And the

ability to actually understand who does what in our corporate

business application is one of the major challenges in today's

world. Because once you move to the cloud, once you move to SAS,

it's it's all about you and the application and what you do. If

you connect more applications from a marketplace, then

basically you enrich the connectivity and data and flows

and activities between applications, and the one that

knows all of our all of our secrets, and all of our

solutions that basically should protect ourselves, are the

people that have the privileges and the ones that that actually

knows, and protect us, I like to give this analogy for the guard

that basically sits and in the entrance of many offices, this

guard knows about all the alarm systems, and all the checkups,

and all the procedures in order to do this monitoring. But what

happens if we cannot trust this guard? What happens if this

guard is doing malicious activity? How would you if you

cannot trust this guy? And at the end, people say, okay, but

are you monitoring your internal employees? Are you monitoring

your partners? So now I'm trusting my systems to basically

monitor privileged accounts and accounts and actions. And I'm

looking for anomalies because I want to protect the company, I

want to protect our business, collectively, me as a security

officer or, or as an executive. And one of the challenges is if

you cannot trust no one, and you have to monitor and you have to

track and you have to learn how do you do this quickly,

accurately and automatically.

True, very true. And you mentioned trust,

and hope you will agree that we are moving in the direction of

Zero Trust, that yes, we should be trusting people who are

working for an organization who are loyal to the organization or

holding responsible positions. But there is enough evidence to

suggest that things happen in people's lives, people get

fired, people have tough economics times, which often

serve as a motivator to engage in disruptive acts. So

therefore, it is imperative that organizations arm themselves for

lack of a better word with the best possible solution,

technology solution, which will do the work for them, whereby

everybody is being monitored. So there is no discrimination of

any sorts, where technology is being used to monitor, carefully

monitor. So, Doron, going back to monitoring using technology,

share with the listeners, what was the traditional method, what

were some of the weaknesses of the traditional method, and what

you and your company are offering by wave of your

platform.

So today's detection technology,

predominantly, in the application space, I would say

based on rules. Now rules are were set and developed mainly

around patterns and scenarios, which have been identified, that

been identified by the corporate in the business as things that

you should not do or users should not do. So there were

listing all the things that people should not do. And if

they are doing this, the rule will flag it. The challenge with

this is that there is a limit to what we as human beings can

think of, of what potential scenarios may happen because

there is a limit, and you may skip some, one, few. And also

this approach of us thinking of what potentially may happen, is

not scalable across so many different applications? And

today, in our digital world, where applications are a click

away and you can adapt new system, new CRM, new SAP, a new

ERP system and so forth, many of the applications are only a

click away. How can you imagine that you will know the business

logic and the patterns of what can be done or what should not

be done across so many different applications. So the current

solution, today's solution around detections, which are

based on rules, basically provide very, very limited,

ineffective detection, in the application layer. Also, it's

not accurate, which means it generates very high number of

false positives. So you need much more, many more people to

go through this alerts to understand if these things

really happened. So you have to separate and identify the false

positive and, and the real incidents. So the industry have

moved into a much more accurate detection, which is based on

context. Just to give you an example, one of the first

companies that was thinking in moving into a sequence in

context was Cisco, when they introduced NetFlow. NetFlow was

one of the first product in the market that Cisco introduced,

that was actually doing the shift from analyzing single

activity single packet into a sequence of packets. Why,

because Cisco was saying accuracy comes with context, if

you will understand the context, you will have much better

accuracy. The same things happens also, with end-points.

Detection started with antiviruses, and slowly moved

into EDR, extended detection response, looking into

processes, into flows. So we at RevealSecurity was following

that trends and developing what we call user journey analytics

in the application. So we actually monitoring the journeys

in the activity, the sequences of who does what in the

applications and using or developed based on our very

unique machine learning unsupervised clustering engine,

we are able to differentiate and learn per user multiple behavior

profiles, it's normal behavior profiles. And if something

different happens, we can flag it and say, hey, there is

something different here from your normal activities. And then

you can investigate quickly and accurately why what was the

reason for that? So moving from all traditional context into

journeys, context, user journeys analytics, it's actually brings

a totally new dimension of very accurate detections or reducing

the signal to noise ratio, as we like to say, automatically and

quickly. And that's, that's the name of the game around

detection. And that's what is needed today.

Very interesting. So essentially, if

I could summarize what you said, that there is a clear move from

user behavior analytics to user journey analytics. Rule based

solutions, don't work, statistical analysis to augment

rule based solutions are also found to be not very effective.

Very interesting. So given this move to these more advanced,

more sophisticated solutions, for folks who are listening in

on this conversation, CISOs of companies who have the authority

to make purchasing decisions. How do they go about evaluating

the different products out there? What should they be

looking for, in terms of what would work best for their

context for their environment? Any advice? Any suggestions,

The best advice I can give your listeners is they

have to try it. So analytics and machine learning, it's a lot of

trial and errors. It's a lot of mathematics, it doesn't work on

every scenario on every applications. And my

recommendation and my advice is that you should be able to try.

Once you try this, some of the success criteria can be the

number of false positives, number of false negatives, how

accurate, how easy it is to investigate, can it be applied

to any application or specific application, can it be applied

to situations that you have between applications, for

example, today, you have identity providers, like Single

Sign On providers and then you move to another applications how

you can call it all of the sequences between the

application, how do you how do you analyze all of this journey?

So, trying, understanding, and analyzing the results are my my

advice to many of the listener, that they need to try this they

need to see actually how system is working and then come to the

conclusion what works for them best.

Very good, very good! Now, you mentioned

about use of machine learning to analyze to monitor analyze user

journeys. Now, we all know that even machine learning is an

evolving technology and the effectiveness of machine

learning techniques and outcomes depends on gathering good

quality data. So there are there are challenges with the machine

learning approach. So given that, just like you said, the

user behavior analytics approach has shortcomings, what could be

possible shortcomings of the user journey analytics approach.

So the user journey analytics in the end,

it's very much relies on the fact that you have a journey.

Sometimes in some applications, for example, transferring money,

if you transfer from money from point A to point B, there is no

journey, there is no process. Then you need to apply a

different modeling, a supervised modeling, like what like in the

industry. So user journey analytics, it's applicable to

application that has process, that there are different

options. So the user has different journeys in different

application, even if for the same application, you can, you

may do different things in different ways. And if it's

based that the user has a variety of options to do

different things. So user journey analytics is applicable

for cases and use cases where there are processes. Once you

have a process, it means that you have a sequence, sequence of

activities, sequence of activity represent a journey. And this is

something that with the right machine learning and clustering

that is able to cluster based on similarity, similar sessions,

then technology like this can be very, very effective. It has its

own challenges, because clustering needs data to be

accurate. And this is exactly one of the challenges in the

industry. Not all the clusters or the unsupervised clustering

engine are good for such scenarios. So my recommendation

is to find the company that really developed a dedicated

custom built dedicated clustering engine for security

purposes. And not using off-the-shelf or open source

solutions, as opposed to developing a dedicated

mathematical clustering engine that is able to cluster a high

number of data points or sequences accurately,

automatically, with zero configuration, that itself all

this profile by itself, self learning, and continuously

updating the profiles or creating new profiles as data

comes in. And that's the important, build an accurate

automatic machines that can save you money, time and effort.

Right, right. So another question that

comes to mind. When organizations adopt a new

technology, a new technology platform, it's not if one can

assume that, yeah, I've adopted it, I'm going to see results,

the organization also has to be prepared has to make certain

adjustments to the way they operate, whether it's from a

process context, from a people context, or from the existing

technologies, how they interface with the new technology

platform. So the organization has to make some adjustments. So

if if a company was going to adopt this technology platform

this, which provides these user journey analytics, what kind of

changes does it require? Like from a change management

standpoint, what should an organization be prepared for?

Does that make sense?

I have to say this Dave, my recommendation is

that technology will adapt itself for the organization,

because the probability that the organization will change for

specific technology is slim. So one of the requirements is that

this technology will offer a solution which are friction,

frictionless, that doesn't require major changes or any

changes. So, to my point of view, that's that's my

recommendation. Because expecting a very large

enterprise, I don't know with the 5000, 10,000 and sometime

50,000 people organization, to change in order to implement the

chances that this project will be successfully are very slim.

Therefore, if you adopt such a technology, the technology needs

to be designed in a way that it will not interrupt with the day

to day processes and will be adopted to observe them as they

are and come up with the insights automatically and

accurately.

Okay, that's good to know. So

essentially, what you're saying is, the adoption and

implementation of such a platform should be fairly

smooth, should not should not interrupt existing operations.

Well, that's, that's very good to know. Another aspect when

there is a detection of anomalous behavior, when the

user journey is different from the normal user journey, let's

say abnormal user journeys are detected. How does the alert

system work? Who is alerted? And is there a way of capturing or

documenting whether organizations are responding to

those alerts

When a sequence is being detected, there's an

anomaly, an alert is being sent to the SOC (Security Operations

Center) and being investigated by the analyst. Right. And then

they have to, they can follow a procedure. For example, if this

is a very high risk in a very high sensitive, sensitive

application, the procedure may be in a way that you basically

trigger another OTP (One-Time-Password) to the user.

And that's maybe something that the user need to confirm that he

is the user. And that he owns the device, because he's making

a sequence which is very sensitive, relates to

potentially money transfer. And because of that, you may decide

that the procedure will be sending another OTP, or a text

or something else. So there are different ways to do this. Now,

if you want to basically investigate, so you can, you can

also integrate into SOAR (security orchestration,

automation and response) system and suspend the user, hold the

users, quarantine the user not approving the transaction. So

there are many, many, many different ways that you need to

investigate and the classical way, the simplest way that I see

we see many organization in a way that you basically contact

this individual. And you ask him, why have you done this or

whether you have done this this sequence. And in many of the

cases, I have to say that internal consultants outsourcing

and then internal employees are also trying the system, they're

trying to see if there is some something or someone or some

technology that actually monitoring their behavior. So I

like to say also on going back to the guard at the entrance,

when you come in the morning, you see the guard, you tell the

guard, good morning, you trust him, he protect you, he is

monitoring who comes in and out. Also me as an employee, I trust

my security, infrastructure, security technology, that it

will protect me and make sure that I'm not going to be abused.

So nobody will steal my credentials. Or if somebody will

do a malicious activity that will hurt the organization, it

will be detected. So this is some of the thoughts that I have

on this point.

Yeah, makes sense. And just since he used a

couple of acronyms, SOC stands for security operations center,

and OTP stands for One-Time-Password. And if

there's anything else that comes up, we'll clarify as we go

along. But yeah, that makes a lot of sense. In fact, the

reason I asked that question Doron, in my work, when I do

research, when I consult with companies, I often come across

instances where their processes for quickly reacting to the

threat alerts and doing the due diligence is often slack, is

often sloppy. That's why I posed the question, but I totally

understand from where you're coming. Another kind of a

reaction to what you were saying is, in the world of security,

the perspective on security varies from organization to

organization. Some organizations are more skeptical than others,

when it comes to trying new solutions, because they feel

Yeah, we will spend money, we are not sure we will see the

ROI. So when you are talking about a solution like this,

which has a lot of promises a lot of potential, how do you

convince a potential buyer or potential customer to give it a

shot? What does it take? What have you experienced when you

have engaged with prospective customers? What are their

concerns when they're evaluating such platforms?

So one of the main concern is the variety of

new applications and legacy applications that security

executives needs to protect and write basically, business rules.

And, and they don't have the capability, the manpower, the

time to develop these across so many different applications. And

every other week, or day or month, you have more and more

applications, SaaS applications coming in, then you collect all

the logs and into a central repository, and you need to do

something with it. All right, rather than just collecting the

logs. So for us, it's not convincing. This is a need and

need by many of the security executives to come up with a

much more effective way accurate and cost saving in monitoring

the application layer, which is kind of there, but the need is

there. But the technology is not there yet. And we don't need to

convince them because they require something like this,

which today, they have to spend a lot of time and effort and

sometimes people even when we discuss with them maybe about

budgets and space holders they saying in responding to us, we

don't need to put a space holder for you guys. And I ask why?

Because the cost saving you giving us on professional

services that we need to hire third party companies to write

all these rules to advise us how to write the rules and patterns,

etc. The cost saving is already two or three times higher than

the cost of your system. So it's a no brainer in many of the

cases.

Okay, excellent. I want to reiterate

something you just said -- collecting the logs is not good

enough, you have to do something with the logs. So true! Promptly

analyzing the security logs, and taking the necessary action is

centric to maintaining a proactive security posture. So

Doran, we are coming to the end of our discussion today. I wish

we had more time. But anyhow, I'd like to give you the

opportunity to wrap it up for us with some final thoughts and

advice.

So when you're looking in into the future, in

the next few years, you will see more and more basically, that

the identities are becoming digital, there are no networks,

because it's all about identity access into the applications.

There are lots of different technology around access, around

identity and access management, but very few around detection of

applications. And at the end, what makes your business

successful are the people and the applications, the rest are

facilitators to make you successful. And if you really

want to be protected in making sure that you are fully covered,

there is a need for an application detection and

response solution layer, which is required today by many of the

organization and can provide you the bulletproof for the future.

Fabulous. Well, Doron, thank you so much

for your time for your insights. I'm sure listeners greatly

appreciate it. Thank you.

Thank you very much, Dave for hosting me today.

A special thanks to Doron Hendler for his

time and insights. If you like what you heard, please leave the

podcast a rating and share it with your network. Also,

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.