ObserveIT Insider Threat Management
ObserveIT Insider Threat Management is a platform that combines the functionality of traditional User Behavior Analytics (UBA) and Data Loss Prevention (DLP) products in a lightweight and streamlined solution for detecting and mitigating various insider threats.
ObserveIT is a privately held software vendor based in Boston, MA in the United States. The company was founded in 2006 by Israeli entrepreneurs with an initial focus on remote privileged user monitoring, which was gradually expanded to cover other types of sensitive users as well: third-party vendors, contractors, and the company's own administrators and business users. In 2014, after an investment round, ObserveIT established its US headquarters. Currently, the company serves more than 1700 customers from over 80 countries, primarily in the financial, healthcare, telecommunications, manufacturing and retail markets.
The company’s Visual Endpoint Recording technology uses lightweight software agents that monitor and capture a wide range of details from user sessions across multiple platforms. The solution collects this data centrally and offers its users a wide range of analytics, alerting and reporting functions. KuppingerCole reviewed the company’s user activity monitoring solution in 2015, and our verdict back then was that ObserveIT provided an exceptionally strong session monitoring technology, but that its advanced analytics capabilities were not on par with other players in this market. Three years later, however, the market has changed dramatically, and ObserveIT’s portfolio has evolved to address these changes.
Under the pressure of the continued Digital Transformation, many companies are undergoing significant changes that affect their organizational structures and business processes. Constant adoption of new technologies and platforms has led to a massive increase in the complexity of their IT infrastructures. Sensitive corporate data that used to be stored in closely guarded on-premises silos is now spread across multiple clouds. New business models and communications channels dictate the need to provide access to the corporate data, systems, and applications to numerous new users from around the world.
The very notion of a privileged user has changed as well: it is no longer only the system administrators who can pose the biggest risk to your company – in fact, every business user with access to sensitive corporate data can, either inadvertently or with malicious intent, cause substantial damage to your business by leaking confidential information, disrupting access to a critical system or simply draining your bank account. The most privileged users in that regard are the CEO or CFO, and the number of new cyber attacks targeting them specifically is on the rise, but a threat can come from any level, and knowing what each user is doing at any moment is becoming the most critical part of a sensible cybersecurity strategy.
In recent years, the market has responded by offering a multitude of specialized User Behavior Analytics (UBA) solutions that usually operate by collecting security events from various sources - network traffic, endpoint monitoring or application logs - and then applying machine learning algorithms to look for anomalies and suspicious activities in them. However, just detecting a statistical anomaly is not enough to understand the exact nature of the incident – an alert raised by a standalone UBA solution must be investigated by a security analyst, who will then have to decide how to deal with it. This decision will unavoidably be a reactive one, responding to a threat long after it has been detected. Automated remediation powered by fuzzy AI logic alone may not be an option for many companies.
ObserveIT offers an alternative approach to insider threat detection: instead of anomaly detection, the company focuses on academic research of commonly seen indicators of insider threats, creates rulesets to identify them, and designs an automated threat mitigation platform that implements flexible prevention methods. At first, this approach may appear similar to a traditional signature-based antivirus pitted against a modern EDR solution; however, one should take into account the sheer breadth and granularity of context information the company’s technology can collect from endpoints, as well as its ability to apply mitigation directly on those endpoints (for example, blocking access to a USB drive when an attempt to copy sensitive files is detected). In a sense, the ObserveIT Insider Threat Management platform combines the functionality of a traditional user behavior analytics solution and a data loss prevention product, but without the limited mitigation capabilities of the former or the complexity and high maintenance of the latter.
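To make the contrast between the two approaches in the last two paragraphs concrete, here is an added example (not ObserveIT's code or rule format) that applies indicator rules of the kind described above to a few constructed endpoint session events and returns the endpoint mitigation each rule would trigger, instead of handing a statistical anomaly to an analyst. The event fields, rule names, removable-drive letters and action labels are assumptions made for illustration.

```python
# Added example: indicator-based insider-threat rules over constructed
# endpoint session events. Not ObserveIT's code; all fields are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    action: str   # e.g. "file_copy", "upload" (assumed event types)
    src: str      # source path or resource
    dst: str      # destination path, device or host
    tagged: bool  # True if the source is classified as sensitive


# Constructed sample session events (not real telemetry).
SAMPLE_EVENTS = [
    Event("alice", "file_copy", "C:\\Finance\\q3_forecast.xlsx", "E:\\", True),
    Event("alice", "file_copy", "C:\\Public\\logo.png", "E:\\", False),
    Event("bob", "file_copy", "\\\\fs01\\hr\\payroll.csv", "C:\\Users\\bob\\Desktop", True),
    Event("bob", "upload", "C:\\Users\\bob\\Desktop\\payroll.csv", "personal-cloud.example", True),
]

# Assumed mapping of drive letters to removable media (a real agent would
# query the device class instead of hard-coding letters).
REMOVABLE_DRIVES = ("D:\\", "E:\\", "F:\\")
CORPORATE_DOMAIN_SUFFIX = ".corp.example"   # assumed allow-listed upload target


def copy_to_removable(e: Event) -> bool:
    """Indicator: a file tagged as sensitive is copied to removable media."""
    return e.action == "file_copy" and e.tagged and e.dst.startswith(REMOVABLE_DRIVES)


def upload_to_personal_cloud(e: Event) -> bool:
    """Indicator: a file tagged as sensitive is uploaded to a non-corporate host."""
    return e.action == "upload" and e.tagged and not e.dst.endswith(CORPORATE_DOMAIN_SUFFIX)


# Each rule pairs an indicator with the mitigation applied on the endpoint,
# e.g. blocking the USB device the moment the copy is attempted.
RULES = {
    "sensitive-file-to-usb": (copy_to_removable, "block_usb"),
    "sensitive-file-to-web": (upload_to_personal_cloud, "block_upload"),
}


def evaluate(events):
    """Return (user, rule, mitigation) for each event that matches a rule."""
    hits = []
    for e in events:
        for name, (indicator, mitigation) in RULES.items():
            if indicator(e):
                hits.append((e.user, name, mitigation))
    return hits
```

Only the two tagged transfers leaving the corporate boundary produce a hit; the untagged copy and the internal copy of a sensitive file match no indicator and raise no alert.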