Employee monitoring to protect against data loss and misuse is becoming mandatory in more industries, but insider security is harder than ever to enforce. As more regulations around data privacy and missteps at high-profile companies generate ongoing headlines, security teams attempt to monitor insider threats without stepping into the quagmire.
Teramind, a startup in Miami that is focused on insider threat prevention and employee monitoring, added data loss prevention (DLP) capabilities to its platform, a suite of software for on premises and cloud.
What the difference between insider threat prevention and user behavior analytics as a stand-alone product? We asked Isaac Kohen, founder and CTO of Teramind. Kohen, who conceived of the employee monitoring software and served as the product architect, explains how the technology can aid enterprises with insider threat prevention.
Editor’s note: This interview has been edited for length and clarity.
Can you talk about your background and explain how the company’s insider threat prevention technology differs from other monitoring tools?
Isaac Kohen: I founded Teramind in 2014. My experience before that was as a software engineer at a hedge fund, but I always took an interest in security. I did some consulting in the financial area around security. As far as quantitative finance goes, the [intellectual property] of the company is essentially the lifeline. If the trading algorithms get out and other companies are using the same algorithm, [then] it becomes worthless; it just doesn’t generate the results anymore. In software engineering, we would see how sensitive this data is and how exposed it was, especially from cyberthreats. Because in the financial industry employee turnover is extremely high; [it’s] extremely competitive. I came up with an idea to protect company data and intellectual property from malicious insiders or even negligent insiders.
That was the first use case. The product has evolved to other use cases as well. One of our biggest use cases is compliance. They want to know where their sensitive data is and how things are handled as far as users go. Do employees see a Social Security number and then start documenting it on the screen anywhere? And if so, we report that, and the time, and send out a warning to the supervisor or something like that.
Did you always have a cloud option or did you start on premises and begin to offer cloud as well?
Kohen: As you know, there is a big shift; everyone is moving to cloud one way or another — some companies faster than others, some countries faster than others and some industries faster than others — from email to cloud storage to virtualized machines in the cloud. The first offering at Teramind was cloud-based in late 2015, early 2016. In a few months, we started to hear requests, especially from large organizations that were regulated with cloud, for an on-premises version.
Basically we designed the product — the server, the back end of it — so that it is extremely easy to move to a virtual machine that we can distribute, which is exactly what we did. So we have identical functionality across both offerings. Today we offer both, and, not surprisingly, our sales are 50-50.
You talked about the insider threat, but the technology also has capabilities around employee productivity monitoring. Did it start out as security product?
Kohen: It started off as a means to neutralize the potential for malicious insiders. And to do that we use some combination of [user activity monitoring], which is the same as employee monitoring and also get the user behavior analytics, which is analyzing the data from employee monitoring and preventing and blocking and educating the user when appropriate to do or not to do certain actions.
The first thing that the product has to do in order to function at all is to collect data. This doesn’t always have to be in the form of employee recording; there is an anonymization layer. But it gives you an option that once rules are violated, you can record five minutes and a number of things before and after that violation; and you can record it in excruciating detail, so every keystroke, full video type and more. For call centers, we have audio playback. We track documents that were printed. The depth of the product is really what makes it stand out; it’s not just an event logger. There are many, many of those and that’s great because they give you a bird’s eye view. But I don’t think you’d find a much better tool for drilling down deeper and looking at forensics when something does go wrong.
You mentioned productivity. That’s a very small use case for us, but it is a use case. We collect all log data. It has been used by human resources to monitor users in different departments, customize groups, optimize employees’ use of time, and optimize licenses on software based on their usage. That’s a use case but it is a byproduct of collecting all that data on IT.
How is the data storage handled?
Kohen: We just collect data from one source, and that’s the agent [on users’ devices]. And we have some customers’ that don’t use our [cloud] platform, but just use our agent. In terms of data storage and retention, it is really up to you. In cloud we provide six months of storage of employee recordings and then lifetime of the account data. And you can define monitoring profiles for different types of users. You can compress and do all kinds of things with the storage. Typically, customers store what they need to and they manage their own retention.
How would you describe your user behavior analytics versus stand-alone UBA products? Or do you feel that your product fits into that category?
Kohen: Compared to full-blown UBA products, we would be entry-level. We take elements from UBA to achieve what we need to achieve to protect from insider threat. We connect to the user, we set up the product in a matter of weeks and then we reconnect after a couple of weeks, and then advise them. And the way we do that is first we set up rules based on what we observed, which is where the UBA comes in. You let the computer find out what the user is doing basically and then combine that with what you know is wrong behavior from [accessing] Social Security information to moving files, and then you get risk profiles of users with the highest risk scores. It’s not a pure UBA solution, but it does take elements from retention, regression and things like that. But compared to companies exclusively doing that, it’s not as developed.
When a company is interacting with you, do they need to approach you with a use case or a set of users that they want to monitor and then you get into some of the implementation issues? How does that work? And, how hard is it to customize the technology for unique situations?
Kohen: We believe in being hands-off, but we are available to assist. What that means is that you can go ahead and set up a trial in the cloud or on premises. You can purchase [licenses for] any amount of users without ever talking to us. The dashboard is extremely comprehensive – – that’s one of the compliments that we get from customers. We have lots of tool types within the dashboard. … But the most important thing of all is that we give you a ton of pre-built rules from which you can customize. In other words, if you have a scenario where you are afraid that people will copy information from the [customer relationship management] that you are using and paste it into a different CRM, then we have copy and paste rules that you can customize.
You added data loss prevention capabilities earlier this year. Is that enhanced functionality for insider threat prevention or do you consider this a DLP product?
Kohen: I think we have a pretty strong DLP offering. It is being rolled out to our existing customers, and it is offered as an add-on product to our Teramind suite. That DLP functionality is absolutely necessary to complete insider threat prevention. It is not just about [employee monitoring]; you need to work with content. We built the functionality from the ground up. We probably do not have all of the capabilities of a McAfee, Digital Guardian or that other providers do. I think when you combine the layer of DLP with everything else that we provide, such as the employee behavior analysis and the rules engine combining behavior, I think you get much more robust product for insider threat prevention.
You are working on support for Linux servers and workstations, but your technology doesn’t support mobile devices. Is that still the case?
Kohen: Unfortunately, yes. The product itself is based on user requests. There is some demand for Linux, not much; there is much more demand for mobile. We are working on the mobile version much harder than we are on Linux. And we’re happy to report that we are making good progress. There is no date for either Android or Linux.
Are companies more interested in insider threat prevention technology after a major breach? What trends are you seeing?
Kohen: First of all, there is a lot more awareness now regarding insider security than when we started off. Don’t forget that there is more awareness in terms of regulation. It’s not just a company waking up one day and saying, ‘You know, we need DLP.’ No, it is because the regulation requires DLP and we have the monitoring aspect and that includes GDPR. It is combination of companies waking up and those regulations waking up and forcing companies to act.
You mentioned GDPR. In terms of employee monitoring and other capabilities of these products, how is privacy handled and are there concerns about that?
Kohen: I don’t think we have any meetings without addressing that. It is a very, very big concern. We have many different ways to alleviate that. First of all, you don’t have to monitor anything; you can define rules and capture data before and after a rule is triggered. The way that works is there is a circular buffer on the endpoints that records stuff and then forgets things at the same time. You capture exactly what you need to capture.
Now we have other companies in countries outside of the United States where the law states that you can monitor employee activity except for Microsoft Office and so on. You can define the software, exactly what to capture and so on. You can do so with such granularity that you can capture only specific tabs like a web browser, and without tabs, it will be blacked out. It’s extremely flexible; so that you can capture at certain times and not during lunch hour; not during Skype but yes in Gmail. The goal is to give you flexibility so that you can do so exactly to the extent that you are allowed to do it.
What should CISOs and other security managers consider when they are evaluating this type of technology?
Kohen: There are many things to consider. It depends on your specific use case, why you are starting or extending your insider threat program. You should look into — if a breach happens — what level of detail you can get with your current system, what level of detail you are missing, and try to fill the gaps. It’s not a question of will a breach happen anymore at many companies. It’s a question of when.