How do you monitor the behavior of the humans in your organization without seeming creepy? That’s the challenge Forcepoint has set itself as it integrates the User Entity Behavior Analytics features of its RedOwl acquisition into its product portfolio.
Detecting when people put an organisation at risk—conducting industrial espionage on behalf of a competitor, or just inserting a USB stick full of malware into their work laptop—is something few would object to. But the process of monitoring people going about their daily work in order to do that detection can stray across a ‘creepy’ line without careful planning. Different cultures and areas of the world have different expectations about where this line should be drawn.
The way Forcepoint approaches things is to build in the greatest individual privacy protections it can, in order to support those jurisdictions—such as the EU—where privacy controls are strictest. Individual companies can then choose to use these robust privacy protections, or not.
“We’re attempting to balance that need to have deep insights into various datastreams in order to make sense of what’s going on, while also protecting employee privacy,” said Lauren Webster, Senior Director of Product Management at Forcepoint. Getting this right means looking at more than just what technology is capable of.
“We’ve worked really closely with customers,” says Webster. “The technology has really been informed by programmatic considerations that surround the technology at each customer.”
Take the case of masking. The actions of employees captured by the Forcepoint system are masked so that they are pseudonymous; you can’t easily tell just by looking at the system who is performing the actions. This way the focus is on unexpected behavior irrespective of the individual involved. If someone normally only logs into development systems, and one day starts trying to log into production systems or copies data from production onto a USB stick on their laptop, that might trigger a flag to look into things in more details.
These actions may well be entirely innocent, but they are unusual and warrant further investigation. It’s this investigation portion that sits outside of the technology itself in the customer’s processes and procedures, and this is where Forcepoint is careful to work with customers to ensure the technology works as part of a larger, human-centric system.
“This isn’t a case of technology solving the problem by itself,” Webster said. “The customer also has to have in place the programmatic elements of who is allowed to do the unmasking, how that unmasking is performed, and so on.”
“We are very aggressively baking in this ‘privacy by design’ idea into our products,” she said.
The notion of personal privacy and informed consent is enjoying a resurgence, at least partly due to GDPR coming into force, but there’s a broader conversation that we should be having about what information security really means. Keeping information secure is about controlling access to information in a kind of Role Based Access Control for data. Who should have access to this data, and under what circumstances? If a person’s role changes, or the circumstances change, then access to information should also change. Doing this with purely manual systems struggles to scale as the amount of information, and the number of systems it is stored on, continues to grow.
These user behavioral monitoring systems can also be used to enhance privacy. For example, if a staff member is misusing their access to snoop on employee HR records, or improperly viewing customer data, a UEBA system like Forcepoint can flag that behavior and thus safeguard the information of individuals. Rather than being a creepy spying tool, it can actually deter creepy spying behavior.
“Watch the Watchers is a well known concept, and it’s one we adopted really early on,” said Webster. “If a customer wants to implement a Watch the Watchers program, we can re-ingest all of the user’s activity in the UEBA product back into the system so that an audit function can independently monitor what the UEBA users are doing in the system.” This kind of capability indicates how carefully Forcepoint has designed the product to safeguard its proper use.
Of course, these capabilities are only useful if organizations actually implement robust oversight functions that can survive attempts to circumvent them. If there are no consequences for getting caught doing the wrong thing, bad actors can simply continue to act badly with impunity.
This is a conversation that we are likely to be having with increased frequency in coming weeks and months.