Dtex – Trust but Verify with Endpoint Security Analytics

Dtex’s endpoint visibility shows you data that you can’t get anywhere else, and those answers are the difference between catching a breach early and a data theft disaster.

Here are just a few things that customers have found in their enterprises once they installed Dtex:

Enterprise Risks

Theft of Intellectual Property
Detect the internal or external theft of sensitive data that other security systems miss, and get the data you need to stop exfiltration before it happens. Fortune 500 company Sanyo is just one of the companies using Dtex to help protect millions of dollars’ worth of IP.
Failed Security Controls
See controls that are misconfigured or being bypassed. 96% of Dtex assessments found staff actively bypassing security measures.
Accidental Misuse
Accidents by insiders leave your organisation exposed. Find and train the employees who are making the most serious mistakes.
Malicious Employees
Spot employees who are using corporate equipment for illegal activity or are trying to sabotage corporate systems. Historic Royal Palaces uses Dtex to protect huge volumes of customer credit card information.
Off-Network Risky Behaviour
Bridge the crucial visibility gap and understand what users are doing with corporate devices while offline.
Fraud and Embezzlement
Detect the theft of inventory or customer data for sale to external parties. The Allianz Group, one of the world’s leading financial services providers, uses Dtex to find and stop potential fraud before it even begins.
Detect and Stop the Insider Threat
Restriction isn’t the answer to stopping the insider threat — visibility is. Dtex shows you the true risks within your organisation, allowing you to find and stop malicious insiders, or even well-intentioned mistakes, before they cause damage.
Context is Key
Existing security measures such as DLP and SIEM are often ineffective against the insider threat because they don’t take history, trends and context into account. The result is a lot of false positives, wasted time and ineffective monitoring. Dtex learns each employee’s normal behaviour and tunes its analytics to alert on suspicious changes from that norm. By putting each user’s behaviour in context, the end user analytics pick up only the activity that really matters.
The Dtex Insider Threat Risk Model
Insider threats can come from just about any angle, so you don’t just need visibility, you also need to know where to look. While the Dtex micro-agent provides the visibility, the Dtex Insider Threat Risk Model tells you where you should be looking first.

How does it work?

1. Profile Known Risks:
Sometimes the threat is known. Over the past 15 years, Dtex has continued to evolve and refine its library of known high risk activities. Every endpoint event is parsed through the Dtex library to highlight known high risk behaviours.

2. Baseline Normal Behaviour:

Sometimes the threat is new. To identify new or unknown threats, Dtex first establishes what is normal. A baseline of normal activity is created for each user, device and application. Baselining metrics can include:
• Endpoint utilisation metrics – cluster analysis of the applications used, working hours, websites visited and task-switching behaviour
• File access metrics – what files are regularly accessed, from where and in what quantities
• Account access metrics – what login accounts are regularly accessed (users often have access to multiple accounts)

3. Understand the Context:
The reason why is often overlooked, yet it is usually the most important factor in any insider threat investigation, and it usually cannot be answered without a seasoned security analyst with extensive domain knowledge.
Dtex simplifies this by attaching contextual information about the events leading up to, and following, an insider threat event. An analyst can then use these contextual cues to investigate, acknowledge or dismiss the alerts generated by the system.
4. Evaluate the Risk:
A risk is not always a risk. Some security risks (e.g. malware) are black and white; people risks such as an insider threat rarely are. Dtex incorporates the company’s IT Acceptable Use Policy into the Risk Model so that acceptable behaviours can be ignored and policy breaches highlighted. The severity of known risky behaviour, the degree of abnormal behaviour and the context behind each event are aggregated into a single insider threat score, which is used to prioritise alerts.
Dtex combines an incredibly lightweight micro-agent on each endpoint with a powerful server-based analysis engine to deliver security, visibility, and cost saving solutions.
Advanced User Behavioural Analytics
Dtex automatically builds a user-level profile of activity based on Dtex data not found in any log files, and automatically identifies sudden changes in behaviour that indicate high-risk activity.
Leading Insider Threat Detection
Despite massive spending on security tools, the threat from insiders is greater than ever. No combination of existing security tools comes close to the simple, scalable visibility from Dtex.
Anonymisation for privacy compliance
The Dtex patent-pending approach to anonymisation ensures that international privacy laws are adhered to and employee privacy is respected. Metadata collected by the micro-agent is stripped of personally identifiable information without affecting the underlying risk model. This lets the security team investigate alerts rapidly while ensuring Legal and HR oversight when an alert turns into an incident.
To determine whether activity is abnormal, Dtex compares a user’s recent events against their own historical baseline, against their peer group (the baseline of users in similar departments or roles) and against the entire organisation.
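The four-step risk model above (known-risk library, per-user baseline, context, policy-aware aggregation into one score) and the self/peer/organisation comparison just described can be made concrete in a few dozen lines. The following is an added illustration written for this page, not Dtex’s code, risk model or scoring formula: the event fields, the two rules in the “known risk” library, the Acceptable Use Policy allow-list, the weights, the z-score cap and the standard-deviation floor are all assumptions, and the sample events are constructed.

```python
"""Toy insider-threat risk scoring over constructed endpoint metadata.

Added illustration only: not Dtex's code, risk model or scoring formula.
Event fields, rule names, AUP allow-list, weights, Z_CAP and STD_FLOOR are
assumptions made for the example; the sample events are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable


@dataclass(frozen=True)
class Event:
    user: str
    dept: str
    day: int           # 0..6 = history, 7 = the day being scored
    files_copied: int  # files copied to removable media that day
    upload_host: str   # host that received the day's largest upload ("" if none)
    login_hour: int    # hour of the user's first login


# Constructed sample data (assumption): three finance analysts and one sysadmin.
# Finance users copy 2-3 files/day; the sysadmin copies ~10 as part of his job.
HISTORY = [
    Event(u, d, day, n, "", 9)
    for day in range(7)
    for u, d, n in [("alice", "finance", 2), ("bob", "finance", 3),
                    ("carol", "finance", 2), ("dave", "it", 10)]
]
TODAY = [
    Event("alice", "finance", 7, 40, "mail.example.net", 23),       # spike, late, webmail
    Event("bob", "finance", 7, 3, "", 9),                            # normal
    Event("carol", "finance", 7, 2, "sharepoint.example.com", 10),  # AUP-approved upload
    Event("dave", "it", 7, 12, "", 8),                               # normal for him
]

# 1. Known-risk library (assumed rules): each returns a severity, 0 if not triggered.
WEBMAIL_HOSTS = {"mail.example.net"}


def rule_after_hours_media(e: Event) -> int:
    return 3 if e.files_copied and not 7 <= e.login_hour <= 19 else 0


def rule_webmail_upload(e: Event) -> int:
    return 4 if e.upload_host in WEBMAIL_HOSTS else 0


KNOWN_RISKS: list[tuple[str, Callable[[Event], int]]] = [
    ("after_hours_removable_media", rule_after_hours_media),
    ("upload_to_webmail", rule_webmail_upload),
]

# 4. Acceptable Use Policy (assumed): uploads to approved hosts are not a risk.
AUP_APPROVED_UPLOAD_HOSTS = {"sharepoint.example.com"}

STD_FLOOR = 1.0   # assumption: avoid dividing by ~0 on very stable baselines
Z_CAP = 10.0      # assumption: bound any single comparison's contribution


def z_score(x: float, baseline: list[int]) -> float:
    """Standard score of x against a baseline, clamped to [0, Z_CAP].

    Only increases are treated as suspicious here (exfiltration volume);
    a drop below normal contributes 0.
    """
    sd = max(pstdev(baseline), STD_FLOOR)
    return min(max((x - mean(baseline)) / sd, 0.0), Z_CAP)


def score_event(e: Event, history: list[Event]) -> dict:
    # 1. known risks from the library
    hits = [(name, sev) for name, rule in KNOWN_RISKS if (sev := rule(e))]
    known = sum(sev for _, sev in hits)
    # 2. baselines: the user's own history, their peer group (same dept), the organisation
    own = [h.files_copied for h in history if h.user == e.user]
    peer = [h.files_copied for h in history if h.dept == e.dept]
    org = [h.files_copied for h in history]
    z_self, z_peer, z_org = (z_score(e.files_copied, b) for b in (own, peer, org))
    # 3. context: carry what the analyst needs into the alert itself
    context = {"recent_files_copied": own, "login_hour": e.login_hour,
               "upload_host": e.upload_host,
               "upload_approved_by_aup": e.upload_host in AUP_APPROVED_UPLOAD_HOSTS}
    # 4. aggregate into a single score (weights are assumptions)
    score = 10 * known + 5 * z_self + 3 * z_peer + 2 * z_org
    return {"user": e.user, "score": round(score, 1), "known_risks": hits,
            "z": (round(z_self, 2), round(z_peer, 2), round(z_org, 2)),
            "context": context}


def rank_alerts(today: list[Event], history: list[Event]) -> list[dict]:
    """Score every event for the day and return alerts, highest risk first."""
    return sorted((score_event(e, history) for e in today),
                  key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in rank_alerts(TODAY, HISTORY):
        print(f"{a['user']:6} score={a['score']:6} known={a['known_risks']} z={a['z']}")
```

Two points the run makes that the prose does not: dave copies four to six times as many files as any finance user, but because he is compared first against himself and his own department he scores low, whereas a pure organisation-wide threshold would flag him every day; and carol’s upload to an approved host is carried in the alert context but adds nothing to her score, which is what folding the Acceptable Use Policy into the model buys you.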


Your Solution – Dtex

Dtex has evolved into the lightest, most scalable endpoint solution in the world. Specifically designed for scalability and near-zero performance impact, Dtex is configurable for both local and multinational organisations. This mature, hardened technology enables Dtex to deliver the visibility, transparency and security needed by global businesses to prevent internal threats without compromising user privacy. In addition to the core technical expertise, our international team has a deep knowledge of the legal, regulatory and business requirements for protective monitoring. While often supported by its service partners, Dtex retains full responsibility for project management to ensure the highest possible standard of service delivery for every customer.
Total User Visibility
User behaviour is monitored and benchmarked against the user’s own history, their peers and the organisation as a whole, using the same lightweight micro-agent and server-based analysis engine.
Privacy is Critical
While we believe in the benefits of endpoint monitoring, we also believe in the importance of employee privacy. Dtex records all of its user behaviour analytics using anonymised metadata, which protects users’ identities. There’s no key logging, content, videos, or screenshots. Legally, we keep ourselves and our software up-to-date with current privacy guidelines around the globe. In fact, Dtex can be used even under the strictest privacy laws in the world.
Security Shouldn’t Come at the Cost of Privacy
We believe that visibility doesn’t need to mean surveillance. Our security is built specifically to respect employee privacy and national privacy laws without compromising visibility.
Too many enterprises achieve internal visibility at the cost of privacy, severely damaging employee morale. Dtex, however, values and respects employee privacy. There are no screenshots, no key-logging, no video footage — none of the information that employers really shouldn’t have.
Dtex collects information in the form of metadata. This metadata can go through an optional anonymisation process that strips out any identifying user information, making all of the information within Dtex totally privacy compliant.
As a global security provider, Dtex takes privacy law compliance seriously. Its anonymisation features and collection methods mean that Dtex is legal even under some of the strictest privacy regulations in the world.
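The page does not describe how the patent-pending anonymisation works, so the following is an added illustration of one standard way to meet the stated goal (identities stripped from the metadata without breaking per-user baselines, with Legal and HR oversight before anyone is re-identified); it is not Dtex’s mechanism. It replaces identities with a keyed hash so that the same person always maps to the same pseudonym, rewrites user home directories in file paths, drops direct identifiers the model does not need, and keeps the re-identification key in a vault gated by an incident ticket. Record fields, the vault and the ticket check are assumptions; the records are constructed.

```python
"""Keyed pseudonymisation of endpoint metadata, with escrowed re-identification.

Added illustration: not Dtex's patent-pending anonymisation, whose mechanism the
page does not describe. Record fields, the key, the vault and the "ticket" gate
are assumptions made for the example; the sample records are constructed.
"""
import hashlib
import hmac
import re
import secrets
from typing import Callable, Optional

# Paths like C:\Users\alice\..., /home/alice/..., /Users/alice/... leak identity.
USER_DIR = re.compile(r"(?i)^([A-Z]:\\Users\\|/home/|/Users/)([^\\/]+)")


def make_pseudonymiser(key: bytes) -> Callable[[str], str]:
    """Return a function mapping an identity to a stable, keyed pseudonym.

    HMAC with a secret key (rather than a plain hash) stops an analyst who knows
    the user list from re-identifying people by hashing every name and comparing.
    Normalising case keeps "alice" and "Alice" on one baseline.
    """
    def pseudo(identity: str) -> str:
        digest = hmac.new(key, identity.strip().lower().encode(), hashlib.sha256)
        return "u_" + digest.hexdigest()[:16]
    return pseudo


def pseudonymise_record(rec: dict, pseudo: Callable[[str], str]) -> dict:
    """Copy a metadata record with identities replaced and direct identifiers dropped.

    Behavioural fields (action, destination, size) are kept untouched: the risk
    model only needs a stable per-user key, not the real name.
    """
    out = {k: v for k, v in rec.items() if k not in ("email", "full_name")}
    out["user"] = pseudo(rec["user"])
    out["path"] = USER_DIR.sub(lambda m: m.group(1) + pseudo(m.group(2)), rec["path"])
    return out


class ReidentificationVault:
    """Maps pseudonym -> identity; held by HR/Legal, not the SOC (assumption)."""

    def __init__(self, key: bytes, users: list[str]):
        pseudo = make_pseudonymiser(key)
        self._index = {pseudo(u): u for u in users}

    def reveal(self, pseudonym: str, incident_ticket: Optional[str]) -> str:
        # Gate: only an approved incident ticket unlocks the real identity.
        if not incident_ticket:
            raise PermissionError("re-identification requires an HR/Legal incident ticket")
        return self._index[pseudonym]


# Constructed sample records (assumption), in the shape a micro-agent might emit.
SAMPLE_RECORDS = [
    {"user": "alice", "email": "alice@example.com", "action": "copy",
     "path": r"C:\Users\alice\Documents\q3-forecast.xlsx", "dest": "usb", "bytes": 2_400_000},
    {"user": "Alice", "email": "alice@example.com", "action": "upload",
     "path": "/home/alice/export.csv", "dest": "mail.example.net", "bytes": 9_100_000},
    {"user": "bob", "email": "bob@example.com", "action": "copy",
     "path": "/Users/bob/notes.txt", "dest": "usb", "bytes": 4_000},
]


def pseudonymise_all(records: list[dict], key: bytes) -> list[dict]:
    pseudo = make_pseudonymiser(key)
    return [pseudonymise_record(r, pseudo) for r in records]


if __name__ == "__main__":
    # Key generated per deployment and escrowed; it is never given to analysts.
    key = secrets.token_bytes(32)
    anonymised = pseudonymise_all(SAMPLE_RECORDS, key)
    for r in anonymised:
        print(r)
    vault = ReidentificationVault(key, ["alice", "bob"])
    print(vault.reveal(anonymised[0]["user"], "INC-0001"))
```

Two caveats a practitioner should keep in mind. Keyed hashing is pseudonymisation rather than irreversible anonymisation: whoever holds the key can reverse it, so the separation between the analysts’ view and the vault is the whole control. And because usernames are low-entropy, a plain unkeyed hash (or a leaked key) lets anyone with the staff list re-identify every record offline, which is why the key must be secret and rotated like any other credential.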
Our Protective Monitoring Guidelines – Restriction isn’t the Answer
You cannot reliably lock down every super user’s access, and many of them would know how to get around the controls and alerts anyway. Worse, limiting a super user often makes it hard for them to get their work done and just ends in frustration and a drop in productivity. Dtex instead takes the route of continuous endpoint monitoring: the system automatically monitors super users’ behaviour and alerts you in real time when something looks wrong, so you can stop a threat before it begins.
Managing super user risks with Dtex.

Managing the Risk of Privileged Super Users
News desks have been flooded with tales of extreme data breaches as of late, from Edward Snowden’s notorious leak to full on cyber-attacks involving industry giants such as Target and Sony Pictures. The fact of the matter is that while these organisations may have stories that hit the press, every organisation is at the risk of a data breach because of “privileged” or “super users.”

Who Is a Super User?

Privileged super users have greater access to company data and have the authority to make changes to the company’s systems. A few examples would be:
• System administrators
• Database administrators
• IT security or audit practitioners
• Application developers
• Network engineers
There are also some less obvious ways in which organisations unintentionally grant privileged access to employees. For example, many companies still add employees to the local computer’s Administrators group or clone an existing user’s permissions in an attempt to streamline operations. The vast majority of these employees have no ill intent, but such access also exposes the organisation’s network to heightened risk should it come face to face with a cyber-attack.
“Lock Down” Isn’t the Answer
Privileged super users are among the most valuable people in an organisation. Many organisations have tried to reduce unauthorised or malicious access to company information by imposing a company-wide lock-down on resources, but this has proven unsuccessful for a number of reasons:
1. Despite their best efforts, organisations have no reliable way to tell whether they have missed individuals or machines with privileged access.
2. Security systems offer too little contextual information when a breach occurs, or they produce too many false positives.
3. Many current security systems are set up to alert on some degree of malicious privileged access, something privileged users know how to bypass or avoid (they may well have helped set up the security system in the first place).
Continuous Protective Monitoring
One obvious answer to mitigating the risk of privileged user abuse is to reduce the number of privileged users in your organisation. This may mean limiting employee or even manager access. Another is to reduce or limit the amount of time a user holds super user privileges. What neither of these addresses is the behaviour of the super user.
A super user will gain access to crucial company information when he or she sees fit, regardless of whatever systematic lock-down measures an organisation may attempt to put in place.
The solution for any organisation of any size or sector is therefore a flexible, automated auditing and monitoring process that scrutinises the behaviour of super users. With a protective continuous monitoring system that alerts the organisation in real time to any dramatic change in a super user’s behaviour, the organisation is reliably informed the moment someone has compromised the network or is potentially stealing information, and can act before serious damage is done.
The leaking of privileged information can do serious and oftentimes irreparable damage to a company’s market advantage, its reputation, and ultimately its bottom line. Every company needs super users, but they can quickly turn into a super threat if not properly monitored. Apart from having policies and processes in place to try and mitigate super user threat, the real key to preventing super user abuse is to be able to determine the context and the intent of an individual, which can only be achieved by a system in place to consistently monitor the user’s behaviour.
The Dtex Difference
Dtex combines a very lightweight endpoint micro-agent with server based data storage and analytics. Even when a user is not connected to the corporate network, usage metadata is logged, encrypted, and uploaded when back on the network. Complete visibility, no gaps in understanding.
For every user and endpoint, Dtex captures anonymised metadata:

• Every application used (both time resident in memory and time in focus for the user)
• Every file and folder activity (created, deleted, printed, moved, copied, etc., whether local, on a server or to a remote location)
• All web activity, including file uploads and transfers
• Every window a user opens
By providing an inline, combined view of this metadata, analysts can quickly determine a user’s behaviour.

Insider Threat Alerts
Metadata generated from the Dtex micro-agent is analysed to profile user behaviour and alert on known-bad activity and significant changes from normal behaviour.
Dtex alerts focus your team’s attention on the super users and devices most likely to be involved in insider threat events.

Contact Securite to learn more about Dtex’s solutions