Information Security Product Overview | April 2016 | Tackling the Insider Threat | REDOWL
Insider risk within the enterprise is a significant and persistent challenge for security teams. A recent Intel/McAfee
study indicates 43% of data breaches were directly caused by internal employees and contractors [1]. This supports a
finding from the 2015 Verizon Data Breach Investigations Report, which aggregates the top causes of breaches: 90% have some
tie to an internal human action [2].
In response, we recommend Chief Information Security Officers (CISOs) and key security leaders establish a
comprehensive insider threat program rooted in security analytics to increase organizational capacity to proactively
monitor, detect, and respond to malicious, compromised, and negligent insider activities. This type of approach
delivers deep context and analytic flexibility, critical to effectively and responsibly
identifying, discouraging, and stopping unwanted activities including intellectual
property theft, corporate espionage, and client data loss, while also providing early
warning of potentially compromised accounts. The key is to build a program
integrated with a holistic, configurable, and contextual technology platform.
RedOwl delivers unparalleled visibility into employee activities, behaviors,
and relationships by fusing together unstructured, context-rich data streams
(email metadata and content, chat, voice, web and print content) with
structured data (server logs, SIEM, DLP, alerting feeds, endpoints, proxy, physical
security and print logs) to provide a comprehensive view of enterprise risk. Our
analytic models allow entities and events to be scored and prioritized through
multiple lenses across all of these data streams - previously unavailable to security
teams. Our integrations with Active Directory and corporate human resources systems
play a key role as well, and our analytic visualizations and workflow are second-to-none. As a result, we offer true
situational awareness of the human layer of the enterprise, and a rich, powerful forensic platform that radically
enhances internal investigations and follow-ups.
The alternatives, including some of the more traditional, black-box User and Entity Behavior Analytics (UEBA) tools, are built
on narrow views of human activity. They are also limited to structured data sources analyzed in disparate systems,
while conforming to a fixed configuration of analytics. Such an approach may allow a buyer to check the “insider threat
monitoring” box, but these tools fail to deliver a holistic picture of risk because they present a disjointed
analysis of human behavior and, in the end, miss the entirety of why it is crucial to establish a comprehensive,
platform-based insider threat risk management strategy.
[1] Intel/McAfee: Grand Theft Data, 2015.
[2] Verizon: 2015 Data Breach Investigations Report.
RedOwl’s customers include Fortune 2000 companies in financial services, energy, aerospace and defense, and
hospitality. We are backed by leading investors at the Blackstone Group, Allegis Capital, and Conversion Capital.
With headquarters in Baltimore, MD and offices in London, New York and San Francisco, we have built the most
comprehensive platform to tackle insider risk.
What Are You Trying to Accomplish With An Insider Threat Program?
At the most basic level, your organization is attempting to protect against significant problems that can cripple leading companies:
1 Fraud – Unauthorized access to or modification of an organization’s data for personal gain
2 Information Technology Sabotage – Taking advantage of corporate information technology to harm or undermine the organization
3 Intellectual Property & Sensitive Data Theft – Stealing data from the organization, often for monetary gain or personal benefit
4 Corporate Espionage – Coerced theft on behalf of a third party seeking national, strategic, or competitive advantage
Without a clear plan and adequate technological capabilities, damage from insider activities is likely to be quite
severe. Examples of recent insider events of significance include:
• Major Financial Institution - An employee leaked data corresponding with 10% of the Private Wealth Management
clients of the firm, allegedly in order to sell information on the black market. 900 files were posted online; Stock
dropped 3%.
• Film Studio - Executive emails, films, and intellectual property leaked with suspected insider involvement, leading to the
resignation of the head of the studio.
• Energy Producer - Disgruntled employee reset all network equipment to default, disabled security, and shut down
operations for 30 days.
• Telecommunications Provider - Employee accessed 1600 customer accounts as part of a plan to “jailbreak”
unlocked phones.
• Major Financial Institution - 27,000 customer files threatened to be sold on black market allegedly by internal
employee group.
• National Security Agency - Millions of sensitive files leaked by planted insider Edward Snowden, fundamentally
affecting the reputation of the U.S., its allies, and his employer, a top U.S. consulting firm.
• U.S. Army - Simple web scraping enabled the theft of hundreds of thousands of cables leaked by Chelsea
Manning to an external organization.
When the risk comes from the inside, it represents either malicious individuals (those intending to do the
organization harm), negligent individuals (those violating policies often for convenience or perceived short-term
needs), or compromised accounts (i.e. credential theft).
POTENTIAL THREAT LANDSCAPE = THE EXTENDED ENTERPRISE
EMPLOYEES
• Business
• IT Admin
• Developer
• Security
• Operational
• Management
• Administrative
CONTRACTORS
• IT Staff
• Business Consultants
• Building Maintenance
• Logistical
PARTNERS
• Shared Systems
• Guests
• Deal Collaborators
• Traditional Vendors
• Cloud Vendors
For all of these use cases and for all user persona types, the consistent analytic requirement is to effectively
aggregate, analyze, and monitor all the data sources that expose evolving human activity, relationships, intent,
behaviors, and context with respect to their interactions with other individuals, content, devices, applications,
and even locations. Properly doing so allows the organization to be aware of when unwanted scenarios and
unexplainable anomalies develop and occur, ideally at the indicator stage.
Do You Have Visibility Into All Your Data?
Most security teams are experienced in assessing log data - network flow, endpoint logs, firewall logs, identity
access management logs - all feeding into a SIEM platform. Accessing and integrating such information feeds
in support of insider threat programs is important, but this approach to data management creates a significant
vulnerability for complex organizations.
Looking at SIEM-friendly “machine metadata” alone exposes two fundamental gaps: content and context. By
expanding your focus through the use of a comprehensive platform, your team will be able to utilize “human
metadata” and “human content and context” to better assess risk across the organization. Both of these categories
of data sources are critical in making inferences, judgments, and decisions about the most sensitive entities within
the organization: employees and contractors.
In our experience, the most critical observable data points relevant to most insider incidents - whether they are
the actual events pertinent to a policy violation, breach, or even indicator events that ought to have provided early
warning - tie back to streams of data that most security teams today have no visibility into:
1 Communications data
2 Enhanced endpoint/proxy data (e.g. content)
3 Enrichment data (e.g. human resources, Active Directory, public records)
4 Physical security data
5 Alert feeds
In its recent market overview of security analytics, Gartner noted that security teams require:
“...semistructured and contextual unstructured information that informs organizations on
employee behavior and potential insider threats. For example, this behavioral information
may be found in various user communication channels, such as email and messaging.” [3]
Ensuring these types of data streams are fully aggregated, indexed, and analyzed as part of an insider program
is key. Content must be preservable (to the extent permitted by law), with appropriate back-end and front-end
capabilities within a security platform to make analysis and exploration feasible, effective, and efficient.
Can You Assess Behaviors, Not Just Anomalies?
Traditional black box User and Entity Behavior Analytics (UEBA) vendors detect anomalies while exposing
organizations to three major security vulnerabilities:
1 Anomalies without context are highly noisy
2 Investigation (often through external tools) is costly and frustrating
3 Not every “relevant” scenario involves anomalies - statistical patterns still matter
RedOwl’s unique approach leverages anomaly detection along with robust pattern analysis and a built-in forensic
platform. Beyond just anomaly detection, RedOwl’s software was created to deliver three critical benefits to
security teams:
1 Holistic visibility into internal employee activity, behaviors, and relationships across all forms of critical
data in a rapidly evolving data environment
2 Proactive, not reactive, risk posture to detect and mitigate high-risk individuals, relationships, and events
3 Enhanced investigative response to alerts and reports through improved context, reduction of false
positives, quicker decision making, and greater exposure to previously unknown risk scenarios
By ingesting a comprehensive set of data sources and layering analytic techniques in order to fully understand
nuanced interactions that indicate changes in sentiment and behavior, RedOwl’s platform delivers detailed risk
narratives enabling analysts to assess high-risk user activity holistically.
[3] Gartner: Market Guide for User and Entity Behavior Analytics, 22 September 2015.
Furthermore, analysts can quickly pivot from alert to investigation within a single application, instead of having
to move from one user interface to another. Built-in workflow is designed for both large and small enterprises.
Analysts and platform users are able to track their actions, form and collaborate on cases, enrich events and
individuals with notes and attributes, and build dashboards, all of which improves the overall process.
Is Your Analytic Approach Configurable and Extensible?
RedOwl provides insight into high-risk behaviors and individuals, not just high-risk events. By evaluating nuanced
interactions between people, data, devices, and applications over time, RedOwl prioritizes context-rich timelines for
security teams.
Our software approach is built upon four key technical pillars:
1 Fusing disparate employee data sources into one platform, including content
2 Applying multiple types of rigorous behavior-based analytics focused on change, pattern, and anomaly detection
3 Exposing powerful forensic search and discovery tools through a powerful user interface
4 Delivering proactive reporting that fully integrates with human workflow and existing client information architecture
This is further enhanced by our key analytic building blocks:
• Feature Extraction: Enrich events of interest based on analysis of both content and metadata patterns,
incorporating domain expertise and advanced probabilistic models.
• Behavioral Models: Apply advanced statistical methods to analyze entities over time and proactively
detect deviations from normal baselines (individual and global).
• Content Analytics: Incorporate a variety of natural language processing and sentiment analysis
techniques to feature-tag events and score sentiment.
• Powerful Visualizations: Use visualization techniques to enhance the human role within the analytic
process - make analysts smarter, and include their brains in the platform.
• Extensible Data Model: Flexible to handle all structured and unstructured data sources within an
extensible core - an opinionated data model.
• Machine Learning: Classify, group, and isolate statistically relevant features in order to discover similar
events or behaviors related to other individuals within the organization.
Our user interface is built to enable analysts - not just data
scientists - to easily implement and refine the analytics to
meet unique use cases and evolving security needs without
custom software development. RedOwl layers analytic
techniques because each available analytical strategy - such
as descriptive statistics and sentiment analysis - answers a
unique question pattern. Depending on the use cases you
are tackling, you may want to use each analytic capability
individually or in combination.
We fundamentally believe that a one-size-fits-all approach
to analytics is not appropriate for large organizations. A lack
of configurability leads to major long-term weakness. “Black
box” analytic platforms do not provide enough flexibility for
organizations which face different types of threats and use
cases that evolve over time. Instead, configurable analytics
allow the platform to adapt to your use cases, learn as you
learn, and even enable you to tackle new problems and use
cases within one application.
Sample Question 1: “Which of my employees are exhibiting negative sentiment that may be a precursor to malicious behavior?”
Analytic Technique(s): Content analytics plays a key role.
Sample Question 2: “Which of my employees are exhibiting behavior indicative of reconnaissance activities on the network that is completely out of character with their own history?”
Analytic Technique(s): Requires a combination of feature-based extraction, behavioral modeling, and machine learning.
How We Do It: Data, Features, and Models Lead to Narratives
Combining enriched, tagged, and modeled unstructured and structured data sources is precisely what
enables security teams and management to detect early signs of high-risk behavior within the company. At scale,
these interactions also indicate the relative and evolving risk of human activity across the firm.
RedOwl understands a wide range of structured and unstructured data sources, including:
• Communications: Email, chat, voice, SMS, phone logs
• Network and endpoint activity: SIEM and EDR
• Physical activity: Badge access, print logs
• Employee transactions: Trades, changes in benefits
• Enrichment data: Human resource records, expense reports
At the core of everything we do is the exposure of extensible event-level features. Features enable analysts to track
events - “micro-policies” or indicators that warrant further attention - but they do not necessarily trigger unwanted
and noisy alerts throughout your Security Operations Center. This approach allows the RedOwl platform to make
early judgments about which groups of events matter initially. Over time, the platform ties in deeper entity-level
temporal aggregations and flags events in the user interface for the analyst.
Note that there are a variety of examples of features:
Direct/Self-Contained Features
• Lexicon-based: Racial slurs, profanity, restricted stocks, competitors, deal terms
• Metadata-based: Number of attachments, size of event, number of recipients
• Directional: Output to a particular domain or set of domains, or input from such
• Time grouping: Emails that are sent late at night, badging into a building outside of business hours
Contextual Features
• Sequential: Does a particular event follow another event within a given time frame?
• Global Statistical: Does a recent aggregation of similar events represent a statistical spike compared to the organizational “normal”?
• Actor Statistical: Does a recent aggregation of similar events represent a statistical spike compared to the individual’s own “normal”?
• Contextual: Does any field within the metadata represent an abnormal quantity for the individual’s own history?
The platform also takes advantage of attributes ingested from existing knowledge stores such as Active Directory
or Workday, which play a key role in our entitlements capabilities. This allows us to apply features only to events
by certain types of actors, or to weight the events differently depending on the attributes of the individuals involved.
Next, our platform is based on the important concept of a “model.” A model is a weighted collection of features
that allows us to aggregate individual events over time and drives us towards a very flexible, extensible way of
deriving risk scores for individuals tied to configurable use cases within the application.
Data Gathering Recon Model: This sample model looks at abnormal user activity around file access, SSH server
access, IT policy violations, and even internal communication wall crossings.
Negative Behavior Model: This example, focused on general negative behavior, examines granular elements of
sentiment-related content features.
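As an added illustration of the feature and model ideas described above (example code, not RedOwl's own), the following scores a handful of constructed email events with direct features (lexicon, attachment count, external recipient, after-hours send) and contextual features (a size spike against the actor's own history and against the organization), then aggregates them through a weighted model into per-actor scores that can be ranked for a period; the event format, lexicon, spike test and weights are all assumptions.

```python
"""Added example of event-level features and a weighted model as described
above (not RedOwl code); events, lexicon, spike test and weights are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: bob's last two look like a late-night bulk transfer.
EVENTS = [
    {"actor": "alice", "ts": "2016-04-04T09:15", "to_domain": "corp.example",
     "attachments": 1, "size_kb": 40, "body": "Q2 forecast attached"},
    {"actor": "alice", "ts": "2016-04-04T22:30", "to_domain": "corp.example",
     "attachments": 0, "size_kb": 5, "body": "running late tomorrow"},
    {"actor": "bob", "ts": "2016-04-04T09:30", "to_domain": "corp.example",
     "attachments": 0, "size_kb": 3, "body": "ok"},
    {"actor": "bob", "ts": "2016-04-04T14:05", "to_domain": "corp.example",
     "attachments": 0, "size_kb": 8, "body": "see you at 3"},
    {"actor": "bob", "ts": "2016-04-05T11:20", "to_domain": "corp.example",
     "attachments": 0, "size_kb": 5, "body": "thanks"},
    {"actor": "bob", "ts": "2016-04-05T23:40", "to_domain": "mail.example",
     "attachments": 6, "size_kb": 9000, "body": "client list and deal terms"},
    {"actor": "bob", "ts": "2016-04-06T00:10", "to_domain": "mail.example",
     "attachments": 4, "size_kb": 7000, "body": "remaining deal terms files"},
]
INTERNAL_DOMAINS = {"corp.example"}
LEXICON = ("client list", "deal terms", "restricted")   # constructed lexicon

# A model is a weighted collection of features (weights are constructed).
EXFIL_MODEL = {"lexicon_hit": 3, "many_attachments": 1, "outbound_external": 2,
               "after_hours": 1, "actor_size_spike": 3, "global_size_spike": 1}

def is_spike(value, population, factor=5):
    """Crude statistical spike: far above the median of a reference population."""
    med = median(population)
    return med > 0 and value > factor * med

def event_features(ev, actor_sizes, all_sizes):
    """Direct features (lexicon, metadata, directional, time grouping) plus
    contextual spikes against the actor's own history and the organization."""
    hour = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M").hour
    body = ev["body"].lower()
    return {
        "lexicon_hit": any(term in body for term in LEXICON),
        "many_attachments": ev["attachments"] >= 3,
        "outbound_external": ev["to_domain"] not in INTERNAL_DOMAINS,
        "after_hours": hour >= 22 or hour < 6,
        "actor_size_spike": is_spike(ev["size_kb"], actor_sizes),
        "global_size_spike": is_spike(ev["size_kb"], all_sizes),
    }

def score_event(features, model):
    # Weighted sum of the features that fired; 0 for a routine event.
    return sum(w for name, w in model.items() if features.get(name))

def score_actors(events, model):
    """Per-actor model score, keeping scored events so an analyst can pivot to evidence."""
    all_sizes = [e["size_kb"] for e in events]
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    result = {}
    for actor, evs in by_actor.items():
        sizes = [e["size_kb"] for e in evs]
        scored = [(e["ts"], score_event(event_features(e, sizes, all_sizes), model))
                  for e in evs]
        result[actor] = {"score": sum(s for _, s in scored),
                         "events": [x for x in scored if x[1] > 0]}
    return result

def rank_actors(scores):
    """Compare individuals against each other for the period (highest first)."""
    return sorted(scores, key=lambda a: scores[a]["score"], reverse=True)
```

Running `score_actors(EVENTS, EXFIL_MODEL)` gives bob a score of 22 from his two after-hours external sends and alice a score of 1 from a single late email, so `rank_actors` places bob first while keeping the contributing events attached to the score.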
Over time, the aggregation of data models tied to individuals enables us to do several key things:
1 Develop a sense of what is normal for a given individual
2 Expose which individuals are displaying characteristics of a given model at a higher level than others in
the organization for a given time period
3 Expose which individuals are displaying characteristics of a given model at a higher level than their own
normal
The platform gives you the ability to build collections around multiple models. In this particular case, risk narratives
are tracked within the platform within our insider risk chain so you can leverage previously unknown insights and
quickly take action.
The risk chain report depicted below is comprised of five analytic models. Each model consists of several different
behaviors, queries, and analytics. Together, they provide a holistic and contextual view of the profiled individual’s
behavior over time. Analysts can move from the high level risk chain visualization directly into significant events and
the underlying data sets in order to fully understand risk narratives.
The final piece of the analytic puzzle is tying this into a configurable dashboard to build multiple real-time lenses
with which to view the organization.
Deployment Options
Our platform is a distributed, fault-tolerant, full-stack application that gives you unprecedented visibility into your
critical data streams. The only software required to use RedOwl is a current web browser. RedOwl is designed to be
horizontally scalable, allowing us to add capacity as data needs grow, and to provide redundancy.
We designed our security analytics platform with multiple deployment models in mind — it can be deployed
either in a customer’s preferred cloud environment as a virtual private cloud or directly within the data center. The
platform can also be deployed in a fully redundant fashion; it does not have any runtime dependencies on client
data stores or any external resources.
What You Get: Risk Use Cases
Build an integrated program designed to deter, prevent, detect, and respond to insider threats:
DEPLOY A TRULY COMPREHENSIVE INSIDER THREAT PROGRAM
Build an integrated program designed to deter, prevent, detect, and respond to insider
threats. Data sources include SIEM, identity, Active Directory, endpoint agents,
unstructured data including email/chat, and telemetry data including badge or shift
information.
DETECT INTELLECTUAL PROPERTY LOSS
Pinpoint the theft or premature disclosure of sensitive corporate information including
ideas, plans, methods, or technologies. This could include SaaS usage for transferring
content or evidence of corporate espionage.
PERFORM FASTER, CONTEXT-RICH INCIDENT RESPONSE & DISCOVERY
Better gauge the size, scope and business impact of a security incident with additional
context, helping responders to quickly and accurately assemble a narrative. In cases where
attacks are successful and data is stolen or systems compromised, an enterprise may be
able to learn how to block future attacks through forensics. For example, forensic analysis
may reveal behavioral and technical clues that security teams can monitor in the future.
SITUATIONAL AWARENESS ABOUT EMPLOYEE, DEPARTMENT OR ORGANIZATION RISK
Leverage advanced analytic techniques to fully understand the inner workings of your
organization and to manage risk comprehensively.
DETECT ROGUE, NEGLIGENT OR COMPROMISED EMPLOYEES
Spot potentially damaging aberrant and unwanted behavior to identify and distinguish
rogue, negligent or compromised employees, including monitoring privileged users.
Conclusion: Secure the Human Layer to Reduce Risk
In 2015, Gartner named RedOwl a Vendor to Watch, explaining that RedOwl:
“... positions its platform as a means to help with issues ranging from risk and compliance to legal,
investigative and organizational. Through the use of additional contextual information and analysis,
it is able to show issues that may have otherwise gone overlooked, such as noncompliance, rogue
insiders or employees showing behavioral patterns that indicate they are about to
leave an organization.” [4]
Today’s technology-enabled employees pose an asymmetric risk to enterprises unprepared to identify and disrupt
unwanted behavior. The cost of being unprepared is high. The FBI recently warned, “Victim businesses incur
significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or
former employees.” [5]
A holistic platform that understands human activity is the cornerstone of a comprehensive insider threat program,
providing insights into high-risk behavior and evolving threats within your company.
Information security teams have visibility into network traffic patterns and perimeter threats, but little
visibility into the human layer. With RedOwl, security teams can incorporate important signals buried within
unstructured data, gaining real visibility into the human behaviors, activities, and relationships of the employees,
contractors, and partners with routine access to internal networks.
RedOwl’s platform enables unparalleled situational awareness of people within the extended enterprise, continuous
monitoring for threats such as fraud, intellectual property loss, and reputational risk, and effective incident response.
Security teams have two choices: look at log data and add a traditional black box UBA solution to a SIEM, or use a
holistic platform built on configurable analytics to comprehensively tackle insider risk.
[4] Gartner: Market Trends: Security Analytics — A New Hope for Security, or Just Hype?, March 2015.
[5] http://www.ic3.gov/media/2014/140923.aspx