Insider Risk Indicators

What are the top insider risk indicators security leaders prioritize today? Pulse finds out.

Insider risk indicators (IRIs) are activities or characteristics that suggest data is particularly vulnerable. Which of the following IRI categories does your organization monitor today? (Multi-select)

62% File indicators (i.e. zipped file, source code movement)
68% Vector indicators (i.e. untrusted file sharing, USB drive use)
52% User indicators (i.e. off-hours activity, departing employee)
10% None of these
3% I don't know
209 responses

How would you best describe the method your team leverages to monitor for IRIs?

16% We don't monitor IRIs
23% We don’t monitor for IRIs until they become an active security threat
34% We monitor for IRIs manually (i.e. on an ad-hoc basis)
21% We use an Insider Risk tool to do continuous monitoring of IRIs
6% I don't know
209 responses

To the best of your knowledge, how does your organization correlate and analyze file, vector, and user IRIs?

18% We don’t correlate or analyze IRIs
35% We use an Insider Risk management solution to correlate and analyze IRIs
23% We manually correlate and analyze IRIs in a spreadsheet
17% We use a SIEM to correlate and analyze IRIs
7% I don't know
205 responses

How are you alerted when an Insider Risk event or an IRI is triggered?

23% We are not alerted on insider risk events or when IRIs are triggered
41% We receive alerts from our DLP, CASB and/or UEBA technology
27% We receive insider risk alerts from our SIEM
9% I don't know
205 responses

What is the main method through which your team determines the risk level of an alert triggered by IRIs?

13% We don’t monitor for IRIs or alert on them
40% We rely on personal intuition/institutional knowledge to prioritize alerts
31% We use an Insider Risk playbook/strategy to manually determine risk level
9% We use an Insider Risk tool that automates risk qualification & prioritization
7% I don't know
205 responses

IRI patterns are based on the severity, frequency, sequence or mix of detected IRIs. For example: 1) an engineer, 2) moves source code 3) to an untrusted removable media device 4) remotely 5) during off hours. Does your organization monitor IRI patterns like this to prioritize Insider Risks?

37% Yes, we use an Insider Risk playbook/strategy that defines patterns and helps us prioritize them
21% Yes, we use an Insider Risk tool that automatically detects IRI patterns and prioritizes them
14% I don't know
204 responses

Which 2 of the following IRIs are most critical for your company’s data security? (Multi-select)

40% USB thumb drive use
28% Off-hours work
21% Creating a zipped file
32% Source code movement
23% Mismatched file content and extensions
28% Use of a personal application
37% Departing employee
28% Remote activity
26% Web upload to untrusted domain
27% Public file sharing
203 responses

What is the single biggest challenge your organization faces when it comes to protecting data from Insider Risk?

16% Priorities - too many conflicting priorities at executive level
29% Budget - making the case for insider risk and getting budget
16% Alerts - there are simply too many alerts to know what is a real insider risk
20% Complexity - too many disparate tools that do not talk to each other / integrate
4% Time - manually aggregating data and analyzing it takes too long
14% Resources - not enough people or staff to manage insider risk
190 responses