Email a colleague    

March 2019

Protecting Data from the Insider Threat: Veriato Closes the Security Gap with Massive Data Collection & Machine Learning

Protecting Data from the Insider Threat: Veriato Closes the Security Gap with Massive Data Collection & Machine Learning

Today’s frequent headline stories of enterprise data breaches signal that some of the billions spent on security may be misdirected when it comes to data theft.

For example, network security solutions — intrusion detection systems, firewalls, network behavior analysis systems, and more — are aimed at taming outside threats from hackers, malware, and the like.  But as network security improves, criminals will increasingly rely more on inside threats where they gain access to sensitive data by bribing, blackmailing or even tricking employees or trusted contractors.

Insider threat management, then, is an issue that needs greater enterprise attention.  In fact, in the telecom fraud prevention domain I’ve been following for several years, fraud professionals know insider fraud is a key problem, but are largely unaware of the commercial software that’s available to help.

One veteran company in the insider threat surveillance business is Florida-based Veriato and I recently spoke with Patrick Knight, the firm’s Senior Director of Cyber Strategy and Product Management.

Patrick gives us a concise tutorial on: the big security gap that insider threat monitoring fills; the evolution of systems from individual threat alerts to full machine learning; and the challenge of organizing an insider threat program that leaves no blind spots yet is sensitive to employee privacy concerns.

Dan Baker, Editor, FraudTech: Patrick, can you give us a quick backgrounder on Veriato and your value proposition?

Patrick Knight: Sure, Dan.  Veriato has 20 years of experience collecting and analyzing the massive volume of data that’s needed to properly monitor an enterprise in an age of massive breaches.

Fraud is a key enterprise use case we address, plus we cover the special monitoring and compliance needs of industries like healthcare, financial, and government.

What really distinguishes our solution is that our software client (or agent) lives on the endpoint — not on the network.  Monitoring the endpoints is key because that’s where breaches occur.  But systems that only watch data that passes through the LAN or WAN miss a ton of relevant and contextual data.

With Veriato, you’re going to see everything the user did.  We capture all activity around and leading up to a breach and can even present that visually so a research officer or investigator can actually see what led up to an action.  What did they read today, what documents did they touch, and were those documents controlled or not?

In short, we focus on insider threats that could lead to a major fraud or data breach.  Now there are many security tools designed to block outsider threats from hackers, malware, and so on.

But ironically, that same data being guarded from outside network intrusion is no longer protected when a criminal hires someone inside the organization to steal the data. 

This is Veriato’s sweet spot: the on-going fraud threat inside the organization.  If you’re only worried about malware, then the fraudsters may have stolen all your sales records and walked out the door with them.

Start differences between Insider and External Threat Defenses

At any large organization you’re looking at a mountain of data to analyze — so much that it could overwhelm the researchers.

Well, it’s a valid concern because the data organizations collect is growing at a staggering rate.  You can’t keep up today without help from machine learning, and in recent years that’s been a big focus of ours at Veriato.

As a pioneer of the business, we served small organizations and monitoring computer endpoints when insider threat management was a new capability.  In those days we focused on sending alerts.  For example, Patrick is accessing a website that he shouldn’t.  Or he doesn’t normally send 10 gigabytes of data to the Google cloud application or access the Dark Web, but he did today.  So that may be a trigger something bad might be happening.

The problem with using alerts like this is: how do you manage that at a 10,000 employee organization?  You soon realize you can’t sit there and watch for the breaches of 10,000 employees.

So this is why machine learning is so invaluable today, and we’ve scaled Veriato to meet that need.

What we’ve done is created learning algorithms that are fed the sensitive data points and know what constitutes a risk.  And recognizing that as human beings we tend to change our habits fairly slowly, we examine changes in behavior over time.

What if an employee stops being productive?  What if they suddenly start accessing certain parts of a sensitive system frequently?  Activities like these may signify a risk and will constitute an alert.

So our machine learning technology will advise: “You might want to look at Patrick’s activities today because something has changed — it doesn’t look good.” And that analysis can also come from comparing a worker with her peers.  In an organization where you have a group of people doing the same tasks, the behaviors of the group should look more or less the same.

Another monitoring point is employee productivity relative to that of others in the same kind of job.  If one person is not performing well compared to his peers, or maybe the person’s productivity has dropped over the past week or month: maybe that’s a sign something is wrong.  Also, if a person is going to leave the company soon, that person may want to take data with them.  It’s a common fraud and insider threat scenario.

Do organizations pushback on monitoring their desktops and mobile devices from an employee privacy or access point of view?

It’s a key question: how do you monitor for insider risk and also respect the privacy of the employees?

We recently published a report entitled, 2019 Insider Threat Maturity Report, that helps an organization measure the maturity of their insider threat program.  It includes ten steps to follow when setting up an insider threat program.

2019 Insider Threat Program Maturity Model Report
Click the image above to download the Report from the Veriato website.

It starts with getting executive support because if you don’t have that, you won’t have the budget, you can’t get full team cooperation.

When an organization is setting its data protection rules, we say: be open and be clear about those policies.  For instance, explain your policy on social-media-surfing at work.  And make sure employees get training during the on-boarding process.  When colleagues know and respect what you are doing, that creates a strong foundation for the whole security process.

To have an effective program, we encourage our customers to roll out our client on all endpoints.  Don’t leave one part of your company blind to our investigation capabilities — even executives.  That’s often a hard sell since an organization’s executives tend to have more access than they should to sensitive data.

But that kind of oversight is needed.  What if you had an incident — even an accidental one?  You need full visibility to trace how the breach happened.

Are there any guidelines on which departments in the enterprise need access to the sensitive monitoring data?

Access policy varies greatly because no two organizations are alike, so the key question to ask is: who should get involved when you need to take action on an incident?

The security team in control of evidence certainly needs access.  If there’s a violation of policies, HR might need to get involved to reprimand the person.  If it’s a criminal case, then law enforcement needs to get involved.  In one recent theft case where our software was used, millions of dollars of losses were recovered, and those people were charged by the police.

And it almost goes without saying: the data our technology collects is legally admissible in court.  It is frequently used in investigations and we follow forensic investigation rules to rightfully collect it.

What mobile devices and operating systems do you support?

We do support Android, the most widely used mobile device, and of course we monitor Macs and Windows systems on the desktop.  This gives us widest coverage.

Insider Threats: The Cost of Delayed Detection

Patrick, thanks for this fine tutorial.  Insider threat monitoring is a software category that needs greater visibility: it fills a vital role in controlling data theft and fraud.

I think you’re right, Dan.  Insider threat solutions tend to not get the attention they deserve.

The good thing is the solutions keep improving.  For instance, our new Cerebral product combines the capability of our two previous products.  You get both the user activity monitoring as well as the scalable machine learning component.

So a researcher conducting an investigation has the full scale of employee activity available to access, yet, to protect privacy, that data is kept on the endpoint until it is ever needed.  Machine learning monitors the pictures and lets you know when behavior changes indicate there’s something the investigator should look at.

For example, Patrick is chugging along and is not showing any sign there’s a problem.  At that point, my data remains on my endpoint and the organization looks at other possible risks until my risk score or my behavior has changed to the point that warrants sending an alert to the investigator saying: “We’ve scanned the behavior of 10,000 employees, and Patrick’s risk score is high enough that you need to take a closer look.”

We think that Cerebral is a great evolution of our product.  It’s allowing us to be a more attractive choice at very large organizations, but at the same time it’s doesn’t sacrifice the investigator’s ability to gain full access to user activity data and do a proper job of research when the risk warrants that closer look.

Copyright 2019 FraudTech Journal


About the Experts

Patrick Knight

Patrick Knight

Patrick Knight is the Senior Director of Cyber Strategy and Product Management at Veriato, an innovator in actionable user behavior analytics and a global leader in insider threat protection, where he helps organizations protect critical data from threats by trusted insiders.

For over 17 years, his cyber security career has helped enterprises protect against online threats through the development of anti-malware, network intrusion detection, computer and network forensics and encryption technologies.

He is a writer and speaker on topics of cyber security and privacy in multiple forums including NITSIG and Virus Bulletin.  He is a 12-year veteran of the U.S. Intelligence Community and the United States Army in the fields of Signals Intelligence and Cryptanalysis and a Russian and Serbo-Croatian Linguist.

He can be reached on Twitter at @PatrickKnight70 and on LinkedIn at

Recent Articles