Dtex Systems Intercept 6.0 uncovers malicious and negligent behavior without invading employee privacy
Dtex Systems announced the release of Intercept 6.0, a Next-Generation Insider Threat Management solution. Dtex Intercept 6.0 is a first-of-its-kind Insider Threat Management solution that delivers always-on, human-centric security by proactively surfacing dangerous activity as ‘Indicators of Intent’ in real time across the entire organization, uncovering malicious and negligent behavior well before an incident occurs and providing a full audit trail afterwards, without invading employee privacy.
“Next Generation cybersecurity is defined by an unyielding focus on the most important element of a business’s ability to operate effectively and safely – the human factor,” said Mohan Koo, Co-founder and Chief Technical Officer at Dtex Systems.
“The enterprise workforce’s behavior, habits and interactions ultimately determine opportunities and threats, how and where risks emerge and if compliance mandates are met.
“We’ve built Intercept 6.0 to do what prior-generation EPP, SIEM or Insider Threat Management solutions are unable to do… allow executives, IT and cyber-security practitioners to easily see, understand and act on contextual technical and behavioral intelligence to stop insider threats, prevent data loss, and protect the workforce, wherever they may be.”
Insider threats continue to be a top security, risk and compliance concern for every organization, regardless of size or industry.
Investments in point solutions and reliance on modules from SIEM and EPP platforms are falling short as evidenced by the increasing number of high-profile data breaches caused by malicious and negligent employees and consultants.
These solutions are simply not engineered to monitor the most critical common denominator in every business activity: the humans powering day-to-day operations, especially as organizations adopt virtual and work-from-home business models and digital transformation accelerates.
According to Gartner, one of the keys to success in building an Insider Threat Management Program is to “determine risky behavioral patterns, using past incidents and cross functional input, and correlate the technical as well as behavioral threat indicators to analyze each incident in its full context.”
Powered by Dtex’s patent-pending DMAP+ Technology, Intercept 6.0 continuously collects and synthesizes more than 500 unique elements of enterprise telemetry from data, machines, applications and people to surface dynamic ‘Indicators of Intent’ that combine to deliver holistic, contextual awareness of an enterprise workforce’s activities. These elements are enriched in near real time using advanced behavioral models that are mapped against a person’s normal activity and peer group baselines.
Dtex’s cloud-based predictive analytics engine continuously processes, scores and stacks ‘Indicators of Intent’ to stream live status updates and trend analysis and, when required, to trigger notifications of abnormal activity that deviates from baselines and indicates elevated risk, all delivered to an interactive, all-in-one dashboard for forensic investigation, protective action and cross-functional reporting.
“Dtex Intercept is the only security platform I use to see, understand and act on threats to our IP. Not only does Intercept tell me who’s doing what, when and how but it gives me a holistic, context-rich forensic record of what happened before and after an indicator of malicious or negligent insider behavior so I can eliminate the threat before data is exfiltrated,” said Graeme Hackland, CIO with Williams F1 Racing.
“We evaluated five Insider Threat Management solutions against weighted criteria of 13 must-have capabilities, including user behavior monitoring within specialty engineering applications and a collector that was invisible to employees. Dtex was the only solution that gave us those lightweight collection capabilities and the visibility we needed to support our mission-critical operational requirements.”
The next-generation insider threat management features and design innovations that combine to make Dtex Intercept 6.0 unique include:
Contextual workforce cyber intelligence
Intercept 6.0 employs lightweight forwarders and a cloud-based correlation engine to deliver unmatched visibility, monitoring, surveillance, forensic and investigative capabilities against technical and behavioral indicators to SOC and IR teams frustrated with gigabytes of data and hundreds of disparate alerts.
Enterprise Telemetry collected and synthesized from more than 500 unique elements of data, applications, machines and people delivers holistic, real-time awareness about workforce activities.
- Intercept 6.0 collects only 3–4 MB of data per user per day, creates no noticeable network impact and does not harm employee productivity or endpoint performance, using less than 0.5% CPU.
- New technical and behavioral collection features include full file lineage capture (including configurable file hashing algorithms), enhanced network connection profiling for improved off-network detection / device geo-location and three layers of tamper protection.
- Intercept 6.0 also includes an optional set of ‘focused observation’ features, offering increased visibility for high profile forensic investigations through the introduction of UAM capabilities such as trigger based video and screen capture.
- In addition to Windows and macOS Workstations, the new Dtex forwarder also extends full monitoring support for Windows Servers, Linux Servers and Virtual Environments (e.g. Citrix, VDI).
Behavioral Enrichment of workforce activity, data movement, application usage and device forensics against individual and peer group baselines using predictive models and advanced scoring algorithms that identify, score and highlight deviations, trends and Persons of Interest without false positives.
- Automatic Activity Correlation offers the enrichment of multiple sequential activities into a single ‘correlated’ event. This allows Intercept 6.0 to identify both the act of ‘obfuscating data’ as well as the relationship between the new file and the original file or files, increasing the severity of the ‘Indicator of Intent’.
- Additional innovative enrichment features include Advanced Rule-Based Behavior Profiling of new or rare processes, URLs and IP addresses. Intercept 6.0 uses URLs to score activities such as file sharing by confirming the authentication protocol and the use of passwords. For IP addresses, Intercept 6.0 identifies the host network (subnets, local addresses and corporate-owned IPs) and compares it with outbound connections to unidentified IPs to assign risk scores as part of the overall ‘Indicator of Intent’ calculation.
Predictive Analytics regarding potential insider threats, probable data loss scenarios, and likely shadow IT projects as well as possible fraud, compliance and privacy violations that deliver actionable answers not incomplete alerts.
- New, advanced analytics capabilities in Intercept 6.0 include Peer Group Anomaly Detection and real-time ‘Known-bad’ Behavior Alerts that correlate five unique insider threat classifications (Compromised, Malicious, Intent, Data Loss and Negligent) to notify SOC and IR teams of increasing risk levels and of persons of interest who should be monitored closely. New alert triage and case management capabilities with whitelist policies, dispositioning and rule feedback are also available.
- A first-of-its-kind User Investigation report collects all behaviors, not simply security-oriented technical data, to produce a dynamic forensic investigation packet: a complete, automatically generated contextual evidence trail of any ‘person of interest’ activities.
- For executives and other operational departments such as Human Resources, IT and Compliance, Intercept 6.0 automatically generates a CISO Scorecard and Remote Working Trend reports.
Enterprise scalability measured in hours
Unlike other solutions that are restricted to analyzing only the people or devices of interest already identified by human analysts, Dtex Intercept 6.0 was purpose-built to scale and continuously protect the entire organization, up to millions of users, endpoints and servers.
- Intercept 6.0’s ‘cloud-first’ architecture does not rely on traditional relational databases and instead leverages best-of-breed NoSQL technology that processes data in memory, effectively flattening the data set, to deliver streaming analytics at low cost without extra database licensing fees.
- Intercept 6.0 can be deployed to more than 500,000 endpoints in a single cluster in less than 2 hours with full telemetry enabled.
Employee privacy and GDPR compliance
Security doesn’t need to come at the expense of privacy. Dtex puts privacy first, offering patented anonymization that obscures all identifying data from user behavior intelligence collection to ensure a positive organization culture and GDPR compliance.
- Intercept 6.0’s meta-data intelligence collection architecture does not rely on intrusive content capture processes driven by analysts, instead elevating a user for inspection without introducing human bias and allowing monitoring to be dialed up for more focused observation capabilities in proportion to risk.
- Intercept 6.0 leverages patented pseudo-anonymization techniques to remove data elements that do not comply with GDPR and other privacy regulations, instead looking at metadata about application usage to surface early warnings of risk that serve as evidence to justify more intrusive, traditional DLP-type monitoring techniques.
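The privacy bullets above describe collecting behavioral metadata while pseudonymizing the identifying fields so that an individual is only re-identified once risk justifies it. The following is an added example of that pattern, not Dtex’s patented technique or code: the field names, the record layout and the key are constructed, and the design choice of a keyed hash plus a separately held re-identification table is a general privacy-engineering practice rather than a description of the product.

```python
"""Added example (not Dtex code): pseudonymize identifying fields in endpoint
telemetry with a keyed hash, keep only behavioural metadata, and hold the
re-identification table apart from the analytics data set.
Field names, records and the key are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac

# Fields that identify a person or device: replaced by a pseudonym.
IDENTIFYING_FIELDS = ("user", "email", "hostname")
# Behavioural metadata the analytics layer is allowed to see as-is.
RETAINED_FIELDS = ("timestamp", "application", "action", "bytes")
# Anything else (window titles, document names, clipboard text) is content,
# not metadata, and is dropped before the record leaves the collector.

# Constructed key; in practice this is a secret held by the privacy owner,
# never stored alongside the pseudonymized data.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def pseudonym(field_name: str, value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for one identifying value.

    HMAC rather than a plain hash: without the key, a list of employee names
    cannot be hashed and matched against the pseudonyms. The field name is
    mixed in so the same string used as a username and as a hostname does
    not yield the same pseudonym.
    """
    msg = f"{field_name}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of `record` safe for the analytics tier.

    `lookup` maps pseudonym -> original value and is meant to live in a
    separate, access-controlled store used only for authorized re-identification.
    """
    out = {k: record[k] for k in RETAINED_FIELDS if k in record}
    for field_name in IDENTIFYING_FIELDS:
        if field_name in record:
            tag = pseudonym(field_name, str(record[field_name]), key)
            out[field_name] = tag
            lookup.setdefault(tag, record[field_name])
    return out


def pseudonymize_batch(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Pseudonymize a batch; returns (analytics-safe records, re-id table)."""
    lookup: dict = {}
    return [pseudonymize_record(r, key, lookup) for r in records], lookup


def reidentify(tag: str, lookup: dict) -> str | None:
    """Resolve a pseudonym back to the original value (authorized use only)."""
    return lookup.get(tag)


# Constructed sample telemetry, including a content field that must not survive.
SAMPLE_RECORDS = [
    {"timestamp": "2020-06-01T09:12:03Z", "user": "alice", "email": "alice@example.com",
     "hostname": "WS-0141", "application": "explorer.exe", "action": "copy_to_removable",
     "bytes": 52428800, "window_title": "Q3 Roadmap - Confidential.pptx"},
    {"timestamp": "2020-06-01T09:15:40Z", "user": "alice", "email": "alice@example.com",
     "hostname": "WS-0141", "application": "chrome.exe", "action": "upload",
     "bytes": 52428800, "window_title": "Drive - Upload"},
    {"timestamp": "2020-06-01T09:20:11Z", "user": "bob", "email": "bob@example.com",
     "hostname": "WS-0202", "application": "outlook.exe", "action": "send_attachment",
     "bytes": 1048576},
]

if __name__ == "__main__":
    safe, reid = pseudonymize_batch(SAMPLE_RECORDS, DEMO_KEY)
    for rec in safe:
        print(rec)
    print("re-identification entries held separately:", len(reid))
```

Because the pseudonym is deterministic under the key, the analytics tier can still build a baseline per user and per device and correlate a copy followed by an upload from the same pseudonymized identity, which is all the behavioral models need; the name behind the pseudonym is only resolved from the separately held table when a risk score justifies a focused investigation.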