
Clarifying a murky Insider Threat Detection market

By Avivah Litan | June 21, 2018

We just published research on insider threat detection solutions (see Go-to-Market for Advanced Insider Threat Detection) to clarify how different products help organizations with this use case.

Here are some key findings from our research note:

  • Three categories of advanced insider threat detection technology have emerged: stand-alone UEBA (user and entity behavior analytics) products, endpoint-based employee monitoring, and DCAP (data-centric audit and protection). Each category has its own costs and benefits.
  • Some buyers want insider threat analytics to sit on top of existing data collections and will be inclined to buy UEBA.
  • Others want visibility into all user activities and will be attracted to endpoint agent-based monitoring systems, while some want to focus on user access to specific file shares or datasets and will find DCAP most appealing.
  • Most buyers are not sure what configuration they want when they start their research and buying process — they just want insider threat detection efficacy and results.

See the figure below for our definition of inside(r) threats, i.e. abuse of access that a user has.


Our research compares the different insider threat detection technologies in detail. We also wrote up four case studies on how some of these products are used, in part to emphasize the variation in buyers, use cases, constraints and solutions. Vendors can use these case studies to translate product design into implementation success and to understand buyer pains and personas.

Here are the key takeaways from the case studies (end-user organization names are kept private, but vendor names are disclosed):


Case Study 1: Key Takeaways

Buyer: CISO at midsize investment firm.

Goal: Maximum user visibility without obtrusive technology and processes; replace host-based DLP in the future.

Constraints: CISO doesn’t want to classify data, and considers all data and information sensitive. System should support this.

Result: ObserveIT’s endpoint agent-based monitoring system enables visibility into all user activity, and supports rules that can be further developed as requirements evolve.


Case Study 2: Key Takeaways

Buyer: Insider threat manager at megasize global financial institution.

Goal: Machine learning and behavioral analytics applied to user behavior inside and outside the enterprise digital network and physical (building) network. Leveraging existing security controls and applying UEBA after those controls have done their job.

Constraints: Needs a system to support organization-wide governance process and segregation of duties, so that security staff are not the judge, jury and executioner.

Result: The Haystax UEBA ingests existing security control data and applies its models and behavior analytics on top of those systems’ alerts as well as other relevant organizational data.


Case Study 3: Key Takeaways

Buyer: Lead security architect for a bank’s governance and IT risk management division.

Goal: A system with machine learning and user behavioral analytics that sits on top of an existing data lake; enables different enterprise constituents to have their own models, analytics and user interfaces applied to the same datasets.

Constraints: System must use data already imported into the enterprise data lake, which serves different workgroups that each need their own use cases satisfied using UEBA.

Result: Gurucul’s UEBA sits on top of the enterprise data lake and provides out-of-the-box UEBA analytics for different use cases across the institution.


Case Study 4: Key Takeaways

Buyer: IT director for a higher education institution.

Goal: Detection of unauthorized extraction of unstructured data resident on file shares; the ability to prioritize detection alerts based on data classification.

Constraints: System must enable deep visibility into server-side file share activities, and must not depend on client endpoint agents.

Result: Varonis DatAlert provides behavioral detection capabilities based on file share activities to spot sensitive data misuse, administrative policy deviation and ransomware.


There’s certainly no one-size-fits-all when it comes to insider threat solutions. Hopefully our research note can be used to understand product differences and how they address buyer pains.
