Customer Stories: Discovering Unknown Issues

New insider risk use cases are constantly emerging, highlighting the gaps in companies' cybersecurity postures when they fail to fully consider the endpoint and endpoint user's actions. Imagine your organization as a dark room. Each security tool used shines a flashlight into a different area - IAM, anti-virus, web filtering, email security, etc. This may illuminate more areas, but without visibility into the end user's actual endpoint activity, there will always be a dark corner hindering security.

The importance of endpoint risk monitoring cannot be overstated. Without it, companies are blind to valuable pieces of data that are unavailable without the context of the endpoint user's actions and workflow. Endpoint risk monitoring provides a wealth of information about user behavior, including which applications are being used, which websites are being visited, and which files are being accessed. This information is essential to identifying potential security threats and preventing cyber-attacks.

Below are two excellent examples of cases where available cybersecurity and network-based security tools failed in exposing critical risks taking place in that dark corner of the room.

Use Case #1 – Discovering Fraud from the Ground Up

The Environment: The case took place in a financial institution that had recently installed innerActiv. As expected, being in the financial space, they had a multitude of security systems already in place, both physical and digital. Prior to the deployment of innerActiv, they did not have any user activity monitoring in place although there were other

The Problem: “Something unusual is happening” was all IT Security had to go on. They had several red flags on a specific employee, a loan originator, mostly coming from his co-workers and management. They had had a hunch for around a year that the user may be taking actions out of the norm, but were frustrated when investigations using their current software set came up with no actionable evidence.

The Solution: Without a clear target or a strong baseline of trends from this employee (the system was still newly installed), innerActiv started by:
- “Casting a wide net” of policies to this user and several of his peers to understand daily use and any variations
- Increasing the number of screen captures included in events to provide forensic and contextual evidence of actions for review
- Beginning periodic screen capturing on a timed basis to get an overall review of the user’s day and to provide a review of his screen information for unusual usage or visual red flags
- Ensuring Activity policies were active to allow IT Security to review his application usage, web contexts, file access patterns, and active times as both a stand-alone source of information and further validation of collected events

The Outcome: A year-long struggle ended in a week when multiple issues, including fraud, were revealed and remediation began. innerActiv revealed:
- Significant and ongoing fraud by the employee who had been opening loans and lines of credit using the identities of infirmed relative(s) without their knowledge or approval
- Bypassing of the organization’s standard security practices: the employee created free Gmail accounts for each customer he dealt with instead of using the approved secure portals. These free Gmail accounts were used to communicate and share financial and PII data back and forth between the customer and the bank.

Use Case #2 – Discovering Large-Scale Time Falsification

The Environment: The national automotive rental company originally deployed innerActiv as part of a strategy to minimize data loss during a large-scale downsizing. Layoffs are notorious for being extremely high-risk periods.

The Problem: After seeing the data that iA was able to gather, the company’s HR department approached innerActiv with a new problem – investigating a specific department that they felt was incorrectly reporting billable hours. Although they strongly suspected timesheets were being falsified, none of their existing software was able to nail the times down definitively. The suspicion was that one or several employees were using the timekeeping system inappropriately by clocking in or out for other employees. The problem had been ongoing for some time.

The Solution: innerActiv was deployed to the endpoints in the department with Activity timeline options active. Activity timelines were collected for analysis.

The Outcome: It quickly became clear that HR’s suspicions were correct to a significant degree, and now they had definitive data to handle it. Activity timelines clearly showed that one employee would clock in many users at the appropriate time in the early morning. Those employees would then begin arriving at work between 1 and 3 hours later, costing the company sizeable amounts in extra wages. Since the employee in charge of clocking in changed every day, traditional tools had a difficult time tracking the loss.
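As an added illustration (not code from the original page or from innerActiv), the correlation described above run over constructed records: each timekeeping clock-in is compared with that user's first observed endpoint activity, and any workstation used to clock in several people is surfaced. All users, workstations and timestamps below are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed timekeeping records: (user, clock-in time, workstation the clock-in came from).
CLOCK_INS = [
    ("alice", "2024-03-04T07:58:00", "WS-ALICE"),
    ("bob",   "2024-03-04T07:59:00", "WS-ALICE"),
    ("carol", "2024-03-04T07:59:30", "WS-ALICE"),
    ("dave",  "2024-03-04T08:01:00", "WS-DAVE"),
]

# Constructed endpoint activity timeline: first interactive activity seen per user and where.
FIRST_ACTIVITY = [
    ("alice", "2024-03-04T08:02:00", "WS-ALICE"),
    ("bob",   "2024-03-04T09:45:00", "WS-BOB"),
    ("carol", "2024-03-04T10:40:30", "WS-CAROL"),
    ("dave",  "2024-03-04T08:03:00", "WS-DAVE"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_clock_in_anomalies(clock_ins, first_activity, max_gap=timedelta(minutes=30)):
    """Return [(user, [reasons])] for clock-ins inconsistent with endpoint activity."""
    activity = {user: (parse(ts), ws) for user, ts, ws in first_activity}
    # How many people were clocked in from each workstation; more than one is a red flag.
    per_ws = {}
    for _, _, ws in clock_ins:
        per_ws[ws] = per_ws.get(ws, 0) + 1
    findings = []
    for user, ts, ws in clock_ins:
        reasons = []
        t_in = parse(ts)
        t_act, act_ws = activity.get(user, (None, None))
        if t_act is None:
            reasons.append("no endpoint activity observed on this day")
        else:
            gap = t_act - t_in
            if gap > max_gap:
                reasons.append(f"first endpoint activity {gap} after clock-in")
            if ws != act_ws:
                reasons.append(f"clocked in from {ws}, worked from {act_ws}")
        if per_ws[ws] > 1:
            reasons.append(f"{per_ws[ws]} clock-ins came from {ws}")
        if reasons:
            findings.append((user, reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in find_clock_in_anomalies(CLOCK_INS, FIRST_ACTIVITY):
        print(user, "->", "; ".join(reasons))
```

On the constructed data this flags bob and carol (late first activity, clocked in from someone else's workstation) and surfaces alice's workstation as the source of three clock-ins, while dave is not reported.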

The common thread

The common thread in both of these instances is the invisibility of these impactful incidents to the organization, despite each being well-equipped and proactive in its security stance. The incidents in question, financial fraud and time falsification, could not be substantiated by the organizations for months or years at a time simply because they did not have the proper light to shine into that black box of endpoint activity and user behavior. As soon as innerActiv was present to fill in the gaps, the cases became immediately clear, forensically sound, and able to be remediated quickly and efficiently.

Another commonality between these cases is the organization’s inability to move forward without accurate and actionable evidence of the incidents. This is a struggle shared by IT Security, HR, and legal teams alike when high-risk incidents are all but known, but cannot be addressed. innerActiv removes this barrier by providing objective and non-discriminatory data to these teams or others. Depending on the investigation, this may be in the form of policy violation events that include machine IP and MAC information, patterns of actions taken, screen capture timelines, document shadow copies or data excerpts, or even user-generated feedback. In other cases, this actionable data may be user activity times, application and file timelines, or tracking of unexpected idle times. These data sources are reported in real time and can be easily correlated. innerActiv’s risk scoring and built-in case file system make this actionable data readily available and accessible to IT Security, HR, legal, compliance, or others.
