Traditional DLP tools suck. There, I said it.
Too much noise for already-overloaded security operations teams means these tools get underutilized and, in some cases, hinder a security team more than they help it.
Offload the Security Team with Employee-Led Resolutions
There is an (incorrect) understanding that a security team has to be the one solving all the problems. Clearly, security is a shared responsibility and every security team is stretched thin.
So how can teams offload some of this work? In this blog I’m going to talk about the use of employee-led resolution of data loss issues, and how teams can integrate several tools (such as Tines, KnowBe4 and Slack) to make this seamless and effective.
Security is Everyone’s Problem
“Security is everyone’s problem” sounds great, but what does it mean? Well, many security challenges can be stopped or controlled by an individual user, rather than flooding the security team. However, to do this effectively we have to empower users to take the necessary and appropriate action, rather than simply forwarding a security alert to them; we must expect them to deal with it.
Traditionally, Security Awareness Training (SAT) programs or tools are in place to teach users about the threats and risks to their organization, and what they should do to try and avoid them. We’ve probably all completed some phishing awareness training at some point in our career. In recent years, though, we have seen a decline in the effectiveness of this approach, as employees get laden with mandatory, boring training that they grit their teeth through just to pass a compliance check.
If we were to apply the same approach to data protection, we would just end up exacerbating the problem and never actually reduce the amount of sensitive data leaving the organization.
New Workflows for In-Line Security Awareness Training
At Harmonic, I worked closely with the Product and Engineering teams to develop our webhooks. Security teams can send Harmonic alert data to a webhook endpoint, whether that be a SIEM, SOAR or another ingestion tool.
We use Tines, and built some awesome workflows that enable security teams to coach users to resolve their own issues in perfect harmony with the platform's user intervention features.
How it Works
Let’s break down how we did this:
Step One: Configure the Webhook
Using Tines, we select the Webhook input, copy the URL into Harmonic's webhook integration, and subscribe to all alerts.
Step Two: Store the Data
Next, we need to store this data somewhere; a database is a good start (but you could use Tines records). Here, we store event data such as Username, Email, Alert Timestamp and the Alert ID.
Quick win - use Notion’s database features! It’s free and super effective. An actual database is recommended for large deployments.
Step Three: Query the Database
We then query the database to see how many times the user has triggered an alert within a timeframe, let’s say 24 hours.
Step Four: Send to the Security Team
Here's where it gets fun! If this is the user's first alert, the SecOps team receives a notification in their alerts Slack channel as an FYI. At this point, we hope the user reads the intervention screen and takes the necessary action.
Note: If they don’t, and dismiss the intervention instead, you can subscribe your webhook to Intervention Actions and take further action!
Step Five: Directly Message the End User
If the alert triggers a second time, the user receives a message from Maestro (Harmonic’s data protection virtual expert) on Slack with information on what happened and advice on how to protect company data. This end-user nudging helps coach the user on their actions and what they need to do to keep the organization secure.
Step Six: Mandate Training
If the alert triggers a third time, we deliver mandatory, but short and engaging, content via the SAT platform.
It’s here that we can further coach a user in what to do. Rather than making them sit through hours of mandatory training on a boatload of topics, we deliver short, sharp and targeted training when it's required, catching the user at the right time with content directly related to the nudge from Maestro.
In the example below, I have set this up in KnowBe4.
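As an added illustration of Steps Two to Six (example code written for this article, not part of Harmonic's product or the Tines workflow), here is a small Python handler that stores incoming alerts, counts a user's alerts within the 24-hour window and picks the escalation tier. The payload field names, the sample deliveries and the duplicate-delivery check are assumptions; a webhook that is redelivered must not bump a user up a tier.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # look-back window from Step Three

# Constructed sample webhook deliveries. Field names are an assumption, not
# Harmonic's real webhook schema; the second entry is a duplicate redelivery.
SAMPLE_ALERTS = [
    {"alert_id": "a-1", "email": "ana@example.com", "timestamp": "2024-05-01T09:00:00+00:00"},
    {"alert_id": "a-1", "email": "ana@example.com", "timestamp": "2024-05-01T09:00:00+00:00"},
    {"alert_id": "a-2", "email": "ana@example.com", "timestamp": "2024-05-01T13:30:00+00:00"},
    {"alert_id": "a-3", "email": "ana@example.com", "timestamp": "2024-05-01T18:00:00+00:00"},
    {"alert_id": "a-4", "email": "ana@example.com", "timestamp": "2024-05-03T08:00:00+00:00"},
]

class AlertStore:
    """In-memory stand-in for the database (or Tines records) of Step Two."""

    def __init__(self):
        self.events = defaultdict(dict)  # email -> {alert_id: timestamp}

    def record(self, alert):
        """Store one alert; return False if its alert_id was already seen."""
        seen = self.events[alert["email"]]
        if alert["alert_id"] in seen:
            return False
        seen[alert["alert_id"]] = datetime.fromisoformat(alert["timestamp"])
        return True

    def count_in_window(self, email, now):
        """Step Three: distinct alerts for this user within the last WINDOW."""
        return sum(1 for ts in self.events[email].values() if now - ts < WINDOW)

def route_alert(store, alert):
    """Steps Four to Six: pick the escalation tier for one incoming alert.
    A redelivered alert_id returns None so it never advances the user's tier."""
    if not store.record(alert):
        return None
    now = datetime.fromisoformat(alert["timestamp"])
    n = store.count_in_window(alert["email"], now)
    if n == 1:
        return "notify_secops"     # FYI post in the SecOps alerts channel
    if n == 2:
        return "dm_user"           # Maestro DM with what happened and advice
    return "mandate_training"      # enrol the user in a short, targeted SAT module

def run(alerts):
    # Process deliveries in order and return the tier chosen for each one.
    store = AlertStore()
    return [route_alert(store, a) for a in alerts]
```

The fourth real alert falls outside the 24-hour window of the earlier three, so the user starts again at the FYI tier rather than being sent straight to training.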
Put the Power into the End Users’ Hands
The benefit of this targeted nudging is that you are putting the power into the end users’ hands to resolve the issue. Editing the input via the intervention pop-up allows them to double-check and make changes before a data loss event occurs.
Friendly, yet informative content delivered through a communication tool like Slack integrates smoothly into their workflow and preferred communication method. This approach gives users a chance to digest and understand what happened, helping them avoid similar issues in the future. Lastly, providing the right type of content at the right time avoids the monotonous mandatory training spiral.
Towards Fewer Alerts
The end goal is to have fewer alerts handled by the security team. This will give them more time to respond to the most critical threats and engineer new ways of doing things like this!
There are so many ways this can be achieved, and my example is just one of them. The beauty of webhooks is that you can take actions in a SOAR however you like and trigger a series of events that fit your culture, ways of working, or incident response playbooks.