Reducing insider risk through email monitoring

When collaboration and messaging software such as Slack and Microsoft Teams took the world by storm years ago, they were touted to be “email killers”. Yet, here we are in 2020 and email remains a ubiquitous channel that businesses use to communicate externally with customers, vendors, partners, and other organizations. This, in turn, makes it a high risk channel for loss of sensitive data and non-compliance by insiders.

The insider risk posed by this channel remains significant enough that the CERT division of Carnegie Mellon University in the United States, a leader in Insider Threat studies and management programs, recommends the following risk mitigation measures in relation to email use:

Alerting administrators to emails with unusually large attachments.
Tracking or preventing emailing, printing, copying, or downloading of certain information, such as PII or documents containing certain words such as new-product codenames.
Preventing or detecting emails to competitors, to governments and organizations outside the United States, or to webmail like personal Gmail or Hotmail accounts.

With this in mind, version 9 of our solution takes a significant leap forward in bolstering our data protection capabilities with the inclusion of support for monitoring Windows users’ Microsoft Outlook email activity. Our newly released Agent (that runs on and monitors events on end-user systems) monitors and takes action on email activity, while new policies help define which activities should raise sensors and/or trigger an action. For example, policies can detect emails containing PII. Security operators are alerted to risky or non-compliant use of email by employees, with the option of real-time blocking of such activity if it is deemed to be high risk. This, combined with contextual information on user activity before and after the alert on email activity is seen, provides a powerful way of understanding what actually happened and the intent behind it. Did an employee copy confidential files from a network share, zip it, and send it to a competitor organization? Or was it a case of sending a file she was working on to her personal email to finish up work over the weekend? Does this employee often send work docs to their personal email? The context of user application, file, web and network activity cannot be gained by looking solely at email logs or dedicated email monitoring solutions.

So, what kind of email monitoring capabilities do we have and how can they help? We monitor inbound and outbound email activity and provide policies that can be configured to monitoring the following:

Email header fields:

To
From
Cc
Bcc

Email subject content
Email body content
Email attachment content and size

Email policies can use optional blocking, blacklisting, or whitelisting capabilities on email header fields. Additionally, content inspection within the body or attachments can be used to audit and manage how confidential information is emailed outside of the organization. For example, is confidential information being emailed to foreign government agencies or competitors? Are documents with confidential project names being emailed outside of the organization? Are employees being non-compliant with Acceptable Use Policies (AUP) around email and handling of sensitive information? Are emails being received from known spam or phishing domains? By using our solution to both alert security operators to indicators of risk and non-compliance and provide in situ awareness and training to employees as necessary, you can significantly reduce insider risk. This seamless flow of integrating detection technology with compliance enforcement and process improvement allows for the easy adaption of different measures according to the situation.

For instance, in the Verizon Wireless Insider Threat Report of 2019, a whopping 73.4% of data breaches were found to be caused by privilege abuse - i.e., using existing logical access in an unauthorized manner. Under this category, would fall an employee who emails sensitive company documents to her personal email before going on vacation with the intention to complete a project during her time off. Although not malicious, this increases the company’s risk exposure in a couple of different ways. This personal email account could be sitting on a server in a different location, breaching GDPR and other regulations. This email account could be accessed from a personal laptop and the sensitive files could be downloaded to that laptop. The laptop could then be lost, stolen, or hacked into, furthering the risk of data loss and associated financial and reputational damage.

In such a situation, providing users with in situ awareness and training will go a long way in reducing risk of exposure. By adapting email monitoring policies to detect emails sent to personal or webmail accounts and simultaneously warning users of the risks of privilege abuse at the time of the incident, users can be gradually trained to adhere to company policies in place. In the above example, the employee may not have necessarily remembered company guidelines around email. An employee may not think that anyone is watching, or she could have intentionally violated those guidelines, preferring to choose the flexibility of getting work done at home in spite of the security risk posed by such an action. A reminder of company Acceptable Use Policies at the time of non-compliance acts as a deterrent to further such activity and ensures corporate information remains within the bounds of acceptable risk built around corporate security measures.

In other cases, the intent could be malicious;an employee could send company IP to their personal email before leaving the organization, or a disgruntled employee could exfiltrate information to external third parties. Our policies look for predefined and custom configured sensitive content within attachments and the body of an email. Policies can alert administrators to threats even if users try to hide their actions under the radar by bcc’ing unauthorized recipients. In such situations, depending on the sensitivity of the content being sent and the recipients, implementing more stringent measures that prevent that email from being sent might be a better approach than just warning the user responsible.

With these enhanced capabilities, we further reduce the data loss risk surface by supporting organizations’ people and processes with great technology.

_{This post was originally published in May 2020 and has been updated for comprehensiveness.}