Skip to main content

018: Set Insider Risk Management policies

Overview

Insider Risk Management allows you to monitor activities by risky users using state of the art AI algorithms. By default, no special data collection or monitoring is performed for users, but specific events, such as the user triggering a specific DLP rule or them announcing to HR their intention to leave the company, trigger detailed analysis of the past and future user activity to identify potentially malicious behavior, including actions such as collecting sensitive data in removable drives, printing sensitive documents or attempting to bypass physical access controls. While the Zero Trust principles indicate that no activity should be blindly trusted, using Insider Risk Management to put special focus on users which are in a heightened state of risk allows for more focused policies to be enforced as needed.

In order to benefit from this capability, you need to create and manage insider risk management policies based on in-scope groups of employees and the type of risk activities that you want to detect and investigate (i.e. policy indicators). In the context of a Zero Trust implementation, the following policies are of specific value:

  • Data Theft by departing users
  • Data Leaks by priority users
  • Risky AI usage
  • Security Policy Violations

In addition to these policies, Insider Risk Management can be also used to identify risky users to which more restrictive DLP policies will be applied. Any of the policies above can be used to put risky users in the scope of more aggressive or restrictive DLP policies that are too limiting to be applied to the whole population.

Reference