Insider risk is a tricky challenge for security teams: how can you tell the good actors from the bad, or intentional actions from mistakes? Anyone with approved access to endpoints and SaaS systems could expose data to exfiltration risk if those systems are focused solely on preventing outsiders from getting in.
Data loss prevention (DLP) allows security teams to see what’s really going on inside endpoints, SaaS apps, and gen AI tools through file lineage, AI-driven content inspection, and identity provider (IdP) information. In this example, we’ll show you how Nightfall prevents insider risk using lineage, AI content inspection, real-time remediation and alerting, and custom policies.
Insider risk illustrated: Nightfall DLP vs. Bob
Consider one of the most common insider risk scenarios: Bob, a disgruntled employee, has access to SaaS, cloud storage, and endpoints and wants to take company secrets to his new job when he leaves.
On his last day at work, Bob raids his company's Google Drive account and grabs a tax return, an investor pitch deck, and a customer list. He also downloads proprietary Python code from a GitHub repo.
Reactive security won’t do any good once these assets and secrets leave protected environments. Preventing access and downloads/uploads is the best way to protect sensitive data from insider risk.
Here’s how Nightfall does it:
- Bob tries to upload the stolen assets to his personal Box account.
- Behind the scenes, Nightfall detects this action and blocks any attempted transfer immediately.
- Bob receives a message directly inside his Box interface, plus a message via Slack or email notifying him about the action he’s trying to take.
- Instead of applying a blanket policy to every file movement, Nightfall alerts the end user and asks for the reason behind the behavior.
- The company fine-tunes its Nightfall instance to distinguish legitimate threats from sanctioned actions. Security increases while alert fatigue decreases.
A deeper level of security with DLP
A deeper look into the Nightfall console shows how security teams can triage Bob’s actions directly in the console, or share these threat events into a SIEM or SOAR. The security team can see a more complete view of what’s going on with Bob thanks to data lineage — something only Nightfall can offer among other DLP solutions:
- Any attempted browser uploads were immediately blocked.
- A full event summary with every action from Bob, with notifications to the end user and to the security team.
- Asset data (detected by Nightfall’s AI-trained models), including an active Stripe key in the code Bob tried to upload.
- A complete lineage of the file, from when it was created to when and where it moved around the company’s digital spaces, to Bob’s exfiltration event.
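The workflow above (upload attempt, content inspection, block or alert, ask the user for a reason) and the console view (findings such as a Stripe key, plus file lineage) can be expressed as one small policy check. The following is an added example written for this page, not Nightfall's code or API: it scans file content with illustrative regex detectors, checks the destination against an assumed list of sanctioned locations, records a lineage event for the attempt, and returns the decision together with the message an end user would see. The detector patterns, destination names, user-risk levels and the sample key are all constructed assumptions.

```python
"""Added example (not Nightfall's code): a minimal DLP upload check modelled on the
Bob scenario. It inspects content for secrets, checks the destination against a
sanctioned list, records a lineage event, and returns a decision plus the
message an end user would see. All patterns and policy values are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Illustrative secret detectors (assumption: a real DLP uses trained models and
# key validation; simple regexes keep this example runnable offline).
DETECTORS: Dict[str, re.Pattern] = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Assumed policy: company-controlled destinations where uploads are expected.
SANCTIONED_DESTINATIONS = {"box.com/corp-tenant", "drive.google.com/corp"}


@dataclass
class LineageEvent:
    actor: str
    action: str      # e.g. "created", "downloaded", "upload_attempt"
    location: str    # where the file was at the time of the action
    detail: str = ""


@dataclass
class FileRecord:
    name: str
    content: str
    lineage: List[LineageEvent] = field(default_factory=list)


def redact(secret: str) -> str:
    """Keep only the prefix and tail so alerts and logs never carry the full secret."""
    return secret[:8] + "..." + secret[-4:]


def inspect_content(content: str) -> List[Tuple[str, str]]:
    """Run every detector over the content; return (detector name, redacted match)."""
    findings = []
    for name, pattern in DETECTORS.items():
        for match in pattern.finditer(content):
            findings.append((name, redact(match.group())))
    return findings


def evaluate_upload(file: FileRecord, actor: str, destination: str,
                    user_risk: str = "normal") -> Dict[str, object]:
    """Decide whether an upload is blocked, allowed, or allowed with an alert that
    asks the user for a justification, and append the attempt to the file's lineage."""
    findings = inspect_content(file.content)
    sanctioned = destination in SANCTIONED_DESTINATIONS
    if findings and not sanctioned:
        decision = "block"   # sensitive content leaving a controlled space
    elif findings or user_risk == "high":
        decision = "alert"   # ask for a reason instead of a blanket block
    else:
        decision = "allow"
    file.lineage.append(LineageEvent(
        actor, "upload_attempt", destination,
        f"{decision}; findings={[f[0] for f in findings]}"))
    messages = {
        "block": (f"Upload of '{file.name}' to {destination} was blocked: "
                  f"it contains {', '.join(f[0] for f in findings)}."),
        "alert": (f"Upload of '{file.name}' to {destination} needs a business "
                  f"justification before it is cleared."),
        "allow": "",
    }
    return {"decision": decision, "findings": findings,
            "user_message": messages[decision], "lineage_depth": len(file.lineage)}


def bob_scenario() -> Dict[str, object]:
    """Replay the article's scenario with constructed data (the key is not real)."""
    code = FileRecord("billing.py",
                      'STRIPE_KEY = "sk_live_FAKEFAKEFAKEFAKE0000"  # constructed sample\n')
    code.lineage.append(LineageEvent("alice", "created", "github.com/corp/billing"))
    code.lineage.append(LineageEvent("bob", "downloaded", "github.com/corp/billing"))
    return evaluate_upload(code, "bob", "box.com/personal-bob")


if __name__ == "__main__":
    result = bob_scenario()
    print(result["decision"], result["findings"], result["user_message"])
```

The three-way decision is the point of the example: a secret headed for an unsanctioned destination is blocked outright, while a secret moving between sanctioned company locations, or any upload by a high-risk user, produces an alert that asks for a justification rather than a blanket block. Matches are redacted before they reach lineage or the user message, so the alerting path never becomes a second leak of the credential.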
The intelligence from Nightfall’s detection and content inspection allows Bob’s company to create flexible policies to pinpoint true threats and prevent inappropriate access to secret files and drives. With Nightfall, the company can recognize information about users, user groups, and user risk, including blocking asset upload attempts from high-value company SaaS sources.
Cloud storage and sharing are smarter with all-in-one DLP from Nightfall: it allows users to access the files and drives they need to do their work while protecting sensitive data, secrets and credentials, and confidential information from insider risk.
A proactive approach to insider risk
Nightfall’s insider risk capabilities put the power back in the hands of the security team and end users. Our all-in-one DLP provides automated data detection, allows employees to correct issues in real-time, and reduces manual alert remediation.
Go beyond reactive, incident-driven security to build a security-first culture across all teams. Learn more about how to solve insider risk with Nightfall by scheduling a demo with an expert on our team.