Many mature security organizations have people or teams focused on proactively hunting for threats. One of Sift Security’s co-founders, Ram Sripracha, spent a lot of time in his previous role on Amazon’s security team hunting for threats using a leading enterprise search tool. This experience inspired him to create Sift Security to fill in the gaps he found in existing security tools.
Consider an employee, Amos, who is leaving the company under unusual circumstances. We have reason to suspect that Amos might be stealing confidential information. Here is how Sift Security could be used to determine whether Amos poses an insider threat.
In our deployment of Sift Security, we are monitoring email metadata, network activity, and host audit logs. Since email is one of the most common channels over which data is exfiltrated, we begin the investigation at Amos’s email account. We narrow the investigation to the past few days and look at all of the files Amos attached to email messages. We find 32 such attachments and begin with the largest one. We identify the message it was attached to and the recipients it was sent to. One recipient address appears to be a personal account belonging to Amos.
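The hunt described above, written out as an added example that is not Sift Security’s code: narrow email metadata to one sender and a time window, keep only messages with attachments, start from the largest, list its recipients, and flag any recipient outside the corporate domain that looks like a personal account of the sender. The metadata records, the corporate domain and the name-matching heuristic are all constructed assumptions for illustration.

```python
"""
Added example (not Sift Security's code): an insider-threat hunt over email
metadata following the steps in the post. Log records, the corporate domain
and the personal-account heuristic are constructed assumptions.
"""
from datetime import datetime

CORP_DOMAIN = "example.com"  # assumed corporate mail domain

# Constructed email metadata: one record per message, attachments as (name, bytes).
EMAIL_LOG = [
    {"ts": "2016-03-07T09:12:00", "from": "amos@example.com",
     "to": ["lead@example.com"], "attachments": [("q1_plan.pptx", 1_200_000)]},
    {"ts": "2016-03-08T17:45:00", "from": "amos@example.com",
     "to": ["amos.k@mailhost.test"], "attachments": [("customer_list.xlsx", 8_400_000)]},
    {"ts": "2016-03-08T18:02:00", "from": "amos@example.com",
     "to": ["hr@example.com"], "attachments": []},
    # Outside the time window: should be ignored even though it is large and external.
    {"ts": "2016-02-20T10:00:00", "from": "amos@example.com",
     "to": ["amos.k@mailhost.test"], "attachments": [("old_notes.txt", 9_000_000)]},
    # Different sender: should be ignored.
    {"ts": "2016-03-09T08:30:00", "from": "bea@example.com",
     "to": ["amos.k@mailhost.test"], "attachments": [("x.zip", 50_000_000)]},
]


def attachments_sent_by(log, sender, since, until):
    """Steps 1-2: one sender, one time window, messages with attachments only.
    since/until are ISO-8601 strings. Returns (size, name, message) tuples."""
    lo, hi = datetime.fromisoformat(since), datetime.fromisoformat(until)
    found = []
    for msg in log:
        ts = datetime.fromisoformat(msg["ts"])
        if msg["from"] != sender or not (lo <= ts <= hi):
            continue
        for name, size in msg["attachments"]:
            found.append((size, name, msg))
    return found


def largest_attachment(items):
    """Step 3: begin with the largest attachment (None if there are none)."""
    return max(items, key=lambda t: t[0]) if items else None


def external_recipients(msg, corp_domain=CORP_DOMAIN):
    """Step 4: recipients whose domain is not the corporate domain."""
    return [r for r in msg["to"] if r.rsplit("@", 1)[-1].lower() != corp_domain]


def looks_like_personal_account(sender, recipient, corp_domain=CORP_DOMAIN):
    """Assumed heuristic: an external address whose local part contains the
    sender's local part (amos -> amos.k@...). An analyst confirms this manually."""
    s_local = sender.split("@")[0].lower()
    r_local, r_domain = recipient.lower().rsplit("@", 1)
    return r_domain != corp_domain and s_local in r_local


def hunt(log, sender, since, until):
    """Run the full hunt and return a summary dict for the analyst."""
    items = attachments_sent_by(log, sender, since, until)
    top = largest_attachment(items)
    if top is None:
        return {"attachment_count": 0, "largest": None}
    size, name, msg = top
    ext = external_recipients(msg)
    return {
        "attachment_count": len(items),
        "largest": name,
        "size": size,
        "recipients": list(msg["to"]),
        "external": ext,
        "suspected_personal": [r for r in ext if looks_like_personal_account(sender, r)],
    }


if __name__ == "__main__":
    print(hunt(EMAIL_LOG, "amos@example.com", "2016-03-07T00:00:00", "2016-03-10T00:00:00"))
```

The summary is a starting point, not a verdict: the external recipient is surfaced so an analyst can pivot to the network and host audit logs mentioned above and confirm what the attachment contained and where else it went.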