Like human fingerprints, your employees’ network activity leaves behind digital footprints: a unique set of tracks that identify who did what, where and when. A user’s digital footprint is an asset to your organization, helping you identify the combination of activity and behaviors that led, intentionally or by chance, to an attack or the introduction of malware on your network.

Digital footprints fall into two categories – passive and active. Passive footprints are left behind unintentionally by users as they interact with the network; active footprints are the trail of information that employees intentionally share or post on websites or social media platforms. Digital Footprint Management (DFM) systems aggregate data from both the active and passive footprints, providing a consolidated, extensive and comprehensive view of network interactions. A typical digital footprint reveals important information about websites visited, files accessed, downloaded materials, email activity, Wi-Fi usage and more. Digital footprints also identify instances where files were renamed or transferred to cloud-based sharing platforms or external devices.

How is the digital footprint relevant? Organizations face many insider threats from both deliberate and unintended behaviors; even well-meaning employees can introduce malware by accident or unintentionally leave your company’s data vulnerable. The 2015 Vormetric Insider Threat Report[1] relates that over 22% of US organizations experienced a data breach in the last 12 months, and that 93% of organizations “said they feel vulnerable to insider attacks,” while only 7% feel safe. According to a recent Ponemon report[2], it took an average of 170 days to detect an attack, and an additional 82 days to contain and remediate it! When an infection occurs, digital footprints are invaluable in allowing network administrators to quickly identify the point of infiltration and speed the containment and remediation process.

Staying one step ahead with alerts. As users interact with the network and further define their footprint, alerts can be triggered when users visit specific websites, download suspicious files, or plug in USB storage drives and other external devices. An endpoint management solution can play a vital role in detection by delivering comprehensive email visibility, identifying email subject, sender, content and attachments, strengthening phishing prevention and protecting against other common threats.

An Efficient Path to Investigation. In the event of a network infection, centralized and detailed activity logs help determine which employee and which device introduced the problem, saving IT staff hours of investigative work and allowing them to efficiently and effectively address it. Tracking activity and having access to all users’ digital footprints helps solve issues quickly, efficiently, and in the least expensive way.
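The two preceding sections describe alerting on specific website visits, risky downloads and removable media, and then using centralized activity logs to trace an infection back to the employee and device that introduced it. The following is an added example written for this article to show both ideas in working code; it is not Interfocus’s product or any vendor’s API. The pipe-delimited log format, the watchlist of domains, the "external destination" heuristic and every event in the sample log are constructed for the example.

```python
"""Added example: activity alerts and root-cause lookup over an endpoint activity log.
Illustrative code for this article, not a vendor product. Log format, watchlist
and sample events are all constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log (not real data). Format: timestamp|user|device|action|detail
SAMPLE_LOG = r"""
2016-03-01T08:02:11|alice|LAPTOP-07|web_visit|https://intranet.example.local/news
2016-03-01T08:15:40|bob|DESKTOP-12|web_visit|http://free-downloads.example.net/tools
2016-03-01T08:16:02|bob|DESKTOP-12|download|invoice_viewer.exe
2016-03-01T09:30:19|carol|LAPTOP-03|usb_mount|SanDisk Cruzer
2016-03-01T09:31:05|carol|LAPTOP-03|file_copy|Q1_financials.xlsx -> E:\Q1_financials.xlsx
2016-03-01T10:05:44|bob|DESKTOP-12|file_rename|invoice_viewer.exe -> svchost_update.exe
2016-03-01T10:06:10|bob|DESKTOP-12|file_copy|svchost_update.exe -> \\fileserver\share\svchost_update.exe
2016-03-01T11:12:33|dave|DESKTOP-04|file_open|\\fileserver\share\svchost_update.exe
"""

# Assumed policy inputs for the example: sites and file types that warrant an alert.
WATCHED_DOMAINS = {"free-downloads.example.net"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".ps1")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    device: str
    action: str
    detail: str


def parse_log(text):
    """Parse the pipe-delimited log into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, action, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, device, action, detail))
    return sorted(events, key=lambda e: e.ts)


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def split_transfer(detail):
    """Renames and copies are logged as 'src -> dst'."""
    src, dst = detail.split(" -> ", 1)
    return src, dst


def is_external(dst):
    """Heuristic (assumption for the example): removable drive letter or cloud-sync folder."""
    return bool(re.match(r"^[D-Z]:\\", dst)) or any(k in dst.lower() for k in ("dropbox", "onedrive"))


def alerts_for(event):
    """Alert messages for one event under the rules above; empty list if none trip."""
    if event.action == "web_visit":
        host = urlparse(event.detail).hostname or ""
        if host in WATCHED_DOMAINS:
            return [f"watched site visited: {host}"]
    elif event.action == "download" and event.detail.lower().endswith(RISKY_EXTENSIONS):
        return [f"executable download: {event.detail}"]
    elif event.action == "usb_mount":
        return [f"removable media attached: {event.detail}"]
    elif event.action == "file_copy":
        _src, dst = split_transfer(event.detail)
        if is_external(dst):
            return [f"file moved off host: {dst}"]
    return []


def run_alerts(events):
    """(user, device, timestamp, message) for every event that trips a rule."""
    return [(e.user, e.device, e.ts.isoformat(), msg) for e in events for msg in alerts_for(e)]


def trace_origin(events, artifact):
    """Walk rename/copy chains backwards from `artifact` to the download that introduced it.
    Returns that Event, or None if the file's arrival was never logged."""
    aliases = {}  # new basename -> previous basename
    for e in events:
        if e.action in ("file_rename", "file_copy"):
            src, dst = split_transfer(e.detail)
            if basename(src) != basename(dst):
                aliases[basename(dst)] = basename(src)
    name, seen = basename(artifact), set()
    while name in aliases and name not in seen:  # `seen` guards against rename cycles
        seen.add(name)
        name = aliases[name]
    for e in events:  # oldest first, so the first match is the point of entry
        if e.action == "download" and basename(e.detail) == name:
            return e
    return None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in run_alerts(evs):
        print("ALERT", *alert)
    origin = trace_origin(evs, r"\\fileserver\share\svchost_update.exe")
    print("introduced by", origin.user, "on", origin.device, "at", origin.ts)
```

Running the block flags bob’s visit to the watched site and his executable download, plus carol’s USB mount and her copy of a spreadsheet to the removable drive. The trace then follows the renamed file that dave opened on the share back through bob’s rename to the original download on DESKTOP-12, which is exactly the "which employee and which device" question the investigation section asks.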

Education: the key to prevention. By determining the who, what, when and how, administrators have the knowledge to educate other users and to adjust policies to prevent repeat occurrences. Policies established at the highest levels of your organization and enforced by IT staff and tools keep management informed and allow them to build a strong defense from the critical information obtained. Forensics data and processes are essential: 66% of organizations indicate that they want full visibility of log files, network traffic, endpoint forensics and other volatile data to respond and to explain that response to their organization.[3]
With the right technology in place, the security team can have the forensics necessary to investigate insider threats from every angle and take the necessary steps towards prevention.  Accessing a user’s digital footprint is the key to preventing and recovering from threats and attacks efficiently and with minimal disruption.

About the Author:  Greg Jorgensen is the President of Interfocus Technologies.  Interfocus is an endpoint management and insider threat security solutions provider enabling visibility into user activity, controlling IT assets, enforcing policies and protecting continuously compliant enterprises.

[1] http://enterprise-encryption.vormetric.com/rs/vormetric/images/CW_GlobalReport_2015_Insider_threat_Vormetric_Single_Pages_010915.pdf, “Vormetric Insider Threat Report 2015,” Vormetric Data Solutions, January 2015

[2] http://go.cyphort.com/Ponemon-Report-Page.html, “The State of Malware Detection & Prevention,” The Ponemon Institute, March 2016

[3] http://www.ponemon.org/local/upload/file/AccessData%20Report%20Final.pdf, “Threat Intelligence & Incident Response: A Study of US and EMEA Organizations,” The Ponemon Institute, February 2014