
Curiosity – Our Path to Risk Insights

An open framework and curious mindset provide great insights

I’ve been asked recently about how we developed Information Centric Analytics (ICA), Symantec’s User Entity Behavior Analytics solution, and in particular the focus on data loss risk.  This is a great question.  If you go back a few years, the world of Data Loss Prevention (DLP) seemed straightforward – at least in theory.  The focus was to find the data you cared about, and then keep it safe.  But if, like me, you are curious, you will be wondering what else could be done to solve this problem in a more effective way?  That’s exactly what both we, and our customers, have been doing – bringing more insights to reduce data loss risk.

I am very proud to be part of the team whose technology is being used by the world’s leading organizations.  Our customers are at the forefront of operating highly mature DLP programs, and as such I have the opportunity to have deep and open conversations about how to develop our solutions to better serve them.  It was from these exchanges that came the germ of the idea for the predecessor of ICA, a technology that was developed by Bay Dynamics, which was later acquired by Broadcom to enhance our DLP offering.

What we developed was a risk engine, a technology that really helped customers be able to ‘slice and dice’ data. Customers now had a mechanism that allowed them to be curious. I describe this as allowing them “to choose their own adventure”.  Symantec provides a broad array of security intelligence, with data feeds spanning endpoint, web, cloud, and email.  Just imagine the power that providing this greater context and insight can bring to the understanding and management of risk.  ICA truly has the flexibility to support customers in unique and powerful ways, allowing them to explore new ways to reduce data risk.


As I worked alongside customers, a common theme emerged - having a broad range of inputs allowed better management of data risk.  Let’s take an example.  If you start with only a data-centric view of data loss, then you tend to think of the problem in a limited way.   First, you might want to find if there is any sensitive data on a particular server or endpoint, and then consider the response (perhaps to encrypt the data or device).  This is what you might expect a data protection product to do.  What happens if you are allowed to follow your curiosity? So much more can be done.  What if you could now see not only the server, but report on what vulnerabilities are in the operating system, and if there were live threats that could exploit the vulnerability, and if the user activity on that server was suspicious? Clearly, this extra context would allow a more considered decision to be reached.

Having established a flexible technology base to cope with multiple security inputs, we decided to explore other applications of the technology.  For example, I often hear customer requests for reducing risk in data loss programs – ranging from tracking the ‘breadcrumbs’ a user would leave behind (and using this to profile their risk against other populations), seeking help in optimizing DLP controls, protecting virtual machines or improving DLP incident response.  I led the team that developed intelligence technology so customers could understand the response behavior related to multiple events. This automation consolidated low-priority incidents together, allowing their incident responders to focus on the most pressing cases, particularly when presented using Attack Chain models.  In short, to reduce the signal-to-noise ratio from their incident reporting system.  You can read more about these benefits in this blog.

Since being part of Symantec and Broadcom, the innovation journey has continued.  I’m pleased with the progress that’s been made.  ICA is now integrating into DLP Cloud and I am personally excited about the role of ICA in helping customers solve new security challenges.  By approaching problems with data curiosity (and a little bit of data science) I know ICA can help customers stop seeing the world a pixel at a time, and instead appreciate the full picture.

Find out more about Symantec DLP and ICA here.


About the Author

Joe DeRobertis

Director, R&D Software

Joe is the engineering owner for several Symantec Enterprise Products, including Information Centric Analytics and CloudSOC UEBA, focusing primarily on UEBA, risk detection, and risk analytics.
