Teramind stood out at RSA 2018 as a company that offers a solution to a major challenge in cybersecurity: the efficient operationalizing of security policy. Their solution combines user session recording and indexing with sophisticated, rule-based alert templates.
Teramind monitors and records all user sessions, with both video and optical character recognition (OCR) playback and analysis. Then, with a process they call “Intelligent Session Mining,” Teramind indexes all text that appears on a screen, even in images, remote desktops, and Java applications. The solution then exploits this rich session data to mitigate insider threats and detect suspicious behaviors.
What’s compelling about Teramind is its ability to put teeth into policies. A typical corporate security policy might say, “Information will be protected against any unauthorized access.” As most of us know, implementing a policy like this is quite difficult. While it might be relatively simple to restrict access to sensitive databases, there’s a huge middle ground of confidential documents and communications where unauthorized access to information might occur.
For example, imagine that an employee sends an email to a Gmail address that says, “I just saw our new patent application. So interesting. Can we have coffee sometime?” What’s going on? Is the employee writing to the company’s patent attorney or is he or she leaking valuable intellectual property to an outside party?
It’s a good question, but one that may be essentially impossible to answer for two reasons: 1) the email has to be discovered and read; and 2) it must be interpreted accurately. Then, whoever reads and interprets the message has to take the right action in response. In reality, this level of policy enforcement is not going to happen without dedicated tooling.
“People are uncomfortable talking about insider threats,” said Isaac Kohen, Teramind’s CEO and Head of Product. “We get that, but it’s a very serious matter. Insiders can be threats, even if they don’t know it. What Teramind offers is a way to determine if there is an insider problem in a fair way. If someone’s up to no good, you want to know. If the behavior is benign, you can stay out of people’s way.” Kohen started his career in quantitative finance by programming trading algorithms at a major hedge fund. He has leveraged this background to hone Teramind’s rules-based analysis of end user behavior.
Teramind enables administrators to discover potential insider threats by setting up rules-based templates. In the example above, a security analyst might establish a rule that whenever an employee uses the word “patent” in an email, the email gets flagged and the analyst is alerted. Teramind can search for patterns and create alerts based on suspicious behaviors. A rule could monitor how many times an employee sends emails with flagged words, for instance.
The solution can automatically take actions based on rules tracking observable employee activity. Teramind could be set to block an email with the word “patent” in it, for example. Security analysts can play user sessions back in video form or examine session metadata. The solution can also track user productivity by measuring idle time. Teramind was truly a highlight of RSA 2018.