Teramind – A Fully Customizable Approach to User Behavior Monitoring and Insider Threat Prevention
With employees having access to more sensitive information than ever, companies need the ability to detect and prevent threats from inside, be they through negligence or malicious intent. However, differences between industries and company cultures require more than a one-size-fits-all approach. Teramind provides a totally customizable employee behavior monitoring solution to identify suspicious activity, spot possible threats, measure productivity, and ensure industry compliance.
Please tell us a little bit about your background and current position at Teramind.
My background is in software engineering and IT security consulting. I am the CEO of Teramind, which I founded in 2014. At Teramind we develop state-of-the-art applications for user behavior analysis, insider threat prevention, and session recording.
What are some examples of insider threats?
Insider threats come from employees through malicious activity or just negligence. Not every threat is a user who is evil or has bad intentions. For instance, a person with legitimate access may inadvertently respond to a phishing email and expose their credentials.
Other types of insider threats come from negligence, for example, an administrator who makes changes to a database system with disastrous side effects to the database.
Employees looking for another job can also be considered an insider threat since they may take the company’s intellectual property or customer lists to their new place of employment.
And then of course you have the really malicious users, employees who steal data or cause reputational damage to a company. We had an interesting case with a company that was concerned about the radicalization of their employees. They wanted to know which of their users were being exposed to radicalizing content so that they could take action based on that information.
How does Teramind monitor and react to employee activity that is deemed threatening?
Teramind is one of the most complete tools for monitoring employee behavior in the sense that it monitors everything. Then it is up to the user to determine how to interpret what Teramind captures. We provide a few hundred templates of behaviors to help our users develop the rules most pertinent to their insider threat concerns. They can choose to detect and capture questionable behavior related to privacy protection, security, jobs, and productivity.
So, for example, if they want to monitor when someone is getting ready to leave the company and pursue other opportunities, they would consider setting up specific rules within Teramind. A user spending more time than usual on LinkedIn or searching job sites like Indeed or Craigslist would be the type of behavior they want to capture.
Another example would be health records, which today are worth more than financial records. Therefore, the type of behavior you may be interested in is when an employee views patient health records or for that matter, anything related to a patient’s healthcare outside of the company’s healthcare management program. If Teramind detects a patient name and a drug type inside a Gmail window, that’s a problem that you want to be alerted about.
In addition, by learning the baseline of a user or group we can detect anomalies. For example, if we learn that a user or group typically sends 30 emails a day and one day they send 300 emails, you will be alerted. So, it not only alerts you to behavior that you define as questionable, but it also can alert you if a user changes their behavior.
Can an organization set rules within Teramind as to which employees to monitor?
It can, but that may be overmining. We find that when you generalize a bit, you get more quality alerts and fewer false positives. But certainly, if you needed to exclude an administrator from a certain rule or only have a rule apply to someone who is suspect, it can be applied that way for sure.
Can Teramind be used to monitor employees or freelancers who work off-site?
Yes. 20-30% of today’s workforce in the United States are remotely employed, and that number is expected to grow. Also, outsourcing is a big threat as companies send out data all the time to India, China, and the Philippines. We built the Teramind system with that in mind, allowing monitoring and limiting activity by those accessing your system remotely.
How does Teramind respond when it detects rule violations?
It is up to each company how they configure the rules to best suit their concerns. We provide a whole lot of templates to get our users’ imagination going. Teramind can be configured to respond with actions like alerting the administrator or just alerting the user, blocking the user, even blocking and alerting. So, let’s say an employee is on social media more than 20 minutes a day. You may not want to block them, but you may want to show a pop-up alert, “Your time for social media has exceeded 20 minutes,” making it a user education thing. You can also choose an action that will close an application after a certain amount of time.
Depending on the rule, you can also redirect users. Let’s say you have a “no Instagram” rule – if an employee attempts to go to Instagram, they can be redirected to your company’s website.
Since Teramind does file content analysis, if an employee downloads a file from SharePoint, encrypts it, zips it and then tries to email it, a company can choose to block this type of email from going out.
You can even kick a user out – completely lock them out of their workstation. So, the actions really depend on the context and the rules that each company sets.
Is user activity and behavior constantly being captured?
Teramind is a very robust recording engine that captures all data and user activity including keystrokes, websites, searches, printing of documents, and audio for call centers. In fact, some clients use us for compliance. Let’s take, for example, the case of a clerk who looks at sensitive data all day. While that’s not a violation, as it’s his job, some regulations may mandate that he needs to be recorded while viewing this data. So, we fill that gap as well.
However, you don’t have to record everything – you can choose to record only rule violations. We are an endpoint-based system where that endpoint can be configured with a buffer, so the recorded data will not be uploaded to the server unless an alert is triggered. Let’s go back to the previous example of an email containing patient information and a drug name addressed to an email address outside of the company’s domain. When setting a rule for this type of behavior, not only can you choose to have this email blocked, you can configure Teramind to record the five minutes before the attempt to send the email and the five minutes after. If there is even one rule, for example, that requires recording 5 minutes prior to a rule violation, then we will configure a buffer of 5 minutes. So yes, it is constantly recording, but it is constantly overwriting except for that 5-minute buffer. That’s what makes Teramind proactive, and not just reactive.
How does Teramind calculate “productivity”?
Good question. We collect a lot of data, so we can measure things like users’ idle time, computer interaction, how fast they type, mouse movements, what websites have been visited and for how long. This is a great gauge of productivity for employees that do computer-based activity like data entry, programming, any work involving intensive interaction with the computer. This data generates reports that show when the user worked, when they arrived and left, and the length of their breaks.
In addition, we let you define which applications and websites are productive and which are not, and you can define that further for each department. So, while spending time on social media sites is very productive for a social media department, it is not a very productive activity for the data entry department.
Moreover, you can get a breakdown of how much time an employee spent on productive versus nonproductive applications and websites. So, you can see if an employee worked 9-5 but 70% of their time was spent in applications that were not productive for them.
You can also automatically assign tasks to qualify what the user is doing. For example, when a user is in their CRM and inside the email marketing software, you can, say, qualify that time as being engaged in sales. You can then define different groups of applications and websites and enter your payroll information into Teramind. Our reports show how much time that person/department/entire company spent on a specific task and give you an idea of how much every type of task costs the company.