Company profile
A multi-brand retailer operates more than 2,500 stores in North America, Asia, and Europe. In addition to Point of Sale devices, each retail outlet maintains back-office Windows PCs that are used by multiple retail managers, assistant managers, and regional managers for employee shift scheduling, viewing and managing inventory, and other tasks. All back-office devices are connected to the corporate network and run endpoint detection and response (EDR) software to protect the PCs and corporate network from malware and similar attacks.
The need
According to the organization’s Information Security Manager, the security team was concerned about their lack of visibility into activity on the back office endpoints. While they were satisfied with the protection their EDR solution provided against external malicious attacks, they had no idea how back office devices were used. While they had network-level visibility, they needed user-level visibility. In the Information Security Manager’s words, “No EDR alert does not mean there is no risk.”
In particular, they required better visibility into unauthorized use of external drives. A regional manager had recently traveled to several stores and printed documents from a thumb drive that contained malware, infecting back office devices in several stores. They required a solution that could provide them with data on exactly what was occurring across their retail environment and contextual information to understand whether activities were benign or potentially malicious.
The retailer also faced other challenges. The back-office endpoints varied in age and operating system, so any solution to address the lack of visibility had to have minimal computing overhead. Additionally, technology enablement personnel would have to deploy it in stores around the world, so simplicity of deployment and configuration was essential.
The solution
To meet these needs, the retailer brought in the DTEX Platform. Built on Amazon Web Services, the DTEX Platform brings together the capabilities of User and Entity Behavior Analytics, digital forensics, and DLP in an all-in-one lightweight, cloud-native platform. The DTEX Platform delivers the context and intelligence that answers the Who, What, When, Where and How related to any potential insider threat situation, compromised account event or data loss scenario.
The DTEX Platform is accurate, lightweight and easily scalable with an AWS backend. It provides contextualized data from data, machines, applications, and people (DMAP) in near-real-time, both on and off the corporate network, to surface behavioral indicators of risky activity. It doesn’t generate false positives that create confusion. It’s smart enough to understand the difference between normal and malicious behavior, enabling organizations to quickly zero in on real threats. Finally, as a zero-impact solution, the DTEX Platform collects only 3-5 MB of data per user each day with low CPU usage and zero impact on employee efficiency or performance. Importantly, the DTEX Platform is a cross-platform solution, supporting Microsoft, Mac, Linux, and virtual environments.
The results
Within the retail stores, the DTEX Platform was deployed across all back-office devices within a few days and provided the retailer’s security team with a baseline of user activities, along with some startling results.
Widespread unauthorized use of USB storage.
The retailer had a policy to limit the use of removable storage devices and had reinforced that policy after the earlier USB-based infection. To the team’s surprise, the DTEX Platform reported that almost a third of all authorized retail personnel used unauthorized USB flash drives multiple times each day—an order of magnitude higher usage than any other group within the company.
An investigation by the internal security team determined that these activities were unauthorized, but not malicious. Instead of following company policy to use OneDrive storage and other cloud-based tools, regional managers, store managers, and assistant managers had devised a workaround for sharing and printing schedules and other office documents that needed to be moved between users and shifts.
Uncontrolled Webmail Accounts.
Webmail accounts on corporate devices are an attack vector for malware and misuse, and they often introduce legal and reputational risk. Internal security was surprised to find dozens of unauthorized Gmail and Yahoo accounts incorporating the company’s brand. Since these were accessed through web browsers, the retailer’s security team had no visibility into the accounts or their activity.
On investigation, the security team discovered that this too was a workaround that had spread between stores through word of mouth. The corporate email inboxes of store managers were inundated with messages from job applicants, making it easy to miss critical internal messages. The store managers’ solution was to set up webmail accounts to list in local job postings, without recognizing the risk to applicants’ personal data or the possibility of former employees accessing this confidential data.
Benefits
- Greater visibility across potential risks: The DTEX Platform quickly presented a picture of potential risks from these activities, allowing security teams to devise a roadmap to remediate risk that was efficient and actionable.
- Behavioral context for investigations: Visibility into uncontrolled webmail accounts was only possible through the DTEX Platform. The DTEX Platform also provided needed context to allow investigators to quickly discern between malicious and benign intent. The retailer quickly resolved the need for these accounts by establishing recruiting email addresses for each store.
Ready to Learn More?
For further insights on how the DTEX Platform secures critical infrastructure, request a demo.