Insider Threat Management

Check out Gartner’s Market Guide for Employee-Monitoring Products and Services

Share with your network!

(Updated on 10/29/2020)

Gartner released a research note on the employee-monitoring market, in which Proofpoint was included as one of the vendors. This paper defines the market and presents its key findings and recommendations for organisations considering deploying an employee-monitoring solution. They describe it like this:

CISOs should coordinate enterprise use cases for employee monitoring to select and implement EM products and services that help with insider threat mitigation, regulatory compliance and employee productivity. Use this Market Guide to understand key players and the types of use cases they support.

We strongly agree with most of what Gartner presents in this paper, although we would have emphasised two points more: the importance of intelligent analysis of user activity to automatically highlight risky users and the importance of having very clear visibility into what users are doing (and what they have done – during an investigation) via screen activity recordings.

User Behaviour Analysis

We’ve been in this market long enough to understand that simply monitoring employee activity and collecting data is not enough. Vast collections of log data provide minimal value when there aren’t the resources available to review and analyse it all. The data alone is simply not actionable, except, perhaps, for system-based post-incident forensics.

The future of employee monitoring—which is already here today—is the automated, ongoing analysis of employee behaviour in order to detect anomalies and problematic trends before they cause damage to the organisation. When IT managers can receive pinpoint information about risky behaviour that hints at intent, they are in a far better position to take preventative action and ensure that data breaches are stopped before they ever occur.


User Activity Recording and Playback

Another key aspect to successfully monitoring employee behaviour is the ability to play back screen recordings of any risky, suspicious or out-of-policy activities. Unlike arcane logs and reports, anyone can instantly understand what a user was doing by simply watching the session’s screen recording playback.

Not only does examining a screen recording make it easy to immediately distinguish between nefarious activity and activity that may only be careless or (completely harmless), it also provides incontrovertible evidence of a user’s actions. This kind of evidence proves invaluable for a wide range of purposes, including communicating about incidents with colleagues more easily, discussing incidents with employees more effectively, conducting forensics investigations more quickly and supporting claims made in legal claims.


In any case, we recommend that you take a look at Gartner’s report. You can access it here (membership or purchase required):