Security teams have a great deal of tools at their disposal: vulnerability scanning, penetration testing, anti-malware software, intrusion prevention systems, security information and events... the list goes on.

However, every time a security event is discovered at an organization, management asks 3 questions:

  1. What happened?
  2. When?
  3. Who?

And among all of these solutions, the one consistent question that frequently goes unanswered is "who?"

Not as in "which asset?" and you are so close with your servers that you give them nicknames or the "which external actor?" in parts unknown that felt it necessary to try and steal some information from your organization, but the "who?" as in the human being in your company who uses the unpatched laptop or the real person who clicked a link, causing the really scary alert to fire.

The term that I've heard to describe this specific gap is "the inability to tie it back to a chair". The word "chair" is used because almost every network device and security product identifies the parties involved by IP address or MAC address. Some products even go so far as to tell you which account was logged onto the system at the time, but it just takes a couple hours to run the query and get results, so you finally answer the "who?", but your window to perform more context around the user's other activity has passed.

This "who?" question is exactly what UserInsight was built to answer. We invested heavily in accurately correlating the activity between impersonal machines on your network to the usernames real live human beings involved, whether they knew it or not.

We'd love to hear about your challenges around the "who?" - and also please let us know any questions you have about UserInsight.