There are two philosophical schools as to how companies can protect their system. They can either do it prescriptively, telling people what they can or cannot do.
The problem with this, says Igor Baikalov, PhD, chief scientist for Securonix, is that it limits the business. “Security that impacts the business this way really does not work.”
The second approach, he believes, is something that enables the organization.
“Eventually, companies realize that they need to get better risk visibility, analyze behavior, and have situational awareness.”
Threats from within
This view involves using algorithms and models to know what is not normal for a user or system or a particular application of an entity. Essentially, companies build a “normal” profile and then watch out for any deviations from normality. “This would often indicate some kind of malicious behavior,” he says.
And indeed while plenty of threats come from the external environment, insider threat is also very real – and very prevalent.
“We have seen case after case, data breach after data breach, that is caused by insiders whether it is malicious or accidental.”
Bad guys penetrate the perimeter through network devices or social engineering like phishing, credential sharing. They use these credentials and identities to do something bad on a network.
Because of this, companies must be mindful of whoever has access to enterprise assets, and knows the security measures. “Only an insider will find it easy to circumvent these measures, get access to the information, and then eventually get the information out of the network,” Baikalov says.
Various tools allow for monitoring of a wide range of activities, including swiping cards, using particular doors to get to the office, arriving and leaving at a usual time and coming to work on weekends.
Cyber behavior can be measured and analyzed.
It’s a red flag when somebody deviates from an established pattern.
“Perhaps ten years ago it was difficult to have this conversation with the customer. The common opinion at that time was ‘I trust my employees so I feel bad about about monitoring them.’” Baikalov says.
But recent breaches show the involvement of insiders, who may even have no idea that they have been used by malicious actors who hijack their credentials.
“These events help us explain to the customer that by monitoring their employees, we detect activity that deviates from the pattern and prevent such incidents.”
Every company has the right to monitor its people as a condition of employment. “There is nothing really that specifically violates privacy laws in this respect.”
And just as each company has a distinct culture, so do different environments and cultures. “In Europe, for instance, there are certain expectations of privacy that are different from the US,” he says. “A lot of that depends on the type of legal environment – the privacy laws and other regulations. In Europe it is amplified tenfold as far as ownership and access to personal data.”
The difference can easily be resolved by providing guarantees. For instance, companies can mask the data so that the analytical tools do not expose the personal data of the users in the system. In many countries with strict privacy laws, for example, only the analysts and their agent can see the information in a remote-analysis environment. On premise, access is given to a very limited number of people at a specific location.
It’s one thing to collect information, and quite another to make sense of the seemingly unrelated data points and point how they connect to and among each other. “At some point we need to be able to use the same language to describe the threat models,” Baikalov says.
It is not just big companies, or those that belong to say the Fortune 100, who have the appetite for mature security in the form of analytics. Aside from federal agencies, or those in finance or healthcare of energy, more and more small but security conscious customers are using analytics to help them protect their information and infrastructure.
AI and good old housekeeping
Looking ahead, Baikalov says artificial intelligence will play a big part in the security battles of the future, both for attackers and defenders.
“Many of the attacks now use some type of advanced algorithms to drive data. They will be in computer time, so you also have to be able to create a system that can respond fast. Remember – the attackers just have to be right once, while the defenders have to be right one hundred percent.”
The challenge, he emphasizes, is for defenders to respond in this speed and eliminate the human factor as much as possible without affecting the enterprise. “Bear in mind the impact on business.”
Despite the exponential increase in terms of speed, and the greater cost of the assets that are being protected, old attack vectors will persist. Breaches will be because security patches were not applied, controls were misconfigured, port was left open, default passwords were not changed. “The absolute majority of the attacks will be caused by poor cyberhygiene and poor maintenance of the systems, not some sophisticated attack.”
How, then, to stay ahead?
Baikalov estimates that 80% of the effort has to go to basic things: Making sure that systems are patched, networks are in order, devices are up to date and security best practices are followed.
Fortunately, security is no longer an afterthought for an increasing number of businesses. Security is taking its place in business decisions. It is becoming recognized as a strategic issue. And why not? “Security breaches can affect, even destroy, companies.”