Chief Technology Officer/CISO
In June, DataEndure participated in the Argyle CISO Leadership Forum panel, “Security Innovation; Unifying Proactive and Reactive.” Security leaders from across industries discussed the nature of insider threats, and where they are seeing the most opportunity for attacks – and innovation. This Executive Summary highlights the key themes and ideas that came out of the session.
Time to Go on the Offense
Historically, organizations (and vendors) have focused on reactive approaches, largely by protecting the perimeter. Today’s threat vectors challenge this strategy, specifically the growing number of attacks that rely on insider behavior, such as ransomware delivered through a link an employee clicks.
Given there is no longer a hard network edge, organizations are shifting to an endpoint security strategy that does not rely on the network for protection. The consensus was that you need something inside your network watching for anomalous activity so you can catch breaches as they happen. Case in point: a perimeter firewall is not the best line of defense when mobile employees work from a home office or a Starbucks, pick up malware there, and carry it back into the office on their laptops. In that scenario the firewall never sees the initial compromise. It’s an inside job.
Takeaway: Organizations can’t be only proactive or only reactive. They need early detection and identification of a problem paired with a strong incident response: a unified proactive posture coupled with a solid incident response plan.
An Inside Job
There are two predominant types of insider threats companies are worried about.
- A user unintentionally doing something wrong, as in the example above
- An employee who’s leaving the company and intentionally takes intellectual property with them
Whether the behavior is intentional or not, it is hard to monitor people’s intent directly, so the practical course is behavioral monitoring: how information is used and accessed, and how hosts behave on the network. If someone unintentionally clicks a web link and downloads ransomware, their system will start reaching out to systems it does not normally connect with. Changes in behavior on the network and within document access and document management platforms are key signs that something requiring attention and inspection is happening, but you must first be able to detect the behavioral change, which means knowing what normal looks like.
Takeaway: Organizations have to be proactive in baselining the environment, both from a network and systems perspective, and monitor behavior that strays from that baseline.
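The baseline-then-deviate pattern described above, as an added illustration that is not code from the panel or from DataEndure. The CSV log format (timestamp, source host, destination host, destination port), the host names and both sets of log lines are constructed for the example; the threshold of three never-before-seen destinations is an assumed tuning value, not a figure from the session.

```python
"""Baseline-and-deviation detection over per-host connection logs.

Added illustration, not code from the panel or DataEndure. The log format
(timestamp,src_host,dst_host,dst_port), host names and sample lines are
constructed for this example.
"""
from collections import defaultdict

# Constructed sample: a quiet week of "normal" traffic for two workstations.
BASELINE_LOG = """\
2023-06-01T09:02:11,ws-alice,fileserver01,445
2023-06-01T09:05:40,ws-alice,mail01,443
2023-06-01T10:15:03,ws-alice,intranet01,443
2023-06-02T09:01:55,ws-alice,fileserver01,445
2023-06-02T11:20:17,ws-alice,mail01,443
2023-06-01T09:10:01,ws-bob,fileserver01,445
2023-06-01T09:12:30,ws-bob,mail01,443
2023-06-02T09:11:20,ws-bob,fileserver01,445
"""

# Constructed sample: the day after a user opens a malicious link. ws-alice
# begins probing SMB (445) on hosts it has never talked to, then calls out
# to an address the baseline has never seen. ws-bob behaves as usual.
OBSERVED_LOG = """\
2023-06-08T09:03:12,ws-alice,fileserver01,445
2023-06-08T09:04:01,ws-alice,mail01,443
2023-06-08T13:41:07,ws-alice,ws-bob,445
2023-06-08T13:41:09,ws-alice,ws-carol,445
2023-06-08T13:41:10,ws-alice,ws-dave,445
2023-06-08T13:41:12,ws-alice,hr-db01,445
2023-06-08T13:42:00,ws-alice,203.0.113.9,443
2023-06-08T09:30:44,ws-bob,fileserver01,445
2023-06-08T09:31:02,ws-bob,mail01,443
"""


def parse_log(text):
    """Yield (src, dst, port) tuples from CSV log lines; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split(",")
        yield src, dst, int(port)


def build_baseline(text):
    """Map each source host to the set of (dst, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port in parse_log(text):
        baseline[src].add((dst, port))
    return baseline


def find_deviations(baseline, text, new_dest_threshold=3):
    """Return {src: sorted never-before-seen (dst, port) pairs} for hosts whose
    count of new destinations reaches new_dest_threshold.

    One new destination is ordinary churn; a burst of them (lateral probing,
    a first-time external callback) is the behavioral change worth an alert.
    The threshold is an assumed tuning value for the example."""
    new_by_host = defaultdict(set)
    for src, dst, port in parse_log(text):
        if (dst, port) not in baseline.get(src, set()):
            new_by_host[src].add((dst, port))
    return {src: sorted(pairs) for src, pairs in new_by_host.items()
            if len(pairs) >= new_dest_threshold}


def main():
    baseline = build_baseline(BASELINE_LOG)
    for host, pairs in find_deviations(baseline, OBSERVED_LOG).items():
        print(f"ALERT {host}: {len(pairs)} new destinations -> {pairs}")


if __name__ == "__main__":
    main()
```

Run as-is and only ws-alice is reported, with five destinations that never appeared in its baseline; ws-bob, whose traffic matches the baseline, produces nothing. In production the baseline would be built from weeks of flow or proxy logs and the threshold tuned per host role, but the shape of the check does not change: know what normal looks like first, then alert on departures from it.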
Where to start?
You can’t protect what you don’t understand. The best starting point is to perform a risk analysis of the environment to identify assets and intellectual property (IP): classifying what you have, what’s important and what your risk categories are. All areas of the business need to be involved in the classification and risk profiling. From this, an organization can pinpoint specific risks or weaknesses and then put controls in place to protect the IP.
Takeaway: Organizations as a whole are still not doing a good job of understanding who’s actually accessing data, who has the ability to access it, and more importantly, what they’re doing with it. Monitoring unstructured data is the missing link.
Security as part of the cultural fabric
Weak cybersecurity is not so much a technology issue as a cultural and education issue. As it was in the early days of backup, many organizations today don’t pay attention to security until something bad happens. But the pendulum is swinging.
The culture at the top of the organization is changing – partly as a sign of the times, partly because they are being told they have to make security a priority. It’s no longer acceptable for a CEO to focus on innovation, putting security on the backburner.
Employee awareness and communication need to be woven into an organization’s security fabric. Beyond a basic understanding of the threat landscape, employees need guidance on acceptable behavior, risk identification, and reporting.
Takeaway: As you protect your users and your IP, you can’t prevent them from doing their job.
Automation as an enabler
With finite time, money and staff, there was widespread agreement on the need to take advantage of advances in machine learning, specifically for detection and incident response. Innovation still has to be balanced with security, and the panel’s view was that the right controls combined with machine learning and artificial intelligence make that balance achievable. The role of the technology is to let people identify and respond to threats as they happen rather than after the fact.
Takeaway: Innovation doesn’t have to be sacrificed for security; security should also be a business enabler.
What about the Cloud?
The cloud presents many compelling use cases for organizations and can be quickly deployed with just a credit card. Yet, with that agility and access come many new ways for data to be mishandled, leaked or sent to other locations.
As business groups gain more access to cloud applications, there needs to be heightened awareness of the risk that access presents. Configuration mistakes are a problem for many organizations: a user can unintentionally expose data, setting off a myriad of unintended consequences.
Often with the cloud, security is not top of mind, or is wrongly assumed to be “baked in” to the cloud service being consumed. Consider the cloud as just another data center; you simply don’t own the infrastructure. This means that whatever your security practices, policies, procedures and controls are, you have to be able to extend them into the cloud.
Takeaway: You can’t abdicate security responsibility by moving resources to the cloud. Monitoring and visibility are key.
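The “unintentional exposure through configuration” point above, as an added example that is not code from the panel or from DataEndure. It checks a storage bucket policy in the IAM policy-document shape that AWS S3 bucket policies use (Version, Statement, Effect, Principal, Action, Resource, Condition) for Allow statements that anyone on the internet can exercise, and shows an exposed policy beside its corrected form. The bucket name, account ID, role name and VPC ID are constructed placeholders; neither policy is a real configuration.

```python
"""Flag cloud storage bucket policies that grant access to any principal.

Added illustration, not code from the panel or DataEndure. The policy
documents follow the IAM policy shape used by AWS S3 bucket policies; the
bucket, account, role and VPC identifiers in them are constructed.
"""
import json

# Constructed: a "share these reports with a partner" policy that actually
# opens the bucket to the whole internet (wildcard principal, no condition).
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PartnerRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports",
                     "arn:aws:s3:::example-reports/*"],
    }],
})

# Constructed: the corrected policy. The partner gets a named principal, and
# the only remaining wildcard grant is gated on the organization's own VPC.
CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PartnerRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/partner-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reports/*",
        },
        {
            "Sid": "InternalRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reports/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for the two spellings that mean 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements any principal can use with no Condition.

    Deny statements, grants to named principals, and wildcard grants narrowed
    by a Condition are not reported. A conditioned wildcard is still worth a
    human read, since the condition is the only thing keeping it private."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    for name, policy in (("exposed", EXPOSED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, "public statements:", public_statements(policy))
```

The check is deliberately narrow: it answers only “can an anonymous caller use this statement?” A fuller review would also look at what the conditioned statements permit, at bucket-level public-access settings, and at object ACLs, which is why the takeaway above pairs configuration hygiene with ongoing monitoring rather than a one-time check.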