[BreachExchange] Could the security industry have it all wrong?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 8 16:09:56 EST 2017


https://www.csoonline.com/article/3239848/security/
could-the-security-industry-have-it-all-wrong.html

For decades, enterprises have focused on securing valuable data and IP by
building “walls and moats” to keep out bad actors. Yet despite growing
investments in defensive technologies, cyber breaches continue to
proliferate. The threat landscape becomes even more complex as perimeters
effectively evaporate thanks to ever-increasing systems (e.g., cloud,
mobile) over which an enterprise has limited, if any, control.

Could the security industry have it all wrong? Is the real problem weak
external perimeters, or is it the need for better visibility and
understanding into how, when and why people interact with critical data –
wherever that data may travel?

Looking at today’s security landscape, it’s clear: The time has come for
vendors and security professionals to shift paradigms – from an
“outside-in,” technology-led approach to an “inside-out,” people focus
approach, which is better suited to the new era of mobility and cloud. It
really comes down to businesses understanding the rhythm of the people they
interact with and the associated flow of their data. And if that rhythm or
flow changes, we absolutely must ask, why.

A change of strategy is required: After nearly doubling between 2015 and
2016, security events are rising sharply in 2017. The numbers are even more
troubling when you consider ongoing, steep hikes in security spending,
forecast by Gartner to top $113 billion worldwide by 2020. Greater security
investment should reduce breaches—so why hasn’t that happened?

Cloud services and remote workers challenge cybersecurity

Two major corporate trends have posed complex and unfamiliar challenges to
cybersecurity: the growth of cloud services and remote workers. These have
helped boost efficiency and agility, attract millennials and improve
employee retention. But they’ve also spread critical data everywhere —
stratified in private and public clouds, on removable media and often
haphazardly co-mingled with personal data on mobile phones, tablets, and
laptops.

With people and data constantly on the move, the traditional security
perimeter in many organizations has evaporated. Vendors introduce new
technologies and update products, but their IT infrastructure-centric view
sets up a never-ending game of catch up. Not surprisingly, the security
industry hasn’t had sustained success — we’ve been trying to solve new
problems with an outdated approach.

Unfortunately, today’s security professionals often can’t see how and where
data is used as it sprawls across company, employee and hosted
applications, devices and services. Big data tools can find high level
security trends, but do not shine a light on the specific identities (real
or impersonated) that may present the greatest risk to an organization.

Are we flying blind?

This lack of user visibility is a serious — and growing ­— problem. In the
2016-2017 EY Global Information Security Survey, “careless or unaware
employees” and “unauthorized access” were named as the top-growing risks.
It's no wonder that compromised user credentials and negligent or
accidental employee behavior are the most common causes of breaches and
data loss. Organizations are hard-pressed to tell what’s going on.

So, what’s the solution? Infrastructure-based approaches are increasingly
ineffective and obsolete. Enterprises are increasingly unable to spot,
control and manage people-based vulnerabilities that can destabilize even
the most secure networks. The answer lies looking in at the one constant —
people interacting with critical business data and IP.

Regardless of how attacks originate, our opportunity lies at the
intersection of people and data. These human contact-points can undermine
even the best-designed systems with a single malicious or unintentional
act. Our ultimate vulnerability is not malware; it’s unpredictable human
nature.

Adopting an “inside-out,” real-time approach to security focusing on
people, rather than technology infrastructure, offers several benefits.
First, it also drives organizations to think about the “why” behind
activities that occur.  By knowing the motivation behind cyber activities,
organizations can understand what kind of user they’re dealing with in that
exact moment, and make swift, informed and effective decisions about
remediation.

Such an approach to detection and response also helps enterprises
understand the context and intent of user behavior, “good” or “bad”. It
creates an early warning system, proactively searching for abnormal
behavior across a range of risk indicators that might point to a potential
future breach.

For example, a people-centric approach can help identify whether a data
breach was caused by a simple mistake (as most of today's cyber incidents
are) or by an employee targeted by a social engineering campaign. Once that
is understood, a clearer path to remediation and long-term improvements
(e.g., employee education) may emerge.

Finally, besides improving threat visibility and managing risk, this
human-centric approach to security also helps support compliance
requirements. It does so by ensuring effective identification, evidence
collection and reporting of a breach — and by demonstrating that proactive
capabilities are in place for mitigating risk.

The security industry is at a tipping point. Record cybersecurity
investments have been met with an onslaught of data breaches ­— led by a
dramatic rise in insider-related incidents. Staying ahead in today’s new,
fast-evolving security environment calls for placing cyber-behavior and
intent at the center of security. It is the only way to have a chance to
keep up with all the technological innovation to come.

The change is already underway. Gartner says detection and response
technology will be the top enterprise security priority from 2017 through
2020. Focusing on “inside-out” is the smartest way to protect employees,
along with critical IP and business data, while safeguarding the brand’s
reputation and ultimately maximizing cybersecurity investments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171208/39b1d2ca/attachment.html>


More information about the BreachExchange mailing list