Concerns for data protection within cyberspace are rising, especially as security spending increases while the number of data loss incidents continues to grow. Traditional approaches to cybersecurity are failing, and so various data protection firms are adapting their strategies to counter the malicious attacks.
New measures in cybersecurity data protection must be innovative and adaptive, which is why we spoke with Guy Filippelli, the Vice President of User and Data Security at Forcepoint. Filippelli discussed with us the work that Forcepoint is doing in data protection – namely a measure of protection that adapts to the behavior of internal employees. Forcepoint’s ‘Risk-Adaptive Protection’ strategy uses behavior-analytics to identify an organization’s strongest and weakest points in their cybersecurity based on their employees’ online routine in the workplace.
Christopher P. Skroupa: Security spending is expected to reach $120 billion dollars by 2021, yet there continues to be more and more data loss events making headlines. Why are traditional cybersecurity approaches failing?
Guy Filippelli: It comes down to the reality that adversaries are increasing their capabilities, and in many ways democratizing their capabilities. So, even though companies are spending more on security, the threat has been escalating faster than traditional protection can evolve to address. Essentially the cybersecurity industry is broken. And, organizations need to fundamentally rethink how they address cybersecurity for today’s modern threats. It’s time to start looking at the people in your organization, rather than just looking at security as a problem of how to protect your perimeter.
Skroupa: What is the concept behind Risk-Adaptive Protection?
Filippelli: Addressing today’s threat landscape can’t be successful with a static solution. Risk-Adaptive Protection enables security to fluctuate based on the threat environment. It’s very agnostic compared to how we put security in at the airport or at a sports stadium, where, depending on the threats that we may face, we may see a larger security presence or a smaller security presence. In the cyber-world, a compliance-driven operation has been dictating security measures for too long – we need to stop this. What we [Forcepoint] have found is that we – as collective organizations – need to move to adopt an adaptive policy based on risk.
For example, employee A may be more of a risk than employee B, and so employee B should have more permission than his or her colleague to do things that require a cyber operation. We believe having that ability of dynamic scoring is really going to change cybersecurity because you’re going to build much more closely in, where you can start to operate to lessen security for those who are lower risk, and raise security for those who are high risk in the organization.
Skroupa: Can you explain the key factors that make it a different approach to cybersecurity?
Filippelli: Technically what we’re doing is tying endpoint capability with an analytic solution. So that enables us to have visibility down to the device of which we’re monitoring and the person behind that device. And, analytically we can also take advantage of other bridge data which enables us over time to really build a composite picture of what somebody is doing. We get an understanding of what their normal baseline behavior is and then adjust this over time.
For example, say I’m a big sports fan and I’m on the ESPN website several times a day as I’m sending out emails. I’ll visit various sites as I do my research for work at a certain time of day, every day. We all have these patterns that become our normal, and what we’re trying to do is to take advantage of that, build a baseline and when something is out of sorts it is an indicator that something may be amiss – and the key is that it’s an indicator. We’re not suggesting it will be preventative, but it’s a much better approach to identifying the risk(s) in the organization based on having more data, and the ability of tying an endpoint with an analytic solution.
Skroupa: How does the security level account for and adapt to change in human behavior?
Filippelli: It accounts for it by the data that comes in through the baseline. The baseline is constructed by all of the sites you log into and off of, and who or what you interact with, documenting all you share or access. All of that is starting to build a print and composite picture of you. If something changes, that’s the indicator I previously mentioned.
Another example: if you’ve gone malicious and all of a sudden you’re accessing files you formerly weren’t, or if you’re about to leave, and your behavior is changing, that would trigger an alert. If your account has been compromised and nothing is consistent with the baseline composite picture, that will again be a trigger. So when you start to really bring this back, and that’s why I think the human element is so important here. Cybersecurity starts to act like people in our everyday lives. We know when something is wrong or amiss.
Skroupa: Statistically, what amount of data breaches is it anticipated to prevent compared to traditional approaches?
Filippelli: Well, it is hard to answer that question, as you noted, but what I will say is that when you speak to those, particularly from the U.S. government, that really look at the overall security landscape, and in particular from the FBI, what they will indicate is that the majority of instances are really driven by insiders. Those insiders may be malicious, they may be somebody that’s been compromised, or they may be somebody that’s actually just negligent. But, their point and our point is that this isn’t about insider threat security. It is about the human. What they do oftentimes is that they go out into the communities and they educate companies that their weakest links are their people.
We don’t think that’s the right way to talk about your employees. People are your greatest asset, and what needs to happen is to have security enabled to take advantage of them and their patterns of life so you can have a human-centric approach to cybersecurity. This is evidently prudent as people are accessing corporate documents from everywhere: the office, home, beach, airport, at 10 p.m., at 1 a.m., at 4 a.m. We’re always online all the time, and cybersecurity hasn’t kept up with the increasing flexibility of corporate America. That’s where we believe you really have to understand what the individual is doing.
Skroupa: How does it affect, and how is it affected, by unintended human errors?
Filippelli: Well, it identifies them. Nobody is perfect, and mistakes happen. We’re going to access documents that we shouldn’t have, or engage in some type of behavior online that may have introduced risk into the corporate environment. Doesn’t necessarily mean that the individual is malicious, and it doesn’t mean that the individual is negligent. It means that they made a mistake and what you want is a system that will actually alert someone. They bring that to the head of security, and then the alert gets handled.
I don’t think any organization upon finding out about a security breach is going to take termination action if it was an accident. Of course, if you’re sending documents to a competitor or clearly introducing some sort of malware into the organization it becomes a whole different gambit. However, if you’re the employee and you do something by mistake, you want the system to identify that. And the reason you do is because more and more mistakes lead to somebody either becoming malicious or overall raising the threat environment of that organization.
Skroupa: In the event of a data breach, how does this measure contribute to recovery and re-security?
Filippelli: It enables you to identify your riskiest people. So the whole concept of risk-adaptive protection is going to have greater fidelity into where risk is in the organization, full-stop. Then what you can do is automate and enable actions based on that. So, from a recovery standpoint, I am going to always want to be most cognizant of where my risk is the highest. And I’m probably going to ensure that is where I’m enabling security when I’m standing to back-up my systems, rather than those that have perhaps been identified as less of a risk. But, in a way, that question I think is a bit misleading in the sense we’re not suggesting that Risk-Adaptive Protection will further recovery and response. Rather, what we are suggesting is that it is a tool to make better use of your security resources.
Skroupa: What would be the cost of not taking a risk adaptive approach to security?
Filippelli: I don’t think you’re truly taking advantage of your technologies, or your people and you’re just continuing to build a piecemeal approach. Foreshadowing what we’re going to see at the RSA conference in San Francisco, there will be more security vendors than the previous year and this is a trend that’s contingent to each and every year, all of us that are in security know this.
As you pointed out in your first question – why isn’t security getting better, we hear of breaches every day. Senior management is wondering what they need to do. Well, number one, they need to focus on their people. Second, they need to think about risk holistically and adapting accordingly. Think about where risk is more threatening, too, and not just people. Third, think about a system. Think about what you’re deploying. Don’t go to a vendor and buy x, y and z and expect it all to work together. That’s a major problem. In sum, it’s not just what we believe is the future of security. It’s the right thing to do, but if you’re not doing it then we invite people to think about it. Think about how you’re making people a part of their security, and ask questions about adapting security based on risk. Now, with machine learning solutions and processing technologies, we have the capability to achieve these measures.