The most notable takeaways were as follows:
- Analysing user behaviour in order to identify security concerns is opening the door to identifying productivity gains, according to CRO Kevin Isaac.
- One trillion dollars has been spent on cyber security in the past seven years and no CSO feels any safer. Isaac said that it’s an embarrassing statistic for his industry and that the 95% failure rate of protection investment spoke for itself. He asked the rhetorical question, “When we spend the next trillion dollars, are we expecting the same result?” He also alluded to a recent survey which stated that 100% of CSOs believed they are going to be breached through phishing in the next year. He stated that security incidents in the Enterprise had increased a massive 26% in the past year despite a 9% increase in budget. He said that figures like these justify taking a different approach to security.
- Forcepoint approaches network security in a different way to competitors, where possible, in that it focuses on analysing user behaviour across networks and devices and creating risk scores for anomalous activity. Examples include flagging account logins on computers in countries where the user isn’t present, and flagging a user who creates folders and copies significant information from network drives into them (this can demonstrate a hack in progress or be a precursor to a disgruntled employee exfiltrating data because they are about to quit the company). By looking at all areas of activity (including physical location), additional threat insights can be identified and checks or lockdowns put in place as appropriate.
- While it’s known that users are commonly the weakest link in a security environment, your most valuable employees are also the ones who can (deliberately or not) cause the most catastrophic breaches. See video below.
- Privacy is a key issue. Monitoring behaviour of users to such a microscopic level is enough to deter employees from ever working in an organisation. Forcepoint makes a point that only the behaviours and not the content are monitored, and once the insights are gained the information is destroyed. When asked how they could certify/prove such practices were actually happening (whether by openness or third-party auditing), CTO Nico Fischbach pointed out that no such privacy certifications existed but that the conversations were already happening within the IAPP (International Association of Privacy Professionals) because they were needed going forward.
- Behavioural security is not just about humans. Vulnerable IoT devices and malicious bots are proliferating but “Baselining the behaviour of a microprocessor is a lot easier than baselining the behaviour of a human.”
- Enterprise solutions could help children in schools. While full monitoring brought with it serious privacy issues, there was some scope for identifying the likes of vulnerable/mentally compromised children or those who might be researching massacre materials.
- Many organisations aim to tick compliance boxes instead of genuinely reducing risk. The example was given that if you went to a hospital, would you want your information simply to be compliant or genuinely secure? Isaac believes many CSOs aim to tick boxes to protect themselves from compliance-related prosecution and to be able to report to their superiors that official best practice had been followed.
- Customers hate DLP (Data Loss Prevention) solutions. It gets installed but can’t be activated because users don’t like it. It creates friction and stops them doing their job. Behavioural analytics is never seen and so doesn’t get in the way. One Wall Street bank was using behavioural analytics in their regulatory compliance space for traders – ingesting email, voice and chat and looking for behavioural issues to help prevent insider trading. They were catching more DLP risk and incidents there than they were with the straight DLP product because behaviour was more interesting than DLP.
- Zero trust security is less secure than adaptive trust. Relying on ultra-secure credentials simply doesn’t work on its own because credentials can be stolen.
The writer attended the Forcepoint conference in Malaysia as a guest of the company.