like investors. However, many common security metrics are not very actionable. There is much
more to be done to be able to act, in near real time, on threatening activities seen in the
protected environment.
Identify exploitation of legitimacy
Telling the difference between a legitimate tool used for a legitimate purpose and the same tool
used for suspicious activity is very difficult. The only approach we have now is behavioral
analytics, which is in its cybersecurity infancy. It is a good start, but we also need to move toward
a model that conducts legitimacy tests for every transaction, not just for files and credentials. We
need to analyze actions and data movement and try to determine intent, whether the actor is
external or an unauthorized insider. This step requires knowing much more about the context of
the activity.
One controversial possibility is the development of user reputation and predictive analytics. The
concept is to assess the probability of a given account being breached, stolen, or used for
unauthorized insider activity. By collecting user behavior in context, from the tendency to reuse
passwords on different systems to the job description and typical working hours, we can
compare each action to a set of expected legitimate activities and flag those that are outside a
given level of risk. This is a sensitive area. We will have significant privacy, ethics, and legal
issues to address before this technique enters the mainstream.
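As an added illustration of comparing each action with an account's expected legitimate activity and flagging those outside an accepted risk level (example code written for this edit, not from the article; the profile fields, weights, threshold and sample events are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class UserProfile:
    """Hypothetical per-account context baseline (constructed, not from the article)."""
    user: str
    work_hours: tuple       # (start_hour, end_hour), local time
    usual_hosts: set        # hosts this job role normally touches
    usual_actions: set      # actions expected for the job description
    reuses_passwords: bool  # observed tendency to reuse passwords across systems

@dataclass
class Event:
    user: str
    when: datetime
    host: str
    action: str
    bytes_moved: int

def score_event(profile, event):
    """Compare one action with the account's expected legitimate activity and
    return (risk in 0.0-1.0, reasons). Weights are illustrative, not calibrated."""
    start, end = profile.work_hours
    checks = [  # (deviation, weight, observed?)
        ("outside typical working hours", 0.3, not start <= event.when.hour < end),
        ("host outside the role's usual set", 0.25, event.host not in profile.usual_hosts),
        ("action outside the job description", 0.25, event.action not in profile.usual_actions),
        ("unusually large data movement", 0.2, event.bytes_moved > 100_000_000),
    ]
    reasons = [name for name, _, hit in checks if hit]
    risk = sum(weight for _, weight, hit in checks if hit)
    if profile.reuses_passwords:  # reused credential is likelier stolen: weight deviations up
        risk *= 1.25
    return min(round(risk, 2), 1.0), reasons

def flag_events(profile, events, max_risk=0.5):
    """Return (event, risk, reasons) for each action above the accepted risk level."""
    scored = [(e, *score_event(profile, e)) for e in events]
    return [item for item in scored if item[1] > max_risk]

# Constructed sample: a daytime analyst who only reads and edits on two hosts.
ANALYST = UserProfile("alice", (8, 18), {"fs01", "wiki"}, {"read", "edit"}, True)
SAMPLE_EVENTS = [
    Event("alice", datetime(2016, 12, 5, 10, 15), "fs01", "read", 2_000),
    Event("alice", datetime(2016, 12, 6, 2, 40), "db-prod", "export", 800_000_000),
]
```

The second sample event is flagged on all four context checks; the reasons list is what an analyst would review before treating the account as breached or misused.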
Protect decentralized data
Data is moving around outside of the corporate perimeter, making it much more vulnerable to
unintentional leaks and targeted attacks. It is moving to clouds and personal devices, as well as
to partners, suppliers, and customers. Less than 20% of an organization’s data ever moves in
this extended ecosystem, yet 70% of data loss is connected to this movement. Today some try
to protect this type of data movement by encrypting it and sending decryption keys in a separate
email, passing on the responsibility for protection to the next person in the chain. This results in
a very small sphere of trust. We need to figure out how to extend the sphere of trust while
maintaining better control.
Data classification and loss prevention systems represent early efforts to manage and extend
the sphere of trust for decentralized data. Security that moves with the data, enabling persistent
policy enforcement, is the next step. We need to be able to protect data during its next use,
similar to digital rights management mechanisms.
Detect and protect without agents
So much of our history and strength in security is based on having an agent running on the
device we are protecting. However, with the onset of technologies like IoT, the future of
cybersecurity, and the solution to most of these big, hard-to-solve problems, must take place in
an agentless security world.
The evolution to agentless security is already underway, with early solutions attacking the
problem from multiple directions. Chip designers are enhancing hardware-level security,
36 Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide