Dynamic Data Protection: a customer’s perspective

As the CIO of Forcepoint, I get exposed daily to vendors trying to sell me a multitude of technologies. Some come from across the country while others sit just a few offices away in the same building. While I have of course implemented many Forcepoint solutions, there is nothing compelling me to do so. I have the freedom to choose the technologies that work best for my environment and protect the company.

My CISO and I often have conversations around the types of technology we want to bring in, and one of the most important things we look for are products and solutions that help me do more with less, and that offer superior effectiveness and efficacy. As with many other organizations of our size, scaling internal security analysts to match the rate of growing threats, while not compromising the speed of resolution, is a challenge. Any security solution that can help to separate the signal from the noise – either by reducing the number of alerts or helping the analysts to focus on investigations – that’s what I want to prioritize.

When the product team at Forcepoint started sharing this concept of Dynamic Data Protection and how it could start to transform security postures, it piqued my interest, and we stayed close to the solution. As the team got closer to bringing this capability to market, I jumped at the opportunity to be Customer Zero. The prospect of using analytics to establish intent and help inform enforcement was something that hit on all my priorities. I was delighted to be able to share our story recently at the RSA Conference in San Francisco in a talk entitled Extending Behavioral Insights into Risk-Adaptive Protection and Enforcement, and I’ve captured some details from that talk in my thoughts below.

When we looked at the internal programs we were running, we saw a synergy between Dynamic Data Protection and our existing privacy initiatives. To successfully roll out this type of program, we had to look beyond just the technology – In fact, we had to look beyond IT. Our first step was to establish our privacy policy with the help of our colleagues in Human Resources and Legal. The partnership between CIO, CISO, General Counsel and CHRO is paramount and became the foundation for this program. Once we had organizational buy-in, we made sure to openly communicate the changes to our employee population – who seemed very receptive. Trust is key for the success of a human-centric security program, and transparency goes a long way.

The next step was to identify the risk policies we wanted to move from being static to dynamic, and risk-adaptive. We have chosen to migrate many of our policies to the new framework, but don’t necessarily want to make them all variable related to the risk level of the individual. There are many policies related to compliance regulations (such as GDPR), and sensitive data that we want to ensure will be blocked from data exfiltration.  For those policies, we will select an action plan that “blocks all” regardless of risk score. We believe these account for about half of the existing policies. For the remainder, we believe additional context can help inform the enforcement, and we can add more granularity around the action plans. Our criteria includes conditions where we believe having more information about the behavior of the user would help inform decision making. For example, for our removable media policy, we can leverage risk-adaptive action plans based on the user risk score, with enforcement options ranging from Audit, to Audit/Encrypt to Encrypt/Notify to Block.

At this point we will have established our program and started to create policies we want to enforce. The next step is to establish the baseline – to ensure that the system best understands the users’ “normal” behavior, so it can appropriately identify the anomalies. To do this, we are running the system in audit mode, allowing the analytics engine to learn for 30 days to ensure we minimize false positives and that appropriate calibration is performed. Then we will increase the notification for when any of these new risk policies get invoked. We want to do a deeper inspection to verify the triggers were behaving the way we intended. We know we will need to end up tweaking a few of the thresholds to get the results we are expecting. In some cases, this will involve increasing or decreasing the strictness of enforcement.

Often, the role of the security team dealing with alerts is to find the needle in the haystack. What we learned is that there are two ways to achieve this goal. The first is to build a better needle-finding algorithm while the second is to just get rid of the hay. After implementing Dynamic Data Protection, we can do both. The aggregate number of alerts that hit my analysts have gone down, because of the flexibility afforded with the automated policy enforcement. My user community is now more productive because I’ve relaxed some of the more rigid DLP policies, that were impacting the ease of doing business.  We’re still pretty early on in our deployment, but early indicators show that we’re scratching the surface of unlocking the potential of this capability.

Our plan is to stay in lock-step with our HR and legal teams and roll out Dynamic Data Protection on a country-by-country basis following the privacy restrictions imposed by each of the countries in which we do business. Our goal with this program is to remove the security friction without losing security control, to stop the bad and free the good. I look forward to sharing more of our internal roll-out of the program with you as we hit future milestones.