Human-Centric Security in Financial Services Organizations
Recently I had the opportunity to address the FFIEC 2017 in Alexandria, Virginia regarding Forcepoint’s view on technology and the cybersecurity landscape. This got me thinking about one of the most difficult-to-navigate sectors when it comes to securing critical data and IP: financial services.
Security has never been more important than it is today, and at the same time, the needs are not being met by current approaches. Breaches have risen in scale and proliferation, costing businesses millions. I’ve been working in cyber security since 1996, and in those 21 years I’ve seen little change in the approach. Collectively, we must change our thinking in terms of how we address the problem. That means not just vendors, but all of us who touch technology in our jobs.
Since we’re talking about financial services, let’s level with facts and figures. Over the past eight years, the customers of cyber security products and services have spent $298 BILLION, and over the next four years, the spend is projected to accelerate to $427 BILLION. What are we achieving with that massive security spend? Less than 50 percent of the organizations spending all that money say that this spend is making them more secure. In fact, 90-95 percent of all enterprise organizations have already been compromised, by either outsiders or insiders. The average cost of a single data breach is over $6M, with financial services breaches costing typically $245 per record breached. And the business impacts can occur in the form of regulatory fines and notification costs. In the US, for example, regulatory notifications alone run close to 700K per breach, while fines can range in the millions. You can see how hundreds, thousands and even millions of records being compromised can add up – and quickly.
One of the main secular trends today is obviously cloud migration, including sensitive government organizations and highly regulated industries. Sensitive data is now everywhere, no longer in just the data centers of the enterprise, but spread out in the data centers of Amazon, Microsoft, Google, and others. In fact, 95 percent of organizations are running either cloud apps or infrastructure-as-a-service today. And for those applications that aren’t in public cloud, enterprises are using the same technical approaches utilizing private clouds. On the average, the typical enterprise is running over 700 cloud apps and services.
Another change in the enterprise computing landscape is the use of mobile platforms and BYOD. Estimates are that by 2020, mobile devices will account for 42 percent of the computing done in the global workforce. And BYOD is huge today: 67 percent of all workers worldwide are using their own devices at work. And for all the advantages of cloud and mobile computing, there is also increased cost for data breaches.
Similarly, the use of mobile platforms in the enterprise has driven costs up to around $10M, mostly due to compliance failures associated with mobile platforms, particularly BYOD. We haven’t made progress here because we’re so focused on technology, and the IT landscape is shifting faster than our cyber security thinking.
OLD WORLD TACTICS
I like to bring up the Great Wall of China as a classic example in perimeter security. Once upon a time, you could keep the bad guys out with a huge, impenetrable wall. Today, do you think that wall does a great job of protecting the people of China? Of course not. It’s pretty hard to do in a global community; citizens are everywhere, jobs are everywhere, homes are everywhere. Threats are everywhere, too, including on the inside. Many companies are promoting the idea of the borderless enterprise, saying that the perimeter is gone. But the perimeter has simply changed. It’s no longer defined by the boundaries around the data center, the in-house network versus the Internet. It’s just not that simple now: users and critical data are everywhere. Essentially, we’re living in the time of the ‘zero-perimeter.’
We talked about investment in tools and technology, which serve an important purpose, but cannot alone solve all of our security problems. Unfortunately, there is no easy fix to the problem – at least not by continuing to build on existing foundations and incrementalism.
Let’s consider the way enterprise security works today:
- Point products solving specific problems. This is how the cyber security industry started, and how it is still being perpetuated. The average enterprise has 50-75 security products in production.
- Sitting on top of these point products are SIEMs: coalescing all security events into a single massive repository of low-level events, logs full of system details, IP addresses, and arcane information. SIEMs were created to become the single pane of glass for enterprise security, but they’ve become so overcrowded and full of noise that the signal is almost lost.
- Big Data. We’ve layered on top of SIEMs a thing called behavioral analytics which has introduced machine learning into the equation. This enables organizations to analyze a huge number of events in order to find a needle in the field of haystacks.
How bad is this problem? We asked the CISO of one of Forcepoint’s customers, a major US bank, how many security events was he processing in his security operations centers on a daily basis. The answer was a staggering 4.5 billion events a day. That’s 1.6 trillion events a year. And how many of those events are really valuable? Less than .01%. The question remains: how do you find those relevant events?
WHERE DO WE LOOK FOR INSPIRATION?
If we buy into this notion, where should we search for inspiration? One thing I’ve begun to learn in my time working with Raytheon is that the folks responsible for protecting nation states truly think differently from most cyber security vendors. The adversary is already inside your perimeter. All those perimeter defenses, and all the other points of protecting presence have driven the enemy to the place where compromise is easiest and where it matters most: inside the network. this can be an external attacker that has compromised the security of the enterprise, whose presence is lurking and operating inside your network using authorized credentials, or someone who’s actually permitted to be inside your network but with malicious intent. The attacker needs to get on the “inside” of the network, to gain access to privileged credentials to achieve their mission. It’s the misuse of authorized access that actually causes all the risk.
Any insider, whether malicious or accidental, has privilege - whether through employment, accidentally, or by criminal means. This is the key. When I have privileged credentials on the entire enterprise network I can access financial data, customer data, strategy documents, employee records, company intellectual property – you name it.
Today, I might be an employee in good standing, but I could change over time. I could be making mistakes in my everyday job that put my company at risk, like emailing confidential spreadsheets to my personal email or copying them to my cloud-based file sharing account so I can work on them at home. I could also have clicked on a spear phishing link which has compromised my laptop, and now my credentials are being controlled by an outsider, a criminal. In this case, the “Heath” that’s visible on the network might not be Heath at all. This “Heath” might be accessing file shares and applications that I never would touch in the normal course of my job. I could become unhappy with my job and plan to leave, start stockpiling confidential information, and plan to take it with me.
In any of these cases, the extent to which I could be a threat to my company is a matter of the intent of who’s in control of my credentials! If we could understand intent, we could understand whether my behavior indicates risk or acceptable use of my credentials. Technology alone cannot solve for this type of complexity and the various employees in your organization.
CYBER CONTINUUM OF INTENT
The Cyber Continuum of Intent is a spectrum of insiders within an organization – ranging from accidental to criminal actor. I laid out a few examples above that fall within this continuum. It’s important for organizations to understand that all of these examples are likely present within their organization today. Additionally, privacy is no longer finite. We give up a lot of information in order to use an app, yet the conversation becomes delicate when an organization wants to monitor employees. Would that be different if we knew it was for our collective digital and physical safety? And what if we were informed of the process and how that data would be used along the way? Third, we have to accept that technology is not magic. There are amazing technologies out there that can do incredible things, but a machine cannot always account for human intent and behavior. Lastly, we must acknowledge that everyone is responsible for security. It is about protecting employee wellbeing, livelihood and the overall health of the business. In other words, we need to focus on the human point.
EVERYONE TO THE DEFENSE
Implementing a culture of security, and living and breathing this mentality, will be the only way to catch up to our adversaries. The complexity brought about by the intersection of human beings and rapid technological change is at the heart of the next big step. We have to change our thinking and start looking inward to our organizations as a source of vulnerability, but also potential. The only way we can make progress and move forward is with a paradigm shift - to start focusing on the human point.