We talk a lot about human-centric security at Forcepoint. But what does that mean? To us, it represents a shift from an outside-in approach to an inside-out one.
In the outside-in approach, we keep adding perimeter layers that include things like firewalls, end-point protection, email and web gateways, antivirus, SOCs, and additional outside-in protections. We keep doing this … but it doesn’t work.
As an industry, we’ve spent $5 trillion building walls over several decades. Despite that, almost 95% of companies have been breached in some way. This is clearly unacceptable.
The three phases of a breach
To find out why we spend so much money for such poor results, it helps to examine how a modern security breach happens. Every breach looks the same in terms of a timeline—a pre-breach period, the breach period itself and a post-breach period.
In the outside-in cybersecurity model, we spend most of our resources on the pre-breach period. In doing so, we only look for external threats to stop. We identify indicators of compromise coming from outside. We can stop the brute force attacks on our castle walls. Yet, breaches still occur.
And that’s because today, breaches happen from the inside out. The large majority of modern breaches happen from the inside. They result from insider threats—threats in the form of negligent employees, malicious employees or compromised employees.
In a typical breach, the breach period itself lasts for two to three months. That’s the time when the bad activities occur—activities that center on data theft. It usually takes outside-in companies months to figure out they’ve been compromised because they’re looking in the wrong place.
The inside-out approach focuses on users, data and behaviors
By contrast, the inside-out approach dedicates much more time and resources to understanding activities inside the network. It’s an approach centered on understanding users, data and behaviors.
- Understanding Users – What applications do they use on a daily basis? What data do they have access to? Which devices do they use?
- Understanding Data – How it flows and moves across the network: from on-premises through a VPN to a user, to the cloud, directly from devices to the cloud, etc.
- Understanding Behaviors – On a typical day, how does an employee access applications and data they need? How many devices do they use? Where do they typically store and access files they need to do their work?
All three come together in our risk-based approach to cyber security. For us, it’s about using analytics to establish a risk score for every user. That risk score is then used to assess whether our users operate within the risk threshold that we are willing to tolerate as an organization. As long as users operate within the risk guard rails, they are free to do everything their job requires. However, if they cross that risk threshold, that’s when security automatically stops them.
A user’s department, level and role all factor into the level of data and applications they have access to. Understanding the behavior helps set the risk threshold. Anomalous behaviors, like accessing and sending large files or multiple files to different storage locations, become triggers for stopping or investigating the activity.
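To make the risk-score idea above concrete, here is an added illustration (not Forcepoint's code or scoring model): a per-user baseline of typical transfer sizes and destinations is built from constructed sample events, today's events are scored against it, and a user who crosses the tolerated threshold is flagged for stopping or investigation. The event fields, weights and threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed file-transfer events (user, bytes, destination); invented for
# this example, not real telemetry. BASELINE stands for a "typical day".
BASELINE = [
    ("alice", 2_000_000, "sharepoint"), ("alice", 3_500_000, "sharepoint"),
    ("alice", 1_200_000, "onedrive"),   ("alice", 2_800_000, "sharepoint"),
    ("bob", 500_000, "gdrive"), ("bob", 700_000, "gdrive"),
    ("bob", 450_000, "gdrive"), ("bob", 600_000, "gdrive"),
]
TODAY = [
    ("alice", 2_500_000, "sharepoint"),    # ordinary activity
    ("bob", 40_000_000, "dropbox"),        # large files to several new places
    ("bob", 35_000_000, "usb"),
    ("bob", 30_000_000, "personal-mail"),
]
RISK_THRESHOLD = 5.0   # organizational tolerance; a tuning choice for this example

def build_baseline(events):
    """Per-user profile: mean and stdev of transfer size plus usual destinations."""
    sizes, dests = defaultdict(list), defaultdict(set)
    for user, nbytes, dest in events:
        sizes[user].append(nbytes)
        dests[user].add(dest)
    # pstdev of identical values is 0; fall back to 1.0 so z-scores stay finite.
    return {u: (mean(s), pstdev(s) or 1.0, dests[u]) for u, s in sizes.items()}

def score_user(events, profile):
    """Risk points: capped size z-score per outlier, plus 2 per new destination."""
    mu, sigma, known = profile
    score, new_dests = 0.0, set()
    for _, nbytes, dest in events:
        z = (nbytes - mu) / sigma
        if z > 2:
            score += min(z, 5.0)        # cap so one huge file cannot dominate
        if dest not in known:
            new_dests.add(dest)
    return score + 2.0 * len(new_dests)  # fan-out to many new places weighs extra

def evaluate(today, baseline, threshold=RISK_THRESHOLD):
    """Return {user: (score, over_threshold)}; assumes every user has a baseline."""
    by_user = defaultdict(list)
    for ev in today:
        by_user[ev[0]].append(ev)
    results = {}
    for user, evs in by_user.items():
        s = score_user(evs, baseline[user])
        results[user] = (s, s > threshold)
    return results

if __name__ == "__main__":
    for user, (score, stop) in evaluate(TODAY, build_baseline(BASELINE)).items():
        print(f"{user}: risk={score:.1f} {'STOP/INVESTIGATE' if stop else 'ok'}")
```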
The inside-out approach still means investing in protecting the perimeter, and everything that entails. However, we cannot ignore that all breaches are inside jobs, so we need to go beyond external threats and become more user-, data- and behavior-centric in our approach to security! For us, that means a platform that combines edge, data and user protection, orchestrated by powerful behavioral analytics. Indeed, this is the basis for what we call human-centric security.
If you’re interested in learning about the inside-out approach in more detail, click the Watch the Webcast button on my Voice of the CPO session on the right.