From the Spring 2017 Issue

Security Through Inclusion

Gary Merry
CEO | Deep Run Security Services, LLC

Larry Letow
CEO, U.S. | CyberCX

It’s not the number of people in your security department, but the number of departments into security, that will make you secure.

Creating a secure business is not about replacing part of your business with security functions, it’s about integrating security into business operations, as with any other business function. It’s certainly not about believing that technology is capable of outflanking the human imagination and solving the cybercrime blight.

You can feel the punishment, but cannot see the crime.,

At this point in our technological growth, we can monitor every bit viewed, stored, transmitted or deleted. Why don’t we see all cybercrime as it’s happening, and just stop it? We audit, monitor, and pursue this enemy. Yet, the cybercrime curve continues its devastating upward march. The mortal enemy of business today continues to be the loss of information; billions are spent and billions are lost.

At the heart of this challenge lurks a dichotomy: the cybercriminal is simply executing normal business functions. Credit card numbers are supposed to result in purchases, user IDs and passwords are supposed to give access, and data in its various states, is supposed to be important to your business. The only thing that makes the criminal different is that they are acting with malicious intent.

Intent, especially with members inside of your organization, is subjective, and has been proven to be one of the most difficult cybersecurity challenges.

How do we create departments that are into security and can overcome both this dichotomy and our operational weaknesses?

Albert Einstein is credited with two very insightful quotes: “We cannot solve our problems with the same thinking we used when we created them,” and “The definition of insanity: Doing the same thing over and over and expecting different results.” New thinking, combined with new approaches can be used to form cultures capable of creating internal communities that own the problem and strive to meet this challenge.

Two new ways of thinking to break this cycle:

First, in the case of our internal organizations, we allow users to operate with unknown and unvetted intent and without behavioral or organizational oversight. As a result, our technology continues to do the same thing, and our businesses hope for different results. The inclusion of insider threat analysis tools must be an integral part of any entity’s ability to proactively thwart malicious insiders. Insider threat tools can be educational for the employee and a rapid identifier of malicious intent. Without such tools, we will continue to be blind to indicators of malicious intent, and bad and negligent actors will continue to find cracks in our security and we will continue to be plagued with our existing cybercrime results.
To quote a good friend – “Everything that happens in your organization begins and ends with an endpoint device. That includes everything that goes right and everything that goes wrong.” To be effective, insider threat tools must focus on the endpoint and require agent based technology (as opposed to network-based technology). Any organization needs the same protection whether the employee is sitting in the office or traveling on an airplane.

Ideally, the insider threat tool focuses on data loss protection, individual device interaction, individual device activity, productivity and provides 360 degree data loss prevention (DLP). Organizations must be able to know who is viewing sensitive documents in real time and how those documents are being handled. In the event of misuse, the tool set must be able to alert, challenge, prevent, encrypt, and provide forensics on modifications made to key documents, identify transfers via email, USB, cloud or printing, all while gathering important information that would otherwise be invisible to traditional network-based monitoring.

Finally, implementing an insider threat tool needs to be seamless, without any performance degradation to the device or the network. Most programs use Microsoft Active Directory or third party tools to implement or update the agent to devices.

It takes people to win a battle, and a community to win the war.

As abstract as intent can be to technology, it is far less so from within a community. Drafting the corporate community into the fight against cybercrime is a concept that is neither novel nor easy.  Mitigating cybercrime by joining teams to the problem takes far more than status meetings or adding new titles to our organizational charts.

The community starts in the form of a continuous chain of effective leadership, focused on security from the board room through organizational leadership to the most specific of workgroups. The cornerstones of the community are assessments of cyber strengths and weaknesses that join all levels of ownership, across all organizations, to the common cause of protecting the community from both the inside and outside.

A cyber risk management tool provides both a methodology and a mechanism that promotes a common grammar and a focal point for vision and leadership. This intersection point of vision must not inhibit the wielders of technology and must not be in a form that is foreign to non-technical leadership.

Cyber risk cannot be successfully managed as an island of risk; its inclusion in overall business risk management is imperative.

As managing cyber risk is a team effort, for a cyber risk tool to be effective, it must expand security ownership and responsibility beyond IT, blur organizational lines, cross information ownership boundaries and broaden leadership roles. A cyber risk management tool should deliver, at a minimum, the following value to the organization:

• A clear and concise view of strengths and vulnerabilities
• Engagement at all levels of management
• Empower all levels to participate
• Support for industry standards
• Support for assessment teams incorporating organizational employees
• Have a scope not limited to IT
• Enable a transparent and open review of findings and methodologies used
• Flexibility to modify approach to meet specific business topologies
• Involvement of people and teams, not exclusively a scanning software solution
• Empower the organization to make its own risk judgement based on findings
• Must provide results in business terms with actionable results

Clearly there is no single solution to our increasing cybercrime problem.  The first step, however is to realize that the flaw is not in the technology, but with people and operational policies.  To overcome these vulnerabilities, operations must be as effective, adaptable and flexible as technology, and technology investments must emphasize people and operations. Failure to invest evenly is paramount to waging war with guns but without ammunition, or, for that matter, without knowledge that a war is being waged.

Larry Letow Gary Merry

Leave a Comment