The cyber security industry has spent trillions of dollars to keep external attackers at bay. To what effect? We still don't see an end to the cat-and-mouse game between attackers and the security industry: zero-day attacks, new vulnerabilities, increasingly sophisticated attacks, and so on. We need a paradigm shift in security, a shift away from traditional threat intelligence and indicators of compromise (IOCs) toward understanding behaviors, those of devices and those of humans.
What are the security approaches and trends that will make an actual difference in protecting our critical data and intellectual property, not just from external attackers but also from malicious insiders? We will explore topics from the 'all-solving' artificial intelligence to risk-based security. We will look at what is happening within the security industry itself, where startups are placing their bets, and how human factors will play an increasingly important role in security, along with all of the potential challenges that will create.
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
1. Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty, VP Research and Intelligence, Head of X-Labs, Forcepoint
SIGS Kick-Off | January 2020 | Switzerland
2. A Brief Summary
• We need a paradigm shift in security to escape the security cat-and-mouse game
• Integrated platforms – no more disjointed security tools
• Readiness for digital transformation challenges
• Human factors and behavioral intelligence play a key role in detecting and preventing cyber attacks and insider threat
6. Cyber Security Challenges
• Visibility challenge – devices and users
• Disjointed security products
• Alert overload in the SOC
• Privacy and regulations – a security inhibitor
• New technologies constantly exposing new threats
• Talent shortage
• Phishing (now with deepfakes)
• Discovering attacks too late (‘right of boom’)
• Ransomware
7. $1 Trillion Has Been Spent Over The Past 7 Years On Cybersecurity, With 95% Success … For The Attackers
• 46% say they can’t prevent attackers from breaking into internal networks each time it is attempted.
• 100% of CIOs believe a breach will occur through a successful phishing attack in the next 12 months.
• Enterprises have seen a 26% increase in security incidents despite increasing budgets by 9% YoY.
Sources: CyberArk Global Advanced Threat Landscape Report 2018; Verizon 2018 Data Breach Investigations Report.
10. Extending / Improving the Kill Chain
Recon → Weaponization → Delivery → Exploitation → Installation → Execution
Most Security Tools:
• What if there is no exploitation?
• Generally focused on external attackers
• Focused on known attacks
11. Understand the Execution Phase
Recon → Weaponization → Delivery → Exploitation → Installation → Execution
Within Execution: Discover → Explore → Collect → Exfiltrate, Modify, Destroy
Dwell time can be months
• Broaden focus from external attackers to compromised users and devices, to include insiders (malicious and accidental)
• Shift focus from the latest attacks to what your users (and devices) are supposed to do
• Think beyond whitelisting
• Focus on the intersection of users and critical data
12. Moving ‘Left of Boom’
Recon → Weaponization → Delivery → Exploitation → Installation → Execution
• Focus on behavior of humans and devices
• Understand humans and intent to help flag suspicious entities before harm is caused
• Move to a risk-based approach
Monitor human factors | Monitor for deviations from norm | Assess peer group membership
[Figure residue: John – 89]
15. NEW ATTACK SURFACES
Artificial Intelligence | IIoT | Container Workloads | 5G | Etc.
Digital transformation is driving ever new technologies, accelerating changes in attack surfaces.
Is your environment set up to deal with new security tools that can be integrated into your existing setup, processes and people?
Do you need new tools for every new type of attack? Or does your existing tooling cover more than just one type of attack?
November 2019 – VC Investments
• Training 3
• NetSec 5
• Phishing 3
• Identity 4
• Fraud 2
• Data 4
• Scanning 4
• Testing 1
• MSP 1
• Others
21. Behavior and Risk Centricity
Monitor Entities
• Learn their normal behavior
• Learn how they behave relative to their peers
• Learn how they interact with critical data and IP
• Based on deviations, compute an entity risk
Understand Humans
• Track and assess human factors
Shift to a risk-based approach
• An ‘event’ can be either good or bad, depending on the context of the entity
[Figure residue: John – 89]
25. Risk Today vs. Tomorrow – The Inclusion of Human Factors
[Diagram: Concerning Behaviors → Adverse Outcomes]
26. Risk Today vs. Tomorrow – The Inclusion of Human Factors
[Diagram: Risk Adaptive Protection. Labels in the order they appear: Stressors, Predisposition, Human Context, Attributes, Intent, …, Device Type, Mindset, Device Context, Exposure, Activities, Concerning Behaviors, Business Activity]
Activities that, out of context, would be benign now flag an attack.
“Detection Rules” that normally generate a lot of false positives are now weighed by the risk of the entities.
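The two ideas on slides 21 and 26, computing an entity risk from deviations against the entity's own baseline and its peer group (plus human-factor observations), and then weighing ordinary detection-rule hits by that risk, can be shown in a few dozen lines. The following is an added example written for this page, not code from the deck or from Forcepoint; the telemetry schema, the weights, the threshold and all sample values are constructed for illustration.

```python
"""Added example: entity risk scoring and risk-weighted detection rules.

Assumptions (not from the slides): the telemetry schema, the scoring weights,
the alert threshold and every sample value below are constructed.
"""
from statistics import mean, pstdev

# Constructed sample telemetry: files touched in a critical-data share per
# user per day over the last seven days, plus the user's peer group.
HISTORY = {
    "alice": ("finance", [12, 11, 13, 12, 11, 13, 12]),
    "bob":   ("finance", [9, 10, 9, 11, 10, 10, 9]),
    "john":  ("finance", [12, 10, 11, 13, 12, 11, 12]),
}
# Constructed counts observed today.
TODAY = {"alice": 12, "bob": 10, "john": 60}

# Constructed human-factor observations, one flag per observation
# (the kind of "concerning behavior" the deck lists on slide 27).
HUMAN_FACTORS = {"john": ["access_request_beyond_role"]}


def zscore(value, series):
    """Standard score of value against series; std floored to 1.0 so a flat
    baseline cannot divide by zero."""
    sd = pstdev(series) or 1.0
    return (value - mean(series)) / sd


def peer_series(group):
    """All historical counts of every member of the peer group."""
    return [c for g, counts in HISTORY.values() if g == group for c in counts]


def entity_risk(user, today):
    """Entity risk on a 0-100 scale.

    Only upward deviations count (doing less than usual is not suspicious
    here). Weights are constructed: 20 per sigma against the user's own
    baseline, 15 per sigma against the peer group, 10 per human-factor flag.
    """
    group, own = HISTORY[user]
    self_dev = max(zscore(today, own), 0.0)
    peer_dev = max(zscore(today, peer_series(group)), 0.0)
    flags = len(HUMAN_FACTORS.get(user, []))
    raw = 20 * self_dev + 15 * peer_dev + 10 * flags
    return min(100, round(raw))


def risk_weighted_alerts(rule_hits, threshold=30):
    """Scale each rule hit's base severity by the entity's risk.

    A rule that fires for a low-risk entity keeps its hit but is marked
    'suppress' instead of 'alert', which is how the noisy rule becomes
    useful only in the context of a risky entity.
    """
    out = []
    for user, rule, base_severity in rule_hits:
        risk = entity_risk(user, TODAY[user])
        weighted = round(base_severity * risk / 100)
        out.append({
            "user": user, "rule": rule, "risk": risk, "severity": weighted,
            "action": "alert" if weighted >= threshold else "suppress",
        })
    return out


# Constructed output of a conventional rule engine: (user, rule, base severity).
RULE_HITS = [
    ("john", "bulk_download", 40),
    ("alice", "bulk_download", 40),
    ("bob", "after_hours_login", 20),
]

if __name__ == "__main__":
    for hit in risk_weighted_alerts(RULE_HITS):
        print(hit)
```

Running it shows the same `bulk_download` rule firing for alice and john: alice's count is normal for her and for her peers, so the hit is suppressed, while john's count is tens of sigmas above both baselines and he also carries a human-factor flag, so his risk saturates at 100 and the hit becomes an alert. Replacing the hard-coded weights with values tuned on your own false-positive history is the obvious next step.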
27. Am I here to work for you, or for someone else?
[Diagram labels: Regular Activities, Activities, Predisposition, Stressors, Concerning Behaviors]
• Seeking access or clearance levels beyond current need
• Testing security boundaries
• Multiple usernames & identities
• Social and professional network
• Unreported travel
• Low communication, lack of social connections in office
• None
• Communication with competitors
28. Challenges and Dangers
• Needs to be built with ‘privacy first’
• Nuances of regional regulations (GDPR, CCPA, etc.)
• Avoid using human factors for psychological diagnoses
• Securing collected data – anonymization?
• Verifiability and explainability of approaches
• Where are the socio-ethical boundaries?
29. Shifting The Paradigm Left Of The Boom
You need a future-proof platform that provides complete visibility and insight
You need sensors
• For every possible point of contact
• Understand user interactions with critical data
• Cover cloud, on-prem, hybrid, and IIoT
You need a way to characterize what’s normal for your users and devices – and understands human factors
ready