Understand Behaviors to Keep Data Safe

January 12, 2021

The past two years have seen a series of big, targeted data breaches and high-profile cyberattacks against organizations, financial institutions, government services portals, and prominent people, exposing the personal information of hundreds of millions of people. The SolarWinds hack, by reportedly Russian attackers, accessed sensitive data belonging to several US government agencies and other public-service institutions such as hospitals and universities. Personal information of at least 5.2 million guests was stolen through the account of a Marriott International franchise partner. The New Zealand stock exchange was hit by cyberattacks that halted its operations several times. These are just a few examples, and the list is growing fast and fat.


What followed has been a rethinking of the cybersecurity paradigm, says Frank Dickson, program vice-president, cybersecurity products at IDC.


“Instead of more cameras on the door, let’s put a fence around the house so you can’t get to the door. Let’s reduce vulnerabilities. Let’s re-architect and fundamentally make the house more secure,” he says. This evolution has continued with the proliferation of cloud-based business solutions paired with an increase in remote work, trends accelerated by the COVID-19 pandemic. The old perimeter, he says, has disappeared, and previous conceptions around cybersecurity should disappear, too.


“Our applications, data and people have all left the premises,” he says. “And so when that happens you have to fundamentally take a different approach.” Protecting data in this context against breach, that moment where it leaves the control of the enterprise, requires the ability to detect and contain threats faster.


Personalize security by user behaviors

In a data landscape where the local coffee shop might serve as an office and mom’s work computer can double as a third grader’s game console, where should cybersecurity efforts be focused? The answer lies in understanding how people have become the new perimeter.


Preventing data from escaping the enterprise (what cybersecurity experts call staying “left of breach”) becomes a matter of understanding the digital behaviors of those with access to information. It’s a mindset that says, “Wow, I need to make sure I can understand behavior as it’s unfolding, not after the fact,” turning the spotlights on and being in position to take action based on what’s being seen. It’s a continuous risk assessment, like putting a heart monitor on everyone trusted to be on the network and taking their pulse.


It’s also a framework that is proactive and adaptive in a world that demands both. Automated tools help establish “normal,” not just for the organization as a whole but for the digital behaviors of individuals as well. When those behaviors are safe, security should work entirely in the background. If that changes, and the risk score shifts upwards, the tool set can adaptively enforce policy on the individual rather than from a universal, all-or-none perspective. Being as frictionless as possible to the end user is critical until friction is warranted.


Make security invisible

Fundamental to staying left of breach is the partnership between employer and employee. Building a culture that believes security is important is everyone’s responsibility. The enterprise can provide a user experience around security that is as seamless as the ones employees use in their personal lives, whether ordering groceries online or streaming video. It can move as they move, from location to location, app to app, device to device.


Users, in turn, understand that the security infrastructure around them is designed to protect the enterprise by protecting them from mistakes (clicking on a bogus email or sending unsecured files, for example) that might unwittingly allow unauthorized access. It’s a way to build trust: monitoring and continuous assessment take place within a framework that is appropriate for the people it covers.


In this context, the idea of “friction” itself evolves. Security is invisible until needed and, when needed, is a safeguard, not an impediment. A great user experience means employees are far less likely to bypass security measures in the name of efficiency and productivity, significantly lowering the risk of breaches.


The goal is for security and usability to work in concert, not opposition. To IDC’s Dickson, favoring one over the other represents something of a false choice. “Let’s do both right,” he says. “Let’s improve security by making it easier to use. Let’s create the incentives, so people actually want to use the platform we’re using because they improve the user experience.”


And when user experience and security converge in the most ideal way, what does that look like? According to Dickson, it doesn’t look like anything, and that’s exactly the point. The measures we take to improve our security are so embedded and ingrained into our applications, we don’t even know they’re there. They are free and enabling.


An Analytics & Behavior-Centric Approach to Digital Payment Security for the RBI

December 22, 2020

The recent news of a cyberattack on a large private bank, where banking operations were halted for two days, is really alarming. It appears to have been a distributed denial of service (DDoS) attack, or some other flaw in the netbanking system, that led to this outage, in which people were not able to connect to the bank’s server and its netbanking site for 48 hours. These types of attacks flood a specific service with traffic until the service stops responding or crashes. A known vulnerability within an internal application can also cause these kinds of issues, with an impact as large as bringing the system to a complete halt.

Examples like this always result in amendments to current security practices. It is good that the Reserve Bank of India (RBI) is focusing on this and bringing more digital initiatives that will ensure banking transactions are secure from a cybersecurity perspective. When banks undertake updates or add new applications, they should evaluate the risk related to these applications and ensure that people accessing them can trust the new services. These parameters need to be assessed every time the bank does a vulnerability assessment. The security team at a bank should know how a certain application is behaving, what its baseline load is, what type of transactions are happening, and so on, but this information also needs to be captured at an analytics level. Then, if this baseline load is exceeded, it acts as an early warning system so the team can step in and address DDoS attacks quickly.

As RBI is focused on building a more secure digital framework, it should look at utilizing analytics to make sure banking platforms are resilient. In India, the banking sector seems to be heading towards a big transformation. For instance, in the past RBI rolled out new kinds of credit cards for users where a small chip is inserted in the card to improve security and convenience for card transactions. This shows how RBI is working towards modern initiatives and frameworks for the banks to adopt. Once we get to know the new policy and guidelines, we can further share our thoughts.

I imagine that RBI would intend to build a robust security policy that takes all types of banking players (private, nationalized, overseas and cooperative) and modes of transactions into account. As India is talking about data protection and data privacy, these factors will also have to be considered. For example, whether a person completes a transaction from a mobile phone or laptop or from any location, data gets logged into the system. This brings up the question of data security and privacy. I’m sure RBI will focus on these aspects from their digital initiative perspective: how to manage the infrastructure risk along with the privacy risk. Data protection is another point that RBI may keep in mind while designing security policies. Data can be protected and better secured by taking a behavior-centric approach to security.

For instance, during a crisis Forcepoint’s Data Loss Prevention (DLP) solution can help banking customers detect and prevent data leaks from a compromised system, the web, email or an endpoint. As any B2B service consumes that data, it can also monitor the data over the transport layer.

Our Dynamic User Protection helps in detecting and preventing an insider threat, and monitors user activities using indicators of behaviors to implement an auto-response based on the risk matrix. This helps banks detect risky behaviors in the core banking system and to identify people who interact with that data.

As people are working from home even in the banking sector, our Private Access replaces the traditional VPN and brings in micro-segmentation. This solution helps in segregating the network and data management planes to provide secure remote access to applications and data in the datacenter.

# # #

About Forcepoint

Forcepoint is the global cybersecurity leader for user and data protection. Forcepoint’s behavior-based solutions adapt to risk in real-time and are delivered through a converged security platform that protects network users and cloud access, prevents confidential data from leaving the corporate network, and eliminates breaches caused by insiders. Learn more at https://www.forcepoint.com


Shifting Gears from IOCs to IOBs

December 17, 2020


I recently had the pleasure of speaking at GovWare 2020 about a topic that will become increasingly important for a growing number of organizations: shifting from the traditional and well-known Indicators of Compromise (IOCs) model to one that’s driven by Indicators of Behavior (IOBs). This does not mean that IOCs will go away (they still serve a purpose), but the new way of working that we’re all adapting to requires a new approach.


Limitations of IOCs

The after-the-fact nature of IOCs is one of their clearest limitations. They are documentation artifacts (the hash of a file, the reputation of an IP, known-bad URLs, an in-memory footprint, etc.) based on an isolated action after it has occurred. Too often, their 1:1 mapping, where an IOC triggers an alert that is then triaged by a Security Operations Center analyst for review or action, leads to alert overload. Even though advanced SIEMs, UEBAs, and threat intelligence platforms can reduce a handful of false positives through automation, false positives still occur at excessively high rates.

Besides the sheer volume, the bigger challenge is that IOCs are derived from actions that occur in isolation, lacking context. As standalone events, IOCs remain difficult to assign a priority to, and are even more difficult to keep updated and current. Assuming security teams are able to handle those challenges, what’s the life span of an IOC? How and when does an IOC expire? How much “noise” is there in threat intelligence feeds?


Another key limitation: IOCs were designed for an infrastructure security-centric world, and the world has been changing for years. The current pandemic accelerated this change as organizations now struggle to secure hybrid IT environments: your corporate “network” is now made of thousands of “branch offices of one” as employees work from home. That is why we believe users, not the network, are the new perimeter, and also that data gravity has changed the information protection game. In this reality, IOCs simply fall short.


Forcepoint’s Goals with IOBs

An IOB is the way a user, device or account conducts itself. Our teams designed dozens and dozens of IOBs with the clear goal of addressing IOCs’ shortcomings. For IOBs, both the context and the timeline (the “kill chain” equivalent) are key. IOBs focus on understanding the context around how your employees interact with the organization’s data and systems over time in a much broader way. With them, context means, for example, understanding a user’s typical behavior, the timeframe, the applications used, the actions they are taking and the outcome they are trying to achieve.


Risk Scores are Key

Controlling and monitoring application and data access is only one part of it. IOBs also factor in actions in the context of each other to produce an overall risk score. Typical employee behaviors like accessing approved applications and data shares won’t adversely impact a user’s risk score. But risky behaviors, like taking a screenshot of confidential documents shared in a Zoom session to save on a USB key or a cloud storage service, or printing those same critical documents at home, will negatively impact a person’s score.


Our risk computation engine is key to making IOBs effective. Each IOB defines a base risk contribution along with a decay over time, and depending on further context, the risk contribution can adapt. All of this is in service of getting to a key outcome: true risk-adaptive protection for users. IOBs enable a shift from a reactive reality to a proactive one. IOBs and the dynamic risk scores they power allow security leaders to anticipate malicious activities like data exfiltration, compromised user credentials or other insider threats. Most importantly, they help security teams stay left of breach.
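As an added illustration of the model described above, the following Python is not Forcepoint’s engine but a small risk-score calculator built the same way: each IOB carries a base contribution and a decay half-life, context tags scale the contribution, and the summed score maps to an adaptive enforcement tier. The catalogue, weights, half-lives, context multipliers, thresholds and sample timeline are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Iob:
    name: str
    base_risk: float        # points added when the behavior is observed
    half_life_hours: float  # contribution halves every this many hours

# Constructed catalogue. The behaviors are the ones the post names; the
# weights and half-lives are illustrative assumptions, not product values.
IOB_CATALOG = {
    "access_approved_share": Iob("access_approved_share", 0.0, 24.0),
    "screenshot_in_meeting": Iob("screenshot_in_meeting", 25.0, 72.0),
    "copy_to_usb": Iob("copy_to_usb", 20.0, 72.0),
    "upload_personal_cloud": Iob("upload_personal_cloud", 20.0, 72.0),
    "print_at_home": Iob("print_at_home", 30.0, 168.0),
}

# Context tags that raise a contribution (assumed multipliers).
CONTEXT_MULTIPLIERS = {"confidential_data": 1.5, "off_hours": 1.25}

@dataclass(frozen=True)
class Event:
    user: str
    iob: str
    at: datetime
    context: frozenset = field(default_factory=frozenset)

def contribution(event: Event, now: datetime) -> float:
    """Base risk, scaled by context, decayed exponentially since the event."""
    iob = IOB_CATALOG[event.iob]
    age_hours = (now - event.at).total_seconds() / 3600.0
    if age_hours < 0:
        return 0.0  # an event timestamped in the future (clock skew) adds nothing
    decay = 0.5 ** (age_hours / iob.half_life_hours)
    multiplier = 1.0
    for tag in event.context:
        multiplier *= CONTEXT_MULTIPLIERS.get(tag, 1.0)
    return iob.base_risk * multiplier * decay

def risk_score(events, user: str, now: datetime) -> float:
    """Sum of one user's decayed contributions, capped at 100."""
    return min(100.0, sum(contribution(e, now) for e in events if e.user == user))

def enforcement(score: float) -> str:
    """Map a score to a policy tier; the thresholds are assumptions."""
    if score < 30:
        return "monitor"          # security stays entirely in the background
    if score < 60:
        return "step_up_auth"     # add friction only now that it is warranted
    if score < 85:
        return "block_egress"     # e.g. block USB copy, cloud upload, printing
    return "isolate_session"

# Constructed sample timeline: Alice screenshots a confidential document shared
# in a meeting and copies it to USB; Bob only opens an approved share.
T0 = datetime(2020, 12, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("alice", "access_approved_share", T0),
    Event("alice", "screenshot_in_meeting", T0 + timedelta(hours=1),
          frozenset({"confidential_data"})),
    Event("alice", "copy_to_usb", T0 + timedelta(hours=1, minutes=10),
          frozenset({"confidential_data"})),
    Event("bob", "access_approved_share", T0 + timedelta(hours=1)),
]

def posture(user: str, hours_after_t0: float, events=SAMPLE_EVENTS):
    """Return (risk score, enforcement tier) for a user at T0 + hours."""
    score = risk_score(events, user, T0 + timedelta(hours=hours_after_t0))
    return score, enforcement(score)

if __name__ == "__main__":
    for user, hours in (("alice", 2), ("alice", 24 * 14), ("bob", 2)):
        print(user, hours, posture(user, hours))
```

Running it shows Alice’s score pushing her into the blocking tier right after the two risky actions and decaying back to the frictionless tier two weeks later, while Bob’s approved access never raises his score at all.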


Take a look at my GovWare 2020 slides to get a deeper look into IOBs, our design goals, how we categorize them and how they will be a key component in an organization’s cybersecurity path forward.


Where is your data? You’ll find out in 2021

November 19, 2020

So, as we near the end of 2020 I imagine there are many CISOs, CIOs and indeed business leaders sitting out there, patting themselves on the back as they survey their workforces, established in remote / hybrid office-and-home systems, happily and productively accessing data and continuing to work in an entirely new way. It’s true that their teams have been, like so often, unsung heroes, making the impossible possible in the first part of the year.

However, I’m afraid I need to burst this bubble. In 2021 I believe we will start to realise exactly how much intellectual property was stolen by external attackers and malicious insiders during the 2020 remote working shift with the implications it had on ways-of-working, maintaining infrastructure security and continuing to protect data everywhere.

What did we do?

Almost overnight organizations flipped a switch from a predominantly office-based workforce to remote workers using a plethora of operating systems and equipment. Employees with a wide range of technical know-how were left to set up and configure home networks and devices, while IT teams added and tried to scale VPNs and moved data into SaaS applications. It is almost as if companies gave up on protecting the perimeter, and trusted in basic networking and cloud services to protect what I call the “branch office of one”. The old perimeter is clearly gone, data needs to be more accessible than ever, and the ability for the user to work remotely is paramount.

It’s my view that we don’t yet know what impact this has had, and 2021 will start to unveil it to us.

Did we keep an eye on our attack surface and did we really examine the vulnerabilities we exposed during this time?

When cloud service providers spun up new clouds or SaaS applications for us, did the security keep pace and did our policies get applied consistently?

Has lockdown meant that cyber-enforcement got lighter? Did cybercriminals think they could get away with stealing data while security and IT teams’ attention was elsewhere?

The treasure trove has been opened right up, and security teams should not rest on their laurels. From past experience, I must assume that we haven’t moved as fast as the attackers, and that 2021 will see several large data breaches revealed, while some firms discover to their horror that what appear to be nation state attackers or well-organized criminal groups have infiltrated their defences.

As was forced upon digital transformation programs, the notion of multi-year security programs will be replaced, in 2021 and beyond, with more agile security. We need to move at “bad guys’ speed”, and our responses to threats must be completed at the same rate of change we would expect from a business model pivot or adaptation.

The Imperative of Visibility in 2021

Data visibility and the management of data protection is the most important cybersecurity imperative for enterprises in the next year. In this way, 2021 can become the year of working securely, regardless of location. These new patterns are here to stay, and we must do our best to introduce resiliency, security and visibility into our efforts.

As part of this, we must address the elephant in the room. Data loss is damaging to business, and in order to stop that loss, we need to know exactly where our data is, on a minute-by-minute basis. That means we must introduce real-time (or near real-time!) user activity monitoring. We should be monitoring to prevent data loss: not productivity tracking. Transparency in the roll-out of these solutions and the careful consideration of user privacy should be at the heart of any user activity monitoring solutions. Forrester analyst Chase Cunningham has advised: “If you aren’t monitoring your data: your intellectual property is walking out of the door, and you’ll be out of business in twenty years.”

The fact that we have shifted to remote working so quickly, and relatively smoothly, may mean that we have no need to go back to a structured perimeter. But we will need a fast movement towards user activity monitoring – an approach that relies on analytics to understand data access patterns. Without visibility of data in this way we cannot scale and understand how to work productively, flexibly and securely. Through the combination of behavioral analytics and Indicators of Behavior (IOBs), we can achieve visibility alongside control. Data usage must be examined and understood in context, and data loss prevention policies applied adaptively, and dynamically. If we can create cybersecurity technologies which build upon machine learning and analytics to measure and understand data movements in quasi real-time, we can avoid the upcoming dawn of disappointment on the horizon.

As the “new normal” becomes “just normal”, leaders must get the basics right: revisit their policies and processes, validate their posture and risk appetite, and avoid assumptions that all is well just because they haven’t seen an incident yet. Longer term, cloud-native solutions with a deep understanding of users’ behavior will deliver permanent solutions, rather than stopgaps when it comes to protecting data and intellectual property.


People Do People Things: The Future of Security is Human

October 28, 2020

  • Workarounds, shortcuts and creative work strategies are simultaneously a celebration of human creativity and a risk for organizations who are desperately trying to maintain visibility of their assets.
  • Learn more about what motivates behavior, and commit to designing and implementing security practices and tools that work with humans rather than against them.
  • 2020 demanded that humans find innovative ways to keep organizations running. 2021 will continue to reflect human resilience and ingenuity.

As 2020 comes to an end, the importance of understanding the relationship between humans and technology is at an all-time high. Widespread shifts in the fabric of our society, prompted by the ongoing pandemic, exposed weaknesses in security tools and protocols for remote workers, highlighted issues of network reliability and accessibility, and demanded that humans find innovative ways to keep organizations running. While the fallout from the pandemic is unignorable, the ability for people to respond to seemingly endless challenges has been nothing short of remarkable.

The year 2021 will continue to reflect human resilience and ingenuity. It will be the year of workarounds and self-serving insider threats, where people find ways to accomplish their goals despite dealing with personal and professional adversity. Workarounds, shortcuts, and creative work strategies are simultaneously a celebration of human creativity and a risk for organizations who are desperately trying to maintain visibility of their assets. Ultimately, people sharing data and accessing corporate networks in new and potentially unsanctioned ways carries quite a bit of risk – especially for organizations that are new to managing remote workers.

The result of these changes is that successful cybersecurity strategies will stop trying to use technology as a unilateral force to control human behavior. Rather, organizations will come to terms with the reality that adding more and more technology or security does not lead to behavioral conformity, especially not conformity that aligns with security principles and adequate cyber hygiene. In fact, additional layers of security may push more people outside of the guiderails due to increasingly aggravating security friction that blocks them from completing tasks or easily accessing critical organizational assets.

Understanding Precedes Predicting

In light of this, understanding how people adapt to, respond to, and inform their environments is critical for organizations heading into the new year. For far too long, the tech world has created products with the assumption that people will use them in an expected or uniform way, or that people would conform to the rules and constraints laid out by well-meaning engineering teams. If we’ve learned anything from 2020, it is that people are not always predictable, and making assumptions about human behavior is a dangerous game to play. What’s surfaced is that expectations, guidelines, best practices, and even commands will yield every type of behavioral response – from rigid compliance to retaliatory noncompliance.

What can we do? We can learn more about what motivates behavior, and how people ultimately choose to behave. We can also commit to designing and implementing security practices and tools that work with humans instead of against them. To do this, however, we have to focus on measuring and understanding behavior instead of focusing exclusively on detecting compromises and vulnerabilities.

For instance, we know that people’s immediate needs often outweigh potential negative consequences – especially when the consequences do not have a direct, individual, and immediate impact. This means that when we need to accomplish our goals we often take the easiest route. Unfortunately, the easiest route is often riskier than the “ideal” route. When faced with frustrating, security-heavy file and data sharing tools, we may turn to sharing via personal cloud applications. Making rules to stop people from engaging in this type of behavior is not working – so rather, we have to better understand these behaviors to find ways to mitigate their risk to organizations and organizational assets.

Building Behavioral Understanding Into Systems

Within the cybersecurity industry, observing and understanding behaviors must come with context. What may appear at first glance like an obviously malicious act likely to lead to data loss – for example an engineer requesting access to multiple sensitive data repositories over the course of two days – could simply be a person getting their job done. Our engineer may be doing this because she’s been added to several new projects and needs to be able to collaborate with her new team. We want people to be able to do their jobs within the constraints of our corporate network and policies, so blocking them would only encourage the human tendency to find an easier (and less secure!) route for getting their jobs done. With an interdisciplinary research team, pulling experts from security, counter-intelligence, IT, and behavioral sciences together, behavioral understanding can be built into cybersecurity systems. And this is the first important step for finally starting to move cybersecurity left of breach – designing security for the human element.

