Unbound enterprise: data anxiety and the counterintuitive nature of risk
The boundaries around the traditional enterprise have been dissolving for a decade or more. Since the advent of the smartphone, business operations and cybersecurity have become increasingly decoupled from physical spaces. And since last year’s remote working revolution, the transformation has only accelerated.
“The pandemic has really put that into warp speed because not only were we mobile some of the time, now we’re mobile all the time,” said Manny Rivelo, CEO of multinational software company Forcepoint, speaking during an interview at this year’s RSA Conference.
People, even those in the same organisation, now work from different locations and access applications and systems on-site and in the cloud, he said. As a result, the classical office security perimeter has completely changed.
“You could argue it’s dead,” Rivelo said.
To add to the challenge, hackers are always one step ahead, exploiting alterations in the environment. Consequently, there has been an enormous change in the behaviour of hackers over the past year as well, Rivelo explained.
In 2020, there were roughly 46,000 phishing sites put up each week in a flood of activity targeting organisations. Rivelo also pointed to the huge uptick in ransomware attacks, which not only target large companies with sensitive data and deep pockets, but smaller businesses too.
According to the CEO, the industry needs to get in front of the problem by thinking about it differently — with the new security perimeter being far closer to the edge, where the user is.
“We call this new world the unbound enterprise,” Rivelo explained.
Cybersecurity is fundamental to the success of a digitised ecosystem, so it too must innovate.
“By 2023, there will be three times the number of endpoints […] the attack surface is increasing,” Rivelo emphasised, adding that one of the ideas that his company is excited about is the focus on understanding user behaviour.
Security services, classically, have used a whitelist-blacklist approach, the CEO explained, with behaviours within a digital environment deemed categorically good or bad by security systems.
“The reality is you also need to understand the intent of a user,” he said.
Just because a user has high-level security access does not mean that the system should allow atypical behaviour to run unchecked. If for example an employee — or even a company CEO — is detected by the security system gathering quantities of screenshots into a folder, before proceeding to encrypt that folder and exporting it to external storage — automated alerts and checks should be in place to prevent this.
With each step, the risk of the activity being malicious increases, particularly once it no longer matches the historical behaviour of the user. These kinds of security protocols can be automated, Rivelo explained, adding that “this concept of being proactive and understanding the behaviour […] of a user with the security services allows you to provide more context.”
Without embracing the digital revolution of artificial intelligence and hyperconnectivity, companies could be left behind. But it is crucial that businesses bring their security framework forwards as well in order to participate in the unleashing of the unbound enterprise, Rivelo added.
Part of the problem companies face today, according to Doug Merritt, CEO and president of the data platform provider Splunk, is that certainties about what constitutes truth or accurate data are not what they once were. For executives and cybersecurity professionals, this complexity and uncertainty creates anxiety about decision making.
“It has never been clearer that security is a data problem,” Merritt said, during his RSA keynote address.
All data is security relevant and having access to all a company’s data, and making efficient use of it, is fundamental to prioritising and solving security challenges, he explained.
One approach that can be highly effective is to take the contact tracing technique used in tackling the early phases of the COVID-19 outbreak — and applying that to data breaches. This requires a broad look at the entire system, but the results are worth it, he said.
“You could shrink dwell times; you could stamp out major threats. You could fundamentally change the game,” Merritt emphasised.
The security firm Mandiant found that the global median dwell time — the number of days an attacker remains undetected in a victim’s network — has been dropping, Merritt explained. The time has fallen from 78 days in 2018 to 56 days in 2019, then to 17 days in 2020.
While this is good progress, Merritt stated that attackers need only a few minutes to achieve their malicious goals.
After the Covid-19 outbreak, the healthcare community showed that the more data we have “the better decisions and actions we deliver,” Merritt concluded. To build on the progress in cybersecurity, companies need to treat all of their data as worthy of investigation. And they need to use tools and platforms that facilitate this depth and breadth of scrunty.
The counterintuitive nature of risk
In the current threat-saturated environment, the cybersecurity industry must develop and deploy a more nuanced concept of risk, according to Steve Grobman, the CTO of security software company McAfee. This will allow organisations to focus on solutions that offer the maximum benefit, he said during his RSA Conference presentation.
Our perception of risks in the physical world are out of tune with realty, for different reasons, including evolution and how events are portrayed in media and culture. Grobman used the example of snakes and cars: people are far more instinctively afraid of snakes, but cars kill many orders of magnitude more people each year.
“Many of our perceptions about risk in the cyber world are also miscalibrated,” Grobman said, adding that professionals need to use data to counteract the influence of social media and traditional news on their raw emotions.
When analysed in this way, historical cyber incidents can shed light on future risks, in turn revealing hidden insights that businesses can use to inform their choices on where to place resources.
One observation that Grobman highlighted was that the frequency of a category of cyberattack is inversely proportional to its impact. For instance, we can think of the state sponsored SolarWinds hack and everyday nuisance phishing emails as being at opposite ends of a spectrum.
“The impact of a cyber event has multiple levels of nuance,” Grobman explained. The lethality to impacted organisations should be considered independently from the global impact of an event.
For example, we see some events that are high impact, even devastating to single organisations, but that have limited global impact, Grobman explained, referencing hacking incidents in recent years involving Sony, Target, and Marriott.
“Other events such as WannaCry and NotPetya were catastrophic to numerous organisations around the world because they spread fast and were indiscriminately destructive,” Grobman said.
Innovations have provided adversaries with more lethal and efficient tools with which to cause harm, companies have limited budgets, and cyber professionals have their own limitations, he said. That is why it is so vital that the industry understands the risk landscape in fine detail, and that companies ensure that investments have the strongest benefit to risk ratio.
“Ensure that every trade-offs and decisions you make to defend your organisation are based on data and objectivity” Grobman added.