Posted by Ed Macnair / 25 May 2016
As any law-enforcement advisor will tell you, criminals succeed mainly because they understand the human psyche. Knowing how to manipulate somebody into leaving a backdoor open is still the ultimate weapon in any criminal’s arsenal.
Cybercrime is no exception. In fact, among criminal acts that rely on ‘how we work’, it’s probably the market leader. Increasingly sophisticated, annoyingly clever and coming to a device near you.
One theory behind the success of the bad guys is the age-old demonization of the user, which at one stage was probably warranted. Today’s digital user, in contrast, is arguably a different animal. They’ve been exposed to every scary story and salacious headline, sat through a hundred security briefings and have all, at one point, almost certainly clicked on something that they shouldn’t have.
The security industry has almost done its job too well but with some odd educational consequences. Many users (and some security professionals for that matter) are steadfast in maintaining security practices that have been circulating the market for virtual generations but today are frankly useless.
Ask the average person, for example, what constitutes a good password and most will respond with ‘8 characters and throw in some capitals and symbols to boot’. Awesome advice…three years ago. Today if you have anything less than 16 characters, you may as well send a handwritten invitation requesting to be compromised.
The industry also appears to assume that all users are hapless digital lemmings merrily meandering towards a virtual sheer drop, blissfully unaware that they’re about to do something daft (OK, so some of them are, but they’re beyond help). Here’s the thing, though: no matter how savvy we’ve become, human behaviors are broadly predictable, transparent to the skilled eye and common, particularly when we’re busy. The bad guys have built a multi-billion empire that says so.
That leaves modern day security with the integral role of understanding human behavior, positive and negative, intentional and unintentional or it will simply cease to exist. Harsh but true.
I now pronounce you, virtualized
Here’s a cracking example of how technology shapes our behavior. Most people have a symbiotic, almost unhealthy relationship with their mobile devices. I know this because I’m well…one of them. Go to any coffee shop, airport, train, public toilet and if you’re the one person looking straight forward and not at the glare of an electronic screen, you’ll invariably be the odd one out (and we’ll all assume your battery has died).
Broadly speaking, this same group of people also places an abnormal amount of trust in a mobile device. It’s not unusual for someone to refrain from opening a spurious link on their laptop but then happily open it on their smartphone. That’s just crazy.
Understanding people and their behavior is the key to contextual unified security. Where they usually log on, the places they visit on the internet, the usual times they work remotely or how often they use their own device for work establishes normal patterns. Spotting abnormalities is key, intentional or otherwise.
We need to shine a big uncompromising light on ‘how we work’ and the trusting relationship with our mobile devices; only then do we stand a fighting chance of dragging the security market into the world it seeks to protect and serve. And that, my friend, requires change.
Alas, poor Yorick…
The cold, hard truth is that any security technology that doesn’t follow the behavior of the user is simply irrelevant and needs to be put out to pasture. ‘Talking a good game’ becomes transparent over time and you can already begin to see a natural attrition of the larger security vendors as they struggle to remain relevant because their products haven’t embraced the mobile user market. The act has stayed the same but the audience has moved on.
Cyber security needs to be as progressive as its adversaries, if not more so. There is a clear market need for flexible solutions to manage and control cloud access, monitor hybrid-cloud threats and deploy agile multi-factor authentication processes for the socially mobile user.
Where there’s a device, there’s a way
If you’re going to employ a user-centric approach to security, then you need a 360° view of their behaviors. A ‘follow the user’ model, in principle, allows companies to understand their employees whilst keeping a friendly, secure and vigilant eye on them.
This isn’t a big brother approach to security, in fact it’s quite the opposite. It’s a secure business and productivity enabler at its absolute optimum.
It’s also the first meaningful step towards a security approach that thrives on visibility. The introduction of simple, unified dashboards that both management and security professionals can use enables rapid detection of anomalies and irregular behavior patterns.
If you extend that to include policies that control cloud application use, set at a granular level based on the individual role, the device being used, the network connected to, specific functions within the application and the location of the user, you are both one step ahead in protecting the user in real time and making the bad guys’ job more than a little bit challenging.
It’s a (secure) walk in the park
It’s interesting to look back on the rise of companies such as Amazon who unquestionably continue to pioneer online shopping. They understood the needs of their market and left the biggest high street names in retail history choking on their dust, wondering what hit them and destined to play catch up for the foreseeable future.
Online shopping had been done before but Amazon took the time to understand the changing needs of their audience, created a technology platform to deliver what they needed and then made themselves ridiculously easy to do business with, all traits not naturally associated with the security market. That has to change and we’ve already begun to define and deliver what that looks like.
The days of ‘spot’ solutions to protect against one kind of threat vector have earned their place in history; they’re also redundant in today’s real world. Much like a dodgy water leak, plugging one hole isn’t going to replace an already vulnerable pipe if it’s fit to burst. Water will always find the quickest route, as will the loss of data, intentional or otherwise.
Understanding users, in fact scratch that, human behavior is the cornerstone of creating contextual, relevant security that can enable and protect in equal measure… and the good news is, some of us are already there.