At Infosecurity Europe 2017, Information Age met with ZoneFox’s CEO, Dr Jamie Graves, to discuss the world of security. ZoneFox helps organisations protect their data against insider threats. Their AI-based tech provides 360-degree visibility of data flow – the who, what, where and when – by monitoring user behaviour and data movement both on and off the network, and instantly alerting to anomalous activities.
He discussed the evolving nature of insider threats, and how to spot them in an organisation. He also outlined what exactly companies need to do to protect themselves and how the insider threat could be avoided.
On top of this, Fox argued that those people that make up the board need to address security as they do other business risks. Having said that, he noted that vendors needed to do more to help explain the threats and the solutions to them.
What is your understanding of an insider threat?
There’s been a fascinating evolution of the classic idea of the insider threat. You’ve got the disgruntled employee maybe trying to steal information or has other interests. But really when you think about the insider threat nowadays, it’s purely about the human factor. So the individual who clicks on a phishing link, for example – the weakest chain in the link.
We speak to organisations all the time that have done phishing training, but they go back a couple of months and employees forget over time, because it’s not at the forefront of their memory. It really is us – the weak link between the keyboard and chair – and it’s helped us redefine what an insider threat is.
Previously, we weren’t thinking about doing much with ransomware within the organisation, but because of the prevalence of it we understand that’s a side effect of the insider threat, which is people who haven’t been trained, or have security at the forefront of their minds. This leads to various incidents. It’s the classic attacker vs defender dynamic where the attacker needs to be lucky once, and the defender needs to be lucky 100% of the time. Unfortunately, we [humans] are the weakest link in that chain.
With the ransomware attack on the NHS, that wasn’t a case of emails being targeted, so how are threats evolving? And how can the security industry tackle this?
That [the WannaCry attack] was a fascinating one. It made me feel a bit nostalgic, because it was actually a worm that attacked the NHS and other various unpatched systems as well. It took me back to the good old days of worms, which required very little human intervention other than the lack of the ability to patch a system. It’s fascinating to see that what will happen is that people will evolve attacks and then revert to old school attacks, because we’ve dropped our guard with that one.
As you’ll see downstairs, everyone is talking about the latest thing and what happens is, you look at a lot of the attacks on old advisories – maybe three or four years ago (or even ten years ago) – that people haven’t patched or have let their guard down in some way. In some respect it’s like a one-two punch from a boxer. You get the attack that you are expecting, but the hook in the face that you should have thought about but you were distracted by something else.
We see this in various areas where the main event needs to be distracting. It goes back to the old issue of do we have enough resources to be able to deal with these incidents, or not. Businesses will use a lot of resources in one area, and then miss the sneaky attack in the back in order to steal the ‘protected’ information.
In terms of the insider threat, how can companies mitigate the risk?
It’s a combination of factors. It’s your classic defence-in-depth philosophy where you’ve got controls aligned with good monitoring capabilities. But then that needs to be aligned with good training and awareness capabilities as well. So, one area that is starting to become interesting to me is how you teach people about security problems, and you see some fantastic organisations that have great in-house training. They do it on a periodic basis. They understand you have to repeat something 11 times before you remember it, which is a fair amount, and then you just keep reinforcing that message.
Again, it goes back to security as a culture. If your C-Level individuals don’t get it and don’t care about it, it’s going to spread through the organisation as well. So, consistent awareness of risk and understanding is crucial.
It’s difficult for larger organisations. If you think about the NHS, for example, if there was a proper insider threat there: how do you educate hundreds of thousands of people? It’s enormously difficult.
What is your product and how does it differ from other vendors?
We provide monitoring and analytics to provide insights into what the end user is doing with a company’s critical data. In the way that we’ve got solutions that will stop people from putting something onto a USB stick. That’ll be your classic control. Whether it’s a USB blocking capability or if someone has followed user training these will be able to give you these insights.
What we’ve been doing over the past 20 years is the same thing. We’ve just been putting lots and lots of controls in – and as you have seen it is not working, because we still have a lot of security issues. Part of that is that we are not monitoring properly what people are up to within the organisation itself.
For example, thinking about someone in engineering. ‘Alice is an engineer, and she has access to source code and is able to compile it. But Alice shouldn’t be putting it on USB sticks’. But these are really difficult areas to write policies for, because if you write a policy prohibiting Alice from doing some things, she might get really frustrated by it. She might try and find ways around it. So, there is an issue here of balancing security with productivity in a capability to actually do the job.
Where does the balance lie between bolstering security and improving productivity?
Security is like any other risk that a board has to deal with. I think we as an industry have relied too much on talking about technology, and say why don’t you handle security as a risk in the way you would with anything else [financial risk, operational risk]. Which is, you have your board-level KPI, the board-level interface that will update you and from there you will conduct and put together a culture in a business case to then address that risk.
You won’t go in and turn off all the USB ports, for example, or you won’t introduce an advancement SIM solution without doing a proper risk analysis, which is where is my low hanging fruit. Do I have data across all of my systems, or is it one key location that needs protection. Again, if we can speak to the board in terms they understand maybe that will reduce some of the fear or some of the misunderstanding about it, which is, traditionally security has been a blocker. But if you focus your attention on the low hanging fruit that’s when you can have a lot of good wins.
The security industry, looking at people here today [InfoSec], is showing some really exciting stuff. But there’s also some really boring stuff. I think some of us are doing a fantastic job of pushing the boundaries of the possible, but I think we also need to do a better job of educating people at boardroom level and making sure that they understand that security is nothing to be terrified of. And we’re here to help.
Have you seen more companies interested in your service as the GDPR deadline nears?
GDPR is an interesting one, and there are two kinds of people – those who are sick and tired of hearing it, and those who haven’t heard of it at all. Most of the people we have spoken to have heard of it and it is difficult to say whether the hype around it is going to be the new Millennium Bug or the new wave of PCI DSS-like stuff that needs to happen.
You certainly get that feeling from the way people are gearing up to it. There’s a definite feeling out there that some of the individuals are going to be compliant from day one, and others are going to ease into that compliance. Some people have been working on it and are ready for a solution this year. Others I think will wait until next year and try and show that they are on that path.
Security is not a destination, it’s a journey. And companies will show they are on that journey to get to that point of compliance. But I suspect there will be quite a few individuals who will be non-compliant and hope for the best when May 25th comes around next year.