(Updated 10/12/20) Perimeter-based security strategies have been the starting point for cybersecurity programs for decades because of the nature of the on-prem IT infrastructure that powered work. Network, endpoint and access management solutions helped secure the boundaries of the enterprise and keep bad actors out of protected spaces like corporate servers, offices and endpoints. As a result, perimeter-based security technologies became standard line items in the budgets for enterprise IT.
The cybersecurity world has changed forever. The forces of digital transformation have been rapidly reshaping the nature of work, and the threat landscape with it. Ubiquitous network access and enterprise mobility enable people to conduct their work nearly anywhere. SaaS applications and cloud file sharing have changed the nature of enterprise computing and collaboration. Enterprise data, information and workflows are now far more distributed than when they were managed from on-prem resources.
Beyond technology shifts, the nature of the enterprise IT user base has shifted. We see increasing reliance on contract-based workers. We see sharing of IT resources extending across supply chains with trading partners accessing shared infrastructure. We see outsourcing of key services requiring extension of critical application access going well beyond the employee base. These shifting IT usage patterns mean users are not always employees with the level of implicit trust of traditional employee-employer relationships.
And as we know, we now live in a work-from-home world.
All of these cybersecurity trends have conspired to give rise to a new paradigm for enterprise cybersecurity. Today, the focal point is people, not the technology stacks we use to get work done. People are the ultimate security perimeter—for better and for worse. A well-trained, well-meaning user is an enterprise’s best defense. An untrained or maliciously motivated user with authorised access to enterprise resources poses a distinct threat vector with an enormous attack surface. Phishing works. Targeting cloud-based filesharing works. Recognising this reality, modern cybersecurity programs need to think about people-centric security strategies in addition to traditional perimeter and access control security. Let’s unpack people-centric security further.
The Role of People-Centric Insider Threat Management
Trusted users with access to critical data, resources and infrastructure pose unique challenges for security teams. The emergence of insider threat management (ITM) programs and purpose-built ITM technologies came in response to growing appreciation for this unique cybersecurity challenge: how to protect an organisation’s people perimeter.
High-profile examples of insider-led security breaches are easy to find with a simple internet news search. We have seen millions of dollars of digitised intellectual property exfiltrated via a USB stick in a departing employee's pocket. We have seen massive unintentional leaks of consumer credit card information when databases stored in the cloud were left unprotected. We have seen state-sponsored actors embedded within organisations stealing intellectual property and improperly using resources to conduct espionage.
That said, while malicious examples of insider threats are most visible and often make for the most compelling headlines, far more common is the case of the accidental insider threat: negligent users improperly managing data, resources or infrastructure. Whether malicious, negligent or compromised, insiders represent security risks that cannot be effectively managed by traditional perimeter-based security technologies.
The Power of Context Amid Emerging Cyber Trends
A key challenge to securing the human perimeter is that people cannot be accurately described by just looking at their activity logs. Understanding people requires understanding intent. Understanding intent means understanding context. People-centric security technologies need to capture complete, contextual information and provide powerful tools to analyse three categories of context:
- Data Context: Trusted users have access to sensitive data—whether structured or unstructured. Protecting data starts with understanding the context of user interaction with it. Where does protected data rest? Who should be accessing protected data? What are appropriate means to move/copy/communicate the data? If anomalous data movement or interaction is detected, what was the context of the event?
- User Context: People do not always act predictably. We get creative to accomplish tasks more efficiently. We work at the speed of the modern business, sometimes without regard for the security implications. This is why understanding the context around anomalous work patterns (e.g., application interaction, web activity, and more) is fundamental to quickly differentiate between harmless and concerning activity.
- Threat Context: Not all users have the same threat profile. Certain users may have an escalated threat profile based on recent behaviour. Certain non-employee users may be subjected to higher levels of scrutiny (e.g., third-party contractors and vendors). Certain users may have access to highly sensitive data (e.g., wire transfer services and consumer credit information). Certain users may warrant higher levels of concern (e.g., those recently terminated, on HR performance plans, frequently attacked by outside actors, and prone to clicking on phishing links). Understanding which users present a higher level of risk, including when and why, can enable more informed decisions.
People-centric approaches to security need to be aware of all three kinds of context as these cyber security trends continue to develop. Collecting and organising relevant context related to data, user activity and threat profiles enables security professionals and their business partners (e.g., HR, legal, compliance, and line of business managers) to make informed decisions around security concerns without drowning in data logs and alerts. ITM in particular requires a people-centric approach, enabling security teams to detect and respond to potential threats faster.
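To make the three categories of context concrete, here is an added example in Python. It is not code from this article or from any vendor's product: it is a small triage routine that scores constructed file-copy events against a data inventory (data context), per-user volume baselines (user context) and per-user scrutiny flags (threat context), and returns only the events worth an analyst's time. The file paths, department names, channel names, scoring weights and the `Event` fields are all assumptions made for the illustration.

```python
"""Context-enriched triage of file-copy events (added illustration; all data constructed)."""
from dataclasses import dataclass

# Data context (constructed): classification of each protected file and the
# departments expected to handle it.
DATA_INVENTORY = {
    "/shares/finance/wire_instructions.xlsx": {"class": "restricted", "owners": {"finance"}},
    "/shares/eng/customer_export.csv": {"class": "confidential", "owners": {"eng"}},
    "/shares/marketing/brand_guide.pdf": {"class": "public", "owners": {"marketing", "finance", "eng"}},
}
# Data context (constructed): channels the policy accepts for moving files off a share.
APPROVED_CHANNELS = {"corporate_onedrive", "print"}

# User context (constructed): department and typical daily copy volume in bytes.
USER_BASELINE = {
    "alice": {"dept": "finance", "daily_bytes": 5_000_000},
    "bob": {"dept": "eng", "daily_bytes": 50_000_000},
    "carol": {"dept": "marketing", "daily_bytes": 2_000_000},
}

# Threat context (constructed): signals that raise scrutiny for a user.
THREAT_PROFILE = {
    "alice": {"contractor": False, "notice_given": True, "phish_clicks_90d": 3},
    "bob": {"contractor": True, "notice_given": False, "phish_clicks_90d": 0},
    "carol": {"contractor": False, "notice_given": False, "phish_clicks_90d": 0},
}


@dataclass
class Event:
    ts: str
    user: str
    path: str
    channel: str
    size: int


def score_event(ev, inventory=DATA_INVENTORY, baselines=USER_BASELINE,
                profiles=THREAT_PROFILE, approved=APPROVED_CHANNELS):
    """Return (score, reasons) for one copy event, layering the three contexts."""
    score, reasons = 0, []
    meta = inventory.get(ev.path)
    base = baselines.get(ev.user)
    threat = profiles.get(ev.user, {})

    # Data context: what was touched, by whom, and over which channel.
    if meta is None:
        score += 5
        reasons.append("path not in data inventory")
    else:
        if meta["class"] == "restricted":
            score += 40
            reasons.append("restricted data")
        elif meta["class"] == "confidential":
            score += 25
            reasons.append("confidential data")
        if base and base["dept"] not in meta["owners"]:
            score += 20
            reasons.append(f"{base['dept']} is not an owning department")
    if ev.channel not in approved:
        score += 15
        reasons.append(f"unapproved channel {ev.channel}")

    # User context: is the volume far outside this person's own baseline?
    if base and ev.size > 3 * base["daily_bytes"]:
        score += 20
        reasons.append("volume exceeds 3x daily baseline")

    # Threat context: signals that justify a closer look at this user.
    if threat.get("notice_given"):
        score += 20
        reasons.append("user has given notice")
    if threat.get("contractor"):
        score += 10
        reasons.append("third-party contractor")
    if threat.get("phish_clicks_90d", 0) >= 2:
        score += 10
        reasons.append("repeat phishing clicker")
    return score, reasons


def triage(events, threshold=50):
    """Score every event and return those at or above the threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"user": ev.user, "path": ev.path, "channel": ev.channel,
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample log: four file copies that look much alike in a raw event stream.
SAMPLE_EVENTS = [
    Event("2020-10-12T09:01", "alice", "/shares/finance/wire_instructions.xlsx", "usb", 200_000),
    Event("2020-10-12T09:05", "bob", "/shares/eng/customer_export.csv", "usb", 400_000_000),
    Event("2020-10-12T09:10", "carol", "/shares/marketing/brand_guide.pdf", "personal_gmail", 1_000_000),
    Event("2020-10-12T09:15", "bob", "/shares/eng/customer_export.csv", "corporate_onedrive", 30_000_000),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['score']:3d} {hit['user']:6s} {hit['path']} via {hit['channel']}")
        for why in hit["reasons"]:
            print("     -", why)
```

Run stand-alone, only two of the four copies surface: the departing, repeatedly phished finance user moving a restricted spreadsheet to USB, and the contractor moving eight times his usual daily volume to USB. The copy to personal Gmail, which a channel-only rule would flag first, scores low because the file is public, and the two identical-looking copies by the same engineer rank very differently once channel and volume are read against his own baseline. The weights are arbitrary; the point is that each context layer contributes a reason string, so the analyst sees why an event ranked where it did rather than a bare score.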
People-centric Security
Effectively guarding the modern, post-perimeter enterprise requires a different security paradigm. People work differently today than they did years, months or even weeks ago. We work from all sorts of locations, all around the globe, and cyber threat trends will follow suit. We collaborate across geographic and political boundaries. We exploit productivity tools and find creative ways to get more done, faster and better. Sometimes we mix business and pleasure, and the boundaries between a “work” device and a “home” device often disappear altogether. Most of the time, our hearts are in the right place. But all of these changing dynamics introduce complexity to the security equation.
As the nature of work continues to change, people need to become the center of our security strategies.
As such, security paradigms must evolve to protect individuals, who largely mean well and deserve privacy, while also safeguarding the organisation's intellectual property, critical resources and brand reputation. As security teams rethink their strategies and refresh their technologies for the new decade, people-centric security solutions, including insider threat management, will play a central role in protecting the modern enterprise.