Security has Failed, Analytics to the Rescue

Security has Failed.  A refreshing, and I believe honest, statement presented by Dr. Richard Ford, Chief Scientist of Forcepoint, when talking about the current state of traditional computer security.  Computers are complicated, and by their very nature they are a difficult landscape in which to separate the good from the bad, which is the core function of security.  Traditional computer security tools (anti-virus, firewalls, secure web gateways) are no longer an adequate way to draw these lines.  In the words of Dr. Ford, when it comes to the computer security playing field, "it is much easier to play offense than defense."


Can Analytics Help?

Realizing that traditional means are not adequate, Forcepoint is taking what they call a "human-centric approach" to security.  This approach seeks to understand normal human behavior as it relates to the flow of data in and out of an organization.  The goal is to become better at drawing the lines between the good and bad, allowing their customers to identify and respond to risks in real-time.  Rather than static definitions (firewall rules allowing system A and system B to communicate on a specified port), it is far more valuable to provide dynamic intelligence which incorporates both system context and user behavior into computer security decision making.  Forcepoint is working to provide this value through User and Entity Behavior Analytics (UEBA).

UEBA is what is referred to as the "Brains" of the Forcepoint suite of products.  UEBA allows a dynamic risk score to be calculated and assigned to users and computers through the use of data modeling.  Much like data modeling helps financial institutions determine if an applicant is at risk of default before approving or denying a loan, UEBA utilizes data modeling to determine the security risk of a given person and/or system.  The risk score calculated through these models is then utilized by the Forcepoint security products to make a more informed decision.

Of course, no two customer environments and policies are identical, so identifying system context and user behavior goes through a learning and training process.  Forcepoint states that the training of their data models to detect what is normal in a customer environment can be accomplished in days.  The UEBA models are purposely generic at their start and updated over time.  This flexibility allows for refinement of the models as new threats are presented within an environment.  Once in place, the models assist in distinguishing anomalies from normal activity and alerting on them.
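To make the idea of a generic starting model that is refined per user concrete, here is an added illustration (not Forcepoint's model or code): a running mean/variance baseline seeded with a generic prior, compared against a static threshold rule.  The metric (daily outbound MB), the prior, the thresholds and the sample data are all constructed assumptions.

```python
import math

class Baseline:
    """Running mean/variance (Welford), seeded with a generic prior."""
    def __init__(self, prior_mean, prior_std, prior_weight=1):
        self.n = prior_weight
        self.mean = prior_mean
        self.m2 = prior_std ** 2 * prior_weight  # sum of squared deviations

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self):
        return math.sqrt(self.m2 / self.n)

def risk_score(baseline, x):
    """Map how far x sits above the learned baseline onto 0-100."""
    z = (x - baseline.mean) / max(baseline.std(), 1e-9)
    return round(100 * (1 - math.exp(-max(z, 0.0) / 3)))

def static_rule(x, limit_mb=5000):
    """Fixed threshold, identical for every user (hypothetical limit)."""
    return x > limit_mb

# Constructed sample data: daily outbound MB per user during training.
TRAINING = {
    "analyst": [40, 55, 35, 60, 45, 50, 38],
    "backup-svc": [3900, 4100, 4000, 4050, 3950, 4020, 3980],
}

def train(history, prior=(500.0, 500.0)):
    """Start every user from the same generic prior, then refine it."""
    models = {}
    for user, days in history.items():
        b = Baseline(*prior)
        for mb in days:
            b.update(mb)
        models[user] = b
    return models

def evaluate(models, user, mb, alert_at=80):
    score = risk_score(models[user], mb)
    return {"score": score, "alert": score >= alert_at, "static_rule": static_rule(mb)}

if __name__ == "__main__":
    models = train(TRAINING)
    print(evaluate(models, "analyst", 3000))
```

In this constructed data a 3000 MB day stays under the static limit yet scores high for the analyst, while a 4100 MB day for the backup service account scores low because it matches that account's learned baseline.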


Having worked a number of years now in the data analytics space helping customers reduce the noise-to-signal ratio within their data environments, it seems obvious to me that analytics can provide immediate value to a 'failed' traditional computer security industry.

At What Expense

So if behavior-based analytics seems intriguing and scary to you all within the same breath, you are not alone.  Forcepoint is in the business of intersecting people and data, therefore they are very conscious of designing and creating solutions in which privacy and personal protection are a core focus.  Anytime you record, model, analyze and act on human behaviors, the topic of privacy must be understood.  The tradeoff between minimizing insider threats and protecting personal information is non-trivial.  While time did not allow us to dive into how privacy is implemented within the UEBA product, perhaps we can learn more in a future session.

Learn More

If you are interested in learning more about Forcepoint's computer security offerings or wish to view the entire UEBA Tech Field Day presentation, I have embedded the recording below.  This and other presentations can be found on the Tech Field Day website.

Disclaimer:  I was personally invited to attend Tech Field Day 16, with the event team covering my travel and accommodation costs.  However, I was not compensated for my time.  I am not required to blog on any content; blog posts are not edited or reviewed by the presenters or Tech Field Day team before publication.