Search
Close this search box.

We are creating some awesome events for you. Kindly bear with us.

Fighting cybersecurity threats through User Behaviour Analytics and Defense in Depth approach

Fighting cybersecurity threats through User Behaviour Analytics and Defense in Depth approach

OpenGov speaks to David Barton, former Chief Information Security Officer at Forcepoint LLC (Mr. Barton is a former CISO of Forcepoint, as of re-publication date of 27 October 2017; the interview was originally published on 21 November, 2016). Mr. Barton has over 20 years of experience in security leadership roles across a variety of industries including telecommunications, healthcare, software development, finance, and government.

Mr. Barton presents the lay of the land for cybersecurity in a wide-ranging discussion. He talks about the risks from IoT, insider threats, ransomware and three different types of external threats. He also explains User Behaviour Analytics and Defense in depth approach as measures for building a comprehensive and robust security system.

Can we start by talking about the cybersecurity landscape in the public sector in the US?

In the US the threats are consistent with the rest of the world. And it is not just the public sector, it is all sectors. We are seeing upticks in malware, ransomware, insider threats. When I talk to my colleagues around the world, we see the same threats. We are facing the same issues.

In the public sector, you might have some data that is more attractive to the adversary than in the private sector. Public sector probably has more people-oriented data in areas such as healthcare and national identifiers versus the private sector, where you are dealing more with intellectual property. But both are facing the same threats.

The difference that I see is in the level of maturity of organisations in different parts of the world. It’s not the threats that are different. It is the maturity of the security organisations in responding to those threats.

The organisations in the US or Europe might be more mature, compared to firms or agencies in South America or Asia. But I see increased investment in security, which means the maturity of those organisations is improving.

What are the factors which determine the maturity of an organisation with regards to security?

 Maturity boils down to a heightened sense of awareness.
         
         
         

During the last 5 years, the number of giant attacks or breaches we have experienced in the US has driven probably more investment per capita than you see in South America or Asia. Incidents like the leakage of the nuclear submarine in India recently, 22,000 pages of technical documents, would increase investment over time.

What are the cybersecurity concerns when it comes to Internet-of-Things (IoT) and Smart Cities?

Probably the best way to describe it is imagine you are on a two-lane highway and there’s one car every minute. Now on that you have gone from two lanes to eight lanes and on every lane you have cars bumper-to-bumper, rush-hour traffic. The cops will have a difficult time finding the drugs in the one car because of all the other cars around.

 IoT is adding so many cars to the network that it is going to be more difficult to find the bad guys in all the noise. The second thing is that most IoT companies aren’t focused on security.  
         
         
         

There have been instances of video baby monitors in the US being hacked. Now the bad guys are watching you walk around your house. Privacy concerns get trampled into the dust, when bad guys go and steal video from your nanny cam.

Smart Cities need to do due diligence upfront to make sure they are deploying IoT devices that have security baked into them. They have to avoid buying the cheapest traffic camera.

It makes the lives of our citizens easier but on the flip side if you don’t think about it and do it right upfront, you are introducing risks.

Insider threats seem to be huge concern at the moment. Can you tell us about them?

Two years ago, insider threats were not talked about anywhere. This year, everyone is talking about it. The challenge you face as a practitioner is trying to decide who’s an insider. Is it someone that works for you? Is it someone who has access to your network?

 You have multiple categories of insiders. You have people who unintentionally do bad things. They make mistakes.  That might be preferable to the malicious insider, who is trying to take your data.

 In our conversations with colleagues around the world, we have encountered people getting jobs in companies for the sole purpose of stealing data.

Once a bad guy gets into your network, he or she appears to be an insider. So, I don’t always differentiate between someone outside your network or inside because they both look the same. The challenge that we have is understanding the behaviour are they exhibiting. Is that behaviour normal and reasonable for their job?
         
         
         

When I think about ransomware or Advanced Persistent Threats (APTs), I think the only way to stop those in the future in understanding behaviour. Because they all exhibit some form of behaviour and when it is outside of the norm, then we can take action.

How is user behaviour tracked and analysed?

It is all about User Behaviour Analytics or UBA. It is one of the buzzwords we are going to hear a lot in the coming days. That’s a function of understanding the behaviour of the user and when the behaviour changes to outside of the norm, then taking action. 

 For true UBA, you need to build a baseline, what does your normal day look like. If you build that over a period of 15-30 days, you figure out what the normal is and when the behaviour changes, you can generate alerts or take appropriate action. 
         
         
         

Does Remote Access have a role to play in insider threats? 

Remote Access takes you from your home network or your hotel network to being an insider to your work network. The bad guys are doing the same thing. They may or may not be using your VPN, depending on how good they are. Ultimately when they connect to your network, they are looking like they are local. They look like they are down the hall. With remote access, you need to make sure that you have got tools monitoring the behaviour of remote employees, just so you can tell the difference between what normal looks like and and what abnormal looks like. 

Ransomware has emerged as a major threat. Can you tell us about it? 

I have seen statistics which say that by the end of 2017, ransomware would generate close to a billion dollars in revenue. That’s a huge incentive for bad guys to continue to do it. 

A hospital in the US got hit by ransomware and all their patient record systems were encrypted. They had to turn away patients and ambulances on the way to the hospital. 

It’s difficult because there is always a human element. Even if we do all the training, they can still click on links or respond to emails. 

 There are 200 million emails in a minute on the internet. Around 98% is spam, with malicious links and attachments. Your hope for APTs and ransomware is that you have tools in place to detect the behaviour changes and take required action, such as stopping the machine, disconnecting it or anything else, in time to keep that ransomware from going any further. 
         
         
         

Tools like privileged account management might also help. If none of your people have admin rights, then ransomware is hard to execute. But without UBA it will be difficult to stop ransomware. 

The other challenge is patching. If we are not patching, we will get ransomware. It has to be controlled and delivered by IT admin because users will not do it. Fifteen years ago, there were two worms, Code Red and Nimda. Those are still out there. People at home who own those machines don’t know it and don’t know they have to clean it up. 

How do you think security policies can be enforced better and employee compliance improved? 

 Enforcing policy without technological controls is tough. Every good security program has a component that says we are going to teach our employees, on a periodic basis. We call it security awareness. 
         
         
         

Every good program puts out messages on a periodic basis in front of your employees saying don’t click on links, don’t share your passwords, make sure you pull the door shut. You want to get all of these security awareness topics in front of your people every month and you want to hold them accountable on an annual basis to take a computer based training focused on information security. 

If you do those things and follow up with controls that monitor behaviour, that block access, that prohibit data from leaving your organisation that you don’t want to leave, I think while you cannot solve everything, you can get close. 

What’s your take on data classification and challenges with it? 

Data classification is a tough conversation for most companies. First of all, they don’t know where all their data sits. Then they don’t know what’s in that data in most cases. Without a data classification program, you can’t enforce policy. The challenge for every practitioner I know is, where’s the data at and then once I find it, how important is the data. 
         
         
         

Once you have a program and you have figured out a classification scheme, how do you then go and programmatically find the data and associate a level with that data. 

At Forcepoint, we do some of that work. We have security partners in Asia that help us do that. We run a discovery tool that goes and finds the data. Then with a classification scheme, we tag that data. Once you are able to tag it, then you are able to put controls around it. For example, if this file has credit card data and is considered sensitive, then your security controls can block it. 

Companies worldwide struggle with this, even in countries with higher security maturity levels. It is not geography-specific. It’s just difficult to do. But if you become good at it and it becomes part of your everyday process, then the risk profile for your company goes down drastically. 

What are the major motivations you see for external cyber hacks and where do they originate from? 

For the last 5-10 years, there have been three groups of external threats. The two that we are most concerned about are organised crime and state-sponsored hacking. The third is the hacktivists, the hackers who are trying to change social policy. At the end of the day, organised crime is after your data to make money. State-sponsored hacking is mostly to steal data, to steal intellectual property. 

What should governments be focusing on in terms of cybersecurity? 

There’s a philosophy in security called ‘Defense-in-depth’. It means that we focus on many different areas to hopefully catch and prevent the bad guy from getting to our data. If all I focus on is the organised crime angle, I am going to miss something. If government only focuses on hacktivists, they might miss organised crime stealing citizens’ private data. If they look at only next generation firewalls and APTs, they could miss something by not looking at log data. 

 What we should focus on around the world, is getting the security teams, their policies and programs to a higher maturity level. We still may not block everything, because the adversaries are funded, organised and incentivised. But that’s our challenge.
         
         
         

PARTNER

Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.

PARTNER

As a Titanium Black Partner of Dell Technologies, CTC Global Singapore boasts unparalleled access to resources.

Established in 1972, we bring 52 years of experience to the table, solidifying our position as a leading IT solutions provider in Singapore. With over 300 qualified IT professionals, we are dedicated to delivering integrated solutions that empower your organization in key areas such as Automation & AI, Cyber Security, App Modernization & Data Analytics, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Renowned for our consulting expertise and delivering expert IT solutions, CTC Global Singapore has become the preferred IT outsourcing partner for businesses across Singapore.

PARTNER

Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit www.planview.com.

SUPPORTING ORGANISATION

SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.

PARTNER

HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 

PARTNER

IBM is a leading global hybrid cloud and AI, and consulting services provider, helping clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,800 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently, and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity, and service. For more information, visit www.ibm.com