We just launched something new today and we’re calling it Adaptive Trust.
Now that might sound like a marketing catchphrase, but Adaptive Trust is not a buzzword, it’s a different way of thinking about protecting your organization. With people now being the primary attack vector, companies need to build the context of individuals and respond in an intelligent way using this context with precise automation.
Let me unpack why Adaptive Trust is important for the future of the security industry.
Adversaries Target People, Not Devices Or Networks
Hybrid work has jolted security teams into understanding what distributed companies have known for over a decade—it’s about people, not perimeters.
For the last 20 years, security teams have struggled to build security visibility into devices and networks. But in a work from anywhere environment where their staff are working from different locations, different machines, and different applications, it’s exploded in difficulty. This is particularly true as applications have moved to the cloud and identities are the asset attackers are vying for.
This is no more apparent than when you look at the 2023 Verizon DBIR that says 74% of breaches involve human error and almost half of breaches involve account compromises. Further data from Elevate Security research also shows:
- Last year saw a 2.5x increase in attacks against privileged users
- 82% of delivered phishing emails target 5% of employees
- 92% of malware events come from 3% of users
Not only are attackers going after people, they’re going after specific people. Security teams must understand who those individuals are and get in front of those threats.
Context is King Across Disparate Systems
A 2022 Ponemon report says dwell time for an attacker is 212 days before the incident is identified and another 75 before it is fully contained. That’s not a great showing by security teams who have spent hundreds of billions of dollars on security technology only to find themselves still playing whack-a-mole.
By focusing on people and not perimeters, we can start by building a dynamic system of record across three key areas:
- Actions: Behavioral profiles of individuals
- Attacks: Adversary tactics in how they target individuals
- Workforce Context: Everything about who the person is (from start date to role, to applications they have access to)
Using those three factors begins to build a full picture of an individual and cohorts similar to them. The hardest part in doing so is needing to create this from disparate systems across email, web, endpoint, HR, identity, and potentially more.
But we can start with the four that we find most effective:
- Email Security Gateways
- Endpoint Detection & Protection software
- Web Gateways
- Identity Providers
These four security technologies give significant insight into the three categories above, building adversary profiles against individuals, behavioral profiles of employees and other workforce context necessary to identify identity and other risks.
Responses Should Use Scalpels Over Chainsaws
Speaking to many security teams, automated responses based on security telemetry can be tricky to pull off. I’ve seen some security teams YOLO based on signals and take actions like quarantine devices or lock individuals out of the network. The reality though is that there’s a lot of gray area in automated response and it requires much more of a scalpel than chainsaw. Not doing so will perpetuate the whack-a-mole cycle of cleanup.
Device quarantines or network lockouts wouldn’t be appropriate responses in situations like these:
- A senior engineer has risky behavior pretty continuously, isn’t malicious, but you need to protect them
- Your CFO is the most attacked person in your company and one day you see a suspicious login from an unusual location
- A contract IT help desk employee triggers some high confidence DLP events a day before their end date
In those cases, there’s risk signals, but each of these (and we could come up with hundreds of others) require very specific responses.
Scenario one can be solved by requiring stricter security technology policies and deeper monitoring applied to the engineer. The second scenario could be solved by automatic session revocation, password reset and conditional access policies requiring stronger authentication. The last scenario could be solved by device quarantines, but what about SaaS applications? And shouldn’t you be proactive about it given the context (access and end date)?
The point of all this is, context about people gives you the ability to use a scalpel in your responses instead of using chainsaws. We’re past basic responses and need precision in how we proactively protect identities and how we respond.
Enter Adaptive Trust
So Adaptive Trust is a different way of thinking about protecting your organization. People are now the primary attack vector. Companies need to build risk context for individuals, and respond in an intelligent way using this context to drive precise automation.
But Adaptive Trust requires more than just a new way of thinking. It requires security technology to be open and connected with data available to gain insights and take action available in near real-time.
Elevate’s taken the approach by building a better together solution across the Microsoft security stack that also plays nice with others by offering outbound integrations to technologies such as CrowdStrike, Splunk, and SailPoint.
Customers of Elevate have seen up to a 70% reduction in phishing, account compromise, and data loss events. Taking a people-centric, adaptive approach to security has huge payoffs in reducing security risk and helps focus your security team on protecting what matters—your people. Get in touch with us to learn more.