Elevate Security

Solutions

Use Cases

Security Awareness & Human Risk Management
For Security Awareness professionals, Elevate Security helps you engage employees to become your best defenders. By deeply understanding the behavior of each individual, Elevate helps you make better decisions for protecting your organization, and fostering a culture of security accountability.

Security Operations & Case Management
For Security Operations (SecOps) professionals, Elevate Security reduces operational burdens on the SOC resulting from high-risk user generated incidents. By injecting individual risk data into SecOps policies, tooling, and controls automation, you'll free up resources to fight real adversaries, strengthen workforce safeguards, and improve response efficiencies.

Identity & User Risk Authentication
For Identity and Access Management (IAM) and Identity Governance and Administration (IGA) professionals, Elevate Security provides proactive protection against workforce cybersecurity risk by applying the unique risk each user represents as a conditional factor in the authentication and access governance review processes.

Products

Elevate Engage
Actively deliver personalized feedback nudges, scorecards, and direct targeted training based on individual computing behaviors and current security risk.

Elevate Control
Inject user risk intelligence into security operations tooling and processes to accelerate incident triage and response, enable better help desk decision making, and automate controls for risky individuals.

Elevate Identity
Inject user risk intelligence into IAM and IGA systems and processes as a conditional factor for authenticating or revoking system access, and enhancing access governance workflows.

Use Cases

Security Awareness & Human Risk Management
Security Operations & Case Management
Identity & User Risk Authentication

Products

Elevate Engage
Elevate Control
Elevate Identity

Resources

Partners

Partners

Technology Partners
Value-Add Partners

Company

Company

About Elevate Security
Why Elevate
You: Elevated
In the News
Press Releases

Careers
Awards & Recognition
Contact Us

About Elevate Security
Why Elevate
You: Elevated
In the News
Press Releases
Careers
Awards & Recognition
Contact Us

Support
See a Demo

Search
Our Category

What is Human Attack Surface Management?

Robert Fly

Human Attack Surface Management

This post is an introduction to Human Attack Surface Management, a new cybersecurity approach to managing workforce security in the enterprise.

Elevate Security was founded for some very simple reasons. 

We’ve spent millions upon millions of dollars on security tools and technology, only to find they simply discover more problems without truly decreasing risk for our enterprises to an acceptable level.

As we dig into the root cause of alerts and incidents, year after year, what we find is a similar story. Our technology investments are not living up to their promises, and almost all of our incidents are still due to human error.

An end user makes a mistake online. Cyber defenses fail. Bad actors attack. Cybersecurity incident occurs. Bad things result. Rinse and repeat.

How have we progressed as an industry over the last decade or so? Well, let’s look back to 2011:

  • Globally, the security industry was spending $55 billion a year on technology.
  • 300+ security companies
  • The very first Verizon DBIR was published that year. Phishing and malware dominated the report.
  • 667 breaches confirmed

Now fast forward to 2021:

  • Global security spend is expected to be $230 billion
  • 3000+ security companies
  • The most recent Verizon DBIR is published. Phishing, malware, passwords and other issues dominate the report.
  • 5,250 breaches confirmed

What’s changed? We’ve spent more than 4x on security, saw vendors solving security problems grow 10x too, and suffered nearly an 8X increase in breach incidents! 

What hasn’t? The same root causes of incidents from 10+ years back. If I were on a board of directors and saw that return on (a massive increase in) investment, I’d be extremely skeptical.

Clearly, cybersecurity has not made the progress as an industry we would have hoped.

Cybersecurity Isn’t Focused on People

At a very fundamental level, the job of cybersecurity is to protect two things: data of course, but also people. Yet our industry of late has argued (and sold myriad solutions) focused on protecting networks, applications, email, endpoints and other systems. 

The current cybersecurity vendor landscape has failed us for this simple reason: it’s lost sight of why security teams exist. It has gotten us wrapped up in the latest whiz-bang features and capabilities, chasing the latest technology shifts. “Wow! Look over here! We’ve got AI and machine learning!” Vendors do it all in the name of making money, but have missed the mark on reducing risk for the things you should be protecting.

Humans. Data. Don’t lose sight of that.

Because in a world awash in constant threats, we can feel like we’re running on an infinite hamster wheel. We have constant pressure to increase our security capabilities against an enemy who has a distinct advantage over us. It feels like we’re in a race we can’t win. Sometimes we wish we could just pause and catch our breath! 

Someone needed to hit the reset button. That’s one reason why we started Elevate.

Cybersecurity is Causing Business Friction

The 2021 Verizon DBIR proves that human error currently accounts for 85% of breaches. 

Because of this, cybersecurity puts a lot of emphasis on protecting our end users from themselves. In fact, we’ve added layers of security to every way they could screw up, from identity to access, browsing to email. The aim of all these tools is to make it more difficult for your workforce to make mistakes. But, it’s often a one-size-fits-all approach to security controls.  

The problem is, every time we add another layer of protection, we add FRICTION to the employee, supplier or contractor who is just trying to get their job done. That 10x increase in spend over the last decade has added a LOT of friction to the average enterprise. 

A recent research study tracked a 450% increase in end uers intentionally circumventing security controls with the shift to remote work since 2019. Getting anyone in your workforce to admit they do it is something else entirely.

Security teams have become known as the “Office of No”, a dreaded part of the organization that impedes business efficiency. Maybe even more dreaded is that we’re constantly trying to train security into users, expecting that one more video will make the difference. Security training programs and phishing simulations are often regarded as, at best, annoying and at worst, punitive. Our recent report with Cyentia Institute proved them ineffectual at delivering the behavioral change they promise. Once again, it’s a one-size-fits-all approach.

There is a better way to approach this human error problem. One that thinks not in terms of one size fits all tools, technologies, and training, but rather in terms of truly understanding and mapping human risk to business risks. We then need to work on enabling the right sized controls for a given end user at a given time – think Zero Trust for your workforce with custom fit controls. If we can drop these one-size-fits-all approaches, then the security team can be seen as a business enabler that values speed and efficiency as much as the rest of the enterprise. 

Someone needs to eliminate the friction. That’s another reason we started Elevate.

What Is the Human Attack Surface?

The mapping of human risk can be expressed as the human attack surface. Human attack surface is the sum total of people’s actions, access, and security controls that impact an organization’s risk. 

Let’s examine this definition, because each word holds significant meaning:

  • People – full time employees, part-time, contractors, trusted suppliers, seasonal workers, third party vendors
  • Actions – what good and/or bad decisions do these people make on a daily basis that improves or hurts your organization?
  • Access – what systems and data do they have access to? What levels of access do they have?
  • Security Controls – what inherent controls does your organization deploy (or not) that impacts the effectiveness of attack vectors aimed at people?

More deeply it’s about understanding that each and every end user is an individual whose good or bad decisions impact security according to the specific level of access they enjoy. Each successive mistake by a risky human increases their blast radius on the human attack surface, and the individual controls needed to contain them. Controlling for the riskiest people helps to mitigate your organization’s overall level of human risk. 

This is both a broad and deep challenge.

Discover more about the unique capabilities of Human Attack Surface Management.

Share This

Robert Fly

Led security and engineering teams at Salesforce and Microsoft. Picked up first hacker magazine at age 9.

Decoding the Most Common Social Engineering Attacks: Pretexting, Phishing & More

Over the years, hackers have turned away from trying to break through firewalls in favor of a much broader and accessible attack vector: the human […]

Read More

Stop Dancing With Risk And Start Driving User Cyber Behaviors With Andre Russotti

Matthew Stephenson interviews Greg Silberman to delve into the world of risk and privacy and discuss whether it’s possible to choose one over the other.

Read More
Pretexting Demystified: Decoding the Human Element of Cyber Attacks

Pretexting Demystified: Decoding the Human Element of Cyber Attacks

The landscape of cybersecurity threats is vast. But one tactic stands out for its clever manipulation of human psychology: pretexting. Pretexting has doubled since last […]

Read More

Get Started Today

Quantify risk across the organization, and identify areas where increased safeguards and processes are needed to reduce your risk profile and protect your team.
Book a Demo
>