Dinner With An Entree Of Phish, Side Of Ransomware, & Data Loss For Dessert
Last year, I hosted dozens of security executives for dinner, and this conversation, verbatim, happens every time.
Me: How big of an issue is employee risk?
Exec: Huge—my SecOps team spends so much time cleaning up after employee mistakes.
Me: Now that employees are more distributed and targeted than ever, what are you doing to better protect them?
Exec: Well, we have some new training. It’s better than what we had, and we do quarterly phishing simulations.
Me: Are those working to reduce that risk?
Exec: Hmmm… probably not. I mean folks are completing training and the phishing sim click-throughs are down. But, as far as really reducing risk, I don’t think so, but I don’t know.
Me: Ok, if you had a magic wand, waved it, and your employee risk was dramatically reduced, freeing up your SecOps team, what would you have done?
Exec: Probably more training and more phishing simulations.
Me: But, you said you don’t think they work?
It’s sad to say that the last 20+ years of training requirements, created primarily by compliance mandates, have dragged the security industry into thinking that the only path forward here is training and simulations.
But, with 82% of breaches due to human error, incidents at F1000 companies costing $650k each, breaches costing $8.6m, and security teams feeling like cyber janitors for their workforce, we’re struggling.
If we don’t change course quickly, we’ll continue to drown in response work. It’s getting worse—within the last 6 months, we’ve begun seeing attackers targeting engineers at a 2.5x higher rate than they had previously.
I don’t think I’m going out on a limb here by saying:
Adversaries know your people better than you do.
Understand Your Employees Better Than Adversaries Do
In order to better protect employees, first we need to deeply understand their vulnerabilities *right now* and historically. The good news is security operations teams have direct access to the data to build that understanding. What we haven’t done yet is pull it together to derive intelligent insights about risk.
We built Elevate to define a comprehensive employee risk score using these key parameters:
- Actions: How is employee behavior impacting their security posture?
- Attacked: Who and how often are employees getting attacked?
- Access: What is the blast radius if they were to get attacked?
This—when coupled with data collected about an employee’s role in the organization like start date, manager, etc.—begins to paint a pretty clear picture of who is risky in an organization, and their specific areas of vulnerability. In most organizations, a tiny cohort of less than 8.5% of employees causes 80% of incidents. The trouble is they are scattered throughout the organization, and we just don’t know who they are until after something happens.
Context is king, and we now can paint a real-time picture of an employee’s risk—much better than an attacker could themselves. We can also take the next step in embedding this risk score in the tools our security operations teams use every day such as SIEMs to help with event and incident triage. This new understanding of user risk can also be delivered to case management and identity governance tools to help analysts with file and access approval decisions.
Intelligent, Adaptive, & Proactive Response
Your security operations team is also in a unique position to take action on employee risk. With a deep understanding of employee risk, we can move from a game of security whack-a-mole to a proactive and adaptive approach to security.
Think of this as an intelligent behavioral analytics solution: it identifies the likelihood of poor behavior before it actually occurs, adds deeper context, and applies automated security protections to stop the incident from occurring in the first place.
Have an engineer who is particularly risky and still needs access to crown jewels? Well, we can automate conditional access policies that apply device, browsing, and IAM restrictions. Work progresses unimpeded, while the organization stays safe.
Someone in Finance seeing an uptick in outbound C2 activity caught by your web gateway? Well, we can automatically block outbound traffic, quarantine a user’s device, and require MFA to access any services until an investigation takes place.
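The scoring model (Actions, Attacked, Access) and the two playbooks above can be sketched in a few dozen lines. The following is an added illustration written for this post, not Elevate's product code: the weights, saturation points, tier thresholds, control names and the sample employee directory are all constructed assumptions chosen to show the mechanics of combining the three dimensions into one score, surfacing the small high-risk cohort the post describes, applying proactive risk-tiered controls, and enriching a gateway alert with user risk for triage.

```python
"""Employee risk scoring with tiered, automated response (illustrative).

Added example for this post; not Elevate's code. Weights, thresholds,
control names and sample signals are assumptions, not measured values.
"""
import math
from dataclasses import dataclass


@dataclass
class EmployeeSignals:
    name: str
    phish_clicks_90d: int      # Actions: phishing clicks (real or simulated) in the last 90 days
    malware_events_90d: int    # Actions: endpoint detections attributed to the user
    attacks_30d: int           # Attacked: targeted messages caught by the mail gateway
    privileged_systems: int    # Access: crown-jewel systems the account can reach
    is_admin: bool             # Access: holds a privileged IAM role


# Assumed weights; a real deployment would fit these to its own incident history.
WEIGHTS = {"actions": 0.4, "attacked": 0.3, "access": 0.3}


def _clamp(x: float) -> float:
    return max(0.0, min(1.0, x))


def component_scores(e: EmployeeSignals) -> dict:
    """Normalise each dimension to 0..1 (saturation points are assumptions)."""
    return {
        "actions": _clamp(0.25 * e.phish_clicks_90d + 0.5 * e.malware_events_90d),
        "attacked": _clamp(e.attacks_30d / 10),
        "access": _clamp(e.privileged_systems / 5 + (0.5 if e.is_admin else 0.0)),
    }


def risk_score(e: EmployeeSignals) -> int:
    """Weighted sum of the three components, scaled to 0..100."""
    c = component_scores(e)
    return round(100 * sum(WEIGHTS[k] * c[k] for k in WEIGHTS))


def high_risk_cohort(employees, fraction=0.085):
    """Names of the top `fraction` of employees by score (the post's ~8.5% cohort)."""
    ranked = sorted(employees, key=risk_score, reverse=True)
    n = max(1, math.ceil(len(ranked) * fraction))
    return [e.name for e in ranked[:n]]


def response_playbook(e: EmployeeSignals) -> dict:
    """Proactive, risk-tiered controls applied before any incident."""
    score, c = risk_score(e), component_scores(e)
    if score >= 70:
        controls = ["require_mfa_all_services", "restrict_browsing_categories", "managed_device_only"]
    elif score >= 40:
        controls = ["require_mfa_privileged", "targeted_training"]
    else:
        controls = ["monitor"]
    # High-access users get conditional-access restrictions even at moderate scores,
    # so the engineer keeps crown-jewel access while the blast radius stays contained.
    if score >= 40 and c["access"] >= 0.8:
        controls.append("conditional_access_crown_jewels")
    return {"score": score, "controls": controls}


def triage_alert(alert: dict, directory: dict) -> dict:
    """Enrich a SIEM/gateway alert with user risk and choose a reactive playbook."""
    e = directory[alert["user"]]
    score = risk_score(e)
    priority = "P1" if score >= 70 else "P2" if score >= 40 else "P3"
    enriched = {**alert, "user_risk": score, "priority": priority, "actions": []}
    if alert["type"] == "c2_outbound":
        # Containment until an investigation completes: block egress, isolate host, force re-auth.
        enriched["actions"] = ["block_outbound_traffic", "quarantine_device", "require_mfa_all_services"]
        enriched["priority"] = "P1"
    return enriched


# Constructed sample directory (not real data).
DIRECTORY = {
    e.name: e for e in [
        EmployeeSignals("alice", 3, 1, 8, 4, True),
        EmployeeSignals("bob", 0, 0, 1, 0, False),
        EmployeeSignals("carol", 1, 0, 2, 1, False),
        EmployeeSignals("dave", 2, 0, 6, 0, False),   # finance, no privileged access
        EmployeeSignals("eve", 0, 0, 5, 5, True),     # engineer with crown-jewel access
    ]
}

if __name__ == "__main__":
    for emp in DIRECTORY.values():
        print(emp.name, response_playbook(emp))
    print("high-risk cohort:", high_risk_cohort(DIRECTORY.values()))
    print(triage_alert({"user": "dave", "type": "c2_outbound", "source": "web_gateway"}, DIRECTORY))
```

Two design points worth noting. The proactive playbook is driven by the standing score, so the high-access engineer ("eve", a moderate 45) still receives a conditional-access restriction rather than losing access outright; the reactive playbook for a C2 alert contains the user regardless of score, because the signal is already confirmed by the gateway. In a real deployment the `directory` lookup would be fed from HR and identity data and the score would be written back to the SIEM and case-management tools as an enrichment field.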
Empowering Your Security Operations Team
Gaining a deep understanding of employee risk, coupled with automated and proactive response playbooks, allows security operations teams to get in front of incidents, save time so they can do real threat hunting, focus and prioritize triage efforts, and deploy right-sized safeguards to the employees who need them most.
We’ve seen tremendous success with F500 companies using this strategy: a 20-50% reduction in incidents, improvements in key metrics like mean time to respond, and increased employee satisfaction. Employee security context embedded in your security control technology gives your teams the advantage they need to better defend your organization.