CISOs spend more and more every year on cybersecurity solutions, only to be faced with the harsh reality that they are no better off than before. Verizon reminds us of this brutal truth every year – that the same types of attacks are still prevalent and the success rates often continue to rise – and the 2021 DBIR has no better news for us. And yet, the report dropped a huge hint about the attack vector we are not adequately addressing, but could make all the difference in the world.
“85% of breaches involved a human element.” The Verizon Report presents this casually right up front in the Summary of Findings, represented by the longest slanted bar on the page. This is not a shocking statistic to anyone in the industry, and I suspect most read right past that, as it is as obvious a statement as “85% of plants have green leaves”, probably thinking to themselves in both cases that the percentage is very likely even higher. What is shocking is that we can acknowledge such an obvious truth year after year after year, and continue to let it pass as a truism that we just have to live with.
Why have we in the cybersecurity community accepted this so easily, when we have doggedly pursued every other attack vector there is – email, endpoints, web, IoT, cloud apps, etc.? Amazing inventions continuously emerge from the startup community, touting creative new methods and even AI strategies to more rapidly identify when an attack is starting and how quickly it can be thwarted. Yet, other than training, none are addressing this human element, the users themselves that we employ and contract with to actually make business happen, who are clearly playing a massive (and mostly unwitting) role in the breach process.
It turns out that users are not so easily configured, monitored, or controlled as every other IT control point. We have yet to figure out how to install an agent and config file onto a user or push a user system update when the current one proves to be insecure. And how are we to know if they are pre-programmed to visit sketchy websites, sympathetic to Nigerian princes, or incapable of crafting a complex password? Users are perhaps the single most important component of our business machinery, but are simply not at all like any of the other control points IT is prepared to manage.
It’s not like we haven’t tried. But changing human behavior, and protecting our businesses from users rather than from their inorganic counterparts, is necessarily an indirect effort. There is a whole industry focused on Security Awareness and Training, with all sorts of educational and interactive content to inform users of “safe” ways to conduct business and of the nefarious exploits to beware of. But let’s face it: the best statistics available show a strikingly low correlation between participation in these awareness activities and real-life behavior (a 0–5% reduction in phishing failures), while the costs in lost productivity and in users’ goodwill toward security are not insignificant.
While I acknowledge that the solution to the problem of user risk is not an easy one (or it would have been solved years ago), I think that a logical approach will steer us to some useful conclusions and some hopefulness. Note that for this exercise I want to set aside malicious insiders for two reasons. First, they represent only a small fraction of user contributions to breaches, and second their methods are identical to malicious outsiders who have already gained access to an authorized account or sensitive assets. Now let’s proceed with thinking about the unintentional insiders that contribute to that 85% of breaches and how to protect them and our businesses.
There are three steps essential to successfully tackling this problem of user risk.
- Understand user roles and behaviors that contribute to increased risk, and how they impact the risk profile of an organization. Behavioral psychology plays a pretty big role here, but it’s a huge topic and outside the scope of this logical exploration. Suffice it to say that there are two primary modes of behavior we are interested in. The first is accidental or careless exposure of credentials and valuable assets, and the second is being tricked into helping an attacker carry out an attack (phishing, social engineering, ransomware, malware installation, etc.).
- Identify the specific users who impose significant risk upon the organization and explore strategies for effectively mitigating their risk without crippling overall productivity. In order to focus on the users contributing the most risk, there must be some sort of scoring system in place that takes into account not only the behaviors discussed in step 1, but also the level of access each person has to sensitive assets, and the degree to which each is attacked. A strong dataset and an educated approach to weighting all of the variables are essential in this step.
- Develop a layered strategy of actions (playbooks) necessary to effectively mitigate user risk and prevent user-initiated kill chains from starting. Actions should be targeted at the specific risky individuals and should be timely and appropriate to their actions and risk level, as opposed to the current ubiquitous one-size-fits-all approach. Playbooks should pull from a wide range of actions, from simple communication to users and managers, to initiating security administrator investigations and automating policy configuration changes.
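To make the three steps concrete, here is a small added example, not Elevate Security’s product or model, of how a user risk score might combine the two behavior modes from step 1 with access level and attack exposure from step 2, and then map the score to a tiered playbook as in step 3. The signal names, weights, thresholds and the sample users are all assumptions chosen for illustration; any real deployment would calibrate them against its own incident data.

```python
"""User risk scoring sketch: behavior x access x attack exposure -> playbook tier.

Added illustration only. The weights, saturation points and thresholds below are
assumed values, not a published or vendor model, and must be tuned on real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserSignals:
    user: str
    phish_clicks: int           # clicks on (simulated or real) phishing lures in the window
    credential_exposures: int   # credentials found in dumps, shared in chat, left in repos, etc.
    access_level: int           # 0 = none ... 3 = admin / crown-jewel access
    attacks_received: int       # distinct social-engineering attempts that targeted this user


# Assumed relative importance of the three factors from steps 1 and 2; they sum to 1.0.
WEIGHTS = {"behavior": 0.5, "access": 0.3, "exposure": 0.2}


def clamp(x: float, lo: float = 0.0, hi: float = 1.0) -> float:
    return max(lo, min(hi, x))


def behavior_score(s: UserSignals) -> float:
    # Mode 1 (careless exposure) and mode 2 (being tricked) both feed one 0..1 score
    # that saturates, so a few incidents already rate a user as "fully" risky.
    return clamp(0.25 * s.phish_clicks + 0.4 * s.credential_exposures)


def access_score(s: UserSignals) -> float:
    # How much damage a compromise of this account could do.
    return clamp(s.access_level / 3)


def exposure_score(s: UserSignals) -> float:
    # How hard adversaries are already trying; assumed saturation at 10 attempts.
    return clamp(s.attacks_received / 10)


def risk_score(s: UserSignals) -> float:
    """Weighted sum of the three factors, scaled to 0..100 and rounded to 0.1."""
    total = (WEIGHTS["behavior"] * behavior_score(s)
             + WEIGHTS["access"] * access_score(s)
             + WEIGHTS["exposure"] * exposure_score(s))
    return round(100 * total, 1)


def top_driver(s: UserSignals) -> str:
    """Name the factor contributing most, so the playbook can target the actual cause."""
    contributions = {
        "behavior": WEIGHTS["behavior"] * behavior_score(s),
        "access": WEIGHTS["access"] * access_score(s),
        "exposure": WEIGHTS["exposure"] * exposure_score(s),
    }
    return max(contributions, key=contributions.get)


# Assumed tiers: (minimum score, tier name, actions), checked from highest to lowest.
PLAYBOOKS = [
    (70, "high", ["notify_manager", "open_investigation", "enforce_mfa", "reduce_access"]),
    (40, "medium", ["notify_user", "targeted_training", "tighten_email_filtering"]),
    (0, "low", ["no_action"]),
]


def select_playbook(score: float) -> tuple[str, list[str]]:
    for minimum, tier, actions in PLAYBOOKS:
        if score >= minimum:
            return tier, actions
    return "low", ["no_action"]


def rank_users(users: list[UserSignals]) -> list[tuple[str, float, str, str]]:
    """Return (user, score, tier, top driver) sorted riskiest first."""
    rows = [(u.user, risk_score(u), select_playbook(risk_score(u))[0], top_driver(u)) for u in users]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample population (not real data).
SAMPLE_USERS = [
    UserSignals("alice", phish_clicks=3, credential_exposures=1, access_level=3, attacks_received=8),
    UserSignals("bob",   phish_clicks=0, credential_exposures=0, access_level=1, attacks_received=2),
    UserSignals("carol", phish_clicks=1, credential_exposures=0, access_level=2, attacks_received=5),
]

if __name__ == "__main__":
    for user, score, tier, driver in rank_users(SAMPLE_USERS):
        print(f"{user:6} score={score:5.1f} tier={tier:6} driver={driver}")
```

Note that the score alone is not enough to choose an action: carol and a hypothetical user with the same score but a different top driver should get different playbooks (training for a behavior-driven score, access review for an access-driven one), which is why the example reports the driver alongside the tier.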
I will explore each of the above in greater detail in subsequent posts, as each is deserving of a minor thesis on its own. Please check back for these additional installments in the near future.
Also, be encouraged that the logical exploration above is not purely theoretical. Elevate Security has implemented all of these steps and has customers validating significant reductions in security alerts and incidents as a result. Please explore www.elevatesecurity.com to investigate further.