A look at dynamic data protection
As the chief digital information officer (CIO) of Forcepoint, a global human-centric cyber-security company, I get exposed daily to vendors trying to sell me a multitude of technologies.
Some come from across the country, while others sit just a few offices away in the same building.
While I have, of course, implemented many Forcepoint solutions, there is nothing compelling me to do so. I have the freedom to choose the technologies that work best for my environment and protect the company.
My chief information security officer (CISO) and I often have conversations around the types of technology we want to bring in, and one of the most important things we look for is products and solutions that help me do more with less and that offer superior effectiveness and efficacy.
As with many other organisations of our size, scaling internal security analysts to match the rate of growing threats, while not compromising the speed of resolution, is a challenge.
Any security solution that can help to separate the signal from the noise – either by reducing the number of alerts or helping the analysts to focus on investigations – that’s what I want to prioritise.
When the product team at Forcepoint started sharing this concept of Dynamic Data Protection and how it could start to transform security postures, it piqued my interest, and we stayed close to the solution. As the team got closer to bringing this capability to market, I jumped at the opportunity to be Customer Zero. The prospect of using analytics to establish intent and help inform enforcement was something that hit on all my priorities.
I was delighted to be able to share our story recently at the RSA Conference in San Francisco in a talk titled Extending Behavioural Insights into Risk-Adaptive Protection and Enforcement, and I’ve captured some details from that talk in my thoughts below.
The partnership between CIO, CISO, General Counsel and chief human resources officer is paramount and became the foundation for this programme. Once we had organisational buy-in, we made sure to openly communicate the changes to our employee population – who seemed very receptive. Trust is key for the success of a human-centric security programme, and transparency goes a long way.
The next step was to identify the risk policies we wanted to move from being static to dynamic and risk-adaptive. We have chosen to migrate many of our policies to the new framework, but don’t necessarily want to make them all variable related to the risk level of the individual. There are many policies related to compliance regulations, such as General Data Protection Regulation, and sensitive data that we want to ensure will be blocked from data exfiltration.
For those policies, we will select an action plan that “blocks all”, regardless of risk score. We believe these account for about half the existing policies. For the remainder, we believe additional context can help inform the enforcement, and we can add more granularity around the action plans. Our criteria include conditions where we believe having more information about the behaviour of the user would help inform decision making.
For example, for our removable media policy, we can leverage risk-adaptive action plans based on the user risk score, with enforcement options ranging from Audit, to Audit/Encrypt to Encrypt/Notify to Block.
At this point we have established our programme and started to create the policies we want to enforce. The next step is to establish the baseline – to ensure that the system understands the users’ “normal” behaviour, so it can appropriately identify the anomalies. To do this, we are running the system in audit mode, allowing the analytics engine to learn for 30 days to ensure we minimise false positives and that appropriate calibration is performed.
Then we will increase the notification for when any of these new risk policies get invoked. We want to do a deeper inspection to verify the triggers were behaving the way we intended. We know we will need to end up tweaking a few of the thresholds to get the results we are expecting. In some cases, this will involve increasing or decreasing the strictness of enforcement.
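The policy split, baseline and tuning steps described above can be sketched as a small evaluator. The following is an added illustration written for this article, not Forcepoint's own implementation or API: it assumes a 0–100 user risk score, assumes the band boundaries shown, and uses the removable-media policy as the risk-adaptive case and a GDPR-regulated data policy as the static "block all" case. Audit mode records what each policy would have done without enforcing it, which is the data the threshold-tuning step works from.

```python
"""Illustrative risk-adaptive policy evaluator (added example; not Forcepoint code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    """Enforcement options in increasing strictness, as in the removable-media example."""
    AUDIT = 1
    AUDIT_ENCRYPT = 2
    ENCRYPT_NOTIFY = 3
    BLOCK = 4


@dataclass
class Policy:
    name: str
    # Static policy: one action regardless of the user's risk score (e.g. GDPR-regulated data).
    fixed_action: Optional[Action] = None
    # Risk-adaptive policy: minimum risk score -> action, checked from the highest band down.
    thresholds: Dict[int, Action] = field(default_factory=dict)

    def decide(self, risk_score: int) -> Action:
        if self.fixed_action is not None:
            return self.fixed_action
        for min_score in sorted(self.thresholds, reverse=True):
            if risk_score >= min_score:
                return self.thresholds[min_score]
        return Action.AUDIT  # below every band: observe only


@dataclass
class Engine:
    policies: Dict[str, Policy]
    audit_mode: bool = True  # baseline period: record the intended action, enforce only AUDIT
    log: List[dict] = field(default_factory=list)

    def evaluate(self, policy_name: str, user: str, risk_score: int) -> Action:
        """Return the action actually applied; always record what the policy intended."""
        intended = self.policies[policy_name].decide(risk_score)
        applied = Action.AUDIT if self.audit_mode else intended
        self.log.append({"policy": policy_name, "user": user, "risk_score": risk_score,
                         "intended": intended, "applied": applied})
        return applied

    def intended_counts(self) -> Dict[Action, int]:
        """Calibration view: how often each action would have fired during the baseline."""
        counts: Dict[Action, int] = {}
        for entry in self.log:
            counts[entry["intended"]] = counts.get(entry["intended"], 0) + 1
        return counts

    def tune(self, policy_name: str, thresholds: Dict[int, Action]) -> None:
        """Replace the bands of a risk-adaptive policy after reviewing the baseline."""
        policy = self.policies[policy_name]
        if policy.fixed_action is not None:
            raise ValueError(f"{policy_name} is static; its action is not risk-adaptive")
        policy.thresholds = dict(thresholds)


def build_engine(audit_mode: bool = True) -> Engine:
    # Risk scores assumed on a 0-100 scale; band boundaries are assumptions for illustration.
    removable_media = Policy("removable_media", thresholds={
        0: Action.AUDIT, 40: Action.AUDIT_ENCRYPT, 70: Action.ENCRYPT_NOTIFY, 90: Action.BLOCK})
    gdpr_data = Policy("gdpr_personal_data", fixed_action=Action.BLOCK)
    return Engine({p.name: p for p in (removable_media, gdpr_data)}, audit_mode=audit_mode)


if __name__ == "__main__":
    # Constructed sample events: (policy, user, risk score)
    events = [("removable_media", "u1", 12), ("removable_media", "u2", 55),
              ("removable_media", "u3", 95), ("gdpr_personal_data", "u4", 5)]
    baseline = build_engine(audit_mode=True)
    for policy, user, score in events:
        baseline.evaluate(policy, user, score)
    print("baseline intended actions:", baseline.intended_counts())
    live = build_engine(audit_mode=False)
    # After reviewing the baseline, widen the lower bands so fewer users hit BLOCK.
    live.tune("removable_media", {0: Action.AUDIT, 50: Action.AUDIT_ENCRYPT,
                                  75: Action.ENCRYPT_NOTIFY, 95: Action.BLOCK})
    for policy, user, score in events:
        print(policy, user, score, "->", live.evaluate(policy, user, score).name)
```

The `tune` method refuses to touch a static policy, which mirrors the decision to keep compliance-driven "block all" policies out of the risk-adaptive framework; only the adaptive bands are meant to move during calibration.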
Often, the role of the security team dealing with alerts is to find the needle in the haystack. What we learnt is that there are two ways to achieve this goal. The first is to build a better needle-finding algorithm, while the second is to just get rid of the hay. After implementing Dynamic Data Protection, we can do both.
The aggregate number of alerts that hit my analysts has gone down, because of the flexibility afforded by the automated policy enforcement.
My user community is now more productive, because I’ve relaxed some of the more rigid data loss prevention policies that were impacting the ease of doing business. We’re still pretty early on in our deployment, but indicators show that we’re scratching the surface of unlocking the potential of this capability.
Our plan is to stay in lock-step with our HR and legal teams and roll out Dynamic Data Protection on a country-by-country basis following the privacy restrictions imposed by each of the countries in which we do business. Our goal with this programme is to remove the security friction without losing security control, to stop the bad and free the good.