A look at dynamic data protection

The Star Late Edition - OPINION & ANALYSIS - Meerah Rajavel

Meerah Rajavel is Forcepoint’s chief digital information officer.

AS THE CHIEF digital information officer (CIO) of Forcepoint, a global human-centric cyber-security company, I get exposed daily to vendors trying to sell me a multitude of technologies.

Some come from across the country, while others sit just a few offices away in the same building.

While I have, of course, implemented many Forcepoint solutions, there is nothing compelling me to do so. I have the freedom to choose the technologies that work best for my environment and protect the company.

My chief information security officer (CISO) and I often have conversations around the types of technology we want to bring in, and one of the most important things we look for is products and solutions that help me do more with less, and that offer superior effectiveness and efficacy.

As with many other organisations of our size, scaling internal security analysts to match the rate of growing threats, while not compromising the speed of resolution, is a challenge.

Any security solution that can help to separate the signal from the noise – either by reducing the number of alerts or helping the analysts to focus on investigations – that’s what I want to prioritise.

When the product team at Forcepoint started sharing this concept of Dynamic Data Protection and how it could start to transform security postures, it piqued my interest, and we stayed close to the solution. As the team got closer to bringing this capability to market, I jumped at the opportunity to be Customer Zero. The prospect of using analytics to establish intent and help inform enforcement was something that hit on all my priorities.

I was delighted to be able to share our story recently at the RSA Conference in San Francisco in a talk titled “Extending Behavioural Insights into Risk-Adaptive Protection and Enforcement”, and I’ve captured some details from that talk in my thoughts below.

When we looked at the internal programmes we were running, we saw a synergy between Dynamic Data Protection and our existing privacy initiatives. To successfully roll out this type of programme, we had to look beyond just the technology – in fact, we had to look beyond IT. Our first step was to establish our privacy policy with the help of our colleagues in Human Resources and Legal.

The partnership between CIO, CISO, General Counsel and chief human resources officer is paramount and became the foundation for this programme. Once we had organisational buy-in, we made sure to openly communicate the changes to our employee population – who seemed very receptive. Trust is key for the success of a human-centric security programme, and transparency goes a long way.

The next step was to identify the risk policies we wanted to move from being static to dynamic and risk-adaptive. We have chosen to migrate many of our policies to the new framework, but don’t necessarily want to make them all variable related to the risk level of the individual. There are many policies related to compliance regulations, such as the General Data Protection Regulation, and sensitive data that we want to ensure will be blocked from data exfiltration.

For those policies, we will select an action plan that “blocks all”, regardless of risk score. We believe these account for about half the existing policies. For the remainder, we believe additional context can help inform the enforcement, and we can add more granularity around the action plans. Our criteria include conditions where we believe having more information about the behaviour of the user would help inform decision making.

For example, for our removable media policy, we can leverage risk-adaptive action plans based on the user risk score, with enforcement options ranging from Audit, to Audit/Encrypt, to Encrypt/Notify, to Block.

At this point we will have established our programme and start to create policies we want to enforce. The next step is to establish the baseline – to ensure that the system best understands the users’ “normal” behaviour, so it can appropriately identify the anomalies. To do this, we are running the system in audit mode, allowing the analytics engine to learn for 30 days to ensure we minimise false positives and that appropriate calibration is performed.

Then we will increase the notification for when any of these new risk policies get invoked. We want to do a deeper inspection to verify the triggers were behaving the way we intended. We know we will need to end up tweaking a few of the thresholds to get the results we are expecting. In some cases, this will involve increasing or decreasing the strictness of enforcement.

Often, the role of the security team dealing with alerts is to find the needle in the haystack. What we learnt is that there are two ways to achieve this goal. The first is to build a better needle-finding algorithm, while the second is to just get rid of the hay. After implementing Dynamic Data Protection, we can do both.

The aggregate number of alerts that hit my analysts has gone down, because of the flexibility afforded with the automated policy enforcement.

My user community is now more productive, because I’ve relaxed some of the more rigid data loss prevention policies that were impacting the ease of doing business. We’re still pretty early on in our deployment, but indicators show that we’re scratching the surface of unlocking the potential of this capability.

Our plan is to stay in lock-step with our HR and legal teams and roll out Dynamic Data Protection on a country-by-country basis following the privacy restrictions imposed by each of the countries in which we do business. Our goal with this programme is to remove the security friction without losing security control, to stop the bad and free the good.
