Forcepoint is the leading user and data protection cyber security company, entrusted to safeguard organisations while driving digital transformation and growth. Their solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.
Nick Savvides, Senior Director of Strategic Business, APAC at Forcepoint is responsible for providing thought leadership and over-the-horizon guidance not just externally to CISOs, industry and analysts but also to Forcepoint’s product and research teams.
His main objective is to lead a practice that works with Forcepoint’s key customers and partners to deliver innovative and transformational security projects by taking a whole-of-business, human-centric approach.
Nick Savvides, in conversation with dynamicCISO, talks about how a next-generation firewall (NGFW) can protect organizations from malicious traffic but not from malicious use of legitimate applications. This is where Dynamic User Protection (DUP) plays an important role: it observes what the user is doing, regardless of the traffic flow, abstracts away the complexity of the connectivity, and turns that visibility into immediate, high-efficacy actions.
"DUP is the heart of our new converged cloud security platform," Nick elaborates. In its initial release, DUP drives responses in the Data Loss Prevention platform, so a user, regardless of their application or traffic flow, can be blocked from leaking data or making risky choices.
DynamicCISO: With the emergence and pervasiveness of cloud, many problems have emerged for security professionals. How do you see what isn’t visible and obvious?
Nick Savvides: I think that it is important to recognise that cloud, being both a driving force and an enabler of digital transformation, requires digitally transformed cyber-security. Enterprises were used to securing their applications and data when they were inside their own networks, and they controlled all the transition points. As these moved into the cloud, though, the tools didn’t quite fit right, and attempts to extend them were at best compromises or at worst failures. This led to the rise of cloud-specific tools, like CASB, which was really the first of the security tools from-the-cloud, for-the-cloud.
This is why I think about the problem from a different perspective. Rather than building your security model around the infrastructure, which is constantly changing, if you model it around the two constants of users and data, you can not only regain visibility but also discover unknown risks and act on them before they become incidents. This is digitally transformed cyber-security: much like business processes become user-centric when digitally transformed, so does cyber-security. Cloud allows us to instrument our users, our endpoints, our data and our services in a way that was previously too complex, too expensive or just plainly too difficult.
This is digitally transformed security, where your security platform sees what is happening and automatically moves to prevent it, with most incidents being auto-handled and prioritized incidents being handled by security teams.
DynamicCISO: Data traffic should be broken up into manageable pieces using packet filtering, grooming and brokering processes, to make sure the security systems and analytics tools are seeing everything. This is a part of elastic visibility. How do you see DUP being put to use?
NS: I’d start by saying that visibility on its own is fairly meaningless; it doesn’t provide a security benefit unless there is ultimately an action that comes out of it. The NGFW might protect you from malicious traffic, but not malicious use of legitimate applications. This is where Dynamic User Protection really plays an important role: it observes what the user is doing, and the traffic flow, no matter what it’s doing, where it’s going or how it’s getting there, doesn’t matter. DUP observes the user, it understands what they are doing, it essentially abstracts away all the complexity of the connectivity, and from its visibility comes immediate high-efficacy actions.
In upcoming releases, DUP will be able to drive these adaptive responses in our Cloud Security Gateway, so when there is traffic or application control in the cloud, DUP can dynamically restrict or permit actions.
DynamicCISO: Securing in the dark: Virtualized networks are typically segmented using virtual firewalls to protect key applications and services from attack, and to prevent lateral movement in the virtualized environment that could compromise data or resources. What is your take on this, and how can enterprises benefit from DUP?
NS: These technologies are important, and they have a role in protecting against an external attacker moving around a network or applications.
Whether it’s a malicious bad actor who has taken over a user’s credentials/session/system, a malicious internal user, or simply a user making a mistake, their actions will not be stopped by these technologies; this is why DUP is so critical.
Enterprises can immediately understand the real-time risk presented by a user and have dynamic responses change the way that user is handled. For example, if a user has had their account taken over by a malicious actor, DUP would observe the malicious user, say, stockpiling data that the user has authorised access to before copying it off the system, determine in real time that this indicates a risk event will likely occur, and in real time dynamically tell DLP to prevent the copy, upload or access of that data.
DynamicCISO: In the world of Indicators of Compromise (IOCs), where organizations heavily rely on IOCs, where do the Indicators of Behavior (IOBs) that Dynamic User Protection (DUP) uses fit into the picture? And how is this approach more effective than the other?
NS: IoBs and IoCs are, as the saying goes, two sides of the same coin. IoCs are great at sharing threat information and helping with threat hunting and identifying malware or evidence that a threat actor is in your systems, and they are very important for a modern security team, but they do nothing for identifying risky users and misuse of legitimate access.
For example, a bank might be sent a file hash of a piece of malware that is targeting the finance sector, and, using that IoC, it is searched for across the entire estate of servers and endpoints using an EDR tool. As you can see, that is all very infrastructure-centric; it’s concerned with systems, not people. It doesn’t protect against the user who is disgruntled and is planning on copying financial data of customers for their own use.
That’s where IoBs come in: they understand both the cyber and non-cyber related activities, like language tone in messaging, anomalous access to authorised data, or even taking screenshots of confidential data. These can allow us to understand the real-time risk the user presents to the organisation, with protections that happen at transaction time, not post-fact like IoC detection.
DynamicCISO: How does DUP reduce the need for manual touch points and improve risk-adaptive policy automation?
NS: As I said before, visibility without action is meaningless. If you look at the SIEM and MSS industry, they tried to get from visibility to action but generally failed. Even with all the funnels and analytics, and even integration with SOAR tools, these still suffer from high levels of false positives and visibility only into cyber-security related activities.
Forcepoint’s Dynamic User Protection addresses this by significantly reducing false positives by adding context using non-cyber signal analytics, allowing DUP to drive real-time risk-adaptive responses into control tools. Initially, at launch, this is focussed on Data Loss Prevention, but it will soon be expanded to our Cloud Security Gateway.
DUP is risk-aware: rather than building more and more rules, and then more and more complex response definitions, it can simply tell the control tools, like DLP, that this user at this point in time, at the transaction time, is a risk, and from there DLP will take the appropriate response for the risk level. This essentially eliminates the need for manual touch points for nearly all incidents, while also auto-prioritising human-based investigations into users that present the largest risk to the organisation.
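As an added illustration of the risk-adaptive pattern described in the two answers above (this is not Forcepoint's code; the event schema, the indicators and the thresholds are constructed assumptions), behavioural indicators over a user's recent history produce a risk level, and the DLP side keeps one response per level evaluated at transaction time instead of one rule per combination of signals:

```python
from dataclasses import dataclass

# Constructed event schema (illustrative assumption, not the DUP data model).
@dataclass(frozen=True)
class Event:
    kind: str           # "access", "screenshot", "copy", "upload"
    confidential: bool  # touches data classified as confidential

def score_user(history, baseline_accesses=20):
    """Indicator-of-behaviour score over a user's recent window.
    Each indicator is a pattern across many events (stockpiling of
    authorised data, screenshots of confidential material), not a
    property of the single transaction being evaluated."""
    accesses = sum(1 for e in history if e.kind == "access" and e.confidential)
    shots = sum(1 for e in history if e.kind == "screenshot" and e.confidential)
    score = 0
    if accesses > 3 * baseline_accesses:   # far above this user's normal volume
        score += 40
    elif accesses > baseline_accesses:
        score += 15
    score += min(30, 10 * shots)           # capped so one signal cannot dominate
    return score

def risk_level(score):
    if score >= 60:
        return "high"
    if score >= 30:
        return "elevated"
    return "low"

# Risk-adaptive response table: the control tool (DLP) holds one action
# per risk level rather than a separate rule per signal combination.
RESPONSES = {"low": "allow", "elevated": "allow+audit", "high": "block"}

def dlp_decision(transaction, history):
    """Action for a copy/upload, decided at transaction time."""
    if not transaction.confidential:
        return "allow"                     # no protected data involved
    return RESPONSES[risk_level(score_user(history))]

# Constructed histories: a normal user versus a taken-over account that
# stockpiled confidential files and took screenshots before exfiltrating.
def normal_history():
    return [Event("access", True)] * 10

def takeover_history():
    return [Event("access", True)] * 70 + [Event("screenshot", True)] * 2
```

The same upload is allowed for the normal history and blocked for the takeover history, and the audit tier shows where a practitioner would tune thresholds to keep false positives down.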
DynamicCISO: Insider threats are now a perennial security risk to any organization globally. What are the insider threat prevention best practices you suggest organizations follow?
NS: Security maturity and resourcing are really required to put effective insider threat management in place, even for the most well-resourced organization. Being a complex area, I would answer this question for the bulk of enterprises that simply do not have the ability or desire to operate such a program.
This makes my best practice recommendations for insider threat management come down to three simple things.
Firstly, understand that users are both your biggest risk and your biggest asset, keep them onside and make them part of your insider threat program journey.
Secondly, use the cloud, use a digitally transformed insider threat technology, because otherwise you are solving yesterday’s problem and will end up with complexity that will kill your program. This will ensure that automation and risk adaptive responses are there from the start, so you can have immediate risk reduction.
Thirdly, use a vendor or partner that has experience in the field and make them a key part of the program.