Few things in life can be expressed in black and white terms. Sure, a light switch is either on or it's off; one baseball team wins the World Series each year and one doesn't; and every line of computer binary starts with either a one or a zero.Most of the time, though, our lives are full of gray areas, not absolutes. Brent crude almost never drops below $40 a barrel, but it did happen once and the chances of it happening again are greater than zero. There may be a 60 or 70 percent chance of rain tomorrow, but it's rarely 100 percent. And, sometimes, even the Chicago Cubs win the World Series.So why is it that security practitioners often treat their threat environment as if it's black or white, rather than a spectrum of possible states or probable outcomes — even when this binary view diminishes the quality of their comprehension and decision-making and thus jeopardizes their actual security?To read this article in full or to leave a comment, please click here
Most organizations are pretty good at vetting job applicants up front. They interview candidates, contact references, and in many cases conduct at least rudimentary background checks to bring out any issues of concern before making a hiring decision.Government security agencies go several steps further; just ask anyone who's filled out an SF-86 and then waited while investigators delved into youthful indiscretions, overseas trips and contacts with foreigners.But it's also true that most government and private-sector organizations operate on the principle of "Once you're in, you're in." Few of them have anything remotely resembling a continuous monitoring program for current managers and staff, let alone for contractors and vendors. And yet virtually every day brings fresh news of a data breach, intellectual property theft, or other adverse event either instigated or abetted by a supposedly trusted insider.To read this article in full or to leave a comment, please click here
Most organizations are pretty good at vetting job applicants up front. They interview candidates, contact references, and in many cases conduct at least rudimentary background checks to bring out any issues of concern before making a hiring decision.Government security agencies go several steps further; just ask anyone who's filled out an SF-86 and then waited while investigators delved into youthful indiscretions, overseas trips and contacts with foreigners.But it's also true that most government and private-sector organizations operate on the principle of "Once you're in, you're in." Few of them have anything remotely resembling a continuous monitoring program for current managers and staff, let alone for contractors and vendors. And yet virtually every day brings fresh news of a data breach, intellectual property theft, or other adverse event either instigated or abetted by a supposedly trusted insider.To read this article in full or to leave a comment, please click here
A security analytics approach that exploits the unique strengths of Bayesian networks, machine learning and rules-based systems—while also compensating for or eliminating their individual weaknesses—leads to powerful solutions that are effective across a wide array of security missions.
Despite the drawbacks of security analytics approaches I described in part 1 of this series, it's possible to build such solutions today, giving users a way to rapidly identify their highest-priority security threats at very large scale without being deluged with false-positive alerts or being forced to hire an army of extra analysts.To read this article in full or to leave a comment, please click here
A security analytics approach that exploits the unique strengths of Bayesian networks, machine learning and rules-based systems—while also compensating for or eliminating their individual weaknesses—leads to powerful solutions that are effective across a wide array of security missions.
Despite the drawbacks of security analytics approaches I described in part 1 of this series, it's possible to build such solutions today, giving users a way to rapidly identify their highest-priority security threats at very large scale without being deluged with false-positive alerts or being forced to hire an army of extra analysts.To read this article in full or to leave a comment, please click here
Digital technologies have changed the face of business and government, and they will continue to do so at an even faster pace. They drive innovation, boost productivity, improve communications and generate competitive advantage, among other benefits.The dark side of this digital revolution has now come clearly into focus as well: McKinsey estimates that cyber attacks will cost the global economy $3 trillion in lost productivity and growth by 2020, while theft, sabotage and other damage inflicted by trusted insider personnel continue to cost organizations in lost revenues, revealed secrets and damaged reputations.To read this article in full or to leave a comment, please click here
Digital technologies have changed the face of business and government, and they will continue to do so at an even faster pace. They drive innovation, boost productivity, improve communications and generate competitive advantage, among other benefits.The dark side of this digital revolution has now come clearly into focus as well: McKinsey estimates that cyber attacks will cost the global economy $3 trillion in lost productivity and growth by 2020, while theft, sabotage and other damage inflicted by trusted insider personnel continue to cost organizations in lost revenues, revealed secrets and damaged reputations.To read this article in full or to leave a comment, please click here
Organizations attempting to implement a world-class insider threat program have learned from experience what doesn't work well (see Part I of this post). As a result, they have a better sense of what they require to prevail in today's evolving insider threat landscape.There is an emerging consensus that any world-class insider threat program must have the following three core characteristics:1. Preventive: Organizations want more than just a threat detection system that tells them an attack has already taken place. They need an early-warning system that allows them to prevent insider threat events through a comprehensive threat assessment framework that leverages all available internal and external data and produces far fewer false negatives and positives.To read this article in full or to leave a comment, please click here
The consequences of failure range from failed security audits and interruptions of service or product deliveries to more significant degradation of ongoing operations, monetary losses and lasting reputational damage. In extreme scenarios, there is even the potential for bodily injury and loss of life.In response, many corporate and government leaders have invested heavily over the past few years in controls designed to mitigate the likelihood and consequences of a damaging insider event. Policy and procedural controls naturally have played a big part in these nascent insider threat programs, but so have a number of emerging technologies grouped under the umbrella of Security Analytics.To read this article in full or to leave a comment, please click here
The consequences of failure range from failed security audits and interruptions of service or product deliveries to more significant degradation of ongoing operations, monetary losses and lasting reputational damage. In extreme scenarios, there is even the potential for bodily injury and loss of life.In response, many corporate and government leaders have invested heavily over the past few years in controls designed to mitigate the likelihood and consequences of a damaging insider event. Policy and procedural controls naturally have played a big part in these nascent insider threat programs, but so have a number of emerging technologies grouped under the umbrella of Security Analytics.To read this article in full or to leave a comment, please click here
In numerous discussions and forums recently, the conversation about the need for a risk management approach to cybersecurity has quickly devolved into a discussion about cyber hygiene and, ultimately, a discussion about compliance (with perhaps some simple metrics thrown in).+ Also on Network World: Match security plans to your company's 'risk appetite' +This pattern of following a difficult, but business-oriented discussion of risk to a trivial oversimplification is common within government and industry circles—and even among the most sophisticated CISOs. What we really need, however, is a holistic risk framework and a solid commitment to risk-based measurements in order to accurately understand and defend against the most serious cybersecurity threats facing our country. Too often we focus solely on cyber hygiene, while important, doesn’t fully address the more severe risks organizations face with increasing frequency.To read this article in full or to leave a comment, please click here
In numerous discussions and forums recently, the conversation about the need for a risk management approach to cybersecurity has quickly devolved into a discussion about cyber hygiene and, ultimately, a discussion about compliance (with perhaps some simple metrics thrown in).
+ Also on Network World: Match security plans to your company's 'risk appetite' +
This pattern of following a difficult, but business-oriented discussion of risk to a trivial oversimplification is common within government and industry circles—and even among the most sophisticated CISOs. What we really need, however, is a holistic risk framework and a solid commitment to risk-based measurements in order to accurately understand and defend against the most serious cybersecurity threats facing our country. Too often we focus solely on cyber hygiene, while important, doesn’t fully address the more severe risks organizations face with increasing frequency.To read this article in full or to leave a comment, please click here
Bryan Ware