Every July, thousands of the world’s most savvy security professionals descend upon Las Vegas for the Black Hat conference. For the uninitiated, the well-understood rule of the conference is that mobile devices stay in your hotel room, lest you wind up on the “Wall of Sheep,” a long-standing conference fixture: a posted list on which hackers happily embarrass those who aren’t practising “safe” computing.
While we may like to think this is extreme and paranoid, it is an acute reminder of the world in which people live today. When it comes to cyber security, paranoia is warranted. In this world, what happens in Vegas may be held for ransom.
The fact that hackers are all around us is certainly more visible at a conference like Black Hat, but we have to keep in mind it is the daily reality companies and consumers alike face. Recognition on a “Wall of Sheep” is the least of the consequences we encounter in the real world.
Instead, we live in an environment where best practices suggest you must assume you have already been hacked – whether it be from an external or internal threat – without the luxury of a notification.
Therefore, cyber security practices are no longer centred on prevention and perimeter fencing, but on continuous analysis, rapid detection, adaptive protection, and response. As such, the security community has come to accept that it operates in a constant state of breach, or, as Gartner astutely stated in 2016: “[all organisations] are in a state of continuous compromise,” with threats originating from both external and internal points within the network.
This has put cyber security on a necessary path to convergence with surveillance, the latter emerging as a necessary paradigm in the quest to detect and resolve breaches before significant damage is done.
Security teams now need to understand what anyone on their network is doing at any given time and be able to identify anomalies as quickly as possible. Unfortunately, while it’s not getting any easier to detect suspicious user behaviour, it is growing more costly.
According to recent research from the Ponemon Institute, “organisations are spending an average $4.3 million per year annually to mitigate, address, and resolve insider-related incidents – with that spend surpassing $17 million annually in the most significant cases.”
With this in mind, teams must embrace true surveillance techniques and dig deeper to look at what’s happening at the level of an individual user and individual device over time. This may elicit groans from already overburdened security teams, but the good news is that the wider information security community can take a helpful page out of the financial markets’ book.
Trade surveillance in financial markets has long been mandated to identify, investigate, and prevent abusive, manipulative, or illegal trading practices in the securities markets. Nearly all activity of a trader is monitored: what an individual is trading (securities, volumes, dollars, pricing), when they trade, how closely before and after market events they trade, and even phone calls and other inbound/outbound communications.
Traders, contractors, and even administrative and back office employees have to disclose certain personal holdings information regularly to remain compliant with regulations, and agree not to trade in instruments covered by the organisation.
Today’s trades can execute in mere fractions of a second, so effective surveillance involves collecting a large range of data about traders, with a microscope on how their individual activity patterns change over time.
The amount of data recorded, organised, and analysed to surveil trader activities is enormous. Moving from merely preventing unauthorised people from trading to examining the what, when, where, and how of each individual’s activities is the challenge, and the opportunity, facing security teams in financial markets.
Other industries should take note.
Over the past decade, there has been a tremendous evolution of cybercrime and cyber attack capabilities. The same evolutions that allow computers to algorithmically trade millions of times per minute or enable online retailers to render customised preferences and pricing on the spot are the same capabilities now enabling advanced cyber attacks.
The more businesses embrace digital communication and automation, and the more complex their daily interactions with data become, the more they are exposed to malicious behaviour from both outside and within the network. In short, one could argue that the cost of successfully launching a cyber attack has fallen and that there has been a commensurate increase in supply.
Thus, security professionals can look to the evolution of trade surveillance as a roadmap for bolstering cyber security arsenals across industries. Cyber security practices need to start looking deeper into user activity, understanding not just what communicates with what or when, or how much data is accessed, but also what data is accessed, when, and from where that access originated.
This is partly a general computer science problem of managing and analysing data, but it also requires examining not only collective communications but individual users, devices, and in some cases the content of communications (that is, what type of data is accessed and which machines and users communicate with each other, not simply that they are communicating).
This is where technologies such as machine learning and AI become very relevant, helping to analyse what constitutes normal vs. anomalous behaviour. With this information, we are better equipped to weed out malicious internal users, users who have inadvertently fallen victim to a phishing attempt, and even malware lying dormant within the system, leading to more effective response and resolution.
Today, efforts to identify malicious actors within your network are akin to an attendee scanning the Black Hat conference floor for the few individuals carrying a burner phone this year. Line of sight alone wouldn’t give them enough information to tell a potential hacker from an innocent executive desperate for a means of communication for normal business purposes.
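One concrete form of the per-user, per-device analysis the preceding paragraphs call for is a behavioural baseline: learn what each user normally does (where they connect from, when, which data they touch, how much they move) and flag events that deviate. The script below is an added example written for this page; it is not code from the original article or from Corvil’s products. All log lines, user names, hosts and addresses in it are constructed placeholders, and the scoring rules (a /24 network the user has never used, an hour outside their observed working range, a resource they have never touched, a read volume more than three standard deviations above their mean) are deliberately simple stand-ins for the richer models a production system would use.

```python
"""Per-user behavioural baselining over constructed access-log lines.

Each line: <ISO timestamp> <user> <source IP> <resource> <bytes read>
The baseline phase learns, per user: the source /24 networks seen, the
range of hours seen, the resources touched, and the mean/std of bytes
read per event.  The scoring phase flags an event when it deviates on
any of those dimensions.  All log data here is constructed for this
example; users, hosts and addresses are placeholders, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev
import ipaddress

# Constructed "training" window of ordinary behaviour (assumed clean).
BASELINE_LOG = """\
2017-07-03T09:12:04 alice 10.20.30.11 /finance/ledger.xlsx 120000
2017-07-03T10:40:51 alice 10.20.30.11 /finance/ledger.xlsx 98000
2017-07-04T09:05:10 alice 10.20.30.12 /finance/q2-report.docx 250000
2017-07-05T14:22:33 alice 10.20.30.11 /finance/ledger.xlsx 110000
2017-07-06T11:01:09 alice 10.20.30.11 /finance/budget.xlsx 130000
2017-07-03T08:55:00 bob 10.20.40.7 /eng/repo/main.zip 5000000
2017-07-04T09:30:00 bob 10.20.40.7 /eng/repo/main.zip 5200000
2017-07-05T17:45:00 bob 10.20.40.8 /eng/designs/arch.pdf 800000
2017-07-06T10:10:00 bob 10.20.40.7 /eng/repo/main.zip 4900000
"""

# Constructed events to score against the learned baselines.
NEW_LOG = """\
2017-07-10T09:20:00 alice 10.20.30.11 /finance/ledger.xlsx 115000
2017-07-10T02:13:00 alice 203.0.113.9 /finance/ledger.xlsx 9000000
2017-07-10T09:05:00 bob 10.20.40.7 /eng/repo/main.zip 5100000
2017-07-10T13:00:00 bob 10.20.40.7 /hr/salaries.csv 40000
"""


@dataclass
class Baseline:
    networks: set = field(default_factory=set)    # /24 prefixes seen
    resources: set = field(default_factory=set)   # paths touched
    hours: list = field(default_factory=list)     # hour-of-day per event
    volumes: list = field(default_factory=list)   # bytes read per event

    @property
    def hour_range(self):
        return (min(self.hours), max(self.hours))


def parse_line(line):
    """Split one log line into a typed event; source IP is reduced to its /24."""
    ts, user, ip, resource, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "net": str(ipaddress.ip_network(f"{ip}/24", strict=False)),
            "resource": resource, "bytes": int(nbytes)}


def build_baselines(text):
    """Learn one Baseline per user from a window of trusted log lines."""
    baselines = defaultdict(Baseline)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        b = baselines[ev["user"]]
        b.networks.add(ev["net"])
        b.resources.add(ev["resource"])
        b.hours.append(ev["ts"].hour)
        b.volumes.append(ev["bytes"])
    return dict(baselines)


def score_event(ev, b, z_threshold=3.0):
    """Return the list of reasons an event deviates from its user's baseline."""
    reasons = []
    if ev["net"] not in b.networks:
        reasons.append(f"new source network {ev['net']}")
    lo, hi = b.hour_range
    h = ev["ts"].hour
    if not lo <= h <= hi:
        reasons.append(f"outside usual hours ({h:02d}h, baseline {lo:02d}h-{hi:02d}h)")
    if ev["resource"] not in b.resources:
        reasons.append(f"new resource {ev['resource']}")
    mu, sd = mean(b.volumes), pstdev(b.volumes)
    # With zero spread in the baseline, any increase over the mean is notable.
    z = (float("inf") if ev["bytes"] > mu else 0.0) if sd == 0 else (ev["bytes"] - mu) / sd
    if z > z_threshold:   # one-sided: unusually large reads are the concern
        reasons.append(f"volume {ev['bytes']} bytes is {z:.1f} sd above mean")
    return reasons


def detect(baselines, text):
    """Score each new event; return alerts for events with at least one reason."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        b = baselines.get(ev["user"])
        reasons = ["no baseline for user"] if b is None else score_event(ev, b)
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baselines(BASELINE_LOG), NEW_LOG):
        print(alert["ts"], alert["user"], "; ".join(alert["reasons"]))
```

Run as-is, it reports two of the four new events: alice’s 02:13 read from an unfamiliar network that is far above her normal volume, and bob’s first-ever access to an HR file. His ordinary morning pull of the repository archive and alice’s routine ledger read pass quietly. The point of the design is the one the article makes: each check is judged against that individual’s history, not against a single organisation-wide threshold, which is why a five-megabyte read is normal for one user and nine megabytes is an alert for another.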
The path of effective cyber security is heading toward convergence with surveillance, but it still has a way to go.
Sourced by David Murray, chief business development officer at Corvil