The cyber thief develops a new advantage, breaks into an IT system, and swipes data. An enterprise spots the hack too late, figures out how it was done, and changes its defense to stop the hack from happening again. The defense holds until the cyber thief figures out the next work-around.
That is the action/reaction cycle. Like a perverse iteration of Newton’s third law, every clever action is followed by an equally clever reaction.
Companies are getting wise to this, adding depth to their cyber-defenses to contain, rather than prevent, breaches. Yet there can be no change in strategy without a change in thinking first.
“The cycle will continue, but that is not the end of the world,” said Haiyan Song, senior VP for security markets at Splunk.
Security is not Splunk’s first mission. The firm specializes in offering Software-as-a-Service-based big data applications. But in recent years, some Splunk customers have been using the platform for IT security.
All it took was a change of thinking. Big data apps look for patterns in data, yielding insights that lead to ideas about how to better sell a product or a service. Why not apply the same pattern-recognition capabilities to gain insights into who has been looking into data they have no business looking at?
“What we need is a mechanism for situational awareness,” Song said. Once something is spotted that breaks the pattern of normal usage, the IT manager can respond by containing the threat. Here, Song falls back on biology for an analogy: the response would be no different from antibodies fighting an infection.
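The detection approach described above, applied to access logs, as an added example that is not Splunk's code or anything the article describes in detail: a per-user baseline of normal usage (which areas of the file store a user touches, at what hours, and how much per day) is learned from a quiet period, and later events that break that pattern are flagged for the IT manager. The log format and all log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log, one event per line: "<timestamp> <user> <action> <path>".
# The first block is a quiet week used to learn what "normal" looks like.
BASELINE_LOG = """\
2015-03-02T09:14:05 alice READ /finance/q1-report.xlsx
2015-03-02T10:02:41 alice READ /finance/budget.xlsx
2015-03-02T11:30:12 bob READ /engineering/design.doc
2015-03-03T09:45:00 alice WRITE /finance/q1-report.xlsx
2015-03-03T14:12:33 bob READ /engineering/specs/api.md
2015-03-04T08:55:19 alice READ /finance/forecast.xlsx
2015-03-04T16:20:08 bob WRITE /engineering/design.doc
"""

# Later events to score against the baseline (also constructed).
OBSERVED_LOG = """\
2015-03-09T09:20:00 alice READ /finance/q2-report.xlsx
2015-03-09T22:41:17 bob READ /engineering/design.doc
2015-03-09T23:05:44 bob READ /hr/salaries.xlsx
2015-03-09T23:06:01 bob READ /hr/reviews/alice.doc
2015-03-09T23:06:09 bob READ /hr/reviews/carol.doc
2015-03-10T10:00:00 alice READ /finance/budget.xlsx
"""


def parse_line(line):
    """Parse one log line into a dict; 'area' is the top-level directory (e.g. '/finance')."""
    ts, user, action, path = line.split()
    area = "/" + path.split("/")[1]
    return {"time": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "area": area}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(events):
    """Per user: areas touched, hours of day seen, and the busiest single day in the window."""
    baseline = defaultdict(lambda: {"areas": set(), "hours": set(), "max_per_day": 0})
    per_day = defaultdict(int)
    for e in events:
        b = baseline[e["user"]]
        b["areas"].add(e["area"])
        b["hours"].add(e["time"].hour)
        per_day[(e["user"], e["time"].date())] += 1
    for (user, _), n in per_day.items():
        baseline[user]["max_per_day"] = max(baseline[user]["max_per_day"], n)
    return baseline


def detect_anomalies(baseline, events, hour_slack=1):
    """Return (timestamp, user, path, reasons) for every event that breaks the user's pattern.

    Three checks: an area the user never touched before, an hour outside their usual
    working hours (with +/- hour_slack tolerance), and more events in one day than the
    user's busiest baseline day.
    """
    findings = []
    per_day = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])          # .get() does not create a default entry
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["area"] not in b["areas"]:
                reasons.append(f"new area {e['area']}")
            if not any(abs(e["time"].hour - h) <= hour_slack for h in b["hours"]):
                reasons.append(f"unusual hour {e['time'].hour:02d}")
            key = (e["user"], e["time"].date())
            per_day[key] += 1
            if per_day[key] > b["max_per_day"]:
                reasons.append(f"daily volume {per_day[key]} exceeds baseline max {b['max_per_day']}")
        if reasons:
            findings.append((e["time"].isoformat(), e["user"], e["path"], reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for ts, user, path, reasons in detect_anomalies(baseline, parse_log(OBSERVED_LOG)):
        print(f"{ts} {user} {path}: {'; '.join(reasons)}")
```

On the constructed data, alice's daytime reads in /finance stay silent, while bob's late-night walk through /hr trips all three checks at once. The point of combining checks is that each alone is noisy (a single late login, one new folder); it is the combination that is worth an analyst's attention, which is the containment trigger Song describes.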
That, in turn, has led to a shift in spending at the company. “Before, the money spent on prevention was four times [greater than] detection. Change the premise. We will never have airtight [defense]. Assume they are inside the system and let’s invest in detection.”
Looking Inside to Defend Against the Outside
Security is not enough. Vigilance and resilience have to be part of the solution, too. “We need a clearer picture of where the risks are and when we are under attack,” said Ed Powers, US leader for Deloitte’s cyber risk services.
Deloitte has counseled more than 1,000 clients in the past year about cyber risk. While boards and executives are paying more attention than they once did, and paying more money for security, their perception of the problem has not gotten better, Powers said. What, then, is adding to security risk?
“Over the last 15 years, we systematically connected our economy with the technology to share information, not protect it,” said Powers. “It is possible to protect information, but it is costly to do it.”
Next, no matter what business you are in, “you have to trust people,” Powers said. “People make mistakes.” Human errors and complacency create openings for malware to get in. Yet, “you have to continue trusting people,” Powers added.
Finally, the connection between the organization and its strategic agenda magnifies cyber risk, Powers noted. “You can’t afford to stop doing things,” he said. “You are going to increase cyber risk over time.” But you can’t focus on securing everything.
Cyber-security gets especially tricky when one considers the “insider threat” — the disgruntled employee who has access to your data. “How do you create a defense in depth and create vigilance without destroying a culture of trust?” Powers said.
At Deloitte, the cyber risk team works hand-in-hand with a human capital team, using behavioral psychologists to figure out what constitutes normal corporate behavior, and what does not. The challenge is to spot those workers who are acting