Interview

Human behaviour is the new perimeter: Matt Moynahan, Forcepoint

Digital identities will be the ultimate weapon for CSOs against the hackers says Matt Moynahan, CEO, Forcepoint.

Matthew-Moynahan-CEO-Forcepoint-300x225.jpg

Matt Moynahan as Forcepoint’s CEO since 2016 launched a bold approach to the world of cybersecurity, centered upon enabling customers to focus on what matters most. It was about understanding people’s behaviour and intent as they interact with critical data and IP wherever it resides.

IDG India had a detailed interaction with Matthew Moynahan, CEO, Forcepoint on his India visit who said, “Forcepoint’s human centric cyber security is the next generation, behaviour-centric analysis of activity on your network to ensure that data exfiltration doesn't take place as opposed to worrying about all the activity outside of your walls that is trying to get in.”

Edited Excerpts:

How murky has been the threat landscape in 2018 versus the past? Any new attack vectors or modus operandi by bad guys that’s scarier for organisations?

I think the scary part is that a lot of the same stuff that people are using to get in, which is behavioral based. Around 80% of all the breaches that are now taking place with some sort of identity or credential theft and 50% of all these sophisticated attacks by countries, nation-states against each other aren’t using malware, they are file less. That’s the big change which we expect will continue in future.

CSOs have a hard-hitting task to secure all forms of data from core to cloud in a ‘perimeter-broken’ environment. Is there a secret sauce to end their worries?

Most of the chief security officers will aye (say yes) when asked if the perimeter has dissolved or disappeared. But they are still spending their money on the perimeter technologies. In this new world of the cloud, people and information are meant to move and not be in one place at the same time. You will start seeing a new focus on technologies like DLP, which were built for credit cards back in the day, start to take more prominence.

Hardware boxes will blinker in security world: Forecpoint CEO

With cloud and SDx world, the hardware security boxes are expected to reduce in the company’s premises/data centres.

 

Forecpoint CEO Matt says, “There will always be some companies at some location/s that want an appliance. But, most things are distributed in nature – branch offices, people etcetra and hence the future will see bunch of different layers of security added to the traffic stream.”

 

A vast majority of network security services are being consumed in a cloud service model.

 

“That doesn’t mean that appliances won’t go away, container need to be a form factor, or end-points aren’t going away. Forcepoint’s view is to be deployment-agnostic and add value in the cloud, at the endpoint and network. We are much focused in understanding the behaviour for protecting workforce and companies from data exfiltration,” he says.

Technologies like UEBA and behavioural based will become prevalent, but they have to be real time and they have to be automated to adapt in this new world of hybrid and cloud, and public cloud and private cloud. Your security needs to be free to move with people and content, and it needs to be smart to get out of the way if there is no bad behaviour. Because the old world of having “yes/no”, “black and white” policy, then you might be able to get away with on-premise, you cannot get away with in this hybrid environment because it will impede your productivity and stop collaboration because the underlying technical landscape is so much more out of your control.
 
DLP has been a big focus and money churner for Forcepoint from heritage Websense. What are the new trends in DLP from demand perspective and technology innovation?
 
DLP is one of the most important technologies in the market today, in my point of view. The problem with DLP is that it wasn't designed for hybrid environments and most of the policies were a ‘one-size’ fits all. If you see this, block this; if you don't, let it go. And, now information is used so differently; in the old world DLP used to be almost more like database security – data at rest, lock it up; if starts to move, block it down. And, that's no longer good anymore.

DLP fused with behavioural analytics will understand the end-user who is actually interacting with the data and make more intelligent decisions. The next generation of DLP will be smart and not dumb, and that's where behavioural analytics will come to the fore.
 
Almost all security vendors are talking about behavioural technologies including Forecpoint’ risk adaptive protection that offers adaptive security through behaviour-centric analytics. But bad guys are smart cookies as they track and hack new behaviour patterns much faster.

The hackers have a hard time scaling. They are good at breaking systems, but they are not good at scaling. Hackers don't have the time, money or quite frankly desire to go understand every single human being on the network or every digital identity. They are good at tricking people, like phishing scams but they are not good at understanding the 24/7 behaviour, or the day in/day out behaviour of a good employee.

Understanding the behaviour of your own workforce, customers and partners will become the ultimate weapon for a chief security officer in this new world because almost like a new digital key that you can use, a fingerprint of the behaviour that hackers don’t have. Behavioural analytics isn’t around monitoring workforce for the purposes of watching them. It is about understanding your workforce for the purposes of protecting them because they are the targets of identity theft and that's where it's going to flip the entire model on its head.

What’s the state of Insider Threat? The 2018 edition of Global State of Information Security (GSIS) Survey 2018 by PwC and IDG indicates 50% plus of source incidents still originate from employees and ex-employees of organisations.

This is why behaviour is so important; once someone is authorized on your network it's all about behaviour. The first mile of behaviour is, did somebody steal the credentials of your employees and now using it to hack your information. The last mile is insider threat. Are employees that used to be good, turning against the company, and everything in between is good employees doing things that are causing harm but not intentional. They might be tired, they might be attaching something to an email which has been phished, they may be spoofed or may just try to get around a policy.  Behaviour covers the entire continuum, from identity theft to insider threat to all the good employees that are making the majority of data exfiltration. You got to stop the bad stuff which is insider threat like the credential theft. You have to help the good employees not do accidental things and that's still half the battle for chief security officers.

In the US, we see reports at the board level, that aren't going to talk about things like indicators of compromise and viruses stopped; you are going to start talking about things like data leakage events that you stopped, insider threat exfiltration attempts that you stopped that would have led to a breach or a news story. It’s more of an inside-out report card as opposed to the outside-in which is more fear based than anything else.

Matthew’s Bucket List for Next-Gen CSOs

  1. Have an infrastructure that is smart, based on an understanding of the identities on your network.
  2. Secure critical data inside that is important to someone else even though you may not think it's important to your company.
  3. Build a security model designed for next gen world which is hybrid, multi-cloud environments.
  4. Monitor each user equally as new discrimination isn’t about gender or sex or religion, it’s the job code.
  5. Manage the encryption keys properly and make sure that your policies are sound.
  6. If you assume to get breached then don’t spend much money on the perimeter but on the inside-out defences.
  7. Contain it right on the spot, when you see the bad behaviour interacting with critical data.

Any best practices for security leaders in terms of change management, leadership focus or IT strategy to thwart the menace of insider threat? Any silver bullet?

User activity monitoring should be commonplace. Most big banks, where there is a lot of insider threat are monitoring certain positions like traders, or people with privileged access. You really should equally monitor everybody; don’t discriminate. The new discrimination in the digital world isn't gender or sex or religion, it’s the job code. If you monitor one job code and not the others then hackers will take advantage as they know you are monitoring one part of the world but not the other. Equal activity monitoring while respecting the privacy of the individuals and using that information as a new type of key to understand behaviour will be crucial for CIOs and CSOs.

For good employees whose patterns have changed, the combination of insider threat and DLP can stop some of the very sophisticated use cases. If you don’t have DLP in your business and you're not doing active monitoring of identities, you are exposed.

Reportedly 95% of organisations have been breached. If we are beginning with the best practices, assume you are breached, assume they are going to get in, and ask yourself what critical data would they be going after, and how do you stop them from getting it out.  It’s a very different mind-set.

If you assume that you're going to get breached then you wouldn't spend so much money on the perimeter but spend more on the inside-out defences - the containment side of things, as opposed to the defence. The containment in this new world is where behaviour will be the new perimeter. Contain it on the spot, when you see the bad behaviour interacting with critical data.

What will be the CISO role in 2018 with regard to reporting protocol in an organisation? Do you expect more shift of power between C-suite executives by the year 2020?

In countries like India, CISOs are too many layers down or non-existent. But in some of our large customers in these regions, CISOs are reporting directly to the board or reporting directly to the CIO.

There’s an awakening in the US and Europe on critical infrastructure, and things like power plants and manufacturing plants, whether it is cars or food - those typically aren't underneath the CISO which is not a great place to be.

One case is the rise of the CISO from a levelling perspective and you see broadening of the CISOs’ mandates to include critical infrastructure. CISOs need to go more north towards the top and get visibility, and go east and west to expand the scope because right now critical infrastructure is exposed and it should ideally fall into the purview of CISO's to make those security decisions. Some of those environments don’t really have anyone at the top from a security stand point, it's usually the plant manager or the operations manager.

If CISOs manage more of critical infrastructure including cloud infra, end point security in future, what will CIOs do?

CIO is much like a CISO. For CIO there's no real training ground or certification to become a CIO. Companies need to sit back and decide basis the nature of business i.e. technically, regulatory, compliance and security. They need to introspect the proper CIO background and bias as these two executives bring very different things. Is it infrastructure bias or is it data protection bias, is it threat or is it containment?

For the CIO, is it infrastructure related, someone who can fully drive hybrid cloud strategy or is it regulatory compliance. It’s will really dictate the effectiveness of your infrastructure and the security posture of that infrastructure, if you don’t get that bias right. They can’t just hire a CIO or chief security officer to get a checkbox because it is going to dramatically alter the perspective of your infrastructure with that hired person for the years to come.

Organisations trust security vendors like a superman who will fight all the bad guys. However the reality is that security professionals seldom have a peaceful night because a petite window is always open for the hacker.

Just like the living body, there is a lot bacteria in our bodies that doesn’t hurt us. We don’t spend a lot time worrying about the risk of that stuff coming into our bodies. The risk is when something bad is about to happen, you want get it as soon as you possibly can and prevent it if you can and stop it if you have to. That's the way CISO's got to think.

... “The security industry somehow forgot about the person and they focused on viruses, events and indicators of compromise. It's become a forensic scene as opposed to a proactive police force that walks around the playground to ensure nothing bad happens.”
Matthew Moyanahan
Chief Executive Officer, Forcepoint

I really do believe that anyone who’s talking about perimeter risk alone is wasting their time. Anyone talking about containment and prevention from the inside out is a serious business consideration. How much inside-out risk do I have? How many people are hiring red teams or offensive teams to let you in and see how easy it is to get out? The world is going to wake up and recover from failure approach? And the failure being they broke in and how to recover from it which is containment and preventing data exfiltration as opposed to worrying so much about people getting in. It's a different mind-boggling perspective.

Every single security product ever made was designed to stop somebody from doing something. Almost every single type of hack, whether it was credit card fraud, cheque writing fraud, phishing, identity theft, it all has to do with impersonation. Somehow, the security industry forgot about the person and they focused on viruses, events and indicators of compromise, etc. It's become a forensic scene as opposed to a proactive police force that's walking around the playground to make sure nothing bad happens.

Endpoint security has become the new sexy even for network security vendors around jargons like EDR, UEBA, CASB. What’s your endpoint story to shine in the crowded market place?

Our strategy is simple as we stop trying to be all things to all people. Everyone talks about endpoint and you have CrowdStrike, Cylance and all the next generation technologies; you can’t even keep track of them.

Forecpoint will be the best at understanding behaviour on the endpoint, and enforcing policy on that endpoint. We’re not going to be an anti-virus company, but be the best behavioural and data Protection Company. The importance of our human point strategy is very focused in making the technologies’ good and add value to company’s security posture. The endpoint is sort of a bloodbath, if you will, everyone is trying to go after AV budget.  

What about physical security appliances by vendors - including Forecpoint that sells NGFW - in cloud and software defined world? Will the blinkering lights of shiny boxes fade out in the company’s own data centres?  

You will always have some companies at some location that want a box, for sure. But, now most things are now distributed in nature – branch offices, people, etc., hence what the future will see a bunch of different layers of security added through the traffic stream. That typically is a province of network security. A vast majority of network security services are consumed in a cloud service model. That doesn’t mean that appliances won’t go away, container need to be a form factor, or end-points aren’t going away.

Forcepoint’s view is to be deployment agnostic and to be able to add value in the cloud, at the endpoint and network. And, we are much focused in understanding the behaviour for protecting workforce, and companies from data exfiltration.

If I were a CSO building the next - next generation security strategy at my organisation, what should be key do's and don'ts?

From our perspective, one, have an infrastructure that is smart, based on an understanding of identities on your network. Two, begin getting your arms around and people are behind your categories of data that really matter to you.  And, it can’t be just data that is important to your company but data inside of your company that is important to someone else even though you may not think it's important to your company.

Once you understand identity and the data that is critical to your business, then you can start having a security model that is really designed for the next generation world which is hybrid, multi-cloud environments, where your business is running on an infrastructure that you don’t own or manage.

In sum; Identities, and data – and then making sure to manage encryption keys and your policies are sound. The next generation enterprises need to figure out identities, and how they interact with data and then apply enterprise class policy and encryption to those intersection points.