We recently made two big decisions. The first is that we decided to throw out our traditional approach to endpoint security and go with one of the newfangled behavior-based systems. The second involved facing up to the limits -- OK, failure -- of IT security education programs.
To be honest, the first decision was pretty easy because the traditional approach to endpoint security has always struck me as a little backward. The traditional approach is based on signature identification. Some nefarious person or group creates a new threat vector (sorry for slipping into the language of my information security team) and releases it into the world.
The threat vector does some level of damage before a security sleuth recognizes the threat's signature. The traditional endpoint security vendors then work hard to find a way to thwart the new threat; they add their mitigation to their libraries and we then automatically or manually deploy the new library to block the threat. This cycle then repeats -- seemingly forever.
The newfangled way is to monitor what is happening on devices, networks and servers and, based on behavior that we believe indicates some nefarious action or risky activity, block the behavior. Assuming this behavior-based security approach works, it makes sense to me. First, the behaviors are common across different types of threat vectors. Second, I don't have to worry about updating libraries or what might come into my life from an un-updated device. Third, this approach works for a wide range of equipment rather than just endpoint devices.
As part of our periodic review of systems, we had done some testing with behavior-based security approaches and were happy with the results. So when the existing contract for our traditional endpoint protection system expired, we made the leap. Lest you think this leap was painless, we are paying more now for protection than we did before -- but we are also protecting a lot more of our environment than we did before. Also, the behavior-based security systems find things that were previously hidden -- like something a software engineer is using or connecting to that is a bit sketchy. But, those shadowy IT operations seem to be the exceptions, and we can work those out now that we know about them. (In our case, the engineer begged us to let him connect to the sketchy service -- we are still deciding what to do about this one.) Time will tell whether we made a good decision but so far, so good.
IT security education: 'Abandon hope'
The second decision we made was to completely and entirely give up on humans. We had hoped that our IT security education programs -- training, frequent reminders, case studies, tools like data loss prevention (DLP) and begging -- would stop the people in our company from doing things like clicking on a blatant phishing link, emailing a sensitive data file to a customer or installing a thumb drive they found in the parking lot.
It turns out that my optimism about humans vis-à-vis IT security is badly misplaced. Indeed, I have lost hope in humanity, or at least in the efficacy of IT security education drills. When it comes to knowing and doing the right thing to prevent security breaches, the odds are stacked against us. The math is compelling. Suppose, for simplicity's sake, that there are 1,000 people in the company. What are the odds that not one among us thousand-strong will get suckered into doing something we should not? And, remember, all it takes is one.
So, how does my utter lack of faith in the human capacity to obtain an IT security education actually pan out day-to-day? We now treat everyone with suspicion. We assume that everyone is a bad actor and so lock down their access. We tease them with phishing attempts that we generate (just to see who will click that link). We don't let them use USB ports. We determine which external services and applications they can access. We treat them for what they are -- terrible persons who, if given the chance, will do something to put themselves and the company at risk.
All right, perhaps I am exaggerating my attitude, but I have learned through sad experience that people will make potentially life-altering mistakes -- not because they have bad intentions but simply because they are human. And since we are all human, no one is immune from being the one who makes the life-altering mistake, including the mistake that ends up putting a company at risk. Even I worry about getting caught when we send out an internally generated phishing attempt. Why? I am the last person who should be sent to the remediation training -- I am supposed to know what I am doing, and yet ...
About the author:
Niel Nickolaisen is a veteran IT leader, currently serving as the CTO at O.C. Tanner Co. He is a frequent writer and speaker on transforming IT and on IT leadership.