Rather than focus on attacks from the outside, organizations should concentrate on the internal networks, data and risks within their control.
In focusing on the potential attackers outside of organizations, government agencies and private-sector companies may be missing the larger threat looming inside their organization, according to one prominent cybersecurity expert.
“We pretend we have a perimeter. We have this fantasy of the perimeter that sits around the enterprise… keeping the bad stuff from getting in,” Richard Ford, CTO for network security vendor Forcepoint, told an audience at Black Hat USA in Las Vegas last week.
“It’s very ‘threat-centered,’ which forces us to focus and rely on this dissolving, or nonexistent, perimeter, ” Ford continued. “This makes the job very challenging.”
Rather, he advised security professionals and other executives to consider the potential IT security risk posed by those who already have access to the organization’s networks and data rather than obsess about external bad actors alone.
“I would argue that honestly, security is pretty broken. And we broke it,” Ford said during his session entitled Inside Out: Viewing Everyone & Everything as Potential Insider Threats. “As an industry we’ve been so focused on the outside threat.”
Ford said that a better way to mitigate risk is to flip the script and start concentrating more effort on the internal networks, data and risks within an organization’s span of control. “What if we start to think about what’s inside, what we control,” he said. He added that this change of approach may also call for creating a more expansive definition of what is “inside” the organization -- one that includes any bring-your-own-device smartphones or laptops, personal networks used for work or information stored in the cloud or at a third-party site.
Ford acknowledged that organizations should not “burn their firewalls and give up their antivirus software” protections. Rather, he said this change of attitude and approach lies more in fundamentally altering the way IT security is handled -- going from a reactive stance to a more proactive one. “As soon as we build a wall that is 20 feet high, our attackers will build a ladder that is one foot higher than that,” he said, adding that “reacting” to these changes with new products and technologies ultimately creates fatigue in the way IT security is perceived.
Thinking also about the potential threat coming from inside the organization -- be it a phishing email carelessly opened by an employee or a disgruntled current or former worker colluding with bad actors for personal gain -- makes more sense because those attacks are fairly prevalent and typically more damaging. “It’s a much different way of approaching this space,” Ford said. With this in mind, the question shifts from “Where is this coming from?” to “What is this program/user trying to do, and should it be doing that?” he added.
He urged organizations to stop thinking about “insider threat situations” as being synonymous with mistrusting employees. Instead, because the vast majority of insider threats are ones that prey on responsible system users who mistakenly open the wrong file or attachment, security should focus on making sure employees have what they need to do their jobs and “providing them protection.” By looking at what parts of the network and what data is being accessed in attacks makes it easier to find the “accidental insiders” who are being too cavalier with opening attachments or misusing their access. “These are the perfect candidates for additional training and better tools to manage their access,” Ford argued. “But this should not be about distrust of the users.”