Just as prescreened travelers get fast tracked to their airport gates, agencies should adopt a risk-adaptive security approach that uses behavioral data to inform policies for individual users.
Airport security screening has long been a painful and time-consuming process, but that began to change when the Transportation Security Agency's TSA PreCheck program launched in 2011. As one of the first mainstream examples of risk-adaptive security, TSA PreCheck leverages known user behaviors to deliver a more targeted and efficient security screening process.
Government agencies today have opportunities to apply similar processes to growing cyber threats. According to Cybersecurity Ventures, the cost of cybercrime around the world is expected to hit $6 trillion per year by 2021. Meanwhile, in May 2018, the Office of Management and Budget released a report showing the majority of agencies that have cybersecurity programs in place are still at significant risk of attack.
But with a TSA-like risk-adaptive approach, agencies can make their policies stronger and more effective in today’s rapidly evolving threat landscape.
Not all passengers or threats are the same
Prior to 2011, all U.S. airline passengers were treated the same -- as potential threats -- and subject to inefficient, in-depth security review prior to entering the gate area. TSA PreCheck, however, applies security to the individual, not the group. It offers travelers a simpler screening process in exchange for detailed background information that helps TSA create targeted security policies for users. It lets the agency better understand and trust individual travelers, in turn making the process better, safer and more efficient for all.
Many government agencies today take a one-size-fits-all approach to security, treating all users as risky and eschewing any form of nuance or context. Security is based on binary choices between “good” and “bad” behavior, and often the entire staff pays for risks resulting from isolated incidents.
Utilizing a strategy that can keep pace with today’s sophisticated threat landscape is the path forward. Agencies should adopt risk-adaptive security tailored to individual profiles so they can ensure that an optimal level of security is always applied. It’s both a human-centric approach and a data-driven one.
Developing a baseline of “normal” behavior
Solving real problems with risk-adaptive security requires a better understanding of how and why individuals use and access information. According to a 2017 Verizon report, 81 percent of data breaches were the result of hijacked user credentials. And yet, a recent survey found that about 50 percent of commercial and federal IT practitioners said they do not correlate activity from multiple sources to understand and identify risky user activity.
Analyzing digital identities' daily patterns can help agencies develop a baseline of “normal” user behavior. When behavior deviates from the norm -- as would happen if someone’s credentials are compromised or if an employee, intentionally or not, begins accessing restricted data -- agency security personnel can look into that abnormal pattern and address to the problem as appropriate, perhaps by blocking that person's access to specific directories or services. The key is that security countermeasures are enforced without penalizing the entire workforce or rewriting security policies wholesale.
These responses can be automated and enacted in real-time. Automation allows an agency to increase its security posture without having to add resources or costs. Indeed, automation can potentially help lower costs by enhancing labor efficiency.
Traditional approaches can lead to friction and risk
It might be tempting, in the face of seemingly never-ending vulnerabilities and a stream of high-profile data breaches, to take an extremely defensive approach to security. When agencies have a limited visibility into context around individual user activity on a network, the default approach is to group users broadly and apply the most restrictive policy to the entire group in the name of risk and safety.
At first glance, the restrictions may seem to impede bad behavior, but blanketing departments or job titles with the same security policy can be frustrating for employees. And, more troubling, it can actually hurt security as employees seek clumsy and potentially risky workarounds. These shortcuts represent additional headaches for security administrators, as it becomes difficult to separate a real threat from workers simply trying to do their job.
Saying “no” to a culture of no
Government agencies cannot afford to rely on fixed policies and a culture of “no.” This mindset facilitates the illusion of security while creating more work for security teams, frustrating agency workers and potentially introducing additional risks.
By focusing on individuals and their behaviors, agencies don’t have to block all users from using the services they need to do their jobs. Instead, the government can implement more targeted and effective security measures -- ones that detect when data or credentials have likely been compromised -- that do not inhibit productivity. The TSA did it with PreCheck and has reaped enormous dividends, including the goodwill of its passengers, without sacrificing security. Risk-adaptive security processes can provide government agencies with the same benefits and a better security posture in today's ever-changing cyber threat landscape.
NEXT STORY: DARPA outlines adversarial AI defense