Keynote FORCEPOINT : Does the future of cyber security involve adaptive protection against risk?

The aim of this conference is to explain how to move forward on adaptive protection issues, reintroduce humans in cyber security and restore user trust. The speaker is Nico Fischbach, CTO of Forcepoint.

(*video in french)

Review of the conference

When digital transformation meets cyber security

Upon exiting a meeting, CISOs (Chief Information Security Officer) often find themselves involved in a project that’s just days from its launch. Conversely, when the ISD (Information System Department) sometimes leaves a meeting with security teams to submit a corporate digitisation plan, all they’ve been told is that security policies cannot be changed.
In other words, there is rarely true communication between ISD and CISO teams. And, users consider every new tool or security policy to be a point of friction, when their objective is actually to offer added value.

What do security evolutions and the automobile have in common?

Cyber security evolutions can be compared to the advances made to the automobile. When we build an environment, it is essential to have a good chassis. We can have the most beautiful car in the world, but if the chassis is weak, performance will be limited. In computer security, the idea is to build an architecture based on what has been done by companies over the past ten to fifteen years. That is, on a solid base.
Then come the engine, trim and features. Five or six years ago, vehicles would beep when they came too close to a vehicle in front of them. Today, new models don’t beep anymore. Instead, the car automatically slows down when it gets close to another vehicle. Although drivers were surprised at first, they quickly got used to this feature and came to trust it.
The principle is similar in business. Many sensors are deployed, but companies don’t necessarily have the means to process the data they provide. 
Like cars, the idea is to trust a system that frees users, but keeps an eye on them. Sensors and intelligence are added to detect problems before humans can. This allows an automated response to block problems before they can occur.

Putting humans back at the heart of cyber security

Users and data are the two constants in hybrid information systems that combine hosting centres within companies, third-party centres and the cloud. To avoid blocking users unnecessarily, three levels of risk are defined to understand what users do with these data:

  • In low risk, users with a sufficient authorisation level are permitted to copy data to a USB key without being hampered by the system. The action is simply recorded and stored.
  • In medium risk, users who want to send data by e-mail could be asked to confirm whether they want to perform the action in question.
  • It is only in high-risk situations like phishing, for example, that user accounts are blocked reactively and automatically.

Putting in place an adaptive protection program

The goal of an adaptive protection program is to reduce the points of friction and increase user trust. Companies have been investing in cyber security infrastructures for years. All these solutions don’t need to be thrown away, because they are still useful. Antiviruses, firewalls and email gateways are probes that provide plenty of information that can be useful when taking decisions.

Adaptive protection is also a question of maturity and is not suitable for all companies. Putting it in place requires a certain amount of experience in the area of risk management. Concretely, adaptive protection involves consuming all the information uploaded by existing architectures and assigning it meaning. This makes it possible to detect, analyse and block threats. There are four steps for implementation:

  1. Private data policy: Respect privacy and national laws, involve the legal and HR departments, communicate transparently and use clear procedures to protect staff.
  2. Risk policy: Keep it simple, let the system do its work and take action to reduce friction.
  3. Controlled deployment: Identify a group of test users, adapt the rules to refine the policies, learn behaviours over 30 or 60 days, validate and deploy.
  4. Adaptive protection: Get a great car with a solid chassis, good brakes and excellent wind resistance (reduce friction). In other words, get effective collaboration from the departments through good leadership and a robust corporate culture. Employees need to be told why these solutions are being deployed, and what it means for them.

And so, an adaptive protection program restores trust by default, it doesn’t block by default. 
Adaptive protection lets employees succeed without hobbling them. And, boards of directors will see this solution as a vision of a company on the move, allowing added value where security is considered proactive and non-blocking. Last, security teams will have much fewer incidents to deal with, and will be able to respond quickly to incidents that actually do occur.