By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services
In the last post, PART #3 – Security and Fraud: What is normal?, I talked about trends in the identity and access management space and what they tell us about defining normal. Given the change in threats and the need to accept the risk of more sophisticated attacks, it’s inevitable that more and more attacks will appear as acceptable behavior on the surface. They may nonetheless be behaviors that slowly siphon off valuable assets. But knowing what IS normal and detecting fraud are not easily done, and they require a fundamental shift in security strategy.
Today we look for events that represent a certain type of threat. We monitor a wide range of systems and event types, focus on correlation, limit our exposure through comprehensive vulnerability management, and seek to limit impact via a defense-in-depth strategy. All of this ties into a meaningful risk management program and very solid practices. Perfect. However, the common thread is a focus on generally known conditions. We have a lot at our disposal to help quantify threats, and that helps us make very informed decisions about risk. But what we’re lacking is the ability to define normal behavior.
Look at the work DARPA is doing around behavior analysis to determine threat potential. This is directed at everything and everyone. In simple terms, anything can be a threat at any time, regardless of preconceived judgments. Today your secretary is nice, tomorrow she’s emailing your competitor all your files. What characteristics of her activities could have warned you of this potential? Was it her or her infected systems?
Security is about controls and creating a model to protect assets from threats. But threats are becoming far more intertwined with our business – its systems, processes, applications, and people.
Today’s capabilities are looking at “threat” conditions so we can effectively apply controls to achieve a balance between threats and assets. The problem that is quickly surfacing is the redefinition of the threat relative to the controls — we are now looking for what is wrong as opposed to what is right.
Financial companies do this naturally, and I have received numerous calls from American Express looking to make sure that the ticket I purchased in Rome was valid. A great service.
Now the question is — how do we tie that type of fraud detection effectively into the IT security program? It’s a huge shift, and one that runs counter to the direction today’s technology is developing. However, with the change in how threats are manifesting themselves, it’s reasonable to expect fraud to become more of what security organizations focus on.
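As an added illustration of the "what is right" approach argued for above (not code from the original post or from BT), the snippet below builds a per-user baseline of normal outbound email behavior from a constructed mail-gateway log and then reviews one day against it, flagging the kind of departure the secretary example describes: a volume of attachments far outside that person's own history, sent to a recipient domain never seen before. The log format, user names and domains are all assumed sample data.

```python
import statistics
from collections import defaultdict

# Constructed sample mail-gateway log (not real data):
# (day, sender, recipient_domain, attachment_bytes)
LOG = [
    (1, "alice", "partner.example", 200_000),
    (2, "alice", "partner.example", 180_000),
    (3, "alice", "partner.example", 220_000),
    (4, "alice", "partner.example", 190_000),
    (5, "alice", "partner.example", 210_000),
    (6, "alice", "rival.example", 9_500_000),  # day under review: unusual
    (1, "bob", "vendor.example", 400_000),
    (2, "bob", "vendor.example", 600_000),
    (3, "bob", "vendor.example", 500_000),
    (4, "bob", "vendor.example", 450_000),
    (5, "bob", "vendor.example", 550_000),
    (6, "bob", "vendor.example", 520_000),    # day under review: ordinary
]

def build_baseline(log, last_baseline_day):
    """Per user: mean and population stdev of daily outbound attachment
    bytes, plus the set of recipient domains seen in the baseline window."""
    daily = defaultdict(lambda: defaultdict(int))
    domains = defaultdict(set)
    for day, user, domain, size in log:
        if day <= last_baseline_day:
            daily[user][day] += size
            domains[user].add(domain)
    profile = {}
    for user, per_day in daily.items():
        vals = list(per_day.values())
        profile[user] = (statistics.mean(vals), statistics.pstdev(vals), domains[user])
    return profile

def review_day(log, day, profile, k=3.0):
    """Return {user: [reasons]} for users whose activity on `day` departs
    from their own baseline: a never-seen recipient domain, or a daily
    volume more than k standard deviations above their usual level."""
    findings = defaultdict(list)
    volume = defaultdict(int)
    for d, user, domain, size in log:
        if d != day:
            continue
        volume[user] += size
        seen = profile.get(user, (0.0, 0.0, set()))[2]
        if domain not in seen:
            findings[user].append(f"new recipient domain {domain}")
    for user, total in volume.items():
        mean, sd, _ = profile.get(user, (0.0, 0.0, set()))
        if total > mean + k * max(sd, 1.0):  # floor sd so a flat history still has a threshold
            findings[user].append(f"volume {total} exceeds baseline {mean:.0f}+{k}*{sd:.0f}")
    return dict(findings)
```

Note that nothing here matches a known-bad signature; the only question asked is whether each person's day looks like that same person's previous days.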
Up next, I’m going to jump forward to highlight a potential direction I suspect will materialize in the coming years. It’s going to require a leap of faith, but it’s building on what has been discussed so far and taking it to a long-term vision.