The human point: Gaining visibility into the context behind user actions

In this podcast recorded at Black Hat USA 2017, Dr. Richard Ford, Chief Scientist at Forcepoint, talks about the security industry’s need for a paradigm shift toward examining user behavior and intent.

Here’s a transcript of the podcast for your convenience.

Hello, my name is Dr. Richard Ford, I’m the Chief Scientist over at Forcepoint. In that job, I’m responsible for a variety of different things, but one of the things I’m most excited about is doing some of the fundamental research around what we call the human point. And that’s really what I’m here to chat with you about today.

Excellent, can you tell me more about the human point?

Yeah, so first of all, when we say the ‘human point’, what do we mean? Cause that’s not a common expression, it’s an empty vessel that we can put something in. But I think it’s really important – stems from the insight that the most valuable time for your data, but also the most vulnerable time of your data is that point of intersection where your most critical data is accessed and used by another person. By a person, right? It’s that human point of intersection with your valuable data that forms the human point. And I think one of the things we’ve done wrong in cyber, is we tend to think very tech-centric. If you walk the floor here at Black Hat where we are today, it’s a very tech-centric floor. So when we think about that floor, by focusing on the technology, we sometimes miss the importance and the subtleties of how your data is most valuable and most vulnerable at that human point.

When we think about security, putting more security around that human point and also truly valuing that human point, because that’s where your data is really actionable becomes really the goal of cyber. And by focusing on that more than continually focusing on threats, we can stop being so much on the back foot against the attacker, cause one thing is pretty true, and that’s that people don’t change. Right? We’ll change a little bit. But people are much more consistent than the attacks, which can come from all different directions, makes it hard to follow.

So, Richard, why is that the better way?

Right, so we touched on that right at the end. So, it’s a better way for a number of different reasons. The first thing is, when you come in the morning and you look at your logs, you have hundreds of thousands, and if you’re more like us, hundreds of millions of events that occurred over the weekend, and you’re buried in this pile of data.

If instead you start to slice that data and that world view up going from events to what’s really happening on my network on a higher level, why is Richard looking at this, why is this account the most risky? We get out of being buried by data and we get into this mode where I’ve gone from hundreds of millions to maybe what, 2,500 different employees that I have to think about and their interactions with the data. And to be clear, that’s not necessarily saying this employee is doing something bad with the data. It might be that this employee is compromised, or this employee is trying to get the job done and they’re using an unapproved tabbed service. So we’ve seen very good, well-meaning employees drive breaches by saying ‘I’m going to do this analysis out in AWS or somewhere out in the cloud’ and then because they’re not a security expert, failing to secure that critical data in the cloud. So I think it’s a better way because we’re buried in data, and what we need is really information. Right? We need to start filtering it through this lens of that point of interaction.

The second reason it’s a better way is it’s not continually reactive. So we’re not always on the back foot with the attack, waiting for the attacker to sort of do something so that we can react to it. It’s like playing rock, paper, scissors right now where I’m going to make you always go first, and I’m really good at winning that game. Right? If you’re playing first, I’m pretty confident about it. And so, by allowing the attackers to dry off the dams, to call the tune if you like, that puts us in a bad position.

It’s also a better way because sooner or later, if I want to steal something, I’ve got to touch it. I’ve got a cup of tea sitting here on the table in front of me as we’re chatting. If I want to get that cup of tea, I can come at it in all kinds of different ways, but eventually I’m going to have to pick it up in my hand. So by focusing on that point of interaction, it simplifies. I’ve seen it written that data is the new perimeter. Right? And there’s a lot of sense to that sort of world view, right, when you think about it?

So, by focusing on this human point where the data and the user meet, you have a simpler way of thinking about it. It’s a very human way of thinking about it too. So, you know, the human mind can’t look at all those log files, right? You can’t hold that in and make a story out of it. It’s like pixels of a frame without the meaning of a picture. So, by focusing on this more human interaction, we can start to do security better, cause it’s a simpler more consistent way of looking at your data in a way that actually values what you care about the most.

And how do you make that real?

Yeah, right, so it sounds like smoke and mirrors – it sounds like this is hard. Fortunately, especially from Forcepoint’s perspective, we’re sitting at all the right points on the network, so it all starts with visibility.

Think about it – most security comes from visibility, then control, then predict. So if I think about visibility, Forcepoint has the beautiful position of sitting at the edge of the network, we’re obviously in the firewall space. We also handle all content, so we can see content that’s coming through the email channel, which is a very important channel for data movement. And also the web channel. And then of course we have insider threat and DLP, you know, solutions that give us much more granular access. So you know, sometimes people ask me can’t you just do this with analytics from a distance, like with UBA? And the answer is it’s like looking at a field from a long way away with a pair of binoculars versus being right there next to the data where you can interact with it. You’ve got a much better view from up close, right?

It starts with the visibility. And one of the things that I think is unique to us is that we were a company that was purpose-built to be able to get to those critical points of visibility in the network, and they’re also critical points of control in the network. So the other problem with looking at things from afar, is you can’t influence what’s happening. You’re a passive observer, and we’re an active observer, right? So we actually can have control. And then finally, the magic here where it really gets clever, is you start to use analytics to make sense of those events into a story.

If you think about the current computer security sort of model, it’s about getting more data. So, if we were trying to understand a movie, let’s say Armageddon, right? We’d look at a frame of Armageddon, we’ll be like ‘I can’t really figure out what this is about’ and so we’d add more pixels to it. Let’s look at it in 4k or HD – doesn’t tell you anything about the movie, you don’t know what’s going on. But even if you just drew stick figures in the corner of your notebook and flick through it, very low resolution, you’d know instantly that it’s about one rock trying to hit another rock, which is kind of the plot of the movie, plus some bits with Bruce Willis. You know, so you get the basic idea, right? It’s about seeing this in motion that’s really important. So, your analytics start to take all these single pixels and turn it into a picture, and then we turn these pictures into a moving picture and that trajectory, those analytics are important.

One of the risks with all that is privacy. So, privacy is near and dear to my heart. So the immediate response, and I like to take it head-on, is are you monitoring all this stuff? So, that’s absolutely true, but the point is that if you bake privacy in, you bake that human-first way of thinking of these things as opposed to machine-first, you can do a really good job of respecting the privacy of the individuals but still providing protection for the company. And it’s that balance that we’re all so pretty keen on, and that’s an important point that some people forget. We always think about the company – that’s one side of the equation, you have to think about the person too.

What’s next for Forcepoint?

Well, a lot of good things. I mean, what’s next for me after this is to get some sleep, you know how Black Hat always is, so there’ll be people listening and will know exactly what I’m talking about. For Forcepoint at large, what you’re going to see is us weaving this human point through all our products, through all of these different points in the network. And becoming very much a human-first, people-first security company that offers unparalleled protection and unparalleled privacy for the people who access and use data at their most vulnerable and most valuable human point.

You’ll see even in all our upcoming releases this story becoming more and more consistent with how we do security, with the goal of simplifying. The goal of security is to enable business – it’s about, as our CEO Matthew Moynahan likes to say, it’s about stopping the bad and freeing the good. And we sometimes focus on stopping the bad to the extent that it makes freeing the good and getting our job done hard. Security is a means to an end, we’re here to make certain that we can meet those ends in the business context and you’ll see that woven through all our future releases in increasing amounts as time goes on. We’re excited about it. It’s going to be hard but interesting work. Certainly going to keep me busy.