InfoSec is people

Most information security and data protection events have a strong technology focus. After all, for the last decade or so, the rising tide of cybercrime has been largely seen as a technical arms race.

The good guys strengthen their defences, the bad guys escalate with a new attack vector. Then the good guys get stronger defences so the bad guys change their methods. Rinse and repeat ad infinitum.

But the security business has come to a realisation. Technology is not going to solve all the problems of InfoSec. This was the unexpected theme to come from this year’s CLOUDSEC event, hosted by Trend Micro in Sydney. This is the first time Trend Micro has brought this event to Sydney.

With over 500 attendees and around 20 exhibitors, CLOUDSEC 2016 brings together a broad cross-section of the InfoSec community.

The morning sessions, prior to the afternoon breakouts, were delivered by Rik Ferguson, the Vice President Security Research at Trend Micro; Michael Barnes, the VP Research Director at Forrester Research; Timothy Wallach, the Supervisory Special Agent Cyber Taskforce at the FBI; and Dhanya Thakkar, Vice President of Trend Micro. The first three speakers then came together for a panel discussion.

All of the speakers had a common message. The age of technologically-led defence is behind us.

Instead, there needs to be a clear connection between cyber-risks, business risk, user behavior and corporate decision making. From Ferguson noting that many of the most expensive breaches come from social engineering attacks such as business email compromise, to Wallach’s revelation that just 45 records, from a pool of over 60 million that were stolen in one breach, were needed to net the thieves over US$9M by breaching teller machines, it’s clear the bad guys are increasingly targeting specific individuals.

Throughout the day, speakers mentioned that emerging techniques in the machine learning and artificial intelligence realms are becoming increasingly important. Their role is not to detect specific breaches directly but to identify anomalous behavior that may come from either an intentional breach or from users acting in ways that make them open to attack.

Throughout the day, there were continued references to the importance of people in security.

User education, everyone agreed, needed to be continuous, targeted and made relevant to the everyday activities of personnel. It was interesting to contrast the training programs employed by Trend Micro and the FBI. During the panel discussion, Ferguson described the internal security program at Trend Micro. It’s done without warning with a great many metrics collected. In particular, he said it was important to focus on positive behavior and reward it, as well as the negative.

In contrast, Wallach described the FBI’s program which relied on more traditional computer-based learning even though, he says, the FBI has a very strong internal security culture.

During a very interesting and engaging afternoon session, the last before the social part of the conference kicked off, Nick Klein, a trainer with SANS and an accomplished digital forensic investigator, discussed various tools and techniques that can be routinely employed when conducting a cybercrime investigation.

One of the key points he made was the reliance on “IT people” by management to investigate incidents. Although they might have strong technical skills, digital forensics is a very specific field. He noted that many investigations have either been made more difficult or completely destroyed by the actions of poorly trained, but well-meaning, IT teams.

InfoSec is clearly at a pivot point. For the last two decades, since the first widespread malware attacks of the 90s, the security industry has been focused on delivering new technical solutions that addressed specific vulnerabilities. In response, threat actors have coalesced into loosely affiliated networks that share intelligence and tools.

But at the heart of every attack lies an end-point and that end-point is a person.

What was clear from CLOUDSEC 2016 is that engaging business people, on their terms, is vital. This ranges from how threats and risks are presented to board members, to how users access systems, to how IT people secure systems and investigate incidents.

Holding a scalpel doesn’t make you a surgeon. Similarly, running a bunch of security hardware and software doesn’t make you secure. It’s about training, skills and ongoing education. It’s about people.

Stories by Anthony Caruana