Most information security and data protection events have a strong technology focus. After all, for the last decade or so, the rising tide of cybercrime has been largely seen as a technical arms race.
The good guys strengthen their defences, the bad guys escalate with a new attack vector. Then the good guys get stronger defences so the bad guys change their methods. Rinse and repeat ad infinitum.
But the security business has come to a realisation. Technology is not going to solve all the problems of InfoSec. This was the unexpected theme to come from this year’s CLOUDSEC event, hosted by Trend Micro in Sydney. This is the first time Trend Micro has brought this event to Sydney.
With over 500 attendees and around 20 exhibitors, CLOUDSEC 2016 brings together a broad cross-section of the InfoSec community.
The morning sessions, prior to the afternoon breakouts, were delivered by Rik Ferguson, the
Vice President Security Research at Trend Micro, Michael Barnes, the VP Research Director at Forrester Research, Timothy Wallach, the Supervisory Special Agent Cyber Taskforce at the FBI, and Dhanya Thakkar, Vice President of Trend Micro. The first three speakers then came together for a panel discussion.
All of the speakers had a common message. The age of technologically-led defence is behind us.
Instead, there needs to be a clear connection between cyber-risks, business risk, user behavior and corporate decision making. From Ferguson noting that many of the most expensive breaches coming from social engineering breaches such as business email compromise, to Wallach’s revelation that just 45 records were needed, from a pool of over 60 million that were stolen in one breach, to net the thieves over US$9M by breaching teller machines – it’s clear the bad guys are increasingly targeting specific individuals.
Throughout the day, speakers mentioned emerging techniques in the machine learning and artificial intelligence realms are becoming increasingly important. Their role is not to detect specific breaches directly but to identify anomalous behavior that may come from either an intentional breach or from users acting in ways that make them open to attack.
Throughout the day, there were continued references to the importance of people in security.
User education, everyone agreed, needed to be continuous, targeted and made relevant to the everyday activities of personnel. It was interesting to contrast the training programs employed by Trend Micro and the FBI. During the panel discussion, Ferguson described the internal security program at Trend Micro. It’s done without warning with a great many metrics collected. In particular, he said it was important to focus on positive behavior and reward it, as well as the negative.
In contrast, Wallach described the FBI’s program which relied on more traditional computer-based learning even though, he says, the FBI has a very strong internal security culture.
During a very interesting and engaging afternoon session – the last before the social part of the conference kicked off, Nick Klein, a trainer with SANS and an accomplished digital forensic investigator, discussed various tools and techniques that can be routinely employed when conducting a cybercrime investigation.
One of the key points he made was the reliance on “IT people” by management to investigate incidents. Although they might have strong technical skills, digital forensics is a very specific field. He noted that many investigations have either been made more difficult or completely destroyed by the actions of poorly trained, but well meaning, IT teams.
InfoSec is clearly at a pivot point. For the last two decades, since the first widespread malware attacks of the 90s, the security industry has been focused on delivering new technical solutions that addressed specific vulnerabilities. In response, threat actors have coalesced into loosely affiliated networks that share intelligence and tools.
But at the heart of every attack lies an end-point and that end-point is a person.
What was clear from CLOUDSEC 2016 is engaging business people, on their terms, is vital. This goes from how threats and risks are presented to board members, how users access systems and how IT people secure systems and investigate incidents.
Holding a scalpel doesn’t make you a surgeon. Similarly, running a bunch of security hardware and software doesn’t make you secure. It’s about training, skills and ongoing education. It’s about people.