That requires analytics. We need to be able to bring together data in a way that answers complex questions about the behavior of insiders, and look at meaningful deviations from the norm and then call that out and isolate it. And maybe sometimes out of thousands or millions of sessions, be able to look at it and say, 'This one is a threat'. So you need that analytics layer to give you visibility into what would otherwise be a ton of false positives, because most large organizations are contending with millions of incidents.
Do compliance requirements adequately address the threat?
OGREN: Compliance has been security's best friend for years, making it easy to say you just have to do this. But the downside of compliance is that it absolutely stifles innovation, because now it's harder to justify incremental security in this new world of mobility and virtualized data centers. I'd love to see compliance get a little more intelligent about involving new technologies and about new approaches to the problem. Because obviously it's not working today. People are getting breached all over the place and it's causing great damage to our economy.
Breached even when they are compliant, right?
OGREN: Absolutely. These companies are doing the best they can and they've got good people, they know the security issues and they're absolutely helpless, aren't they? So at some point we need to carve out space to find new things that move the state of the art ahead. I think compliance has actually slowed down a bit that way.
AMMON: Never confuse compliance and security. They should be and to some degree are connected. But one doesn't necessarily equal the other, for sure.
Going back to the false positive question ... given that insiders are people, then false positives become really dangerous because you're fingering an employee. Has the industry done enough to limit false positives when it comes to insider threats?
RIFAI: Many companies are drowning in false positives. So it goes back to a need for analytics-based remediation to help you understand patterns, properly categorize incidents, diagnose the causes of these incidents, determine the right action, and in the process prevent a lot of these false positives from occurring.
AMMON: I believe you have to separate authentication from authorization. This idea that you authenticate yourself via legacy mechanisms like VPN and then you're allowed to move about can no longer be tolerated. You should authenticate yourself and only then be provided the specific access you need. It makes it much easier to monitor. You get rid of a lot of the noise, particularly with privileged users.
And once you're containing and controlling and monitoring that access, you have to move to a level of in-line enforcement rather than post analysis. So you want to be able to enforce your policy in a more proactive way, and I think you want to provide tools that are more efficient. I know we have moved away from using the log data as the primary format to a full recording of the session. So if it looks like someone has attempted a violation you can replay exactly what they were doing on the screen and that greatly reduces the task of trying to stitch together the pieces.