BlackBerry this week announced their AI-Powered Intelligent Security product, and I’m very impressed, and I wish we’d had this decades ago. I’ve run several security units over the years across several companies. One of the recurring themes is that we don’t focus on employees enough, given that’s where most of the breaches I’ve tracked have originated. Now sometimes the breaches have been intentional, like when a VP of sales gave a highly confidential document I created to a competitor before taking a job there. Some have been accidental, like when a CEO left his laptop unsecured and his son went in and renamed his critical files. And some have been retaliatory, like when a CIO, after a long tenure, was fired over email and formatted his company’s drives. Since then, we’ve had phishing attacks, ransomware has been getting into companies due to employee mistakes, and both the risks and the penalties surrounding breaches have skyrocketed.
I’ve been spending time looking at the Cylance acquisition by BlackBerry, and I think they finally have a way to address these kinds of exploits that have been driving CSOs to consider different careers. Let’s talk about Rethinking Security this week.
Cylance and Instrumenting the Employee with AI & ML
If we look back at all the issues I’ve observed over the years, all but one could have been caught and mitigated had the employee been instrumented and had an AI monitor. Now the one that wouldn’t have been caught is the VP of Sales because that was a written report that was delivered hard copy, so tracking had to resort to using things like watermarking after the fact. But the CEO who had left his laptop unsecured would have been protected by an AI that flagged and blocked the massive renaming of files and the CIO would have been flagged and stopped when he attempted to format the drives (given this wasn’t a task he regularly did and it would, and should, be red-flagged anyway).
Phishing and ransomware can also be flagged and stopped if the AI recognizes the mass encryption of files, or an employee sign-on from a location where the employee isn’t, flags it, and blocks the activity. This focus on assuring the employee is all part of the Cylance, now BlackBerry Intelligent Security, solution.
BlackBerry Intelligent Security captures, over a period of days, how an employee works, keeps track of the employee’s location, and then responds, based on policy, to what it sees. For instance, if an employee moves from a secured to an unsecured area, their permissions become more restrictive and what they have access to more limited. If an employee signs on from a location different from where the system believes the employee is, it will, depending on the policy, restrict access and alert immediately so that the potential breach can be prevented.
Even if an employee leaves their device, be it a cell phone, tablet, or PC, unattended, someone who gained unapproved access to it would be faced with a policy response that should lock them out of the device and company resources.
Wrapping Up: Security In-Depth
We recognize that perimeter security isn’t working and that our greatest exposure, long term, is likely our employees, because they are often the easiest path into a company. Part of security in depth must be to address this exposure: to make sure employees aren’t tricked into supplying illegal access, aren’t illegally gaining access themselves, and don’t become a vehicle for malware and ransomware. If we want to close off this unacceptable exposure, we must instrument the employees and put in place a solution that identifies when an employee behaves strangely, with policies that can auto-execute. In some cases, the policy may just ask the employee to reauthenticate to make sure they are who they are supposed to be; in others we may want to lock them out of the system until the concerns have been mitigated through other identity checks (multi-factor), personal contact, or other accepted authentication methods.
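To make the mechanism described in the product section and in the policy discussion above concrete, here is an added example of a small behavioral policy engine. It is not BlackBerry or Cylance code and says nothing about how their product is built; it simply learns a baseline (usual locations, usual hours, which actions are routine) from a constructed learning window, then maps each new event to a graduated response: allow, reauthenticate, restrict, or lock out. The thresholds, action names, user names, and events are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Graduated policy responses, ordered from least to most severe (constructed labels)
ALLOW, REAUTH, RESTRICT, LOCK = "allow", "reauthenticate", "restrict", "lock"
_ORDER = [ALLOW, REAUTH, RESTRICT, LOCK]

# Actions that are always suspicious unless they are part of the user's routine
HIGH_RISK_ACTIONS = {"format_drive", "encrypt_files"}
# Actions that become suspicious when applied to many files at once
MASS_ACTIONS = {"rename_files", "encrypt_files", "delete_files"}
MASS_FILE_THRESHOLD = 100  # constructed threshold


@dataclass
class Baseline:
    """What the system has learned about one employee during the learning window."""
    user: str
    usual_locations: set
    usual_hours: set
    action_days: Counter  # number of distinct days on which each action was observed

    def is_routine(self, action, min_days=3):
        # An action is routine only if it recurs across several days, not just once
        return self.action_days[action] >= min_days


def learn_baseline(user, history):
    """history: iterable of (day, hour, location, action) tuples observed for the user."""
    locations, hours, seen = set(), set(), set()
    for day, hour, location, action in history:
        locations.add(location)
        hours.add(hour)
        seen.add((day, action))
    action_days = Counter(action for _, action in seen)
    return Baseline(user, locations, hours, action_days)


@dataclass
class Event:
    """One observed activity; defaults describe an ordinary office-hours action."""
    user: str
    location: str
    action: str
    hour: int = 10
    files_touched: int = 1
    secured_zone: bool = True


def evaluate(baseline, event):
    """Return (response, reasons); the most severe triggered rule decides the response."""
    severity, reasons = ALLOW, []

    def escalate(level, reason):
        nonlocal severity
        reasons.append(reason)
        if _ORDER.index(level) > _ORDER.index(severity):
            severity = level

    if event.action in HIGH_RISK_ACTIONS and not baseline.is_routine(event.action):
        escalate(LOCK, f"{event.action} is not a routine action for {event.user}")
    if event.action in MASS_ACTIONS and event.files_touched >= MASS_FILE_THRESHOLD:
        escalate(LOCK, f"mass {event.action} on {event.files_touched} files")
    if event.location not in baseline.usual_locations:
        escalate(RESTRICT, f"sign-on from unexpected location {event.location}; alert sent")
    if not event.secured_zone:
        escalate(RESTRICT, "device moved to an unsecured area; permissions narrowed")
    if event.hour not in baseline.usual_hours:
        escalate(REAUTH, f"activity at hour {event.hour} is outside the usual pattern")
    return severity, reasons


def sample_history():
    """Constructed five-day learning window for a user who works from HQ in office hours."""
    history = []
    for day in range(1, 6):
        history += [(day, 9, "HQ", "open_docs"), (day, 10, "HQ", "email"), (day, 14, "HQ", "open_docs")]
    history.append((2, 14, "HQ", "rename_files"))  # one small rename on one day is normal
    return history


if __name__ == "__main__":
    alice = learn_baseline("alice", sample_history())
    for ev in [
        Event("alice", "HQ", "open_docs"),
        Event("alice", "HQ", "rename_files", hour=14, files_touched=500),
        Event("alice", "Airport", "open_docs", hour=9),
        Event("alice", "HQ", "format_drive"),
        Event("alice", "HQ", "open_docs", hour=3),
    ]:
        print(ev.action, ev.location, "->", evaluate(alice, ev))
```

The rules are ordered so that a never-seen destructive action (the drive format) or a bulk change (hundreds of renames) locks the session outright, while a plausible-but-odd sign-on only narrows access or asks for another factor; a user whose learned baseline includes the same action on several days, such as an administrator who formats drives routinely, is not flagged for it.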
Whether it is BlackBerry or some other firm, the fact is we need to close all gaps in security across our firms, and employees are the biggest existing gap out there. Now I’ll leave you with another story. While I was at IBM, we wanted to showcase that IBM had the best security in the world, so we created a secure site we believed was invulnerable. We then hired a consultant to break into it and expected him to find the task impossible. Within 24 hours he was into and in control of the secure site, and he did this by avoiding the secure site entirely: he instead breached it by gaining access through a trusted vendor who was connected into the secure site. The lesson is that we don’t just need to secure our employees; we need to make sure our trusted partners do the same with theirs. Otherwise the lesson I learned will be relearned and, odds are, that won’t be a good thing.