Leveraging Insights and Behaviors to Secure the Digital Workspace

Nov 26, 2018
Ben Ward


Senior End User Computing SE at VMware. Covered EUC solutions at both Citrix and VMware. Constantly trying to stay ahead of the increasingly rapid pace of change in human-focused technology, and then articulate these concepts to audiences outside of traditional IT.

In their 2018 report “The Human Factor in IT Security”, Kaspersky reported that 46% of information security breaches were caused by human carelessness, and in 30% of breaches, employees were actively working against their employers.

Enterprises are used to protecting against external threats, but now it looks like enterprises are being attacked from all sides.

How do you defend against an enemy that is already inside the gates? How do you keep a close eye on your own users, the vast majority of whom have no ill intent?

This problem isn’t new, and there have been many interesting solutions over the centuries, most of them involving some form of surveillance.

Centralized visibility

In 1791, the social theorist Jeremiah Bentham came up with a revolutionary idea to ensure complete surveillance of prison inmates with a minimum number of prison guards.

His innovation involved building all of the prison cells in an array around a central guard tower. The cells had open aspects to the tower, meaning that the inside of each cell was visible to the guard tower. The tower itself used opaque glass, meaning that guards could see all of the inmates’ activities, but the inmates couldn’t see the guards.

He called his design ‘The Panopticon’.

British prisons in the 18th and 19th centuries were grim places. The prevailing sentiment was that prison was for punishment and deterrence, rather than rehabilitation. This meant that inmates were not inclined to behave themselves, and quite often prison facilities were dangerous places for both inmates and guards.

The Panopticon, therefore, provided two main benefits. Firstly, it allowed the monitoring of the prison population with many fewer guards than a traditional prison. Secondly, inmates would behave as if they were under constant observation, as they wouldn’t be able to tell where the guards were looking.

Ruins of a Panopticon-style prison, Cuba. By I, Friman

The Traditional View

The traditional way of thinking about IT security is to view the network and resources as a castle with strong outer walls and many layers of defense. However, a castle’s main job is to prevent enemies from gaining access to the riches stored inside.

Castle walls aren’t going to do much good if the enemy is already inside the gates. If the enemy is already inside, what can be done to secure the castle?

This is where we need to start thinking like a prison guard. Prison guards have a completely different perspective to sentries standing on the castle walls. Rather than watching to see if someone is trying to get in, they need to understand the people on the inside and know intimately what their usual behaviors and interactions look like.

Caerlaverock castle. By Simon Ledingham

Let’s look at the example of a major UK supermarket information security breach in 2014. In that instance, the payroll details of 100,000 users were uploaded to news agencies and sharing sites. The culprit had not done something that would have triggered alerts in traditional SIEM systems. The culprit was a Senior Auditor, and therefore had full access to the systems he stole data from. A user accessing authorized systems isn’t going to trigger most security systems. This is evident from the fact that this activity was ongoing for four months!

However, let’s say that there was a central system that had visibility of his system access, along with an understanding of his usual habits and interactions. In that case, that system could flag up instantly that he was downloading 50GB of data, rather than the usual 50MB of data daily.

A New Approach

Gartner has recently created a new category of information security it calls User and Entity Behavior Analytics (UEBA). By baselining user actions over a period of time, a UEBA-based solution can learn what normal behavior for a user looks like. If the user then does something out of the ordinary, it will send an alert.

Where should an end-user security solution sit if it is to have maximum access to user activity? On the endpoint? This is where we come back to the idea of Bentham’s Panopticon. The real innovation of this design was that the central tower had visibility of each inmate, their cells and their interactions. Which cell an inmate currently occupied was not an important factor. Indeed, an inmate could move between cells, and this wouldn’t impact the functioning of the central tower.

How a Digital Workspace Helps

All of this leads nicely to the idea of a digital workspace solution as it relates to IT security. With a true digital workspace solution, all application and device access is controlled and monitored via a single entity. Once a user is authenticated against the platform, they are then granted onward access to other authorized systems. The applications delivered could be traditional Windows desktops or apps, mobile apps or SaaS apps. A record is then kept of that access.

User authentication and access are important data points, but user behavior and activity across various devices are just as important. For example, a user may use mobile or desktop devices to access applications. They may use these devices in multiple locations or at certain times. A digital workspace solution should be able to take all of these information points and build a model of the user. Any activity that doesn’t fit this model can then be flagged for further investigation. Gaining these types of insights is critical in helping increase security hygiene across a digital workspace.
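The baselining described under "A New Approach" and the per-user model described above can be sketched as follows. This is an added example, not code from the original post or from any VMware product; the class, the field names, the 30 constructed days of history and the thresholds (a modified z-score cut-off of 3.5, a 14-day minimum history) are all assumptions chosen for illustration.

```python
import math
from collections import defaultdict
from statistics import median

class UserBaseline:
    """Per-user model: robust stats on daily download volume plus seen context values."""

    def __init__(self):
        self.log_bytes = []            # log10 of bytes downloaded per day
        self.seen = defaultdict(set)   # context key -> values observed so far

    def learn(self, nbytes, **context):
        self.log_bytes.append(math.log10(max(nbytes, 1)))
        for key, value in context.items():
            self.seen[key].add(value)

    def volume_score(self, nbytes):
        """Modified z-score (median/MAD) of a day's volume, computed in log10 space."""
        med = median(self.log_bytes)
        mad = median(abs(x - med) for x in self.log_bytes)
        mad = max(mad, 0.05)           # floor so a very flat history cannot divide by ~0
        return 0.6745 * (math.log10(max(nbytes, 1)) - med) / mad

    def evaluate(self, nbytes, threshold=3.5, min_history=14, **context):
        """Return the reasons this day's activity deviates from the baseline."""
        if len(self.log_bytes) < min_history:
            return ["insufficient_baseline"]   # do not alert on an unlearned user
        reasons = []
        if self.volume_score(nbytes) > threshold:
            reasons.append("volume")
        reasons += [f"new_{k}" for k, v in context.items() if v not in self.seen[k]]
        return reasons

def build_constructed_baseline():
    """30 constructed days for one user: roughly 35-56 MB/day, one laptop, one site."""
    baseline = UserBaseline()
    for day in range(30):
        nbytes = int(50e6 * (0.7 + 0.03 * (day % 15)))
        baseline.learn(nbytes, device="laptop-01", location="HQ")
    return baseline

if __name__ == "__main__":
    b = build_constructed_baseline()
    print(b.evaluate(52_000_000, device="laptop-01", location="HQ"))      # ordinary day
    print(b.evaluate(50_000_000_000, device="laptop-01", location="HQ"))  # 50 GB day
    print(b.evaluate(48_000_000, device="phone-07", location="Remote"))   # unseen context
```

Scoring in log space with median and MAD keeps one unusually large day from dragging the baseline upward, which a mean and standard deviation would allow.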

Imagine if a secure digital workspace solution had been in place during the supermarket incident. The miscreant could have potentially been caught and identified within minutes, meaning that the activity could have been stopped before any information policies were breached. And with automation in place, actions could have been taken to help mitigate risk: quarantine, notify and resolve as needed.

The Secure Digital Workspace

Apart from an aborted attempt in Cuba, the Panopticon as designed by Jeremiah Bentham was never built. Its concepts, though, can be seen today in the ubiquitous use of CCTV.

Big data analytics and AI are giving us new ways to understand human psychology and motivations. The future of human / technology interactions will be about ensuring intuitive access with transparent security. The digital workspace is how these concepts are being brought together. For more information on the secure digital workspace, visit https://www.vmware.com/products/workspace-one.html.
