Many problems in information security are both perennial and intractable. Audits expose them year after year. Breach after breach occurs because of them. Information security managers are fired as a result of the inevitable breaches, and the deck chairs are rearranged again each time. And yet, the attack surface rarely changes. It’s a revolving door of breaches and personnel. Nothing ever gets fixed. It’s completely nuts, and we know it. Sure, there’s plenty of stuff you can buy in an attempt to delay the inevitable. Information security is a multi-billion dollar industry, after all. Unfortunately, most of the time the products it sells aren’t used effectively and amount to just so much closing the barn door after the horse has already left. Logs, alerts, endless haystacks in which to find discarded needles that can belatedly tell you that you’ve already lost data, trade secrets, or worse. Want to put your job in the hands of an algorithm (an option as good as any other)? There are plenty of products that purport to surface the important alerts. Only the really important ones. They promise. As an IT manager at a Fortune 500 company, I spent much of my career battling two such problems: tailgating and weak passwords. It was a regular occurrence to find unauthorized personnel in secure areas. It was also a regular occurrence to catch users misusing and mishandling passwords. Sure, like any company we had security policies. I had plenty of data to show me after I had already been breached. Fortunately, throughout my career, most of the time “breaches” actually just amounted to policy violations by employees who were in a hurry. But once, a thief came into the building stealing laptops. It was only through sheer dumb luck that the laptops stolen were obsolete and had already had the drives pulled (he wasn’t a very good thief). The thief tailgated, just like employees routinely do. That’s how he got in: it wasn’t seen as unusual. Practically every security policy in the history of ever has prohibited employees from tailgating. And yet everyone does it. I mean everyone. In hushed tones, people at Very Secret Government Agencies have told me of the epidemic they’re battling with People Who Should Know Better in Very Secure Places. What makes an information security problem intractable? It’s a problem that technology solutions cannot easily and/or cost-effectively address, and one where human nature is in play. Humans, in general, are a massive security vulnerability that cannot be patched. So, you can’t plug technology holes with security policy and expect it to work. And I’m sure you can relate: no sooner is the ink dry on a security policy—even the most well-intentioned and carefully developed security policy—before it is being violated wholesale. The architecture of information security has been fundamentally flawed because it traditionally fails to take into account the human element. People actually need access to systems to get work done. They need to share data with each other in order to get work done. And nothing like needing to get actual work done is a stronger motivation to violate security policy. However, it doesn’t have to be this way, if you just look at the perimeter a different, adaptive way. I first described the concept of adaptive security last year in a pompously named (and thoroughly tongue-in-cheek) manifesto I published and circulated. It gained considerable traction and influence in the field and a number of information security products (including our own) are starting to enter the market based around this concept. I think the coming wave of information security innovations will actually work because adaptive security starts with human beings interacting with information security systems. It doesn’t respect the traditional barriers of physical security, digital authentication and information security. Instead, adaptive security starts with the patterns of human behavior around which we can create a more secure world. By paying attention to what actual humans are doing and creating end-to-end scenarios that put previously disparate puzzle pieces together, security products can be more effective. However, this isn’t the only reason to take an adaptive approach. For the humans involved, it’s a completely seamless change. There isn’t any training required when, for example, a security product ensures the user is physically badged into the building before granting permissions on a Windows network. It’s security that isn’t annoying and actually works. And adaptive security products are often very simple to deploy. The most effective security measures are sometimes the simplest ones. By linking digital and physical security systems together—and by analyzing patterns of human behavior—we can build a digital world that is both more secure and easier to use. The next time you’re analyzing the results of an audit, consider whether an adaptive security solution is appropriate. You might be astonished at how much more secure your enterprise can become for a surprisingly small investment.
About the Author: Robert Walker is the founder and CEO of Seattle based PCPursuit, a startup backed by top infosec accelerator Mach37. He was previously IT manager for Microsoft Research Asia, and was a Microsoft employee for over 13 years. Robert believes that security works better when it is easier to use. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
