Making the Shift to Human-Centered Security

Forcepoint’s Richard Ford on Why We Need to Develop a New Set of Tools


Traditionally in cybersecurity, technology is the central focus. Adversaries act; security controls respond. But Richard Ford of Forcepoint says it is time to change the dynamic with a shift to human-centered security.

The traditional, tech-centric approach cedes too much control to the attackers, says Ford, chief scientist at Forcepoint. “Essentially, they are playing the tune, and we’re dancing to it,” Ford says. “We’re very focused on threats. When I think of human-centered security, it’s that point of contact between the human and the data, and making certain that the data is most available and most valuable to you, but also most protected when it’s most at risk.”

In an interview about the shift to human-centered security, Ford discusses:

• The rationale behind making the shift;
• The tools and skills necessary;
• How human-centered security will aid response to modern attacks such as WannaCry.

Dr. Ford is the chief scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings more than 25 years of experience in computer security with knowledge in both offensive and defensive technology solutions. During his career, Ford has held positions with Virus Bulletin, IBM Research, Command Software Systems and NTT Verio. He has also worked in academia, having held an endowed chair in computer security, and worked as head of the computer sciences and cybersecurity department at the Florida Institute of Technology.

Human-Centered Security Defined

TOM FIELD: Richard, in today’s state of cybersecurity, how do you define this concept of human-centered security?

RICHARD FORD: I think, in part, you can look at what it’s not. If you think about how security looks, we’re very focused on threats. Human-centered is saying let’s put the human front and center. When is your data most valuable to you? Your data is more valuable to you when it’s at the point of access, when it’s being displayed and/or used by a person. That’s also when it’s at its most vulnerable. When I think about human-centered security, it’s that point of contact between the human and the data, and making certain that your data is most available and most valued to you then, but also most protected then. Because that’s really when it’s most at risk.

How This Model is Different

FIELD: How would you say this is fundamentally different from the traditional model of security that we consider?

FORD: If you think about what we do in security today, we’re really focused on attack. It’s about: This is a threat. This is a vulnerability. This thing is trying to attack my computer. The problem with doing that—and by the way those things are very important; I’m not saying we should be doing them—but the problem of looking at it that way is it allows the attacker to control the game. Essentially they’re playing the tune, and we’re dancing to it. I’m always reacting to what the attacker is doing. Now let’s turn it around. Let’s say you have a nice cup of tea. I’m a Brit, so let’s use a cup of tea in your hand. I want to steal that. It doesn’t matter how I get to you. It doesn’t matter if I come in through the door or in a window. Sooner or later, to get it, I’m going to have to touch it and grab it. If you pay very close attention to that access, it’s a way of sort of stopping that threat without having to think about all the different possible ways I might be able to get to that point of connection.

It moves from this threat-centric model, which I think we’ve demonstrated hasn’t really done us very well. We’re not winning that security war right now. And it augments or lifts that threat-centric model by looking at how data is accessed. That could be by a malicious insider, an accidental insider or a compromised insider. If you look at how we lose data, it’s usually one of those three.

Recent Attacks and the Need for Change

FIELD: Richard, let’s put this into context. How would you say that some recent attacks, such as the WannaCry outbreak, and some of the other ransomware strikes, underscore the need for human-centered security?

FORD: If you think about it from the attacker’s point of view, for something like WannaCry, what did they need to do? They found or got access to an exploit, and then they ramped up that exploit with some code that allowed it to go from machine to machine, encrypting data. What they could do is they could kind of play with that code lots and lots of different ways, until they finally found a version that we [hadn’t] detected. Then they could, knowing that their attack would succeed, launch it. In other words, it’s like we’re playing rock, paper, scissors, and we always have to go first. The attacker tends to win in that game because they can try as many times as they like until they find something that’s going to get through. They know it’s going to be mass, and it goes out.

If you take a human-centric spin on that, though, you don’t look at the individual threat coming in. You don’t worry about, is this a brand new exploit or is this a brand new piece of malware? What you do is quite different. You look at how that thing is moving around your files or touching your files. For example, I can’t remember a morning that I came into work and I decided to encrypt all my files and delete the unencrypted copies. That’s not something that Richard usually does when he comes into work. If you take a behavioral or human-centric view of the system, it’s quite easy to detect that one of those things is not like what I normally do, and then maybe call in the reinforcements and say, “Hey, this doesn’t look normal. This doesn’t look right. This is a very new behavior for Richard. Maybe this isn’t Richard. Maybe this is an attack.” As opposed to trying to sort, at the edge of the network, is this good or is this bad? Because that’s a very difficult job. Again, we’re always on the back foot with the attacker.

The other thing, though, that WannaCry, for me, really highlighted, and I think this is true of ransomware in general, is it’s only when your data is gone, or your data is encrypted, that you realize that that was really what you valued on your computer. If you think about what you would value most on your computer, it’s usually not the programs—it’s all the data; it’s all the time you’ve put in. I remember running from a hurricane in Florida when I lived down there, and what did I throw in my run bag? My hard drives, my computer—not for the computation, but the memories. I had all my pictures, those kinds of things. It’s those things that make our computers personal if you’re a home user, or valuable if you’re a business. Those are the things that it’s important to protect. I think by looking at the things that you want to protect and asking, “Is this normally how we use them?” is easier than trying to decide at the edge of the network, “Is this thing good or is this thing bad?”

Skills and Tools Needed

FIELD: Richard, I’ve got a two-part question for you to follow up. First is, what are the skills necessary to enable the transition to human-centric security? In addition to the skills, what are the must-have tools?

FORD: That’s an interesting sort of two-part question. I think first of all, you have to start looking at the world a little bit differently. As a tech guy, I love to look at exploits. My first job in the industry was all about malware. We tend to think about tech, rather than think about people. When you start to make that transition to start thinking about people, I think the most important thing is, in fact, that you start to sort of change your mindset. You change those mental models. The mental models that you have around this are so important. How you view a problem, how you talk about a problem tends to sort of wire in the solutions that you think about for that problem.

You need to have skills that really look at humans and data access and understanding what data is. A file isn’t just a file. Maybe it’s a resume or maybe it’s a job application. Maybe it’s a patent. Understanding the life of the data within your organization, those sort of [lesser] ones and zero binary skills, but those more soft skills that help us move from the what, which we’re very good at by the way. As computer scientists, we’re really good about talking about [what] happened on a machine. You’ll hear me talk at times about this sort of continuum of intent, which speaks to the “why.” Why is this thing happening? Why has this file been emailed? Why are all these files, to go back to the example we were just talking about, being encrypted on a particular hard drive?

The skill sets—like knowledge of human behavior, psychology, understanding content, natural language processing and those kind of skills—get layered on top of the hardcore computer science kind of skills that we typically have.

In terms of tools, I think what we’re doing as an industry certainly is easing into this world view. It’s not like we’re going to throw out our firewalls. As a company that makes firewalls, I sincerely hope we don’t. They have a very important role in what we do. But we’re going to add new tools, tools that help measure user intent, better analytics that are focused not just on the programs that are running, but what they’re doing, and trying to turn those actions into a story. It’s like if you saw one frame from a movie. You wouldn’t know what the movie was about, no matter at what resolution you saw it in. You could go to QHD, it’s only one frame. But you could see a little hand-drawn picture of the movie, and if you animate it step by step, you get that picture in motion. That starts to tell you about what it’s about. I think tools will be connecting different things ... so you have sensors. You have enforcement, different types of enforcement. I think we’ll move from a world where it’s block or allow, which is sort of the world we’re in now, to where there’s more granularity. Maybe I allow it, but I monitor it. Maybe I allow it and encrypt it.


Finally, analytics. It’s the analytics that’s the smart part of the system that helps us go from what these individual events are, to what is the story these events are telling me. I think it’s that set of tools really that are the must-haves to start putting the muscles and flesh on the bones of this idea.

Time to Make Tools for Captain Kirk

FIELD: Richard, in previous conversations you’ve made the point to me that we build tools for Mr. Spock, but we need to start developing them for Captain Kirk. What do you mean specifically by this statement, and how is Forcepoint helping customers to now make this transition?

FORD: Right. I have to admit, I love saying that. Every time I say it, I smile. Because a) it’s true, but b) I’m kind of a Trek fan, so it lets me talk about something I love, as well as computer security all at the same time. What do I mean by that? I mean that one of the things that’s beautiful about being a human is that we’re not entirely rational. We’re risk-takers. We’re gamblers. We sort of cross our fingers and hope for the best. But when we build computer software, we often treat the user like they’re completely rational, that they’re going to sit and read the entire dialogue box that we just popped up in front of them, because that’s the logical thing to do. Instead, what the user is, is probably something that we like to call a task-centric, cognitive miser. That is, the user is trying to get something done, and this annoying dialogue box that popped up is just in the way. How do I get rid of it?

If you build tools for Mr. Spock, you assume that that’s all going to get read and they’ll make the logical choice. If you build a tool for somebody like Kirk, you’re trying to influence, you’re trying to say, “Okay, I recognize this is a person. How would a person react to this interruption of their task? How can I encourage them to take the right action, as opposed to just assuming that they’ll take the logical action?” How do we make that transition? I think it’s a slow process. It starts to color how you build your systems.

As you move toward this more human-centric view of the world, you start to think not just about presenting the user with the data they need to make the right decision, but presenting it in a way that starts to encourage the right behavior. I think that’s one of the places where we still have quite a long way to grow as an industry, and even at Forcepoint. Getting that feedback about what’s risky and what’s not to a user is so very important. It usually doesn’t happen in a short time cycle. You might make a mistake, and it might be quite a long time until you realize that was the thing that you did that got your computer infected. Or maybe you never realized what it was. We need to work on closing that feedback loop.

One of the things that I think is important as we do this is, again, you start with starting to change the mindset, starting to change the words that you use, starting to change those mental models. Then you build that into your products to be more and more human-focused, to tell the story rather than just present a lot of points on a graph. So that an administrator or a defender can make the right contextual decision. We start to wire intent and context into our responses, as opposed to, “This is what happened. What do you want to do?”


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global Summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.
