Following the release of the Phishing Threat Trends Report, we recently hosted the Human Risk Summit, a virtual gathering of top industry leaders to discuss human risk in cybersecurity.
In this post, we’ll recap some of the key insights gathered on managing human risk using an adaptable cloud email security architecture during a discussion with three of our speakers – Mark Walmsley, CISO at Freshfields Bruckhaus Deringer; Matt Nears, VP of Global IT Security at Crawford & Company; and Tony Pepper, CEO of Egress.
“Managing human risk by email, using an adaptive cloud security architecture”
Tony Pepper, CEO of Egress
Tony Pepper opened the conversation by outlining how Egress recently launched its adaptive email security architecture to continuously assess risk and dynamically change policy controls at the user level. He clarified that while adaptive security isn’t a new concept, Egress are the first cloud email security company to deploy it.
He briefly outlined the challenges around adaptive security and how the Egress adaptive email security solution addresses them by aggregating data derived from product telemetry, open source intelligence and the applications already in an organization's security infrastructure.
Tony explained that human risk and pockets of data are stored in lots of different applications that then need to be aggregated to create an adaptive security profile for each user. The data could be stored in a number of places, for example:
- Performance and simulation data from a security awareness training (SAT) platform
- Activity and user profile information from endpoint security tools
- Traffic and activity data from your web security system
While organizations can access tons of data within different platforms and products, centralizing it to tell the whole story is a considerable challenge. Egress aggregates this data to produce a per user human risk score that is then used to adapt security to address the areas of risk for that specific individual. This includes Egress’ own controls, as well as informing other systems using live threat data – for example, to automate SAT.
“In order to leverage an adaptive security model, we ultimately need to have a holistic view, a deep understanding of human risk. The challenge is that human risk and pockets of data are often stored in lots of different applications across the enterprise.”
Tony Pepper
“Focusing on the end threat goal when thinking about individual risk profiles”
Matt Nears, VP of Global Security at Crawford & Company
The conversation then shifted to Matt Nears, who discussed how his organization, Crawford & Company, thinks about constructing risk profiles and aggregating security data to support an adaptive security approach. He explained that while everyone in the cybersecurity industry is working with the same information, his company does risk analysis from a different direction.
They see an inbound malicious email and try to understand the end goal from a threat perspective. It starts with asking the generic threat questions:
- Who is the target end user?
- What is the threat actor trying to do? (Credential harvesting, malware, man-in-the-middle attack, etc.)
Matt outlined how they then go a step further. Instead of just the email, they evaluate the identity profile of the target:
- What data, apps, or systems does the user have access to?
- Does the user have the knowledge to identify and avoid malicious emails?
- Where else can this attack lead in the ‘kill chain’, based on the user’s access and network design?
These insights, which look beyond a single data point such as one malicious email arriving, dictate whether additional enforcement, monitoring, or security controls are required.
Tony then clarified that this multi-point view requires data from sources that are often siloed. While individual applications can highlight risk factors, such as an SAT platform showing one person at higher risk or an audit log from a cloud email security tool showing one team more targeted than others, bringing the data together is the only way to get the best insights for individual profiles.
Matt agreed, adding that combining data combats singular viewpoints and facilitates more diverse analysis. He also stated that security needs to be a blanket responsibility for everyone across the organization. Creating individual profiles makes security more personal and engaging.
“Instead of just looking at the [malicious] email, we [Crawford & Company] try to look at the identity. It’s how we perceive an email regarding overall enterprise risk. Does the target user have the education to know what to do with that email? Where else could it go on the kill chain? What data or applications do they have access to? It’s very much about looking at, ‘Okay, we have this single point, but what’s the end goal of that email from a threat actor perspective?’”
Matt Nears
“You get to security dashboard nirvana by setting dynamic risk-based profiles”
Mark Walmsley, CISO at Freshfields Bruckhaus Deringer
Mark Walmsley discussed what he commonly sees in how companies manage risk. He first noted that most companies determine a risk profile for the entire organization and monitor success via one or two color-coded metrics on a system dashboard, for which everyone always wants to be in the green.
He then explained that to get to ‘dashboard nirvana,’ organizations must deploy dynamic risk-based profiles that treat users as individuals. Various factors will dictate what resource access is granted and the authentication controls and other measures required for each user:
- Geography or network location of each user
- Types of clients they work with
- Role or type of work they do
- System access (critical or non-critical)
- User security profile
Successfully adopting policy controls based on the individual will keep dashboard metrics ‘in the green’ because the controls are dynamic and constantly adjusting. It addresses how each unique person should be protected based on their behaviors, role, and IT privileges. Mark then reiterated the challenges previously discussed by Tony Pepper and Matt Nears, explaining that successful implementation requires data from various integrated tools.
Currently, no single security platform can provide all the data in one system, as most providers are specialists. This reality creates a vast need for sharing intelligence between organizations, marking the beginning of a journey for companies to evolve into individual profile-based security. The burden is on the customers to drive demand for adaptive security, and generative AI will create huge opportunities to auto-analyze and construct dynamic profiles to outsmart adversaries.
“As security providers, we have to trust each other, or everyone will be in second place and get further and further behind threat actors.”
Mark Walmsley
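To make the three speakers' points concrete, here is an added Python sketch (not Egress' code or scoring model, and not anything the speakers showed) that builds the kind of per-user profile Tony described: it aggregates constructed exports from a hypothetical SAT platform, endpoint tool and web proxy into a likelihood signal, multiplies in Matt's identity-centric view of impact (what the account can reach, role, working location), and selects the tiered authentication and email controls Mark described. The sample data, weights, thresholds, role list and control names are all assumptions made for the example.

```python
"""Per-user human-risk profile built from several tools' exports.

Added illustration only: the data sources, weights, thresholds and control
names below are assumptions for the example, not Egress' scoring model.
"""

# --- Constructed sample exports from three hypothetical tools --------------
# Security awareness training (SAT): phishing-simulation results.
SAT_RESULTS = {
    "alice": {"sim_clicks": 0, "sims_sent": 10, "training_done": True},
    "bob":   {"sim_clicks": 4, "sims_sent": 10, "training_done": False},
    "carol": {"sim_clicks": 2, "sims_sent": 10, "training_done": True},
}
# Endpoint security: malware/EDR alerts per user in the last 90 days.
ENDPOINT_ALERTS = {"alice": 0, "bob": 2, "carol": 0}
# Web security: requests blocked as known-bad per user in the last 90 days.
WEB_BLOCKS = {"alice": 1, "bob": 7, "carol": 2}
# Identity directory: role, working location and whether the account can
# reach critical systems (the "what can this user get to?" question).
IDENTITY = {
    "alice": {"role": "engineer", "location": "office", "critical_access": False},
    "bob":   {"role": "finance",  "location": "remote", "critical_access": True},
    "carol": {"role": "partner",  "location": "travel", "critical_access": True},
}

WEIGHTS = {"sat": 0.4, "endpoint": 0.3, "web": 0.3}    # assumed; sum to 1.0
HIGH_VALUE_ROLES = {"finance", "partner", "executive"}  # assumed


def clamp(x: float) -> float:
    """Keep a signal inside [0, 1] so no single tool can dominate the score."""
    return max(0.0, min(1.0, x))


def likelihood(user: str) -> float:
    """Behavioural signals from SAT, endpoint and web tools, weighted into one
    0..1 estimate of how likely this user is to be successfully phished."""
    sat = SAT_RESULTS[user]
    click_rate = sat["sim_clicks"] / sat["sims_sent"] if sat["sims_sent"] else 0.5
    sat_score = clamp(click_rate + (0.0 if sat["training_done"] else 0.2))
    endpoint_score = clamp(ENDPOINT_ALERTS[user] / 3)   # three alerts saturates
    web_score = clamp(WEB_BLOCKS[user] / 5)             # five blocks saturates
    return (WEIGHTS["sat"] * sat_score
            + WEIGHTS["endpoint"] * endpoint_score
            + WEIGHTS["web"] * web_score)


def impact(user: str) -> float:
    """Multiplier for where a compromise of this identity could lead: access
    to critical systems, a high-value role, and working off the office network."""
    ident = IDENTITY[user]
    m = 1.0
    if ident["critical_access"]:
        m += 0.5
    if ident["role"] in HIGH_VALUE_ROLES:
        m += 0.25
    if ident["location"] != "office":
        m += 0.25
    return m


def risk_score(user: str) -> float:
    """Likelihood x impact, clamped to [0, 1] and rounded for the dashboard."""
    return round(clamp(likelihood(user) * impact(user)), 2)


def tier(score: float) -> str:
    if score >= 0.6:
        return "high"
    if score >= 0.3:
        return "medium"
    return "low"


# Controls applied per tier: email-side controls alongside a signal sent to
# other systems (here, enrolling the user in a targeted SAT module).
POLICY = {
    "low":    {"mfa": "standard", "links": "allow", "attachments": "scan",
               "training": "annual refresher"},
    "medium": {"mfa": "step-up on new device", "links": "rewrite and warn",
               "attachments": "scan", "training": "enroll targeted module"},
    "high":   {"mfa": "step-up every session", "links": "hold until sandboxed",
               "attachments": "detonate in sandbox", "training": "enroll targeted module"},
}


def profile(user: str) -> dict:
    """One adaptive profile: score, tier and the controls it selects."""
    score = risk_score(user)
    t = tier(score)
    return {"user": user, "score": score, "tier": t, "controls": POLICY[t]}


def build_profiles() -> dict:
    """Re-run whenever any source updates, so the profiles stay dynamic."""
    return {u: profile(u) for u in IDENTITY}


if __name__ == "__main__":
    for p in build_profiles().values():
        print(f'{p["user"]:6} score={p["score"]:.2f} tier={p["tier"]:6} '
              f'mfa={p["controls"]["mfa"]}')
```

Note how the impact multiplier changes the outcome: carol's behavioural signals alone are modest, but critical-system access, a partner role and travelling push her into the medium tier, which is exactly the "single data point versus where it could lead" distinction Matt drew.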
“Making cybersecurity more engaging by creating personal, teachable moments”
Matt Nears, VP of Global Security at Crawford & Company
Tony Pepper quickly chimed in to express how the cybersecurity community must aggregate the data they collect to develop more holistic detection capabilities. Often each individual application would highlight a different risk posture. For example, an SAT platform might suggest that one user or team is high risk, while cloud email security logs might suggest a different team is being targeted by different threats. Tony posed the question to Matt about how he thinks we should bring these insights together and what new conclusions we may be able to draw.
Matt Nears returned to emphasize that one tool operating independently is not enough for an adaptive security approach. Security product providers must have conversations to discuss how they can better collect and share actionable intelligence, whether on their firewalls, gateways, public-facing apps, etc., to essentially create ‘SOAR on steroids’. These insights are vital to improving security tools and educating vulnerable users that can put the entire organization at risk.
“Your weakest link in the chain will always be a point of entry for an attack.”
Matt Nears
The conversation shifted to how, traditionally, cybersecurity is not a positive experience for employees. It lacks engagement because organizations use a one-size-fits-all approach — treating all employees the same. Tony explained that employee experience, including cybersecurity, helps drive job satisfaction. He emphasized treating security as a team sport, moving away from the divide between having one cyber team and end users.
Matt painted this picture by discussing how Crawford & Company uses a “one community, one Crawford” approach to creating an organizational culture that prioritizes security and helps facilitate conversations at the individual level. He explained that their IT security team looks to create teachable moments constantly. Rather than, for example, just saying “no” to a user making a request, they explain why, based on that profile, they said “no” — helping make cybersecurity individualized for each person’s day-to-day activities.
“We aren’t just saying no [to users] as a security team. We explain, ‘This is the reason why we do it’ to help create those teachable moments. Suddenly, individual users have that lightbulb moment, ‘oh, that makes sense’ or ‘this means something in my day-to-day,’ which is quite powerful from a security perspective.”
Matt Nears
“Empowering people to work with you towards better security practices”
Mark Walmsley, CISO at Freshfields Bruckhaus Deringer
Mark concluded by addressing the challenge of how current security professionals manage their users and how the approach to employee training needs to be more dynamic and personalized. Essentially, nearly all your employees are good by nature and want to do the right thing regarding security but may not understand what that looks like. That’s where it’s imperative to create guardrails that help users maintain security and create teachable moments that make security a part of their work.
He added that the relationship between employees and security teams must change. Dynamic risk profiles require professionals to go from saying “no” to “We are here to help you; here’s what you need to do for more IT freedom.”
“If you look statistically at how workforces operate, they’re all good citizens. They show up on time, treat each other well, and follow processes. So, when you have security incidents or issues, less than 1% are naughty by nature. 99% of your staff wants to do the right thing but don’t know what that looks like.”
Mark Walmsley
Key takeaways:
- Reactive, manual policy controls are no longer enough to address human risk and protect organizations from today’s cyber threats
- The future of email security is adaptive; solutions should continuously assess risk and then auto-change policy controls at the individual level
- Adaptive security requires a complete understanding of human risk, which demands integrated data insights from numerous security tools
- Singular data viewpoints don’t tell you the whole story; with email security, you need to focus on the end goal of the threat actor and evaluate the individual target profile to understand overall enterprise risk
- Treating users as individuals with dynamic profiles improves your security posture by managing risk based on their specific location, role, system access, and behaviors
- Adaptive security at the individual level creates more teachable moments for improved security engagement and a better work experience for each employee
- Nearly all users are good by nature; they need guidance and dynamic controls that adapt to their profile for sound security.
Watch the “Moving from reactive to adaptive: Cloud email security for the real world” recording.