RIFAI: Surveys show people understand they have problems, but are preoccupied with defending the perimeter when they should be equally concerned about defending their interiors. Keep in mind that once an external attack breaches a network perimeter, it becomes an insider, so you really have to look at internal security as seriously as you do external security. And by definition an insider is a person, so you must pay attention to not only who is using your sensitive data today, but how they are using it.
That requires analytics. We need to be able to bring together data in a way that answers complex questions about the behavior of insiders, and look at meaningful deviations from the norm and then call that out and isolate it. And maybe sometimes out of thousands or millions of sessions, be able to look at it and say, 'This one is a threat'. So you need that analytics layer to give you visibility into what would otherwise be a ton of false positives, because most large organizations are contending with millions of incidents.
Do compliance requirements adequately address the threat?
OGREN: Compliance has been security's best friend for years, making it easy to say you just have to do this. But the downside of compliance is that it absolutely stifles innovation, because now it's harder to justify incremental security in this new world of mobility and virtualized data centers. I'd love to see compliance get a little more intelligent about involving new technologies and about new approaches to the problem. Because obviously it's not working today. People are getting breached all over the place and it's causing great damage to our economy.
Breached even when they are compliant, right?
OGREN: Absolutely. These companies are doing the best they can and they've got good people, they know the security issues and they're absolutely helpless, aren't they? So at some point we need to carve out space to find new things that move the state-of-the-art ahead. I think compliance has actually slowed down a bit that way.
AMMON: Never confuse compliance and security. They should be and to some degree are connected. But one doesn't necessarily equal the other, for sure.
Going back to the false positive question ... given that insiders are people, then false positives become really dangerous because you're fingering an employee. Has the industry done enough to limit false positives when it comes to insider threats?
RIFAI: Many companies are drowning in false positives. So it goes back to a need for analytics-based remediation to help you understand patterns, properly categorize incidents, diagnose the causes of these incidents, determine the right action, and in the process prevent a lot of these false positives from occurring.