
David Bressler

B2B Go-to-Market Storytelling


Porn in the enterprise

November 21, 2018

One would think that after all this time of enterprise connectivity to the internet, the “problem” of porn would have already been solved? 9,000 pages of porn at the US Geological Survey says otherwise.

The problem isn’t the porn itself but the fact that porn sites are a source of security breaches for a number of human reasons.

As the Washington Post article points out, the Office of the Inspector General recommends a strong blacklist policy (shocking that it wasn’t already in place, don’t you think?). Also, there are already rules in place governing proper use of computers (which clearly didn’t help).

In truth, they were compromised by easy, known attack vectors:

The employee, who was not named in the report, saved many of the pornographic images onto an unauthorized USB device and a personal cellphone — which was also found to contain malware. The Android phone was connected to the employee’s government-issued computer, according to the report.

I mean, if we can’t solve problems like these… problems that have existed since the dawn of computing, how are we to keep up?

What’s a company to do?

Check out Cymatic Security, a SaaS offering that analyzes user behavior in real-time using AI/ML to provide better threat discovery and promote user awareness.

The obvious metaphor of airport security

Anytime the topic of firewall security comes up, the obvious comparison is to airport security — where everywhere but Israel, security is done at a boundary in a standard manner. What differs for the Israelis is that they look at context, and they have security inside the perimeter that monitors passenger behavior for inconsistencies.

Let me give a personal example. A long time ago (geez, really long) I was traveling with some friends to Israel.

All three of us had been there before, though I had only been once and my two friends had been multiple times. Security questioned us about that. They questioned us about our backgrounds, and my behaviors were different (the two of them celebrated the last Jewish holiday with their families, I did not; the two of them lived in Israel after high school, I did not; etc.).

As those discrepancies came up, they split us up. I didn’t have some of the same behaviors as my friends, so they probed. They took the context of our Judaism (for lack of a better way to explain that) and probed into the inconsistencies.

We all bring context to our security evaluation. The challenge with most security strategies is that they don’t take such context into account. Many vendor solutions, like CA Rapid App Security, are starting to incorporate risk metrics into API security, but companies need more.

Much more.

Three fundamental end-user security requirements

Thinking about security for a large-scale set of users who are sensitive to the experience of things (and therefore resist the friction of security), companies need three things:

  1. Companies need their users to be aware of their own security context — with awareness can come behavioral changes.
  2. Companies need to understand the risk profile that the user brings with them so they can perform better real-time threat analysis — Is the user on a network with a known breach? Are the user’s credentials compromised on the dark web? Is the user behaving in a known manner, or are they acting with inconsistencies? How can this information be used to improve user security in situ?
  3. Finally, companies also need deep threat analytics so that they can know what’s happening in real time — for example, in the e‑commerce space, can platform owners watch account takeovers happen in real time, rather than learn after the fact that they’ve been compromised?

Easy to make a list, but how can companies do this?

Apply new technology

Cymatic has implemented the unique capability of inserting themselves into the stream of user behavior without impacting performance. This unique capability allows them to:

  1. Evaluate authentication requests based on the user’s behavior before they attempted to log in. Surfing porn? No judgement, but if you watch porn and then try to log in to your bank account or shop online, your bank or e‑commerce platform can require a higher level of authentication to ensure that you haven’t been compromised.
  2. Evaluate user biometric behavior, such as how they type or move the mouse, to determine if an account is being shared. Biometric analysis in-flight to the user authentication process is hard. See the next section of this post for my big reveal of how this works!
  3. Use other available information to make in-flight authentication decisions — is the user on a known-to-be-compromised network (like hotel networks)? Have the user’s credentials been compromised on the dark web? What was the user doing before they tried to log in, and does that behavior affect login security? Is the user in a known location (for their behavioral patterns)?

Not only can you know your users’ security context; importantly, you can remediate the security weakness in-flight of the authentication request and surface the risk assessment to the user to drive user awareness. This is really important stuff, even though it seems like it’s solving a problem we’ve already solved.

In my job working with customers I often hear that I’m talking about a problem that’s already been solved. Stories like the one about porn at the USGS make my job easier. If these problems were easily solved, that user at the Geological Survey wouldn’t have been able to watch 9,000 pages of porn, access the network from a compromised Android device, or connect a USB device to their computer.

How thoroughly do you know your users? Using AI/ML, Cymatic Security adds in-flight context-aware authentication remediation and deep security analytics, and helps to improve user security awareness.

In addition to in-flight remediation using biometric and other unique security assessment technologies and to surfacing results to improve user awareness, Cymatic provides deep security analytics so that security officers have a real-time view of their security posture and can improve their own decision making over time, because the analytics gathered can inform security policy based on what’s actually happening.

I got a demo

The CEO, Jason Hollander, is a friend. A guy who I trust implicitly because of my experience working with him at Actional/Progress for about five years. Jason has a deep bullshit detector for platitudes, for people saying “we’ve solved this problem” when everyone’s eyes would indicate otherwise.

I saw Jason recently, and we talked about what he and Paul (the other co-founder) have been working on. They’ve been building for two years to get it right. That’s a bit counter-culture these days but important. I suggest you reach out to speak to them. When you do, set your expectations high. They’ll still beat them.

Jason gave me his username, his laptop, AND HIS PASSWORD and asked me to log in (to their demo website).

It wouldn’t let me.

Let me repeat that in case it’s not clear.

I had Jason’s username.

I had Jason’s laptop.

I had his freaking password.

Yet still I couldn’t log in.

Why? That’s the secret sauce. It could tell that my typing cadence was different from his. Based on that (we looked at the analytics), it had my login attempt at a very low percentage likelihood of being Jason. In the real world, it might have stepped up the authentication, for example, to two-factor. But for the sake of the demo, it just didn’t let me in.

To be clear, when I handed him his laptop back, he just logged right in.

I have visions of getting on stage to demo this, calling someone from the audience and doing this.

I bet I’d have people’s attention.

By the way, I realize that a lot of people don’t enter their passwords manually these days. That same API could look at cursor movements, or other behavior, to determine if they think it’s me or not. Because it operates on streaming data… any time they like they can challenge the user and do so simply (like drag a UI element across the screen instead of forcing password reentry).
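The typing-cadence check from the demo, combined with the context signals listed in the "Apply new technology" section, as an added example that is not Cymatic's code: a keystroke profile is built from constructed enrollment timings, a new attempt is scored by how many standard deviations its dwell and latency features are off, and constructed risk weights for the network, breach and location signals push the decision from allow to step-up to deny. The password "pass", all timings, weights and thresholds are assumptions.

```python
"""Keystroke-cadence scoring with context-aware step-up (added illustration, not vendor code).
A typing sample is a list of (key, press_ms, release_ms) tuples for one entry of the same
password; features are per-key dwell times plus press-to-press latencies between keys."""
from statistics import mean, pstdev

def features(sample):
    """Dwell time of each key, then latency from each key press to the next, in ms."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][1] for i in range(len(sample) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, std) over enrollment samples; std floored so sparse data can't divide by ~0."""
    columns = list(zip(*(features(s) for s in samples)))
    return [(mean(col), max(pstdev(col), 5.0)) for col in columns]

def cadence_distance(profile, attempt):
    """Scaled Manhattan distance: average number of std deviations each feature deviates."""
    fx = features(attempt)
    return sum(abs(x - mu) / sd for x, (mu, sd) in zip(fx, profile)) / len(fx)

# Context signals the post names; the weights are constructed for illustration only.
CONTEXT_RISK = {"compromised_network": 2.0, "credentials_in_breach": 3.0,
                "unusual_location": 1.5, "risky_prior_browsing": 1.0}

def decide(profile, attempt, context, step_up_at=2.0, deny_at=4.0):
    """Add cadence mismatch and context risk; map the total to allow / step_up / deny."""
    score = cadence_distance(profile, attempt)
    score += sum(w for flag, w in CONTEXT_RISK.items() if context.get(flag))
    if score >= deny_at:
        return "deny", round(score, 2)
    if score >= step_up_at:
        return "step_up", round(score, 2)
    return "allow", round(score, 2)

def typed(press_times, dwells):
    """Constructed helper: build (key, press_ms, release_ms) tuples for the password 'pass'."""
    return [(k, p, p + d) for k, p, d in zip("pass", press_times, dwells)]

# Constructed data: three enrollment entries by the account owner, then two login attempts.
ENROLLMENT = [typed([0, 120, 230, 350], [80, 75, 85, 70]),
              typed([0, 125, 240, 355], [85, 70, 80, 75]),
              typed([0, 115, 235, 345], [75, 80, 90, 70])]
PROFILE = enroll(ENROLLMENT)
OWNER_ATTEMPT = typed([0, 122, 238, 352], [82, 73, 84, 72])      # owner's own cadence
STRANGER_ATTEMPT = typed([0, 200, 380, 600], [110, 120, 100, 130])  # someone else typing

if __name__ == "__main__":
    print(decide(PROFILE, OWNER_ATTEMPT, {}))                              # allow
    print(decide(PROFILE, OWNER_ATTEMPT, {"compromised_network": True}))   # step_up
    print(decide(PROFILE, STRANGER_ATTEMPT, {}))                           # deny
```

The same owner cadence is allowed on a clean context but stepped up from a flagged network, which is the in-flight remediation the post describes; a real deployment would tune the thresholds against false-reject rates rather than use these constructed values.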

Have a look

If you’re responsible for e‑commerce, healthcare, or banking security, you should have a closer look.

Jason was on TV last night:


If you’re really curious about how easy it is to implement, request access.


Filed Under: Security

