One would think that after all this time of enterprise connectivity to the internet, the “problem” of porn would have already been solved. 9,000 pages of porn at the US Geological Survey says otherwise.
The problem isn’t the porn itself but the fact that porn sites are a source of security breaches for a number of human reasons.
As the Washington Post article points out, the Office of the Inspector General recommends a strong blacklist policy (shocking that it wasn’t already in place, don’t you think?). There were also already rules in place governing proper use of computers (which clearly didn’t help).
In truth, they were compromised by easy, known attack vectors:
The employee, who was not named in the report, saved many of the pornographic images onto an unauthorized USB device and a personal cellphone — which was also found to contain malware. The Android phone was connected to the employee’s government-issued computer, according to the report.
I mean, if we can’t solve problems like these… problems that have existed since the dawn of computing, how are we to keep up?
What’s a company to do?
Check out Cymatic Security, a SaaS offering that analyzes user behavior in real-time using AI/ML to provide better threat discovery and promote user awareness.
The obvious metaphor of airport security
Anytime the topic of firewall security comes up, the obvious comparison is to airport security — where everywhere but Israel security is done at a boundary in a standard manner. What differs for the Israelis is that they look at context, and they have security inside the perimeter that monitors passenger behavior for inconsistencies.
Let me give a personal example. A long time ago (geez, really long) I was traveling with some friends to Israel.
All three of us had been there before, though I had only been once and my two friends had been multiple times. Security questioned us about that. They questioned us about our backgrounds, and my behaviors were different (the two of them celebrated the last Jewish holiday with their families, I did not; the two of them lived in Israel after high school, I did not; etc.).
As those discrepancies came up, they split us up. I didn’t have some of the same behaviors as my friends, so they probed. They took the context of our Judaism (for lack of a better way to explain that) and probed into the inconsistencies.
We all bring context to our security evaluation. The challenge with most security strategies is that they don’t take such context into account. Many vendor solutions, like CA Rapid App Security are starting to incorporate risk metrics into API security but companies need more.
Much more.
Three fundamental end-user security requirements
Thinking about security for a large-scale set of users who are sensitive to the experience of things (and therefore resist the friction of security), companies need three things:
- Companies need their users to be aware of their own security context — with awareness can come behavioral changes.
- Companies need to understand the risk profile that the user brings with them so they can perform better real-time threat analysis. Is the user on a network with a known breach? Are the user’s credentials compromised on the dark web? Is the user behaving in a known manner, or are they acting with inconsistencies? How can this information be used to improve user security in situ?
- Finally, companies also need deep threat analytics so that they can know what’s happening in real time. For example, in the e‑commerce space, can platform owners watch account takeovers happen in real time, rather than learn after the fact that they’ve been compromised?
Easy to make a list, but how can companies do this?
Apply new technology
Cymatic has built the capability to insert itself into the stream of user behavior without impacting performance. That allows them to:
- Evaluate authentication requests based on the user’s behavior before they attempted to log in. Surfing porn? No judgement, but if you watch porn and then try to log in to your bank account or shop online, your bank or e‑commerce platform can require a higher level of authentication to ensure that you haven’t been compromised.
- Evaluate user biometric behavior, such as how they type or move the mouse, to determine if an account is being shared. Biometric analysis in-flight during the authentication process is hard. See the next section of this post for my big reveal of how this works!
- Use other available information to make in-flight authentication decisions. Is the user on a known-to-be-compromised network (like hotel networks)? Have the user’s credentials been compromised on the dark web? What was the user doing before they tried to log in, and does that behavior affect login security? Is the user in a known location (for their behavioral patterns)?
Not only can you know your users’ security context; importantly, you can remediate the security weakness in-flight, during the authentication request, and surface the risk assessment to the user to drive user awareness. This is really important stuff, even though it seems like it’s solving a problem we’ve already solved.
In my job working with customers I often hear that I’m talking about a problem that’s already been solved. Stories like the one about porn at the USGS make my job easier. If these problems were easily solved, that user at the Geological Survey wouldn’t have been able to view 9,000 pages of porn, access the network from a compromised Android device, or connect an unauthorized USB device to their computer.
How thoroughly do you know your users? Using AI/ML, Cymatic Security adds in-flight context-aware authentication remediation and deep security analytics, and helps to improve user security awareness.
In addition to in-flight remediation using biometric and other security assessment technologies, and to surfacing results to improve user awareness, Cymatic provides deep security analytics so that security officers have a real-time view of their security posture. They can improve their own decision making over time, because the analytics gathered can inform security policy based on what’s actually happening.
I got a demo
The CEO, Jason Hollander, is a friend. A guy who I trust implicitly because of my experience working with him at Actional/Progress for about five years. Jason has a deep bullshit detector for platitudes, for people saying “we’ve solved this problem” when everyone’s eyes would indicate otherwise.
I saw Jason recently, and we talked about what he and Paul (the other co-founder) have been working on. They’ve been building for two years to get it right. That’s a bit counter-culture these days but important. I suggest you reach out to speak to them. When you do, set your expectations high. They’ll still beat them.
Jason gave me his username, his laptop, AND HIS PASSWORD and asked me to log in (to their demo website).
It wouldn’t let me.
Let me repeat that in case it’s not clear.
I had Jason’s username.
I had Jason’s laptop.
I had his freaking password.
Yet still I couldn’t log in.
Why? That’s the secret sauce. It could tell that my typing cadence was different than his. Based on that, and we looked at the analytics, it had my login attempt at a very low percentage likelihood of being Jason. In the real world, it might have stepped up the authentication, for example, to two-factor. But for the sake of the demo, it just didn’t let me in.
To be clear, when I handed him his laptop back, he just logged right in.
I have visions of getting on stage to demo this, calling someone from the audience and doing this.
I bet I’d have people’s attention.
By the way, I realize that a lot of people don’t enter their passwords manually these days. That same API could look at cursor movements, or other behavior to determine if they think it’s me or not. Because it operates on streaming data… any time they like they can challenge the user and do so simply (like drag a UI element across the screen instead of forcing password reentry).
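To make the two ideas above concrete, the typing-cadence check from the demo and the context signals from the “Apply new technology” list, here is a small worked example of risk-based step-up authentication. This is an added illustration, not Cymatic’s code, and it says nothing about how their product actually scores behavior. The keystroke timings, the four context flags, the weights and the thresholds are all constructed assumptions for the sake of the example.

```python
"""Risk-based step-up authentication from typing cadence plus context signals.

Added example for this post; it is not Cymatic's code and does not describe how
their product scores behavior. All timing samples, flags, weights and thresholds
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import statistics

# Constructed enrollment data: three earlier logins by the legitimate user typing
# the same password. Each sample is the list of key-down to key-down intervals
# (milliseconds) between successive characters, captured client-side (assumed).
ENROLLED_SAMPLES = [
    [110, 95, 130, 100, 210, 90, 120],
    [105, 100, 125, 98, 205, 95, 115],
    [115, 92, 135, 104, 220, 88, 125],
]
LEGIT_ATTEMPT = [108, 97, 128, 101, 212, 91, 118]       # constructed: the owner typing
IMPOSTOR_ATTEMPT = [180, 160, 220, 170, 350, 150, 200]  # constructed: someone else who has the password

MIN_SD_MS = 5.0  # floor so a very consistent typist can still match their own profile


def build_profile(samples):
    """Per-interval mean and standard deviation across the enrollment samples."""
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all enrollment samples must have the same number of intervals")
    means, sds = [], []
    for i in range(n):
        column = [s[i] for s in samples]
        means.append(statistics.mean(column))
        sds.append(max(statistics.pstdev(column), MIN_SD_MS))
    return means, sds


def cadence_score(profile, attempt):
    """Fraction of intervals within 2 SD of the enrolled mean: 1.0 = matches, 0.0 = foreign.

    Returns None when there are no keystroke timings at all (password autofilled by
    a manager), so the caller can fall back to other signals rather than treat an
    empty sample as a match.
    """
    means, sds = profile
    if not attempt:
        return None
    if len(attempt) != len(means):
        return 0.0  # a different number of keystrokes is not the same password typed the same way
    hits = sum(1 for a, m, sd in zip(attempt, means, sds) if abs(a - m) <= 2 * sd)
    return hits / len(means)


@dataclass
class Context:
    """Signals available at login time. Which feeds supply them is an assumption of this example."""
    cadence: Optional[float]              # from cadence_score; None when the password was autofilled
    network_breached: bool = False        # e.g. a hotel network known to be compromised
    creds_exposed: bool = False           # the user's credentials seen in a breach dump
    unusual_location: bool = False        # outside the user's usual pattern
    risky_prior_browsing: bool = False    # what the user was doing right before the login


CADENCE_WEIGHT = 0.7   # a foreign typing rhythm on its own is enough to refuse the login
FLAG_WEIGHT = 0.25     # each context flag on its own is enough to step up, not to deny
ALLOW_BELOW = 0.25
DENY_AT = 0.6


def decide(ctx):
    """Return (decision, risk), where decision is 'allow', 'step_up' or 'deny'."""
    # Missing cadence evidence (autofill) is neutral, not a match: count it as half.
    cadence = 0.5 if ctx.cadence is None else ctx.cadence
    flags = sum([ctx.network_breached, ctx.creds_exposed,
                 ctx.unusual_location, ctx.risky_prior_browsing])
    risk = CADENCE_WEIGHT * (1.0 - cadence) + FLAG_WEIGHT * flags
    if risk >= DENY_AT:
        return "deny", risk
    if risk >= ALLOW_BELOW:
        return "step_up", risk  # e.g. a second factor, or a lightweight drag-the-element challenge
    return "allow", risk


if __name__ == "__main__":
    profile = build_profile(ENROLLED_SAMPLES)
    for label, attempt in (("owner", LEGIT_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT), ("autofill", [])):
        score = cadence_score(profile, attempt)
        print(label, score, decide(Context(cadence=score)))
    print("owner on breached hotel wifi", decide(Context(cadence=1.0, network_breached=True)))
```

With the constructed data the owner scores a full cadence match and is allowed straight in, the impostor with the correct password scores zero and is denied (the demo behaviour), the same owner on a known-compromised network gets stepped up, and a password-manager autofill, which leaves no typing rhythm to compare, is also stepped up rather than waved through. The point is the shape of the decision, not the particular numbers.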
Have a look
If you’re responsible for e‑commerce, healthcare, or banking security, you should have a closer look.
Jason was on TV last night:
If you’re really curious about how easy it is to implement, request access.