Most CISOs are likely to agree: data science is the future of cybersecurity. This assertion is simply based on the growing number of vendors that advertise their data science and machine learning bona fides combined with the use of algorithms and deep learning in their products. All the enterprise needs to do is buy software or even update what they already have to the latest version, and their departments are using machine learning algorithms to influence and drive front line security controls (EDR, email filtering, log file correlation, PAM, etc.).
For me, data science is much more foundational to the way I do security control design. In my last two positions as CISO, first at Aetna and now at MassMutual, the first person I hired was a Chief Data Scientist. Initially, I thought I would get better analytics, which I did. We were able to identify patterns and produce analytic results to help make better decisions on how to allocate scarce resources to the highest risk. I thought this was the ultimate goal.
What I didn’t know seven years ago when I started down this path was that by running data models against data sources in real time using streaming technology, it’s possible to use those models to segment both customers and internal users based on behavioral attributes at a very granular level. Connecting this segment at a point in time to a specific treatment executed in an orchestration or workflow engine (IAM platform for provisioning/de-provisioning, DLP solution, CASB, etc.) enables an action (allow access, limit access, monitor privilege) for specific behavioral patterns. This orchestration represents real time decisions driven by behaviors and what I refer to as model-driven security.
One prime example of model-driven security is continuous authentication. For 60 years, the enterprise has used a primary set of credentials -- a username and password -- as the primary means of authentication. It’s worked remarkably well, so well that the idea that authentication is an event with a binary outcome is literally wired into the brains of security professionals. Once a consumer provides the correct key, the consumer is trusted in the network. In fact, the problem today isn’t the keys, it’s us humans. We just have too many digital assets that require authentication to remember passwords for, so we compensate by using the same combinations over and over. Even when using password managers, people often use repeat combinations rather than the long strings of random characters that are automatically generated for them. And multi-factor authentication only adds another layer of binary controls to the authentication event, at the cost of substantial friction to the user. In some cases, 30-50% of users simply opt out of using MFA in digital systems because they see the cost outweighing the benefit. MFA is creating a poor consumer digital experience that consumers are avoiding.
Cyber criminals and fraudsters have long since figured out that it is infinitely easier to get the keys to the house and walk in the front door than to find other ways to break in. With data science and automation, they harvest billions of user id/password combinations to millions of websites and put them up for sale or exchange on the dark web. Using tools like Sentry MBA, buyers can try out those credentials on active websites. On an average list of 10,000 credentials, the hit rate is 2%. It might not sound like much, but that’s 200 accounts with potentially valuable information which can then be aggregated and re-sold, linked to money-mule accounts, used to make fraudulent purchases, or used as legitimate email addresses from which to send phishing emails.
This hits not just the consumer’s bottom line, but the enterprise as well. Today, 50-90% of all digital log-in attempts are criminals attempting credential stuffing – which means that most of the cost of your IT infrastructure is paying for criminals attempting to log into your site. If you told a board member with fiduciary responsibility that, you can be sure they’d ask you to find a better way.
With model-driven security, there is a better way. Here’s how it works:
To be clear, this does not require highly sophisticated AI. Financial services firms have been writing rules into processing systems for 20 years. You take a pattern of behavior, represent it mathematically, use that as a baseline against which to measure real time behavior, come up with a deviation score, and then assign a treatment based on the score. If the deviation is too large, revoke access.
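As an added illustration of that loop (not the article's own code or any vendor product), here is the baseline, deviation score and treatment mapping in Python; the feature names, thresholds, new-device penalty and sample sessions are all constructed assumptions.

```python
# Added illustration of the loop described above: represent past behavior
# mathematically, score a live session's deviation from it, pick a treatment.
# Feature names, thresholds, the device penalty and all sessions are
# constructed assumptions, not from the article or any vendor product.
from statistics import mean, pstdev

FEATURES = ("login_hour", "keys_per_min", "session_minutes")
NEW_DEVICE_PENALTY = 2.0   # assumed: an unseen device adds a fixed deviation

def build_baseline(history):
    """Per-feature mean and std dev over past sessions, plus devices seen.
    Std dev is floored so a constant feature cannot divide by zero."""
    mu = {f: mean(s[f] for s in history) for f in FEATURES}
    sigma = {f: max(pstdev(s[f] for s in history), 1e-3) for f in FEATURES}
    return {"mu": mu, "sigma": sigma, "devices": {s["device"] for s in history}}

def deviation_score(baseline, session):
    """Mean absolute z-score across features, plus the new-device penalty."""
    z = [abs(session[f] - baseline["mu"][f]) / baseline["sigma"][f] for f in FEATURES]
    score = sum(z) / len(z)
    if session["device"] not in baseline["devices"]:
        score += NEW_DEVICE_PENALTY
    return score

def treatment(score):
    """Map the score to the action the orchestration layer executes (assumed bands)."""
    if score < 1.0:
        return "allow"
    if score < 2.0:
        return "monitor"   # keep the session, raise logging/alerting
    if score < 3.5:
        return "limit"     # reduce privilege or require step-up
    return "revoke"        # deviation too large: end the session

def decide(history, session):
    return treatment(deviation_score(build_baseline(history), session))

# Constructed history for one user: daytime logins from the same laptop.
HISTORY = [
    {"login_hour": 9,  "keys_per_min": 210, "session_minutes": 45, "device": "lap-1"},
    {"login_hour": 10, "keys_per_min": 200, "session_minutes": 50, "device": "lap-1"},
    {"login_hour": 9,  "keys_per_min": 220, "session_minutes": 40, "device": "lap-1"},
    {"login_hour": 11, "keys_per_min": 205, "session_minutes": 55, "device": "lap-1"},
]
NORMAL = {"login_hour": 10, "keys_per_min": 208, "session_minutes": 48, "device": "lap-1"}
DRIFT = {"login_hour": 10, "keys_per_min": 195, "session_minutes": 55, "device": "lap-1"}
ODD = {"login_hour": 3, "keys_per_min": 40, "session_minutes": 5, "device": "unknown-7"}

if __name__ == "__main__":
    for s in (NORMAL, DRIFT, ODD):
        print(f"{s['device']:>10} -> {decide(HISTORY, s)}")
```

The three constructed sessions land in the allow, monitor and revoke bands respectively, which is the point: the outcome is a graded treatment, not a one-time yes/no at login.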
This approach has clear benefits. First, the user experience is much better – the user literally does nothing; no passwords, tokens or third party authenticator apps are necessary. Second, the cost is lower. You save all the time spent on authenticating and resetting usernames and passwords, and all that cost of your digital infrastructure being used by criminals. And third, the security is better. Letting behavioral analytics continuously drive access decisions means the human is removed from the process, so the human can step back and study trends and focus on controls design as opposed to implementation. With the right infrastructure investment and skills, it becomes a closed loop model that scales from the smallest to the largest enterprise. Simply put: this is a game-changer.
The catch, beyond the initial investment in the people and systems, is that moving to this system requires a paradigm shift in the minds of the security team. They must unlearn the fundamental tenet of cybersecurity that authentication is a binary event with a beginning and end. This turns out to be harder than it sounds, which is part of the reason we still have passwords when they are clearly marching towards obsolescence. The other reason we do not yet see this at wide scale across the industry is that with large firms who have hundreds of apps in use both internally and externally, this kind of transformation is a years-long process. But it is happening at the most sophisticated firms. And it will happen across many more security processes, across the industry.
Data science is fundamentally transforming cybersecurity. By establishing behavioral models and continuously measuring them against user actions, anomalies can be detected and treated in real time, without human intervention. The result is a better user experience for the customer and better security at a cheaper cost. This change will require a paradigm shift by security teams, but it can and will happen at every scale, across the industry.
© 2023 FS-ISAC, Inc. All rights reserved.
Jim Routh is the Head of Enterprise Information Risk for MassMutual in Boston. Mr. Routh was formerly a security leader for many large companies including: CVS Health, Aetna, JP Morgan Chase, KPMG, DTCC and American Express. At Aetna, he developed one of the most mature converged security programs in the private sector. He serves as a board member and advisory board member for several companies including: University of California Berkeley Center for Long Term Security, Clear Sky Advisory Board, Cyber Starts Advisory Board and the Global Cyber Alliance. He is the former Chair of the Health Information Sharing & Analysis Center (HISAC) and former board member of the FS-ISAC. He serves on the board of Acceptto and ZeroNorth. He serves as an advisory board member for Agari and Gurucul. Mr. Routh has been recognized by many industry awards for Cyber Security Leadership (CSO Hall of Fame, Shared Assessments Lifetime Achievement Award, SINET Impact Award and others). He regularly publishes articles on innovative practices and capabilities to improve enterprise resilience across industries.