Why Users Matter

By Eric Ouellet at 2/18/2015 1:19 PM
Filed Under: Big Data, Big Data Analytics, cybersecurity, Risk Fabric, Risk Management

Whether they are employees, system entities, clients or partners, users are the ultimate focus of everything we do within our IT environment. We create new services and support new tools to enable our users to be more effective, increasing the value of our organizations in the eyes of our clients and shareholders. When things go wrong, we seek to hold those users accountable.


So why do we spend so much of our security analysis time focusing on events?


Every user generates hundreds or even thousands of events every day. The traditional approach of investigating individual events from each of the security solutions we have deployed seems the most inefficient way to gain a global understanding of users’ activities in our environments. Shouldn’t we focus on users and what each of them does instead?


This may seem obvious, but our security environments do not operate that way, and there are many benefits to this user-focused approach.


By stitching together the details of user actions across individual security solutions, we can more easily build a user narrative: the real story behind the actions.


This narrative could indicate that a user has malicious intent, or that in fact it is just someone who didn’t know any better and needs training. By combining different sources of information, we can determine that a user account has been compromised because we have noticed unusual behaviors and the personal system they are using appears to have a vulnerability that has been exploited. We can identify that a group of users is behaving in a way that does not match their previous behaviors and that perhaps there is a risk that the team will attempt to secede and become a competitor. This level of insight is impossible to obtain when we are focused on investigating individual events. It is only achieved when we look at the big picture.


By focusing our efforts on users, organizations can dramatically reduce their security operations workload. This is incredible leverage; in most cases it can represent 1000-to-1 or more!


We have client environments that generate hundreds of thousands of events each day. By simply focusing on users, they can reduce the effective workload to several thousand users.


By leveraging automated machine-learning User Behavior Analytics (UBA), they can further reduce the workload to a few hundred users per day – users that clearly show evidence of unusual behaviors when compared to their own past behaviors and that of their peer group.


By further leveraging automated workflows in addition to machine-learning UBA they can automatically route users to different remediation streams depending on their characteristics. Suspicious users can be automatically routed to an investigations queue. Non-malicious users are assigned just-in-time training, and so on.


Scaling a team to investigate hundreds of thousands of individual events is not possible, no matter the amount of resources we throw at it. However, scaling a team to investigate a few hundred users that have already been identified as having unusual behaviors is something we can all do, even in the most modest of environments.
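A toy version of the pipeline the post describes (pivot events onto users, flag the users whose day is unusual against their own history and their peer group, route the flagged ones to a queue), added here as an illustration and not code from the post or from Bay Dynamics. The events, the 3-sigma threshold with a floor of 2, and the routing rule keyed on a "bulk_download" event type are constructed assumptions:

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample events, not real telemetry: (user, peer_group, day, event_type).
# Days 1-4 are each user's own history; day 5 is "today", the day being triaged.
EVENTS = (
    [("alice", "finance", d, "login") for d in range(1, 6)]
    + [("alice", "finance", d, "file_read") for d in range(1, 6) for _ in range(3)]
    + [("bob", "finance", d, "login") for d in range(1, 6)]
    + [("bob", "finance", d, "file_read") for d in range(1, 6) for _ in range(2)]
    + [("bob", "finance", 5, "bulk_download") for _ in range(40)]   # spike today
    + [("carol", "finance", d, "login") for d in range(1, 6)]
    + [("carol", "finance", d, "file_read") for d in range(1, 6) for _ in range(3)]
    + [("carol", "finance", 5, "phish_click") for _ in range(6)]    # spike today
)
# Hypothetical routing rule: these event types send a flagged user to the
# investigations queue; anything else goes to just-in-time training.
INVESTIGATE_TYPES = {"bulk_download"}


def unusual(value, samples):
    """True when value sits well above the samples' mean (3 sigma, floor of 2).
    A user with no history at all cannot be compared and is not flagged here."""
    return bool(samples) and value > mean(samples) + max(3 * pstdev(samples), 2)


def triage(events, today):
    """Pivot events onto users, flag unusual users, route each to a queue."""
    daily = defaultdict(Counter)            # user -> Counter(day -> event count)
    group_of, types_today = {}, defaultdict(set)
    for user, group, day, etype in events:
        daily[user][day] += 1
        group_of[user] = group
        if day == today:
            types_today[user].add(etype)
    # Peer baseline: every historical daily count from everyone in the same group.
    peer_hist = defaultdict(list)
    for user, counts in daily.items():
        peer_hist[group_of[user]] += [n for d, n in counts.items() if d != today]
    routed = {}
    for user, counts in daily.items():
        own_hist = [n for d, n in counts.items() if d != today]
        today_n = counts[today]
        if unusual(today_n, own_hist) and unusual(today_n, peer_hist[group_of[user]]):
            routed[user] = "investigate" if types_today[user] & INVESTIGATE_TYPES else "training"
    return routed


def funnel(events, today):
    """(events, distinct users, flagged users): the reduction the post describes."""
    return len(events), len({e[0] for e in events}), len(triage(events, today))
```

On the constructed data, 101 events collapse to 3 users and then to 2 flagged users, one routed to investigation and one to training.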

Time to Take a Temperature

By Eric Ouellet at 1/26/2015 3:16 PM
Filed Under: Big Data Analytics, cybersecurity, Risk Management, Security Analytics

Speaking with organizations from every possible vertical and industry, I’ve come to understand that the most important issue facing organizations today in their quest for better security isn’t the next new widget that will secure this or that platform, or the one that will give you more control over cloud or BYOD, or the one that will help you better protect any of your hundreds of applications located inside and outside your environment. The fact is that these are relatively simple issues that can be efficiently addressed by selecting any one or more solutions from dozens of vendors vying for just five minutes of your precious time. No, the most important issue you are facing as an organization is one of confidence.


Specifically, organizations are at a crossroads when it comes to the level of confidence they have in their own security and risk environments.


When even the largest organizations with exceptionally mature security and risk programs are falling prey to determined attackers, who wouldn’t have a crisis of confidence?


Confidence comes from a sense of trust, a belief in one’s abilities and level of certainty that things will turn out as planned even when faced with difficult odds in previously unseen situations. Confidence is knowing that no matter what, there are resources available to surmount any challenge and that people and systems will operate as intended when needed most. But how do you get to this point?


In one word: intelligence.


Organizations, now more than ever, are facing threats that attempt to exploit any and all possible attack vectors – from the most mundane to the most advanced – and each security component deployed in an environment, be it staff or technical solution, must operate in a coordinated fashion at all times. Not only that, security and risk operations must act and react as a single overall dynamic unit that is contextually aware of itself, all of the members of the group, and how each of them individually and together respond at any given moment.


This goes beyond having simple static dashboards, key risk indicators (KRIs) and metrics displayed in colorful graphs and charts that report on the underlying plumbing and operations of individual solutions. That approach provides a false sense of security that dulls the senses and opens the door to attackers.


No, today’s threat environment requires a level of sophisticated intelligence and deep understanding of your complete environment in context. One that not only has direct visibility into what is happening at an individual component level moment by moment, but one that can also stitch together each individual narrative across all domains to get a fully contextualized and complete view of the security and risk profile of any given action, behavior, system and individual as it stands against itself and relative to every other.


This is how you achieve the necessary level of confidence in your security and risk operations to answer the most difficult questions facing your organizations today. This is how you achieve the confidence that each piece of the puzzle will be up to the task to address today’s ever-changing threat environment and how you can evolve your security and risk programs into the uncharted future.


This will be my focus of the next few posts. My goal is to demystify and plainly state the core concepts and views for aligning effective security and risk intelligence in an ever-changing world.

Why I left Gartner for a Startup

By Eric Ouellet at 1/12/2015 5:39 PM
Filed Under: Big Data Analytics, cybersecurity, Risk Fabric, Risk Management

For the last six months since leaving Gartner, the most common question I get is “Why did you leave Gartner for a startup?” Over the course of the decade I spent at Gartner, I was exceptionally blessed with being part of a great team that was at the cutting edge of information security trends and market research. The unfettered opportunities to learn about the leading issues impacting our clients and helping them develop core approaches and solutions to address their needs provided a very unique viewpoint, specifically as it related to the fast-evolving world of information security. In fact, that is how I was introduced to Bay Dynamics.


Our industry is at the dawn of what I call the “Contextually-Aware Era” of information security. Never before have we been in a position to be able to truly answer some of the most important and deceptively simple-sounding (but exceptionally difficult) questions in security. Questions like “Where are my risks?”, “What should I worry about the most today?”, “Do I have any bad actors in my environment?” and so many more.


To answer these questions in a meaningful way requires the synthesis of massively large and ever-growing data sets merged from dozens of isolated solutions that speak their own language and have their own personalized view of the security world. But that is not enough. The answers must also leverage the most advanced technologies available to help organizations identify what they are truly looking for, not just what they think they should be looking for. And lastly the answers must be prioritized, directly actionable and, most importantly, contextualized to each member of the security audience – from the hands-on technical staff to the business managers to the board members.


While solutions exist that tap into and manually codify organizational experiences of past good and bad security behaviors, the most important tenet of them lies in understanding the “why” and “how” behind each experience before an organization can leverage them.


Despite its potential virtues, the reality is that codifying prior experience is a severely flawed approach because when most people are asked about good and bad security behaviors, beyond the most basic scenarios, the answer inevitably becomes “I’ll know when I see it.” It is impossible to codify an “I’ll know when” experience and as a result tools become severely limited because they can only codify the knowns that are well understood. This leaves the door wide open to unknown and unanticipated threats that are now the preferred attack vectors in our modern cyber threat landscape.


What if there were another way? An automated way? One that didn’t require any manual configuration? One that was automatically self-learning using all available data? One that was infinitely flexible and could speak the language used across an entire organization – from the hands-on technical users to business manager users and even board members? And lastly, one that provided actual actionable results in less than five days?


Perhaps that would also get you motivated to make a startup your new home and see how you could change the security world in your own way, just a little.