Human Layer Security
5 Key Takeaways Tessian’s VentureBeat Webinar
By Maddie Rosenthal
27 March 2020
As a follow-up to our feature in VentureBeat’s special issue AI & Security, Tessian’s Co-Founder and CTO Ed Bishop spoke with Joe Maglitta, Senior Contributor/Analyst at VentureBeat, to dive deep into how and why we need a different type of machine learning to protect people at work on email. While you can watch and listen to the webinar on-demand here, below are some of the key takeaways from the discussion and the live Q&A that followed.
The way we work has changed and will continue to change
Over the last decade, business has moved – and continues to move – towards digital interfaces. That means that email is now the main artery of communication and, importantly, where an organization’s most sensitive information is shared. Unfortunately, email isn’t secure. It wasn’t created to be secure and – the surprising truth is – it hasn’t changed much since its inception. When you compound that with the fact that people are more connected than ever, using phones, tablets, and even watches to check and respond to emails, you can see why it’s so important that we protect people – and therefore data – on email.
This evolution towards digital interfaces has come to a head over the last several weeks as most of the world’s organizations have moved to remote working in light of the outbreak of COVID-19. Since the outbreak, Tessian has seen a 20% increase in the number of emails sent; that means there are more opportunities for data loss on email and opportunistic phishing attacks than ever before.
Human Layer Vulnerabilities are the cause of data breaches
Employees control businesses’ most sensitive systems and data, whether that’s someone in your finance department who oversees billing and banking platforms or someone in your HR department who controls employee social security numbers and compensation plans. They are the first and last line of defense; the gatekeepers of digital systems and data. This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. But these vulnerabilities don’t cause small issues. They’re responsible for big problems. They’re the number one cause of data breaches, with 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) being caused by human error.
This fact was highlighted in a live poll conducted during the webinar in which 40% of viewers said phishing was the security breach they’re most concerned about. This came first, followed by accidental data loss (30%) and ransomware (30%). No one cited Denial of Service or Ransomware as their biggest concern.
IT and security leaders often don’t have visibility of the problems associated with human error within their organization
While human error on email is a problem in itself, the fact that many CISOs and other executives don’t know it’s a problem makes it even more of a challenge to solve. In the second poll of the webinar, viewers were asked: “How confident are you in the measures your organization has in place to prevent data breaches caused by people making mistakes, breaking rules, or being hacked?” Respondents were split down the middle.
But, according to Ed, confidence – especially from security leaders – is the wrong way to measure it, especially when their visibility of the problem relies on their employees reporting mistakes or other breaches. “We like to look at what the data says. When we go in and do historical analysis, we’re able to show that the number of misdirected emails is as great as 20-30 times larger than CISOs think. A 10,000-person organization will send 130 misdirected emails a week, but the CISO doesn’t necessarily know that because only a few get reported to him or her a quarter.”
Human Layer Security isn’t replacing machine layer security, DLP, or training
There are thousands of security products on the market. That’s in addition to the policies and procedures implemented within individual organizations. Human Layer Security isn’t a replacement for your entire security stack; it’s a vital addition. Machine layer security – often based on rules – is still effective in detecting malware. DLP solutions for physical security are still necessary. But for those situations that can’t be defined or covered by “if this, then that” rules, you need something else. Advanced threats caused by human error like spear phishing, misdirected emails, and data exfiltration all fall into that category, and the only way to solve for them is by protecting the Human Layer.
Stateful machine learning is the best way to balance security, productivity, and effectiveness
Everything involving humans is dynamic and in flux. Relationships are formed for the duration of a project and then fall away. For example, you may have worked with a counterparty a lot a year ago, but now it’d be unusual for them to email you asking for an invoice to be paid. Stateful machine learning considers all of this by combining historical data with real-time analysis to answer the question: “At this exact moment in time, for this person and their relationship, does this behavior look unusual?” Beyond this, though, stateful machine learning and Tessian’s Human Layer Security platform do not get in users’ way; this helps balance productivity and effectiveness in a way that policies, training, removal of access, and rule-based technology cannot. This is key; security should empower and enable your employees, not detract from their ability to do their jobs.
For more information about how Tessian uses stateful machine learning to protect people on email, read the full VentureBeat article, watch the webinar, or get in touch for a demo.
Data Loss Prevention Human Layer Security
How Can Organizations Empower People to Prevent Data Exfiltration?
By Maddie Rosenthal
24 March 2020
As data has become a valuable currency, data exfiltration is a bigger issue now than ever before. And, while it’s a complex problem to solve, it’s not a losing game. Techniques and technologies have been evolving, and today we are better able to control and prevent data exfiltration. To successfully prevent data exfiltration, you have to understand the various moving parts. When it comes to protecting data, there are three key challenges: people, processes, and technology.
Preventing Data Exfiltration With People: The Role of Training
Since old-school software and keyword tracking tools have proven largely ineffective at preventing exfiltration, some security teams have proposed that rather than relying only on software, people should be trained on how to safely manage data and information. Training allows employees to learn about internal policies, regulations like GDPR and CCPA, and other best practices around data. But it’s important that organizations reinforce training with practical applications. Some training will reinforce company policies and compliance with data privacy regulations, but the majority of training and awareness programs center on teaching employees about inbound threats like phishing attacks and BEC. Very few training and awareness programs educate employees about outbound security risks like accidental and deliberate data loss.
Preventing Data Exfiltration With Processes: In-Situ Learning
To really empower employees to work securely and prevent data exfiltration, organizations have to look beyond compliance training to in-situ learning opportunities provided by contextual warnings, triggered by suspicious activity. Beyond preventing breaches, these warnings help promote safe behavior by asking employees to pause and think “Am I making the right decision?” But too many warnings or pop-ups may have the opposite effect. Take, for example, pop-ups that prompt you to accept cookies on websites. Because most of us encounter these on every website we visit, we ignore them or blindly click to consent. This is called alert fatigue; the more pop-ups you see, the less you care about them. The same applies to in-situ learning. If employees encounter notifications warning against risky behavior on 25% of the emails they send, they’ll stop paying attention to them. So, what’s the solution? Warnings should only trigger when there’s a genuine security risk.
That means security software must be able to distinguish between normal emails and suspicious ones with the utmost accuracy. Warning notifications should also contain relevant and easy-to-comprehend information about why the email has been flagged to help reinforce security training with context.  Tessian Enforcer, Guardian, and Defender do just that. 
Preventing Data Exfiltration With Technology: Machine Learning
Even with training and in-situ learning, organizations need a final line of defense against data exfiltration. For many organizations, that last line of defense is rule-based technology. But rule-based solutions are blunt instruments. The best way to illustrate this is through an example. To prevent data exfiltration on email, an organization might block communications with freemail accounts (for example, @gmail, @yahoo, etc.). But imagine the marketing department outsources work to a freelancer. In that case, the freelance worker may use a freemail account. When the employee attempts to communicate with this trusted third party, the email would be blocked and the employee will be unable to carry out their work.
Unlike rule-based solutions, ML-based solutions like Tessian are agile. Tessian’s machine learning algorithms are trained on historical email data to understand evolving human relationships on email. Instead of relying on rules to flag suspicious emails, it relies on context from millions of data points from the past and present. That way, solutions like Tessian Enforcer and Tessian Guardian are able to uniquely understand every email address in an organization’s network and can, therefore, automatically (and accurately) identify whether a recipient is a trusted third party or an unauthorized non-business account.
Learn More About How Tessian Empowers People to Work Securely
Preventing data exfiltration requires well-trained employees and intelligent solutions. To learn more about how Tessian combines in-situ learning with machine learning to reinforce training and prevent data loss, request a demo.
Customer Stories Human Layer Security
Cybersecurity Awareness Should Be People-Centric, Too
13 March 2020
The first speaker at Tessian Human Layer Security Summit on March 5 was Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential. He started his presentation by citing three fundamental flaws in cybersecurity awareness training: it’s boring, it’s often irrelevant, and it’s expensive.
So, should we do away with it entirely? Not quite.
Cybersecurity training is a necessary evil
Cybersecurity professionals who implement training programs and employees who take part in these training programs can no doubt attest that the three flaws Mark mentioned are an unfortunate reality. But what’s the solution? Training is, after all, a necessity. Without it, employees would rely entirely on often small and overworked IT and cybersecurity teams to prevent incidents and mitigate the consequences afterward. That’s not just a tall order; it’s completely unfeasible, especially when human error is the most prevalent cause of data breaches. That means every individual must be held accountable. By educating employees about data privacy laws, password best practices, and how to spot phishing scams, cybersecurity becomes the collective responsibility of the organization, not just those who have a relevant title.
With that said, Mark isn’t suggesting that organizations do away with cybersecurity awareness training. Instead, he’s saying that in order for it to be effective, it needs to be aligned to the individual business. To do that, you have to get to know the business, the people in it, and their attitudes towards security. And, according to Mark, the best indicator of future behavior is confidence.
The cybersecurity culture survey
Influenced by the work of Philip Tetlock, Mark created a survey with predictive power. But, unlike your average survey that simply gauges knowledge, this survey gauges confidence. Importantly, the survey focused on five key competencies: business focus, cyber risk assessment, policy and best practice, cybersecurity advocacy, and personal practice. The thought process is simple: a survey respondent who answers a question incorrectly with 100% confidence is just as likely to make a mistake as a survey respondent who answers a question correctly with less than 100% confidence. Both responses signal the potential for equally risky behaviors. Beyond that, though, the responses – either correct or incorrect – represent an area that requires targeted training and intervention.
How can you apply this to your cybersecurity strategy?
While Mark shared the results of the survey he conducted (which you can see by watching the full presentation on our YouTube channel), his findings won’t help cybersecurity professionals fine-tune their own training. The key here is that awareness training needs to be customized. Without gauging not just the knowledge but the confidence of your employees, you’re essentially blind to the cybersecurity risks within your organization. And, of course, your efforts run the risk of being deemed “boring”, “irrelevant”, and “expensive” with no tangible upside.
For more insights garnered from Tessian Human Layer Security Summit, click here.
#HumanLayerSecuritySummit20
Human Layer Security
How to Create an Enduring and Flexible Cybersecurity Strategy
11 March 2020
At Tessian Human Layer Security Summit on March 5, four of Tessian’s customers engaged in an in-depth panel discussion about cybersecurity trends for 2020, the importance of creating a positive security culture in an organization, and the impact of human error. All of the panelists, including Timor Ahmad from Lloyd’s of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, offered incredible and diverse insights and, in pulling these insights together, we’ve created a mini-guide for other cybersecurity professionals. Here are five things to consider when creating and implementing a cybersecurity strategy, according to Tessian’s customers.
Cybersecurity strategies must constantly evolve
While cybersecurity strategies are long-term and take time to both implement and iterate, they must also be mutable. Why? Because in addition to the ever-evolving threat landscape, there are plenty of other internal and external factors to consider. For example, privacy laws, regulations, compliance standards, company size, board members, budgets, and individual employees all affect an organization’s security posture and should, therefore, influence strategies. Even a global health crisis like Coronavirus, which Mark Parr from HFW referenced, is something that impacts security strategies, especially with more and more organizations implementing remote working policies due to the outbreak. While, yes, it’s a minefield, organizations have to consider and reconsider these moving parts and, in doing so, constantly evaluate and re-evaluate their strategies and frameworks to keep data, networks, devices, and people secure.
Privacy laws and regulations are top-of-mind
With the two-year anniversary of GDPR just around the corner, other nations and even individual states in America are adopting their own data privacy laws. These, of course, are in addition to those already enforced by government agencies like the FCC and the ICO.
The growing number of regulations is especially pertinent for organizations that handle customer or client data. And, while the fines for a breach are hefty under these new compliance standards, organizations have a lot to gain by keeping internal and external data secure. Being transparent and secure about data protection bolsters credibility and trust.
Security can (and should) fuel overall business objectives
As data becomes more and more of an asset to protect, cybersecurity is becoming a less siloed department and more integrated into overall business functions. Again, this is especially the case for organizations that handle customer or client data. In fact, strong cybersecurity actually enables businesses and has become a unique selling point in and of itself.
For an industry that has historically struggled to communicate its value and the return on investment for strategies, this is huge.
Engaging with employees about security is tough, but not impossible
As the Human Element continues to be one of the biggest risk factors in data breaches, it’s absolutely essential that those in cybersecurity leadership positions make a pointed effort to engage with their employees to communicate risks and responsibilities.
Of course, anyone in a cybersecurity leadership position knows this is no easy task. According to our panelists, though, the key is to find new ways to tell the same story. Some use gamification and positive reinforcement while others rely on more interactive content like videos and podcasts. Whatever the method or medium, the most important thing is that risks and responsibility – which the entire organization bears the burden of – are translated so that everyone across departments and levels of seniority can understand.
Accountability is required company-wide
As we’ve said, cybersecurity is no longer siloed. That means that accountability is required company-wide in order to make policies, procedures, and tech solutions effective. But, according to our panelists, employees and even board members are becoming less passive in their roles as they relate to cybersecurity. This is a big relief for IT and security teams, especially when the threat of human error is one of the biggest challenges we’re up against.
Learn more
Keen to watch the full Human Layer Security Summit and see what our other guest speakers – including a hacker – had to say? Watch the video on our YouTube channel. You can also read key takeaways from the day here.
#HumanLayerSecuritySummit20
Human Layer Security Spear Phishing
Hacker’s Advice: 7 Tips for Avoiding Phishing Scams
09 March 2020
The final speaker at Tessian’s first Human Layer Security Summit was Glyn Wintle, the CTO and co-founder of Tradecraft (formerly DXW Cyber), a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems. In other words, he’s an ethical hacker, although he prefers “friendly hacker”.  During his presentation, he explained how hackers combine psychology and technical know-how to create highly targeted and highly effective phishing attacks on people. Based on his insights, we’ve put together 7 tips to help you avoid social engineering schemes like phishing attacks.
1. Don’t Underestimate Hackers or Overestimate Your Ability to Spot a Phish
Glyn started his presentation with one clear and concise statement: Breaking in is easier than defending. And he’s right. Attacks like phishing emails rely on power in numbers, meaning that only one person has to follow a link, click an attachment, share personal information, or make a bank transfer for the hacker to be successful. Interestingly, though, employees tend to be incredibly confident in their ability to spot phishing emails; only 3% of people think it’s difficult to spot a phish. The general consensus, especially amongst employees at organizations where security awareness training is required, is that “only idiots fall for scams”. While that may be the case with the more blatantly obvious scams – for example, an email coming from a Nigerian Prince claiming they’d like to share their fortune with you if you share your bank account details – hackers have an arsenal of techniques to dupe even the most discerning eye. This is especially the case in spear phishing attacks, where hackers might spend days or even weeks researching their target to craft a perfectly believable email. With social platforms like LinkedIn, they can easily uncover not just a company’s organizational structure, but more timely information about individuals, like when they’re attending a conference. This is powerful ammunition for a spear phishing attack.
2. Look Out for Both Emotive and Enterprising Scams
People tend to be familiar with phishing and spear phishing attacks that rely on an emotional response – fear, urgency, stress – often triggered by an email that appears to be sent from a person in power. They work really well. But enterprising scams are just as powerful.
Glyn cited an example in which a company made a public announcement that it had recently received VC funding. Based on the press release, a savvy hacker contacted the venture capital firm impersonating the company. The hacker was able to create a convincing email relationship with the venture capital firm, and this trust enabled the hacker to successfully get the VC to transfer the funds into their account. People sometimes mistakenly think the solution to this is to hide all information. But often there’s a reason why information was and is made public. Making sure people know what information is public or not can help.
3. Relying on hyper-vigilance isn’t enough
People – especially in work environments – tend to move and work quickly. Because of that, and despite training, they might not think twice about irregularities in email addresses, URLs, or landing pages in pursuit of being productive. What’s more, expecting people to double-check everything will not work. They will not get any work done. Management must understand that people make mistakes; expecting them to be hyper-vigilant at all times cannot be the solution. There are technical measures that can be used to warn someone that something abnormal is happening. Showing users who do have the privileges to do harmful things what real targeted phishing emails look like can help. But you must also find ways to make their lives easier. Telling them “this is really hard” and then saying “best of luck” is not setting them up for success.
4. Don’t take the “secret” bait
If nothing else, hackers are inventive. Glyn cited one example where, instead of emailing a target pretending to be someone else, they’ll simply CC individuals into a conversation that genuinely has nothing to do with them. The email message will allude to a secret or piece of sensitive information, potentially with a malicious link to the alleged source or a malicious attachment. It seems rudimentary, but it works.
More often than not, the target will follow the link or attachment, thinking they’re gaining access to something highly confidential. In reality, they will have installed malware on their computer.
5. Beware of Urgent Requests and Reasonable Requests
While a lot of hackers will use urgency to incite action, that’s not the only tactic they employ. In fact, a tried-and-tested technique according to Glyn is to request an action within two working days. “If you’re impersonating a company and targeting employees, and you say something must be actioned within two working days, you will get much higher hit rates.”
6. Take Extra Caution on Your Mobile
While mobile phones have no doubt made it easier for us to stay connected, they’ve also made it even easier for hackers to pull off successful phishing attacks, given the smaller screens and differences in functionality, especially after hours. “I love mobiles. But if you’re targeting someone on mobile, the rules change. You probably want to do it on a Friday night, when alcohol might be involved, especially because the smaller web browser makes it hard to see who the sender is or tell what exactly the URL is.” But it’s not only smaller browsers that make mobiles risky. Smishing and vishing are also on the rise, meaning email isn’t the only threat vector to be wary of.
7. Implement a Security Solution
While there are certainly steps individuals can take to prevent themselves from falling victim to a phishing scam, if organizations really want to protect their people, they have to implement security solutions.
#HumanLayerSecuritySummit20
Human Layer Security
Insights from Tessian Human Layer Security Summit | London 2020
05 March 2020
On March 5, 2020, Tessian hosted the world’s first Human Layer Security Summit, where we brought together speakers from Prudential, Lloyd’s of London, Herbert Smith Freehills, Clifford Chance, HFW and Tradecraft to talk about security culture, the Human Element, and the evolving threat landscape. We had hundreds of people join us in person in London and from around the world via livestream. In case you missed it, you can watch a recording of the event here:
While the focus of the Summit centered around Human Layer Security and why we need to protect people (not just networks and devices), the speakers and panelists offered a diverse range of insights into the challenges cybersecurity professionals are up against and, importantly, how they try to solve them.
It takes a village to secure an organization’s data, devices, and networks
Accountability is required company-wide in order to make policies, procedures, and tech solutions effective. That’s why those in cybersecurity leadership positions are laser-focused on finding new ways to engage with employees through gamification, interactive content, podcasts, and more.
According to Timor Ahmad from Lloyd’s of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, employees are, fortunately, becoming less passive in their roles as they relate to cybersecurity. As the Human Element continues to be one of the biggest risk factors in data breaches, individuals have to do their part to supplement their cybersecurity stack. This is especially important because, by empowering your employees, you’re taking the burden not only off them, but off of your information security team. For smaller teams, this is vital. For more insights from the panel discussion, click here.
Cybersecurity frameworks and strategies can’t be static
There’s a lot that goes into creating an effective cybersecurity framework and strategy. They take months – even years – to create and implement. But they have to constantly evolve in tandem with both external and internal factors. Privacy laws, regulations, compliance standards, company size, board members, budgets, individual employees – even the Coronavirus! – all affect and should, therefore, influence strategies. It’s a minefield, but unless all these things are considered and constantly re-evaluated, organizations will put themselves at risk. It takes a cybersecurity strategy that’s customized, and re-customized, to keep networks and devices secure and to empower and enable employees to make smart security-related decisions.
Breaking in is easier than defending
While spam, phishing scams, and more targeted attacks like spear phishing are relatively easy for attackers to pull off, spotting these nefarious emails is hard…even with training. Interestingly, though, according to Glyn Wintle, an ethical hacker and penetration tester, employees tend to be incredibly confident in their ability to spot phishing emails, with just 3% of people saying they have a low probability of falling for a phishing scam.
Unfortunately, confidence doesn’t equate to actual ability, especially when hackers combine bulk email lists, technical acumen, and social engineering. By abusing trust, piquing curiosity, and/or creating a sense of urgency, hackers can get whatever it is they’re after – from log-in credentials to a bank transfer – from at least one person out of the tens, hundreds, or thousands they’ve emailed. Interested in learning more about cybersecurity from a hacker’s perspective? Click here.
There are some fundamental problems with cybersecurity awareness training
Mark Logsdon sees three problems with cybersecurity awareness training: it’s often irrelevant to the audience or user, it’s generally quite boring, and it’s expensive in terms of investment and lost productivity during the training itself. Mark said it best: “We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect ‘Johnny’ to be grateful for having spent that time in the training and to have been thoroughly entertained.” You also hope he’s learned something. This likely sounds familiar to both cybersecurity professionals who implement awareness training programs and the employees who take part in – or should we say endure – quarterly or annual training sessions. Of course, Mark isn’t suggesting that organizations do away with cybersecurity awareness training; he’s simply saying it needs to be more tailored to the risk areas in each individual organization in order to be most effective. You can read more about Mark’s approach here.
Cybersecurity isn’t just a support function, it’s an enablement function
While cybersecurity has historically been a very siloed department within organizations, it’s becoming not only more integrated into overall businesses, but also an enablement function. In short, board members and employees across departments see the value in information security. In fact, more and more, representatives from cybersecurity teams are being called on to promote a business’s value proposition through its security. It makes sense, though, especially for organizations that handle large amounts of external data for clients or customers. In this case, security becomes a unique selling point in and of itself.
For an industry that has historically struggled to communicate its value and the return on investment for strategies, this is huge.
The insights offered at our first-ever Human Layer Security Summit were invaluable, not only for cybersecurity professionals, but also for employees and consumers. We’ll be announcing the next Human Layer Security Summit soon, so be sure to subscribe to our newsletter for the latest industry and company updates.
#HumanLayerSecuritySummit20
Human Layer Security
RSA Recap: The Human Element is More Than a Buzzword
By Erez Haimowicz
04 March 2020
Last week, Tessian was at RSA 2020 in San Francisco. While this was only my fourth month at Tessian, this was my ninth year at the annual cybersecurity conference, which I’ve previously attended on behalf of Mimecast, Proofpoint, and Cofense when I was part of their respective teams. Last year the agenda was very much focused on automation, machine learning (ML), and artificial intelligence (AI), but this year, the theme was much more…human. More specifically, it was the Human Element.
What is The Human Element?
This theme, of course, resonates with all of us here at Tessian. After all, it’s why we’ve created Human Layer Security. Humans and our propensity to break the rules, make mistakes, and get hacked are the foundation for everything we do at Tessian. We believe humans are an organization’s biggest asset, so long as they are empowered to make smart security-related decisions. But how do you actually enable and empower people to make those smart security-related decisions? How do you actually protect the Human Element? While Tessian is clear and confident that stateful machine learning is the most effective way to protect the Human Layer, it seemed like a lot of other vendors relied on strong messaging alone to align with this year’s RSA theme and didn’t necessarily have the technology or functionality to back that messaging up.
The Human Element Applies to Both Inbound and Outbound Threats
If you look at cybersecurity historically, solutions have been focused on protecting networks, endpoints, and devices. You know, machines. But phishing isn’t a machine or technology-related problem. It’s a human problem. Sure, we can use spam filters or Secure Email Gateways (SEGs) to mitigate the risk, but it’s inevitably people that are both behind the attacks and the last line of defense. What about awareness training and phishing simulations?
While this type of solution may have a positive effect in the short-term, the immediate gains wane over time as people forget the training and revert to old behaviors. Tessian even published a report examining this problem. Phishing is – and has been – a hot topic and the inbound space is crowded with vendors that claim to protect organizations from this type of attack. But, the Human Element isn’t limited to inbound threats. It’s just as – if not more – relevant to outbound threats. Misdirected emails, insider threats, accidental data loss…these are all human problems that not only rely on people being aware of security policies and best practice, but also rely on people doing the right thing 100% of the time. This is a tall order when they are in control of more sensitive data and systems than ever before. Unfortunately, to err is human. And that – in a nutshell – is the problem. Humans will make mistakes. Humans will break the rules. Humans will get tricked or hacked.
Visibility is Key
Fundamentally, CISOs and other IT decision-makers understand this, but they may not have always understood exactly how big of a problem the issue of human error is. And, in my experience, visibility of the scope of the problem is the lifeblood of any cybersecurity strategy or framework. Vendors know this, which is why we see so much messaging focused on fear-mongering; messaging focused on the size and scale of the problem with alarming stats that seem to only be trending upwards. We’ve been guilty of this in the past, too. But CISOs are tired. They want strong solutions, not strong messaging.
Strong Messaging Doesn’t Solve Cybersecurity Challenges
It’s safe to say – especially given this year’s theme – that today, the cybersecurity industry and professionals within the industry have started to wise up to the problem of human error beyond phishing. In particular, they understand the challenges and consequences associated with accidental data loss and data exfiltration, and are beginning to have visibility of the scope of these problems, too. But they have very few solutions. While a lot of vendors shouted about the Human Element this year, their product offering hasn’t changed since last year, when they were shouting about AI, ML, and automation. SEGs and other cybersecurity solutions don’t suddenly empower employees to inspect and identify threats with 100% accuracy just because their messaging is now more people-focused than it has been historically. Actually solving problems related to the Human Element takes innovation and disruptive technology that challenges widely-accepted – albeit ineffective – approaches that have previously been classed as best practice. A new tagline isn’t enough.
The Future of People-Focused Cybersecurity Solutions
Cybersecurity is a broad, expansive industry that seeks to solve an incredible range of problems. There are firewalls, web applications, password managers, sandboxes, and simple spam filters, and new start-ups are cropping up nearly every single day claiming to solve for one or more of these problems. Why? Because the industry is one of the most important today given the digital landscape and is incredibly valuable because of that. In fact, the global cybersecurity market has grown 30x in the last 13 years and the industry received record venture capital investment in 2019. But, growth is only good if we as an industry look at the problems we’re solving holistically.
If we collectively recognize the Human Element is a challenge we’re up against, the next generation of cybersecurity solutions have to take a new approach to protecting human-digital interactions. Tessian is doing just that by creating Human Layer Security, a new category in the industry. We protect people on email from both inbound and outbound threats with stateful machine learning.  It’s not just messaging, it’s our genuine product offering.  Interested in how Tessian’s Human Layer Security platform can protect your data by protecting your Human Element? Book a demo now.
Human Layer Security
To protect people, we need a different type of machine learning
By Ed Bishop
29 February 2020
Despite thousands of cybersecurity products, data breaches are at an all-time high. The reason? For decades, businesses have focused on securing the machine layer — layering defenses on top of their networks, devices, and finally cloud applications. But these measures haven’t solved the biggest security problem — an organization’s own people. Traditional machine learning methods that are used to detect threats at the machine layer aren’t equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of “state” — the additional variable that makes human-layer security problems so complex. This is why “stateful machine learning” models are critical to security stacks.
The people problem
The problem is that people make mistakes, break the rules, and are easily hacked. When faced with overwhelming workloads, constant distractions, and schedules that have us running from meeting to meeting, we rarely have cybersecurity top of mind. And things we were taught in cybersecurity training go out the window in moments of stress. But one mistake could result in someone sharing sensitive data with the wrong person or falling victim to a phishing attack. Securing the human layer is particularly challenging because no two humans are the same. We all communicate differently — and with natural language, not static machine protocols. What’s more, our relationships and behaviors change over time. We make new connections or take on projects. These complexities make solving human-layer security problems substantially more difficult than addressing those at the machine layer — we simply cannot codify human behavior with “if-this-then-that” logic.
The time factor
We can use machine learning to identify normal patterns and signals, allowing us to detect anomalies when they arise in real time. The technology has allowed businesses to detect attacks at the machine layer more quickly and accurately than ever before. One example of this is detecting when malware has been deployed by malicious actors to attack company networks and systems. By inputting a sequence of bytes from a computer program into a machine learning model, it is possible to predict whether there is enough commonality with previously seen malware attacks — while successfully ignoring any obfuscation techniques used by the attacker. Like many other threat detection problem areas at the machine layer, this application of machine learning is arguably “standard” because of the nature of malware: A malware program will always be malware. Human behavior, however, changes over time. So solving the threat of data breaches caused by human error requires stateful machine learning.
Consider the example of trying to detect and prevent data loss caused by an employee accidentally sending an email to the wrong person. That may seem like a harmless mistake, but misdirected emails were the leading cause of online data breaches reported to regulators in 2019. All it takes is a clumsy mistake, like adding the wrong person to an email chain, for data to be leaked. And it happens more often than you might think. In organizations with over 10,000 workers, employees collectively send around 130 emails a week to the wrong person. That’s over 7,000 data breaches a year. For example, an employee named Jane sends an email to her client Eva with the subject “Project Update.” To accurately predict whether this email is intended for Eva or is being sent by mistake, we need to understand — at that exact moment in time — the nature of Jane’s relationship with Eva. What do they typically discuss, and how do they normally communicate? We also need to understand Jane’s other email relationships to see if there is a more appropriate intended recipient for this email. We essentially need an understanding of all of Jane’s historical email relationships up until that moment. Now let’s say Jane and Eva were working on a project that concluded six months ago. Jane recently started working on another project with a different client, Evan. She’s just hit send on an email accidentally addressed to Eva, which will result in sharing confidential information with Eva instead of Evan. Six months ago, our stateful model might have predicted that a “Project Update” email to Eva looked normal. But now it would treat the email as anomalous and predict that the correct and intended recipient is Evan. Understanding “state,” or the exact moment in time, is absolutely critical.
Why stateful machine learning?
With a “standard” machine learning problem, you can input raw data directly into the model, like a sequence of bytes in the malware example, and it can generate its own features and make a prediction. As previously mentioned, this application of machine learning is invaluable in helping businesses quickly and accurately detect threats at the machine layer, like malicious programs or fraudulent activity. However, the most sophisticated and dangerous threats occur at the human layer when people use digital interfaces, like email. To predict whether an employee is about to leak sensitive data or determine whether they’ve received a message from a suspicious sender, for example, we can’t simply give that raw email data to the model. It wouldn’t understand the state or context within the individual’s email history.
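The Jane, Eva and Evan scenario above, worked through as a toy model that scores the same “Project Update” email at three different moments. This is an added example, not Tessian’s code or model; the recency half-life, the two thresholds, the addresses and the dates are constructed assumptions, and simple subject-word overlap stands in for the natural-language analysis the article refers to.

```python
"""Toy stateful model for misdirected-email detection (added example, not Tessian's
code).  An outbound email is scored against the sender's relationship history as
it existed at the moment of sending, so the same email gets a different verdict
at different times.  Half-life, thresholds, addresses and dates are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

HALF_LIFE_DAYS = 30.0  # assumption: a past email loses half its weight every 30 days
RATIO = 0.25           # assumption: flag when the chosen recipient scores < 25% of the best
MIN_EVIDENCE = 0.5     # assumption: never flag when no relationship is strong enough


def subject_tokens(subject: str) -> set[str]:
    """Lower-cased words of a subject line, punctuation stripped (stand-in for NLP)."""
    return {w.strip(".,:;!?\"'").lower() for w in subject.split() if w.strip()}


@dataclass(frozen=True)
class SentEmail:
    recipient: str
    subject: str
    sent_at: datetime


@dataclass
class Assessment:
    anomalous: bool
    actual_affinity: float
    suggested_recipient: str


@dataclass
class SenderState:
    """Everything one sender has sent so far; every query is made "as of" a moment."""
    history: list[SentEmail] = field(default_factory=list)

    def record(self, email: SentEmail) -> None:
        self.history.append(email)

    def affinity(self, recipient: str, subject: str, now: datetime) -> float:
        """Recency-weighted strength of the sender->recipient relationship at `now`,
        boosted when earlier subjects overlap with the current one."""
        want = subject_tokens(subject)
        total = 0.0
        for past in self.history:
            if past.recipient != recipient or past.sent_at >= now:
                continue  # only emails that already existed at `now` count as state
            age_days = (now - past.sent_at).total_seconds() / 86400.0
            recency = 0.5 ** (age_days / HALF_LIFE_DAYS)
            overlap = len(want & subject_tokens(past.subject)) / max(len(want), 1)
            total += recency * (0.5 + 0.5 * overlap)
        return total

    def known_recipients(self, now: datetime) -> set[str]:
        return {e.recipient for e in self.history if e.sent_at < now}


def assess(state: SenderState, email: SentEmail, now: datetime) -> Assessment:
    """Decide whether `email` looks misdirected given the sender's state at `now`."""
    actual = state.affinity(email.recipient, email.subject, now)
    best_name, best_score = email.recipient, actual
    for other in state.known_recipients(now) - {email.recipient}:
        score = state.affinity(other, email.subject, now)
        if score > best_score:
            best_name, best_score = other, score
    anomalous = (
        best_name != email.recipient
        and best_score >= MIN_EVIDENCE   # stale or empty history never raises an alert
        and actual < RATIO * best_score
    )
    return Assessment(anomalous, round(actual, 3), best_name if anomalous else email.recipient)


def jane_scenario() -> dict[str, Assessment]:
    """Constructed history: weekly 'Project Update' emails to Eva for three months,
    then, six months later, weekly emails to Evan.  Returns the verdict for the
    same kind of email at three different moments."""
    base = datetime(2019, 6, 1)
    eva, evan = "eva@client-a.example", "evan@client-b.example"  # constructed addresses
    jane = SenderState()
    for day in range(0, 85, 7):        # days 0..84: the Eva project
        jane.record(SentEmail(eva, "Project Update", base + timedelta(days=day)))
    for day in range(240, 269, 7):     # days 240..268: the Evan project
        jane.record(SentEmail(evan, "Project Update", base + timedelta(days=day)))

    def project_update(to: str, day: int) -> SentEmail:
        return SentEmail(to, "Project Update", base + timedelta(days=day))

    return {
        # day 90: Eva's project is live and Evan is unknown -> normal
        "during_eva_project": assess(jane, project_update(eva, 90), base + timedelta(days=90)),
        # day 240: first ever email to Evan; Eva's relationship is stale -> no alert
        "first_email_to_evan": assess(jane, project_update(evan, 240), base + timedelta(days=240)),
        # day 270: the Eva email now looks wrong and Evan is the likely intended recipient
        "six_months_later": assess(jane, project_update(eva, 270), base + timedelta(days=270)),
    }


if __name__ == "__main__":
    for label, verdict in jane_scenario().items():
        print(f"{label:20} anomalous={str(verdict.anomalous):5} "
              f"affinity={verdict.actual_affinity:6.3f} suggested={verdict.suggested_recipient}")
```

The `sent_at >= now` filter in `affinity` is the whole point: the history is evaluated as of the sending moment, which is why the day-90 and day-270 verdicts differ for an otherwise identical email.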
People are unpredictable and error prone, and training and policies won’t change that simple fact. As employees continue to control and share more sensitive company data, businesses need a more robust, people-centric approach to cybersecurity. They need advanced technologies that understand how individuals’ relationships and behaviors change over time in order to effectively detect and prevent threats caused by human error. *This article is part of a VentureBeat special issue. Read the full series here: AI and Security.
Human Layer Security Spear Phishing
Tim Sadler on Hacking Humans Podcast: Episode 87 “The Art of Cheating”
28 February 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why email is so risky and inboxes remain dangerous territory. Listen to Hacking Humans Episode 87 “The Art Of Cheating.”
Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He is from a company called Tessian. And we discuss the human element of cybersecurity, along with some details on some phishing schemes. Here’s my conversation with Tim Sadler.
Tim Sadler: I think, for a long time, when we’ve spoken about securing people, we’ve always defaulted to training and awareness rather than thinking about how we can use technology to take the burden of security away from people. So I think there’s a challenge at the moment in that humans are unpredictable. They break the rules. They make mistakes. And they’re easily tricked. And that’s what’s leading to so many data breaches today that are ultimately caused by people and human error.
Dave Bittner: And so the bad guys, knowing this, have adjusted their tactics.
Tim Sadler: I think that’s right. I mean, if you think about email for an organization, it is an open gateway. So it is one of the only pieces of infrastructure an organization has where anybody can send anything into an organization without pre-approval. And I think that’s one of the reasons why we’re seeing such a high level of threat around phishing, spear-phishing, business email compromise, those kinds of attacks. It is the – really, the entry point for every attacker that wants to get into an organization today, and it’s so effortless to execute one of these scams.
Dave Bittner: So what kind of things are you tracking? What are some of the specific campaigns that are popular these days?
Tim Sadler: So I think, you know, we see everything from the well-known trends like the fact that, you know, it’s tax season and the W-9 form scam – so attackers putting malicious attachments in emails trying to get people to open them because, you know, it’s tax season, and that’s something that everybody is watching out for. And then some of the more interesting things that we’re seeing specifically are around attackers scraping LinkedIn data to automate attacks based on people moving jobs. So a new joiner to an organization will – you know, is – may have a higher propensity to be duped by a phishing scam. They won’t know the protocol that an organization has in place. So we’re seeing a lot of attacks that come through when people are new to an organization. It’s maybe in their first or second week, and then they’ll receive a spear-phishing email pretending to be the CFO or pretending to be the CEO, trying to dupe them into doing something and, again, use those techniques of deception and urgency on emails.
Dave Bittner: Now, what about some of the more targeted campaigns – you know, things like spear-phishing, even – you hear it referred to sometimes as whaling, where they’re targeting high-level people within organizations?
Tim Sadler: And actually, you can – for attackers, it is fairly scalable to do this. You can build a LinkedIn scraper. You can be pulling names. And you can be automating the purchase of domains that look like legitimate domains but, in fact, aren’t. And then you can automate the sending of those emails into organizations. And, you know, the rewards from doing this kind of thing can be enormous for attackers. So I read about that charity in the U.K. this morning who fell victim to a spear-phishing scam where they lost almost a million dollars over three transactions. So it is a huge, huge payoff for these attackers when they actually – you know, they get their target to do the thing they want them to.
Dave Bittner: What are your recommendations for organizations to best protect themselves?
Tim Sadler: So I think, you know, it does start with awareness. You have to make sure that employees are aware that their inbox is dangerous. And they need to pause, if only for five seconds, just with every email they get and do some basic checks. So check, who is this email from? Does the domain look legitimate?
Tim Sadler: But really, what is extremely difficult is, for most organizations today, their entire security strategy is reliant on their employees doing the right thing 100% of the time. So if you are only relying on security training and awareness, there are going to be things that creep through. There are going to be attacks that are successful. And in the same way that organizations use advanced technology to secure their networks and secure their devices, we believe that organizations today need to be using advanced technology to secure their people.
Dave Bittner: Well, how does that technology play out? What sort of things are you describing here?
Tim Sadler: In order to secure people – so again, we come back to this point that people are unpredictable. They break the rules. They make mistakes, and they’re easily hacked.
A system needs to understand the normal patterns of behavior that a person exhibits on email in order to understand what looks like a security threat and what looks like a normal email. So what organizations can do is they can use a platform – like Tessian, for example – that uses machine learning to analyze historical email patterns and behaviors to understand, on every incoming email, does this email look legitimate or not? And that’s something that we’ve pioneered and we use and is much more effective than some of the traditional approaches, which use rules or policies to control the flow of inbound email.
Dave Bittner: You know, it reminds me of a story that a colleague of mine shared with some friends who work for a nonprofit. And they got an email from the chief financial officer, who had just gone on vacation, and it said, I know; I realize I’m out of town, but I need you all to transfer this large sum of money, and I need it done immediately; you know, please don’t let me down. And to a person, they all said, this is the last thing in the world this person would ever say or do. And that tipped them off to the problem. It sounds like – I mean, that’s a similar thing to how you’re coming at this from a technological point of view or looking – making sure that the behavior isn’t anomalous.
Tim Sadler: Yeah, that’s exactly right. We use machine learning in the way that it’s been applied to other fields – for example, credit card fraud detection. You look at their normal spending patterns and behaviors on card transactions, and then you use that intelligence to then spot the fraudulent transactions. And that’s what we’re doing. We’re looking at normal email behavior in order to spot the fraudulent email behavior. And in the same way that you would try and train a person to look out for the unusual aspects of an email that may give a clue as to whether it’s a phishing email or not, you can train a machine-learning algorithm to do the same.
Tim Sadler: Now, the difference and the advantage to doing this is that a machine-learning algorithm can traverse millions and millions and millions of data points in a split second, whereas a human is only going to have a limited number of data points that they can remember or they can go back to in their mind.
Dave Bittner: Where do you suppose we’re headed with this? As you look towards the future and this problem with email continues to be an issue, do you suppose the types of things that you’re offering here are going to become just a standard part of doing business?
Tim Sadler: I think it’s critical that organizations today realize that their security strategy cannot be reliant on training people to do the right thing 100% of the time. And again, it comes back to – at the beginning of my career, I was working for one of the world’s largest banks and saw a massive problem, and that is that banks spend millions of dollars on securing their networks and devices using advanced technology, but they completely neglect the security of their people. So instead, they’re relying on training them to do the right thing 100% of the time. And that, obviously, doesn’t work.
Tim Sadler: I saw people who would send highly sensitive information to completely the wrong person. They would email documents to their personal email account, or they would fall for phishing scams. So we thought this was a huge problem that needed solving, and that’s why we built the product that we’re building today – because we believe that in the same way you have a firewall for your network and you have an EDR platform for your devices, we believe you need a human-layer security platform to protect your people.
Dave Bittner: All right. Interesting stuff. Joe?
Joe Carrigan: Yeah. A couple things stick out to me. One, your inbox is dangerous, and Tim does a really good job of describing why that is. He calls it an open gateway because anyone – literally anyone – can use your inbox.
Human Layer Security
Tessian Human Layer Security Summit: Meet the Speakers
07 February 2020
On March 5, Tessian will host the first Human Layer Security Summit in London. We’ll be welcoming 10 speakers with diverse backgrounds to the stage as we take a deep dive into what exactly people-centric security means. On the day, attendees can expect thought-provoking presentations by leaders from renowned institutions, a panel discussion about Human Layer Security featuring some of Tessian’s customers, and an analysis of emerging social engineering threats from an ethical hacker.
Keynote Speakers
Mark Logsdon, Head of Governance and Assurance, Prudential
Mark – who has held senior security positions at top-tier financial service companies for over a decade – will be highlighting the challenges and opportunities associated with creating and maintaining a positive security culture within an organization. Attendees can expect a multi-faceted presentation that covers how cybersecurity can and should enable business objectives, the value in creating a proactive security environment, and the importance of collaboration across departments for cybersecurity advocacy.
Tanja Podinic, Assistant General Counsel, Dentons
Working at the intersection of tech and legal, Tanja is in a unique position to highlight the implications the digital transformation has had on risk for businesses. She’s particularly interested in how innovations in technology can help mitigate the risks around people. Now, with Dentons having implemented Tessian’s solutions – Tessian Guardian and Tessian Enforcer – she’ll also be joining the panel session to discuss how machine learning has helped her organization prevent misdirected emails and data exfiltration on email. Read more about how Tessian has helped Dentons protect their data here.
Panel Session
Timor Ahmad, Head of Data Governance & Privacy, Lloyd’s of London
Timor – who believes data should be treated as an organization’s core asset – has years of experience managing data protection, privacy, and quality. With a special interest in business enablement, Timor has seen how Human Layer Security can give businesses across industries a competitive edge.
Jamie Travis, Head of Information Security, Herbert Smith Freehills
With a great deal of experience in leading large-scale security improvement projects, Jamie has a strong interest in understanding how risk management and human behavior go hand-in-hand. This requires that he not only create strong security policies, but also that he fosters strong internal and external relationships. He now uses Tessian to mitigate risk associated with human error, and people-centric security is a key focus for 2020.
Mark Parr, Global Director of Information Technology, HFW
After a 27-year military career delivering command and control networks and communications and information systems, Mark moved into the financial sector to focus on people operations within cybersecurity. Currently heading up Information Technology at a global law firm, he’s using his expertise in Risk Management and Information Assurance alongside Tessian to navigate challenges associated with human error.
Ethical Hacker
Glyn Wintle, CEO & Founder, Tradecraft
Having started his career as a penetration tester, Glyn has incredible, hands-on experience in helping organizations defend themselves against ever-evolving threats. He’ll detail how hackers combine psychology and technical know-how to create highly targeted (and highly effective) phishing attacks and other forms of social engineering.
Join us at Tessian Human Layer Security Summit
Over the next several weeks, we’ll be releasing even more information about Human Layer Security Summit and the speakers who will be attending. Follow us on LinkedIn to be the first to get these updates.
If you haven’t yet saved your seat to join those who are putting people-centric security at the top of their agenda, do so now! Spaces are filling up quickly.
Human Layer Security
The Ultimate Guide to Human Layer Security
By Tim Sadler
24 January 2020
There’s a big problem in cybersecurity. Despite over 3,000 products in the market, data breaches are at an all-time high. Businesses are at risk of insider and outsider threats, with a reported 67% increase in the volume of security breaches over the past five years. Worse still, this increase in security breaches is happening despite organizations spending more than ever to protect their systems and data, up from $1.4 million to $13 million. Why is this happening? Businesses haven’t been protecting their most important asset: their employees. Historically, email security solutions have layered defenses first on top of networks, then devices, and finally cloud applications. The majority of these solutions provide blunt protection, or rely on retroactive threat detection and remediation, which leaves obvious (and unfortunate) gaps in a business’ armor. So, when you can get a firewall to protect your network, and EDR to protect your devices, what do you get to protect your people?
What is Human Layer Security?
Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. We created this category over a year ago, and it was the thesis for our Series B fundraise.  Since then, we’ve seamlessly deployed Tessian solutions to customers across industries from SMBs to multi-national enterprises, and are now detecting and preventing millions of inbound and outbound threats on email.
Why do we need Human Layer Security?
Your employees now control both your systems and your data and, the fact is, people make mistakes, people break the rules, and people can be hacked. It’s no wonder that 88% of data breaches are caused by human error, with AIG reporting “human errors and behavior continue to be a significant driver of cyber claims.” After all, employees can transfer millions of dollars to a bank account in a few clicks and can share thousands of patient records in an Excel file via a single email. Instead of expecting people to do the right thing 100% of the time, we think it’s better to preempt these errors by detecting and preventing them from happening in the first place. Each of our solutions – Tessian Enforcer, Tessian Guardian, and Tessian Defender – is uniquely positioned to do just that, and these solutions can be explored by the specific type of human error they protect against.
People break the rules
Whether done maliciously or accidentally, people in every organization can and do break the rules. Those rules can be related to anything, from a password policy to how sensitive information is stored. But, what about rules related to data exfiltration? Oftentimes, employees are blissfully unaware of policies related to – and the risk associated with – sending emails containing work-related information to domains outside of their own organization. Take, for example, an employee who sends a file to their personal email account so that they can work from home over a long weekend. Sometimes, though, work-related information is extracted with more nefarious intent and, unfortunately, this can happen in even the most secure environments. Case in point: In late 2019, an employee at a cybersecurity and defense company sold 68,000 customer records to scammers. This isn’t an isolated incident, either; more than half of UK employees admitted to stealing corporate data. A quarter of those would be willing to do so for less than £1,000.
People make mistakes
To err is human and, entrusted with both systems and data, employees put themselves in decidedly vulnerable positions as they maneuver dozens of human-digital interactions each day. From a simple typo to a misconfigured firewall, mistakes are inevitable in the workplace. Unfortunately, though, the consequences of these mistakes are far-reaching. If an employee accidentally fires off an email containing sensitive customer data to the wrong person – otherwise known as a misdirected email – penalties and fines could be incurred, customer trust could plummet, and reputational damage could be long-lasting. And those are just the consequences to the larger organization. Individuals will likely suffer, too, with misdirected emails no doubt causing employees and supervisors tremendous anxiety and even putting them at risk of being terminated.
People can be hacked
Businesses of all sizes work with a web of suppliers, contractors and customers spanning different time zones and regulatory environments. As a result, we’ve seen a rise in targeted spear phishing attacks where cybercriminals are convincingly impersonating internal and external contacts. Worse still, the odds are against businesses and their employees. While a hacker only has to get it right once, we are expected to get it right every time. So, what happens if one employee is successfully tricked one time by a spear phishing email and wires money, shares credentials, or otherwise acts as an entry point for a bad actor to gain access to your network? With the average cost of a data breach in the United States climbing to $8.19 million in 2019, the company will likely take a hard hit, especially with the sharp increase in GDPR fines.
Why focus on email?
To be truly effective, Human Layer Security must protect all human-digital interactions within the enterprise. This is a massive remit. So, Tessian started with email, because it’s the most popular (we spend 40% of our time on it) and riskiest (most breaches happen here) communication channel.
But why is email currently so poorly protected and how does Tessian fit into larger security frameworks to keep your people and your data safe?
Rule-Based Technology
Traditional email security solutions are static, disruptive and admin-intensive. Some demand that employees manually classify every email based on sensitivity or tag all emails being sent to external contacts; this is time consuming and not reliable. (Alert fatigue is real.) Others may require that employees encrypt emails, which adds friction and slows the pace of business. These older technologies can’t be configured to adequately defend against all the ways people make mistakes or cut corners on email.
Training
Aware of these tech shortcomings, most companies layer in security training. The hope is that through a combination of training and policies, employees will adopt secure behaviors. Unfortunately, though, two thirds of employees are not regularly trained about cyber threats on email, which is the #1 threat vector in an organisation. What’s more, a significant percentage of those who are trained don’t retain what they’re taught. Training is incomplete, irregular and doesn’t stick. Hence the need for HLS.
Human Layer Security
In addition to policies, training, and other security solutions, organizations need an extra layer of security. Human Layer Security works by understanding and adapting to human behavior without compromising productivity. This is only made possible by machine learning (ML), and Tessian built our HLS platform out of the gate using stateful ML. We built our outbound email protection first, and leveraged the email data from hundreds of customers (with their consent, of course) to build our inbound threat stack. Our stateful ML models analyze historical email data in order to understand human relationships and communication patterns. Once we know what normal and abnormal look like, Tessian can automatically predict and prevent security breaches.
How is Tessian using machine learning to secure the human layer on email?
We get it—ML/AI are used often and interchangeably in the cybersecurity space. But, the simple truth is that a solution built on ML enables better email protection because ML models get smarter and better over time as more data is ingested. Tessian’s Human Layer Security platform consists of intelligent and fully customizable email filters. For every inbound and outbound email, our filters analyze a vast array of data points in real time to create a comprehensive assessment of the correspondence. In the simplest terms, to determine whether an email is safe or unsafe to send/receive, we examine:
Relationship History: Analyzing past and real-time email data, Tessian has a historical view on all email communications and relationships. For example, we can determine in real time: if the wrong recipient has been included on an outbound email; if a sensitive attachment is being sent to a personal, non-business email account; if an inbound email with a legitimate-looking domain is a spoof, by detecting an unusual IP address.
Content & context: Using natural language processing to analyze historical email data, Tessian understands how people normally communicate on email and what topics they normally discuss. As a result, our filters automatically detect anomalies in subject matter (e.g. project names) or sentiment (e.g. urgency), which might indicate a threat.
Tessian understands and adapts to how people work, so it can prevent threats before they happen. It gets out of the way so people can proceed confidently with business as usual without being slowed down, or having to add threat detection to their to-do list. First, you protected your networks. Then, you protected your devices. Now, you can protect your people with Tessian’s Human Layer Security.
Insights on Human Layer Security from Tim Fitzgerald, CISO of Arm
23 January 2020
In case you missed it, on January 22 Tim Sadler, Tessian’s CEO and co-founder, hosted our first webinar of the year which explored the biggest threat to an organization’s security: its employees. To understand the risk of human error in the workplace and how Tessian’s Human Layer Security platform is able to mitigate that risk, Tim S. was joined by Tim Fitzgerald, the CISO of Arm, for a live Q&A. Before joining Arm over two years ago, Tim F. served as the CSO of Symantec for over five years. He has a special interest in digital data and human security. Arm is a customer of Tessian’s, and has deployed Tessian Defender, Tessian Guardian, and Tessian Constructor. Consequently, Tim F. is not just attuned to the security risks associated with employees making mistakes, he understands how best to combat those risks. While you can listen to the full webinar and Q&A on-demand here, below are some of the key takeaways from Tim Fitzgerald.
Where does risk really exist?
Tim Fitzgerald: “It is very ‘sexy’ in security to talk about big hacking groups and use that as justification to invest in security. And there’s a lot of legitimacy behind that. But the other side of the narrative – which we spend more time on now than nation-state type threats – is how do we not do it to ourselves? Because now we’re more often dealing with avoidable events caused by predictable human error.”
“I think, in general, not only should we be talking to our senior executives and boards more clearly about where real risk exists – which for most companies is the human layer – but we also need to be doing more to help these people combat the problem rather than just passing blame.”
To err is human, but people are (generally) well-intentioned
TF: “I very much chafe at the idea that we think of our employees as the weakest link. It underserves peoples’ intent and how they choose to operate. Rather than that, we try to take a look in the mirror and say ‘What are we not providing our employees to help them avoid these type of scenarios?’”
“At Arm, we take the ‘people-are-people’ view. Not that they’re the weakest link; not that they don’t come with good intent; or that they don’t want to be good at their job; or that they take shortcuts just to get that extra moment of productivity. But, actually, everyone wants to do a good job and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.”
The role of a CISO is people-centric
TF: “I view my job in human security as somewhere between a sociology and a marketing experiment. We’re really trying to change peoples’ behaviors in a moment. Not universally, not their personal viewpoints. But will they make the right decision in this moment to do something that won’t create security risk for us? Evolving that strategy relies not just on how we influence behavior in that moment of time, but actually, can we change their ethos? Can we make responsible security decision-making part of everybody’s job?”
“Security is ultimately my responsibility. But, we very much rely on what we consider our extended security team, which is all of our employees. Our view is that they can undo all the good that we’ve done behind them to try to compensate for the risk that normal human beings create.”
Security solutions should empower employees
TF: “By far the biggest single challenge we have is Arm’s ethos around information sharing. We have a belief – that has proven to be true – that this level of information sharing has allowed Arm to be extraordinarily successful and innovative. There’s no backing up from that, and that represents a huge amount of challenge; that level of information sharing is quite difficult to manage.
“Rather than saying people are an intractable problem and therefore we can’t conquer this, if we start thinking about how we can mobilize them as a part of our overall cybersecurity defense mechanism, it causes you to rethink whether or not you’re serving your populous correctly.”
Machine learning enables Human Layer Security
TF: “What I liked about Tessian is that it gave us an opportunity to use the ML in the background to try and develop context about whether or not something that someone was doing was either atypical or perhaps just part of a bad process. Either way, we can get a sense of whether or not what they’re doing is causing us risk. It doesn’t require us to be completely prescriptive about what we’re looking for, but it allows us to learn with the technology – and with the people – what normal patterns of behavior look like and, therefore, intervene when it matters and not have to react every time an alarm goes off.
“You have all this amazing context of what people are doing on email, which is where people spend most of their time and where most of the risk comes for most organizations. How can we turn this into more than just making sure someone doesn’t fat finger an email address or send sensitive files where they’re not supposed to go? Can we take the context that we’re gaining through how people are using email and create more of those moments in time to connect with them?”
Tessian fits into a larger security framework
TF: “We have a whole bunch of other mechanisms to protect against traditional insider threats – the people who are really acting against our best interest – but that instance is infrequent and high impact. The person who makes the mistake is high frequency, medium-to-high impact. We were getting hammered on that sort of stuff, which is why we came to Tessian.”
“When used correctly and in a finite environment or a finite data set, DLP solutions are very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem. When you try to deploy that broadly though…you start to run into the inability of the DLP system to understand where that data is supposed to be. Is this person supposed to have it based on their role and their function? It’s not a smart technology like that. You end up trying to write these very complex rules that are hard to manage.”
The future of Human Layer Security
TF: “Can we start to mesh together what we know about the technology and the machines with real human behavior? It’ll not only help us find those bad guys in our environments who we know are there, but also to get out in front of people’s behavior rather than reacting to it after it happens. That’s the holy grail of what this could become. To get – if not predictive – at least start leading us toward where we think risk exists and allowing us an opportunity to intervene before things happen.”
Want to learn more about how Tessian helps Arm catch and stop accidental data loss with Tessian Guardian and prevent spear phishing attacks with Tessian Defender? Read the case study here.