Raffael Marty
VP Research and Intelligence
Head of X-Labs, Forcepoint
Cyber Security Beyond 2020 –
Will We Learn From Our Mistakes?
SIGS Kick-Off | January 2020 | Switzerland

A Brief Summary
We need a paradigm shift in security to escape the
security cat and mouse game
Integrated platforms - no more disjointed security
tools
Readiness for digital transformation challenges
Human factors and behavioral intelligence play a
key role in detecting and preventing cyber attacks
and insider threat

Raffael Marty
Sophos
PixlCloud
Loggly
Splunk
ArcSight
IBM Research
Security Visualization
Big Data
ML & AI
SIEM
Corp Strategy
Leadership
Zen

Beyond 2020
Cyber Security Today
The Imminent Paradigm Shift
Three Market Trends • Ever New Attack Surfaces
• Integrated Platforms
• Behavior and Risk Centricity

Cyber Security Today

Visibility Challenge –
Devices and Users
Disjointed security
products
Alert overload in the SOC
Cyber Security Challenges
Privacy and Regulations -
a security inhibitor
New technologies
constantly exposing new
threats
Talent shortage
Phishing
(now with deepfakes)
Discovering attacks too
late (‘right of boom’)
Ransomware

$1 Trillion Has Been Spent Over
The Past 7 Years On Cybersecurity,
With 95% Success … For The Attackers
46% say they can’t prevent attackers
from breaking into internal networks
each time it is attempted.
100% of CIOs believe a breach will
occur through a successful phishing
attack in next 12 months.
Enterprises have seen a 26% increase
in security incidents despite
increasing budgets by 9% YoY.
Source: CyberArk Global Advanced Threat Landscape Report 2018 Sources: Verizon 2018 Data Breach Investigations Report.

The Imminent Paradigm Shift?

© 2020 Raffael Marty | 9
Centralized Data Lakes and Analytics
Events
Threat Intelligence (IOCs)
Fixed rules
External Attacker
Infrastructure Security
Paradigm Shift
Decentralized Data and Analytics
Entity Based Activities
Behaviors and Context (IOBs)
Risk Adaptive
Compromised Accounts and Devices
User and Data Security
Escaping the Security Cat and Mouse Game

Extending / Improving the Kill Chain
Recon Weaponization Delivery Exploitation Installation Execution
Most Security Tools
• What if there is no exploitation?
• Generally focused on external attackers
• Focused on known attacks

Understand the Execution Phase
Recon Weaponization Delivery Exploitation Installation Execution
Discover
Explore
Collect
Exfiltrate, Modify, Destroy
Dwell time can be months
• Broaden focus from external attackers to compromised users and devices to include
insiders (malicious and accidental)
• Shift focus from latest attacks to what your users (and devices) are supposed to do
• Think beyond whitelisting
• Focus on the intersection of users and critical data

Moving ‘Left of Boom’
Recon Weaponization Delivery Exploitation Installation Execution
• Focus on behavior of humans and
devices
• Understand humans and intent to help
flag suspicious entities before harm is
caused
• Move to a risk-based approachMonitor human
factors
Monitor for deviations from norm
Assess peer group
membership
89
John

Three Market Trends

COVER NEW
ATTACK SURFACES
INTEGRATED
PLATFORMS
BEHAVIOR
AND RISK CENTRICITY
Three Market Trends

NEW ATTACK SURFACES
Artificial
Intelligence
IIoT Container
Workloads
5G
Digital transformation is driving ever new
technologies, accelerating changes in attack surfaces
Etc.
Is your environment set up to deal with new security tools that can be integrated into your existing setup,
processes and people?
Do you need new tools for every new type of attack? Or does your existing tooling cover more than just one type
of attack?
November
2019 - VC
Investments
• Training 3
• NetSec 5
• Phishing 3
• Identity 4
• Fraud 2
• Data 4
• Scanning 4
• Testing 1
• MSP 1
• Others

© 2020 Raffael Marty | 17
The Market is Creating Platforms
Motivations
- Coverage across endpoint and network with integration of
analytics
- Cover multiple product capabilities – (FW, DPI, IPS, VPN, Web, TI)
- Landgrab and ”dominance” (MSFT -> ID, AWS)
- Offering more services to existing customers
- “Service selection”
Challenges
- Acquisitions are hard – people, technology, and sales
approach integrations (GTM unification)
- What Platform do you bet on? What about vendor lock in?
Open standards?
- Does your ‘other’ security tool survive?
, AWS, Splunk, Google, Sophos, Proofpoint, BlackBerry, Broadcom, etc.
The average SOC runs 30 security tools

Third Market Trend –
Behavior and Risk Centricity

© 2020 Raffael Marty | 19
Revisiting Our Goals
Escape the cat and mouse game
Catch more than external attacks (including malicious insiders)
Moving left of the boom
Escape “event” overload

© 2020 Raffael Marty | 20
The Solution
Escape the cat and mouse game
Catch more than external attacks (including malicious insiders)
Moving left of the boom
Escape “event” overload
“The world's first dynamic 'non-factor’ based quantum AI encryption
software, utilizing multi-dimensional encryption technology, including time,
music's infinite variability, artificial intelligence, and most notably
mathematical constancies to generate entangled key pairs."
Revisiting Our Goals

© 2020 Raffael Marty | 21

Behavior and Risk Centricity
Monitor Entities
• Learn their normal behavior
• Learn how they behave relative to their
peers
• Learn how they interact with critical data
and IP
• Based on deviations, compute an entity risk
Understand Humans
• Track and assess human factors
Shift to a risk-based approach
• An ‘event’ can both be good or bad,
depending on the context of the entity
89
John

© 2020 Raffael Marty | 23
“Critical Path to Insider Threat”
• https://www.cia.gov/library/center-for-the-study-of-
intelligence/csi-publications/csi-studies/studies/vol-
59-no-2/pdfs/Shaw-Critical%20Path-June-2015.pdf
Sociotechnical and Organizational Factors for
Insider Threat (SOFIT)
• https://www.ieee-
security.org/TC/SPW2018/WRIT/WRIT%202018%
20SOFIT%20Sociotechnical%20and%20Organizati
onal%20Factors%20for%20Insider%20Threat.pdf
How Do We Understand / Characterize Humans?

© 2020 Raffael Marty | 24
Critical Path

© 2020 Raffael Marty | 25
SOFIT
Mapped Behaviors to
Risk Scores
Ontology reasoning through
insider actions
• Sabotage
• Data Exfil
• Fraud
• Workplace Violence
• Unintentional Threat
Indicators driving outcomes
• Boundary Violation
• Job Performance
• Life Narrative
• Etc.

Risk Today vs. Tomorrow – The Inclusion of Human Factors
Concerning
Behaviors
ADVERSE
OUTCOMES

Concerning
Behaviors
Risk
Adaptive
Protection
Risk Today vs. Tomorrow – The Inclusion of Human Factors
Stressors
Pre-
disposition
Human Context
Attributes
Intent
…
Device
Type
Mindset
Device Context
Exposure
Activities
Concerning
Behaviors
Business
Activity
Activities that, out of
context would be benign,
now flag an attack
”Detection Rules” that
normally generate a lot of
false positives are now
weighed by the risk of the
entities.

Am I here to work
for you, or for
someone else?
Regular
Activities
Activities
Predisposition Stressors
Concerning
Behaviors
• Seeking access or
clearance levels
beyond current need
• Testing security
boundaries
• Multiple usernames & identities
• Social and professional network
• Unreported travel
• Low communication, lack of
social connections in office
• None • Communication
with competitors

• Needs to be built with ‘privacy first’
• Nuances of regional regulations (GDPR, CCPA, etc.)
• Avoid using human factors for psychological diagnoses
• Securing collected data - Anonymization?
• Verifyability and explainability of approaches
• Where are the socio-ethical boundaries?
Challenges and Dangers

Shifting The Paradigm Left Of The Boom
You need a future proof platform that
provides complete visibility and insight
You need sensors
• For every possible point of contact
• Understand user interactions with critical
data
• Cover cloud, on prem, hybrid, and IIoT
You need a way to characterize what’s
normal for your users and devices – and
understands human factors ready

Questions?
@raffaelmarty
http://slideshare.net/zrlram