01/23/2020: Dr. Ryan Heartfield is a leading researcher at the University of Greenwich. He is also involved in several UK and EU EPSRC research projects in cybersecurity. In his keynote on "Active Cyber Defense with the human sensor: Leverage users as the strongest link in security operations against Social Engineering threats", he will also present the latest results from the EPSRC project ACCEPT.
The central theme of Command Control 2020 is cyber resilience. How do you understand this approach? And why should companies base their security strategy on this?
Heartfield: Cyber resilience, from a strategic and adversarial lens, is an entity's capability to effect and deliver intended mitigations in the event of a realized cyber security risk; and potentially also its business impact.
Or described in an organizational context, and more simply, “when” an organization’s cyber security is compromised, an organization’s degree of cyber resilience is proportional to their efficacy and maturity in mobilization of people, process and technology to effectively absorb and recover from the event.
The concept of “Cyber Resilience” is, in fact, not fundamentally a new paradigm. Rather, there is a growing realization that having many siloed security point solutions (e.g., Firewall, AntiVirus, Intrusion Detection System and Security Awareness program etc.), and teams, is not a “Security Architecture”, and that to successfully orchestrate an organization's response to modern security threats requires a cyber security strategy that embodies all aspects of prevention, detection and response. To a degree, this requires being more “Active” in the cyber defence strategy by regularly exercising the organization’s security ecosystem (which consists of technology, but even more importantly humans!), against different compromise scenarios (and I am not talking about the mandatory once a year BCDR type exercise!). Then, coming out the other side not only more experienced, but also more prepared to respond in the future. The key here of course is not preparing for a specific attack but rather preparing for compromise in general.
In your opinion, is there a difference between cyber resilience and cyber hygiene?
Heartfield: Cyber resilience and cyber hygiene are typically distinct concepts, but crucially, not mutually exclusive. For example, a core tenet of cyber resilience in an organization is one that exercises good cyber hygiene practices. So, whilst cyber resilience is better viewed as a holistic capability that bridges across both technology and human considerations, cyber hygiene focuses in on measurable technical and non-technical processes and procedures (and the data they generate) which will encourage more secure user behavior. Again, put another way, generally you would avoid sharing your toothbrush with a colleague, so why share your password? By avoiding bad practices, and ensuring good hygiene, in the event of a cyber security incident cyber resilience is inherently improved.
At Command Control 2020, you give the lecture "Active Cyber Defense with the human sensor: Leveraging users as the strongest link in security operations against social engineering threats". Can you give us a little insight into what the visitors of the summit can expect?
Heartfield: In the lecture we begin by providing clarity on the high-level contexts and reasons for why semantic social engineering attack vectors cannot be solved by purely technical means. This provides the crucial pretext to why there is a growing need to systematically integrate human users as sensors in the security architecture. But how to do this reliably? How do you treat the human user like an endpoint defense system, or better yet individual Intrusion Detectors (and we are not just referring to reporting phishing emails here)? We will cover research that has shown how existing metrics and data that exist (or should be collected) in organizations today, can be leveraged to explore this capability. Whilst we will cover some technical concepts, the talk is accessible to all skill levels and experience, because the primary objective is to provide insight into the concept of “Human-as-a-Security-Sensor” and what that means for organizations. Finally, I will touch upon further developments in the HaaSS lifecycle, through ongoing research projects.
Employees or the so-called “human factor” are often considered to be one of the biggest weaknesses of a company when it comes to cyber security. Does your approach ensure that cybersecurity employees become a strength in the future? Which points should industry and economy definitely implement?
Heartfield: I would answer this by posing a rhetorical question: “Is an unpatched user any more insecure than an unpatched application, or out-of-date AntiVirus/EDR?”. Equally, from a different standpoint: “If you do not tune an Intrusion Detection System, is that any more reliable than a user whom you do not measure for their recent security awareness training tests when reporting suspected threats?”. The point of course is perspective and focus on the human-factor. Cyber security professionals focus on keeping systems updated and measuring vulnerabilities on platforms instead of the human users (as the common position to take is to protect the system from the user). Moreover, it is without doubt that the human-factor is more complicated, especially as one can be fairly confident that if you update all AntiVirus/EDR clients with the same signature definitions, then they should typically all function with the same degree of reliability. The same cannot be easily argued for different users who receive the same security awareness training, but it does not make the concept any less relevant or compelling. Therefore, it is a question of what to measure and how to predict reliability that is a concept I will cover and which industry will benefit from exploring further.
Awareness has always been an important issue in prevention. Many companies already conduct regular cyber risk training for their employees. What's new in your approach?
Heartfield: Cyber-risk training and security awareness training is not new, and in fact there are many, many frameworks, extensive training materials, platforms, applications and even games that aim to improve awareness. Although the majority tend to focus on the nuances of phishing emails and websites, rather than concepts which apply to a range of social engineering attack characteristics. Our approach does not replace this training; instead it innovates on these existing frameworks by leveraging the data exhaust from the training (and other sources) to help determine how to model user security efficacy.
The threat situation in 2020 is diverse. Are there scenarios / threats in which the "human sensor" is particularly effective?
Heartfield: The concept of the human sensor is to systematize users for directly combatting cyber security threats which target the human-factor rather than an information system directly. That is, specific attacks which employ deception vectors, rather than technical exploits, to deceive a user into executing an action that compromises their system's information security.
Command Control has three main visitor focus groups: Information Security Professionals, Privacy Professionals / Risk Managers and C-Level Representatives. For which of the three target groups does your lecture offer the greatest added value?
Heartfield: This lecture applies to everyone involved in the cyber security space. Information security professionals in security operations and incident response, privacy and risk-management professionals, as well as senior management representatives will all gain value and new insight from the concept of “Human-as-a-Sensor”. The goal is to explain firstly WHY users can be highly valuable in the prevention and detection challenge, and then secondly, HOW to exploit and realize that value organizationally. In practice, when it comes to implementing cyber hygiene and user-based security change in organizations successfully, this requires the insight and support of all stakeholders in the business and this includes senior management, security professionals, IT Ops, software developers and yes, of course, the users.
Your lecture is based on extensive studies. Can you tell us more about whom (company / chair / research partners) you work with and which areas the study will focus on in the coming months? Have you been able to identify companies that you would call a best practice?
Heartfield: Whilst I cannot comment on individual organizations or people involved in research experiments for data protection reasons, I am currently working with a number of UK Universities on extended research that incorporates the concept of the HaaSS feedback loop. I am hoping that I can share more information during the conference itself.
In general - why are you looking forward to Command Control?
Heartfield: For me, it is the opportunity to bring together many different perspectives on cyber security responsibility within organizations, under one roof. For example, where the CISO, developer, CEO, user, SOC manager, risk and audit manager, PenTester and so on, have the opportunity to see their perspective and role in the same conceptual problem space and then therefore better understand how their interactions within the organization all contribute collectively to increased cyber resilience efficacy and maturity. It is something I like to refer to as building organizational empathy – and it is without doubt that this is crucial for improving cyber security.