Human Side of Cyber Security

In our technology-driven quest for the silver bullet, it is easy to forget the important and critical role people play in all things cyber security. If people were not behind the malicious activity on the network, we wouldn’t need any security controls and countermeasures. I believe insight into human behavior is one of the best defenses we have. If we look at some of the largest enterprises in the world, they are able to use defensible technologies like firewalls, anti-virus, intrusion detection systems, intrusion prevention systems, router access control lists and many other tools and approaches to keep nine out of ten malicious intruders at bay. Most enterprise chief information security officers spend over half of their budgets on the one out of ten factor. It is impossible to “secure” anything today, and a determined adversary will always find a way to penetrate your defenses. So what can we do?


I believe insight into basic human psychology and applying this to the cybersecurity realm will significantly help shape our risk management strategies moving forward. Our networks process billions of transactions per day and are under attack from hundreds of thousands of IP addresses and malicious sites. The tactics of malicious attackers are continually changing, and attack vectors are becoming increasingly sophisticated. While all of this is daunting and overwhelming, I believe there is hope. Logically, it stands to reason that since people are behind the malicious activities and attacks, we can leverage the human factor to our advantage and begin to identify the human fingerprints in the network data to help us predict future activity and tactics. Humanity has been using insight into human behavior to manage risk since the beginning of time. We need to adapt and build predictive cyber intelligence programs to use and leverage within our enterprise risk management processes today.

Based on the last 20 years of history, we know the following:

  • Defensible technologies (firewalls, IDS, IPS, AV) fail, and will continue to fail in the future
  • Advanced adversaries always find a way to breach your defenses
  • Insiders will continue to be a root cause
  • Defending and monitoring access points has proven to be ineffective for serious threats

As the new trends (mobility, cloud, virtualization) evolve, visibility must be at the center of your cyber-security strategy. Advanced adversaries will always breach your defenses and gain access because prevention strategies always fail. How well you are able to manage their access determines how much you lose. Only the network has the ability to see every connection from all users (authorized or malicious). The network identifies connected assets in real time, provides visibility into their actions including location, and has the ability to disrupt malicious activities. By combining the power of the network with a better understanding of human behavior, I believe we have a better chance at improving our risk management capabilities.

I have outlined some high-level goals that you can consider when thinking about your cyber-security strategy and program.

  • Increase visibility and comprehension of network traffic
  • Concentrate on interpreting traffic; don’t worry about installing every possible technology and tool
  • Build analytical techniques that do not rely on any single product
  • Give analysts the info they need to assess intrusions and make decisions—not identify recon patterns
  • Focus on protocol anomaly detection and how to use it to your advantage

An organization that makes visibility a priority, manned by knowledgeable personnel, can be extremely hostile to persistent adversaries.

I like to try and end conversations on a positive note, so I have outlined some points below for your consideration.

  • Determined adversaries will inevitably breach your defenses, but they may not achieve their goals
  • Time is the key factor in your cyber strategy because intruders rarely execute their entire mission in the course of a few minutes, or even hours
  • In fact, the most sophisticated intruders seek to gain persistence in target networks — that is, hang around for months or years at a time. Even less advanced adversaries take minutes, hours, or even days to achieve their goals
  • The window of time from initial unauthorized access to ultimate mission accomplishment gives defenders an opportunity to detect, respond to, and contain intruders before they can finish the job they came to do