It’s Time to Embrace Person-based Security

By Kris Bondi, CEO, Mimoto, Inc.

Give or take a percentage point, annual reports on the state of cybercrime agree that 95% of malicious activity includes a human element. Whether it takes the form of an external attack or an insider threat, it is a cold hard fact that, overwhelmingly, a person is involved at some point along the way. A second cold hard fact is that most legacy solutions do an inadequate job of telling one human from another. Some aren’t even good at distinguishing a person from a facsimile.

The reasons legacy solutions fall short are a combination of limited capabilities and misunderstandings of what they actually do. I’ll start with the latter because it’s a flimsy pillar on which so much cybersecurity is built – the combination of passwords and traditional Multi-factor Authentication (MFA). This combination rests on two falsehoods that sadly most people don’t consider. First, a credential is not a person. Your immediate response may be to say: of course it isn’t. However, consider how many times a credential is granted access as if it were. Even in organizations that regularly require MFA at login, once a shell is accessed (which, by the way, bypasses that login authentication), the credential becomes a super-pass that is rarely questioned.

And what about that MFA check? Traditional MFA does not verify a person. It verifies a specific device at a point in time. The patents for Two-factor Authentication (2FA), the precursor of MFA, were filed in 1995 and 1998. MFA as most of us know it had its first mainstream adoption in the early 2000s, two decades ago. What had at one point been cutting edge has evolved into the weak point cybercriminals exploit to gain access.

I purposely make a distinction between traditional MFA and what came later: adaptive MFA, which may incorporate a biometric component such as a fingerprint or facial recognition, and risk-based MFA, which sets the level of access based on multiple factors evaluated simultaneously, including user behavior in real time. While not perfect, adaptive MFA and risk-based MFA provide significantly more certainty that the person being presented is the correct person.

As deepfakes and counter-deepfake tactics continue to evolve, the “multi” portion of any MFA will become more important. While a deepfake or other AI-produced impersonation may be able to fool cybersecurity measures on a basic level, it is far less likely to pass as a specific individual when the number of data streams being checked is doubled or tripled. This goes beyond alerting on a deviation from an established baseline. The approach should combine anomaly detection with true identification, such as biometrics or pattern matching. Either establishes a higher bar to confirm the individual is who is expected. The result is fewer false positives and more assurance that the person accessing systems, data, or devices is the correct person. An additional benefit of person-based security is that it provides context about who is doing what. This isn’t possible when anomaly detection is used in a vacuum.

The shift to person-based security as a replacement for passwords and traditional MFA is much needed and long overdue. Equally important is catching bad actions as they are happening. Few security professionals would claim their security posture is so superior that nothing can get through, yet their security processes don’t match what they will quickly admit – malicious activities will get through or are already inside. Too many organizations’ security protocols are based on the assumption that better locks will keep out bad actors. This is foolish at best, and negligent if there are known weaknesses that haven’t been addressed. This is why continuous person-based verification is critical.

In today’s world of VPNs that can mask location, spotting a Superman effect (a single account apparently travelling between distant locations faster than is physically possible) shouldn’t be the criterion for recognizing a compromised credential. Instead, person-based security enables recognition and immediate action when an individual who doesn’t match all the defined characteristics of the expected person appears in a session. The time element is critical. A well-designed person-based security system will identify impersonation or malicious activity within a system in real time, before damage is done.
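The two ideas above, combining anomaly detection with identification signals across several data streams, and not treating a location change as evidence on its own when a VPN is in play, can be sketched as a small continuous session verifier. This is an added illustration, not Mimoto’s product or code; the typing-rhythm baseline, device list, biometric score and sample observations are all constructed, and the decision thresholds are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class ExpectedPerson:
    """Baseline characteristics of the person a session is expected to belong to."""
    user: str
    typing_latency_ms: list[float]      # historical inter-keystroke latencies (constructed)
    known_devices: set[str]
    face_match_min: float = 0.85        # assumed minimum biometric match score (0..1)


@dataclass
class Observation:
    """One in-session sample; every value here is constructed for the example."""
    device_id: str
    typing_latency_ms: float
    face_match: float                   # score from an assumed biometric check
    via_vpn: bool
    country: str


def behavior_anomalous(person: ExpectedPerson, latency: float, z_limit: float = 3.0) -> bool:
    """Anomaly detection alone: flag a typing rhythm far from the person's baseline."""
    mu, sigma = mean(person.typing_latency_ms), pstdev(person.typing_latency_ms)
    return sigma > 0 and abs(latency - mu) / sigma > z_limit


def verify_session(person: ExpectedPerson, obs: Observation, home_country: str) -> dict:
    """Combine identification signals with anomaly detection; return a decision plus context."""
    failed = []
    if obs.device_id not in person.known_devices:
        failed.append("device")
    if obs.face_match < person.face_match_min:
        failed.append("biometric")
    # A VPN masks location, so a country change on its own is not treated as evidence.
    if not obs.via_vpn and obs.country != home_country:
        failed.append("location")
    if behavior_anomalous(person, obs.typing_latency_ms):
        failed.append("behavior")
    identity_failed = "device" in failed or "biometric" in failed
    if not failed:
        decision = "allow"
    elif identity_failed and len(failed) >= 2:
        decision = "terminate"      # identification failed and a second stream disagrees
    else:
        decision = "step-up"        # a single stream disagrees: re-verify before continuing
    # The returned context says who was expected and which streams did not match.
    return {"user": person.user, "decision": decision, "failed_streams": failed}
```

A single disagreeing stream only triggers re-verification, while a failed identification backed by a behavioral anomaly ends the session, which is the “more streams, fewer false positives” point made above.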

It’s impossible to stop malicious attempts; therefore, it must be every organization’s priority to quickly detect and respond to malicious activities with as much context as possible.
