Let's Take a Page from the Credit Card Industry's Playbook

The fallout from the Equifax breach will most likely continue well into 2018 as the criminals use the stolen data to break into other organizations. According to Verizon's 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen or weak passwords. We should assume that after big breaches like those experienced by Equifax and Yahoo, hackers already have enough information to put millions of people at risk of being compromised.

It's time that organizations shift their focus from keeping attackers out to detecting them once they are in.

The credit card industry has gotten very good at this process. To give a personal example, I recently received a call from my credit card company asking if I bought gas in Guatemala. I replied "no," and the company froze my account. The process was so seamless and efficient, I faced very little impact. On the other side, while visiting my family in Iowa, I received a text from my credit card company asking if I bought gas. I responded "yes," and faced no impact. I bought gas and made other purchases during that trip uninterrupted.

I am just one of millions of credit cardholders who have received these kinds of texts and calls. In fact, the credit card industry has become so good at detecting fraud that we expect to hear from them whenever we purchase something that's outside our norm.

The cybersecurity industry can learn a lot from the credit card industry, especially when it comes to monitoring and analyzing behaviors. If someone were to steal my credentials, log in to my corporate email account, and act in a way that's inconsistent with what I normally do, I would expect my company to flag the behavior and stop it with the same promptness as my credit card company when confirming I did not buy gas in Guatemala.

However, many organizations do not yet have that level of security sophistication. For some, it's a philosophical belief that monitoring and analyzing users' behaviors is an invasion of privacy.

Privacy and security are not at odds with each other. They are on the same side of the table. We need security to protect privacy. Today's criminals know more about us than ever before. They know our commonly used passwords, Social Security numbers, secret questions and answers, relationships, and more. Our private information has been compromised. Yet, if companies more efficiently spotted a bad actor walking in a legitimate employee's shoes and took immediate action, the risk of this private information being used against us would decrease.

The credit card industry also learned a valuable lesson. Instead of blocking everything that looks suspicious, the card company first proactively and quickly communicates with the cardholder, and then adjusts on the fly. Using the Iowa example, when I confirmed that I was in Iowa and bought gas, I did not hear from my card company again during that trip. If the cybersecurity industry were to adopt that same strategy, it would avoid inhibiting employees from doing their jobs and reduce wasted time chasing down false positives.

For example, an alert comes in that an employee is accessing a database that he, his peers, and the overall team would not normally log in to. The alert is sent to the application owner who manages the database, asking if the attempted access was justified by business or unusual. The owner affirms the employee was granted access to the database for a legitimate business reason. That alert is then whitelisted so that the behavior is not flagged again. As a result, the employee's behavior in relation to that database receives less scrutiny while the information on the database remains protected (security + privacy), and the employee can go about doing his job uninterrupted due to the automated verification that his behavior was business justified.

Finalizing the credit card fraud detection and mitigation process did not happen overnight. Enterprise security is at a turning point but far from its destination. Ten years from now (and earlier than that, I hope), I expect that all employees will have that same level of treatment and care when it comes to their credentials. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.