Forcepoint Puts Humans At The Center Of Security

How do you monitor the behavior of the humans in your organization without seeming creepy? That’s the challenge Forcepoint has set itself as it integrates the User Entity Behavior Analytics features of its RedOwl acquisition into its product portfolio.

Detecting when people put an organization at risk—conducting industrial espionage on behalf of a competitor, or just inserting a USB stick full of malware into their work laptop—is something few would object to. But the process of monitoring people going about their daily work in order to do that detection can stray across a ‘creepy’ line without careful planning. Different cultures and areas of the world have different expectations about where this line should be drawn.

The way Forcepoint approaches things is to build in the greatest individual privacy protections it can, in order to support those jurisdictions—such as the EU—where privacy controls are strictest. Individual companies can then choose to use these robust privacy protections, or not.

Photo: Lauren Webster, Senior Director of Product Management at Forcepoint (Supplied)

“We’re attempting to balance that need to have deep insights into various data streams in order to make sense of what’s going on, while also protecting employee privacy,” said Lauren Webster, Senior Director of Product Management at Forcepoint. Getting this right means looking at more than just what technology is capable of.

“We’ve worked really closely with customers,” says Webster. “The technology has really been informed by programmatic considerations that surround the technology at each customer.”

Take the case of masking. The actions of employees captured by the Forcepoint system are masked so that they are pseudonymous; you can’t easily tell just by looking at the system who is performing the actions. This way the focus is on unexpected behavior irrespective of the individual involved. If someone normally only logs into development systems, and one day starts trying to log into production systems or copies data from production onto a USB stick on their laptop, that might trigger a flag to look into things in more detail.

These actions may well be entirely innocent, but they are unusual and warrant further investigation. It’s this investigation portion that sits outside of the technology itself in the customer’s processes and procedures, and this is where Forcepoint is careful to work with customers to ensure the technology works as part of a larger, human-centric system.

“This isn’t a case of technology solving the problem by itself,” Webster said. “The customer also has to have in place the programmatic elements of who is allowed to do the unmasking, how that unmasking is performed, and so on.”

“We are very aggressively baking in this ‘privacy by design’ idea into our products,” she said.

The notion of personal privacy and informed consent is enjoying a resurgence, at least partly due to GDPR coming into force, but there’s a broader conversation that we should be having about what information security really means. Keeping information secure is about controlling access to information, a kind of Role-Based Access Control for data. Who should have access to this data, and under what circumstances? If a person’s role changes, or the circumstances change, then access to information should also change. Purely manual systems struggle to scale as the amount of information, and the number of systems it is stored on, continue to grow.

These user behavioral monitoring systems can also be used to enhance privacy. For example, if a staff member is misusing their access to snoop on employee HR records, or improperly viewing customer data, a UEBA system like Forcepoint can flag that behavior and thus safeguard the information of individuals. Rather than being a creepy spying tool, it can actually deter creepy spying behavior.

“Watch the Watchers is a well-known concept, and it’s one we adopted really early on,” said Webster. “If a customer wants to implement a Watch the Watchers program, we can re-ingest all of the user’s activity in the UEBA product back into the system so that an audit function can independently monitor what the UEBA users are doing in the system.” This kind of capability indicates how carefully Forcepoint has designed the product to safeguard its proper use.
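The masking, gated unmasking and Watch the Watchers ideas described above, as an added illustration that is not Forcepoint’s code: users appear to analysts only as keyed-hash tokens, anomalies are scored against each token’s own baseline, unmasking is restricted to one role and always audited, and the audit trail is re-ingested so operators are scored the same way. The pepper, the role name, the directory and all events are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
# Constructed sample data and a hypothetical pepper; none of this is Forcepoint's own.
PEPPER = b"hypothetical-pepper-held-by-the-privacy-officer"  # assumed kept out of the analyst UI
# Baseline history, then new activity to score; system names carry an env prefix (dev/prod).
BASELINE = [("alice", "login", "dev-build-01"), ("alice", "login", "dev-build-02"),
            ("bob", "login", "prod-db-01")]
EVENTS = [("alice", "login", "dev-build-01"),
          ("alice", "login", "prod-db-01"),    # alice has never touched prod
          ("alice", "usb_copy", "laptop-17"),  # copy to removable media
          ("bob", "login", "prod-db-01")]
AUDIT = []  # every unmask attempt is recorded here, refusals included

def pseudonym(user):
    """Keyed hash: analysts see a stable token, not a name, and cannot reverse it without PEPPER."""
    return hmac.new(PEPPER, user.encode(), hashlib.sha256).hexdigest()[:12]

def flag_anomalies(events, history):
    """Return (token, reason) for behaviour outside the user's own baseline; no names involved."""
    seen = defaultdict(set)
    for user, _action, system in history:
        seen[pseudonym(user)].add(system.split("-")[0])
    flags = []
    for user, action, system in events:
        token, env = pseudonym(user), system.split("-")[0]
        if action == "usb_copy":
            flags.append((token, "removable media copy"))
        elif env not in seen[token]:
            flags.append((token, f"first access to {env} environment"))
    return flags

def unmask(token, requester, role, directory):
    """Map a token back to a person only for the authorised role; always audit the attempt."""
    allowed = role == "privacy-officer"
    AUDIT.append((requester, "unmask", token, "granted" if allowed else "denied"))
    return next((u for u in directory if pseudonym(u) == token), None) if allowed else None

def watch_the_watchers(audit, max_unmasks=2):
    """Re-ingest the audit trail so UEBA operators get the same pseudonymous scrutiny as everyone else."""
    counts, flags = defaultdict(int), []
    for requester, _action, _token, outcome in audit:
        token = pseudonym(requester)
        if outcome == "denied":
            flags.append((token, "unmask denied"))
        else:
            counts[token] += 1
            if counts[token] > max_unmasks:
                flags.append((token, "unmask volume above threshold"))
    return flags
```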

Of course, these capabilities are only useful if organizations actually implement robust oversight functions that can survive attempts to circumvent them. If there are no consequences for getting caught doing the wrong thing, bad actors can simply continue to act badly with impunity.

This is a conversation that we are likely to be having with increased frequency in coming weeks and months.

Verizon's Lesson That You Can't Buy Your Privacy And What It Means For Facebook

Surveillance camera. (Omar Marques/SOPA Images/LightRocket via Getty Images)

In the aftermath of the Facebook – Cambridge Analytica story, Sheryl Sandberg and Mark Zuckerberg both alluded to the idea of a paid version of Facebook where users could purchase an ad-free experience. Much of the public and tech press equated such a paid ad-free experience with a surveillance-free experience. In their eyes, if there are no ads, there is no surveillance, but just because you’ve paid to hide the trackers doesn’t mean you’ve paid for them to go away. Could they simply lurk beneath the surface, tracking your every move to be monetized, but hidden out of the way behind the one-way mirror instead of right in front of you? Perhaps Verizon’s user location data resale could help shed some light.

It is perhaps one of the greatest falsehoods about our modern web, repeated so often and by such luminaries that it has become almost accepted fact: if you’re not paying for the product, you are the product, and if you do pay, your privacy is protected. The problem with this mantra is that it implies that by paying for a product, you are somehow purchasing your right to no longer be a product, rather than merely paying for the privilege of being surveilled.

The rise of paid cable television should have been enough to remind us that just because something that used to be free is repackaged as a paid product doesn’t mean that you’ll no longer be monetized. On the contrary, despite paying a hefty premium, all those ads and efforts to track you will still be there. Instead of ads being the Faustian bargain that makes the TV you enjoy available, you are now paying for the privilege of having to sit through them.

Today’s commercial web is built upon the idea that privacy is something of value and that by bartering it away, companies can generate sufficient value from us to warrant granting us free access to services, many of which are designed to help encourage us to give yet more of our privacy away.

The idea of bartering our privacy for free stuff is what has largely led to the false narrative that ad-supported services turn us into a product and that by paying for the service we are no longer the product. In a capitalist society, what company in its right mind would let its customers off the hook just because they’re purchasing its products? All that customer data is of substantial value in the right hands and what’s the point in having customers if you can’t make an extra buck off selling their data? The problem isn’t the ad-supported web, it is the entrenched notion in the corporate world that customer data is something to be sold.

Perhaps the problem is that we can see ads, but the majority of us are entirely oblivious to the massive shadowy world of data brokers that buy and sell nearly every data point ever created about us every moment of the day.

Just because you have a commercial relationship with a company in no way means that company won’t resell your data. In fact, in today’s world it is simply the accepted norm that any company or organization or government agency with which you do business will likely resell or make available your data in some form for someone else to profit off your information.

Whether it is your pharmacy commercializing your medical data, your grocery store selling your grocery list or your mobile phone company selling your location, really any company you do business with today is selling everything they can about you to the almost uncountable number of brokers that orchestrate all of this buying and selling, assembling vast dossiers on you that you have no right to see, let alone control.

To put it another way, the ad-supported web has become a lightning rod for the privacy debate because tracking ads are visible, but even when you pay a company for its products, you are surveilled and converted into data just as much. Either way you lose; the only question is whether you would rather pay to be turned into data or get something free in the process.

Verizon’s resale of its customers’ location data shows us just how far companies will go to commercialize their users and that even extremely dangerous and sensitive data is fair game to be resold without users having the faintest idea what’s being done with their extremely personal information.

If users paying Verizon a hundred plus dollars a month are still having their data resold and commercialized, why would we expect that Facebook offering a paid ad-free version of its website would eliminate trackers and surveillance as part of the deal?

Moreover, Facebook’s entire algorithmic existence depends on being able to build rich profiles about all its two billion users to guide the information seen by themselves and their friends. Eliminating surveillance isn’t just a matter of flipping a switch – it would undermine all of the data streams that feed Facebook’s algorithms and make its platform possible.

In short, even if Facebook offered a paid ad-free version of itself and even if that became an internet standard model adopted by all ad-supported websites, it is unlikely that “ad free” would mean “surveillance free” and the new pay-for-access web would likely follow in the footsteps of the data brokers that came before, a mirror of Verizon’s “buy our product and we’ll make you into a product too.”

Putting this all together, in today’s surveillance society, purchasing a product no longer protects you from becoming a product yourself and the concept of “buying” privacy and the right to not be surveilled is now merely a quaint notion from a bygone day.