We recently sat down with Fred Burton, a member of ALTR’s board of advisors, to hear his perspective on the landscape of threats to enterprise data security and integrity. Burton heads the global security practice of Stratfor. Before Stratfor, he was a counterterrorism agent for the U.S. State Department and leader of many high-profile international investigations. He is an author whose four books include the best-selling “GHOST: Confessions of a Counterterrorism Agent.”
ALTR: Your career in security has spanned the era of punch cards and rotary phones, the days of the first microcomputers, and now you have moved on to security in the age of cloud computing, AI and big data. How has protection of data moved from the periphery to the center of your field of vision?
BURTON: Well, the first line of concern has always been the insider threat. And that threat has been transformed by an order of magnitude through the transformation of information storage from paper and filing cabinets to servers and the cloud. In the government space in particular, we had plenty of insider threats in the 1950s, 1960s and 1970s, but there were limits to how many 201 files as we called them (source and personnel files) that you could walk out with in a briefcase or what you could photograph with a tiny Minox camera. Now even the ease of theft enabled by a memory stick is growing old as thievery is conducted from across the globe with stolen goods finding a ready market on the dark web. In today’s digital economy, the bad guys don’t even need to get out of their pajamas anymore.
ALTR: When you think about what we call insider threats, how do you see the interplay of internal threats conducted by truly bad actors vs. those that result from carelessness or ignorance, the classic problem of the 123321 password, for example?
BURTON: Actually, I think of it not in terms of the interplay of two categories of insider threat but three categories. For starters, you’ve got the need for digital solutions, be those at the heart of the data ecosystem as with ALTR or older solutions focused on the network or network endpoints.
The second category is what I call situational awareness. This is the training, the enforcement of internal security policies, the general commitment to security hygiene if you will. There’s a role of growing importance for HR to play in every enterprise. The last category that could use some more attention is the threat of intellectual property that can leak out of the C-suite if not protected by NDAs, policies for talent retention and ethics standards. Everybody’s chasing top talent these days and your most talented are usually reservoirs of knowledge about data if not data itself. This is where legal departments really need to step up their game.
ALTR: How are enterprises doing today? What’s working, what’s not?
BURTON: Well, cyber and data security is on the minds of just about every executive I talk to, from medium-sized domestic firms to global multinationals. And everyone is looking for a quick magic potion, a simplistic, brass ring of a solution that can be put on autopilot and spit out the next Edward Snowden before he’s done anything. What I think is more realistic and useful are security concepts that reduce and mitigate risks and those that quickly stem the bleeding when injury occurs. We need to think in terms of cocktail solutions and less about silver bullets.
ALTR: What do enterprises need to change to prevent future breaches?
BURTON: This follows really on my points about managing three categories of threats and the elusive hunt for magic potions. Enterprises need to be thinking broadly, not narrowly. But when it comes to action, it’s a similar kind of comprehensiveness in the solution architecture that is one of the things that appealed to me about ALTR’s technology from the first day I saw it. It’s not just about fire alarms to alert you to the conflagration – though you need those too. It’s about the smoke alarms that alert you before the fire actually erupts in flames and before the damage can spread. As a former investigator, you can well imagine that ALTR’s quick sand as I call it, the picture of digital truth that immutably records virtually all behavior in the interaction of personnel with data, is a very powerful and valuable tool. It’s this immutability enabled by blockchain that I believe is really critical to secure the future of the data economy.
ALTR: When it comes to data security, what keeps you up at night?
BURTON: I worry a great deal about systemic threats, the risks to the ecosystem of distinct businesses. It relates to our discussion of the transformation in a very short time from a world of filing cabinets to a world of cloud-based information measured in terabytes of data. And if enterprises need to spot the smoke before the fire, then business ecosystems need to spot the brush fire before it engulfs the entire forest. It’s not enough, sadly, for any enterprise to have its own house in order. If data integration along the supply chain is not protected, if vendors are breached or sales partners are careless, the result can be domino effects. From banking to hospitals to power grids, the potential of the domino effect is real and growing. And the fastest growing dimension of the overall threat matrix is, of course, the Internet of Things, IoT, that will be woven into the fabric of every enterprise. This is just one element of this that really does keep me up at night. It’s not a figure of speech.
ALTR: What’s your advice to security leaders out there?
BURTON: Think holistically. That’s the key in my view. A holistic approach to security, of course, needs to include the old-school elements: hiring practices, an eye on personnel issues that may lead to desperation and carefully written contracts and NDAs. But far beyond that, the technology we use to confront threats to data, particularly insider threats, needs to be comprehensive and holistic. We need technology that protects data from being breached. But just building bigger walls and moats around the castle, which is where a great deal of thinking is stuck today, is not enough. To carry the analogy, we also need to know what’s going on inside the castle. We need deft use of technology that allows real-time monitoring of data access, use and consumption. This is critical not only to enforcing policy on data, but also to establish policy. And lastly, as I mentioned, we need tools that yield a mitigation roadmap, a picture of digital truth, if and when a breach is attempted. This is the cocktail approach we need to embrace. Without this new tool set and attitude, risk mitigation and management is akin to a surgeon practicing without the benefit of X-rays.