Israel Bryski, CISO at MIO Partners on understanding the full story of sensitive information with data lineage

This episode spotlights Israel Bryski, CISO at MIO Partners. Also known as McKinsey Investment Office, MIO Partners, is a subsidiary of McKinsey & Company that manages nearly $20 billion in assets. It is a global investment and advisory institution for its clients, including McKinsey partners.

Israel speaks with host and Cyberhaven Solutions Engineer Silas Glines about:

• The frustrations and limitations of legacy DLP tools and why Israel replaced older solutions with Cyberhaven.
• How MIO’s security team seeks to build partnerships with external stakeholders like IT and non-technical employees.
• How Cyberhaven will play a role in MIO’s future threat-hunting initiatives.

Check out the highlights below, or watch the full discussion here.

The importance of DLP and data protection for MIO

For MIO, data protection is critical, given the firm’s regulatory obligations and the expectations that its stakeholders and clients have for the security of their information.

The core challenge MIO needed to solve to enable data protection

Like most organizations, MIO has a wide degree of variability in the types of data employees store and access to carry out their work. This means that what constitutes sensitive data is highly contextual. Israel realized early on how important technology, like data lineage, would be. With it, MIO’s security team can understand where data originates and how it’s being used.

“What happens if someone were to take some data out of RDS and put it into a spreadsheet? There shouldn’t normally be use cases for that, but maybe it happens once in a while. So, how should we track the lineage of that spreadsheet?”

– Israel Bryski, CISO, MIO Partners

How does MIO think about insider risk?

Insider risk can differ from organization to organization, but there are still general patterns that most security teams look for. Here, Israel speaks to some of MIO's considerations when evaluating or monitoring insider risk.

“The typical one that most people struggle with is resignations. When someone gives notice, how do you know what they took on their way out? Good telemetry will tell you the story of what that individual did.”

– Israel Bryski, CISO, MIO Partners

What were MIO’s challenges before adopting Cyberhaven?

Israel talks about some of the difficulties his team faced when relying on legacy DLP tools for data protection. Essentially, the expectation with most legacy solutions is that you must already have in mind what you’re trying to prevent and experiment to see if the solution can help.

With Cyberhaven, however, MIO’s security team could quickly identify and triage issues they weren’t even initially aware of. Additionally, the power of data lineage allowed for more detailed investigations, allowing the team to better understand and communicate risks to data.

“With legacy solutions, you have to understand the types of policies you want to set up. You have to think through each threat scenario and then come up with a configuration that either detects or prevents it. So you need to know all the threat scenarios ahead of time. But there are things that we won’t know until we see them.”

– Israel Bryski, CISO, MIO Partners

{{ promo }}

What’s the significance of data lineage for MIO?

One of the most important objectives of MIO’s data protection program is to help the security team develop an understanding of the incidents occurring within their environments. With this understanding, they can know how to address issues going forward and assess the effectiveness of their security policies. With data lineage, the team now has the “story” or series of events needed to understand precisely what happened for any given incident, which empowers them to make informed decisions and provide clear reports to external stakeholders.

“Having that full telemetry, I'm confident that if there is an issue, I have the right tools at my disposal to tell the story of what happened.” 

– Israel Bryski, CISO, MIO Partners

Who were the critical partners in adopting and rolling out Cyberhaven?

At MIO, information security and information technology are separate organizations, so the security team needed to loop IT into the implementation process as early as possible. Israel discusses why it’s essential to ensure that IT is consulted immediately as a stakeholder in projects like this and how, for Cyberhaven, in particular, he worked to demonstrate the initiative’s value to IT quickly.

“Bring IT into the problem space, explain to them why a tool like this is needed, and how it helps them conduct root cause analysis.”

– Israel Bryski, CISO, MIO Partners

How easy was it to get started with Cyberhaven?

MIO quickly set up policies that worked out of the box, leveraging Cyberhaven’s ability to monitor data flow at a granular level across tools like OneDrive. This avoided the most common pitfall of many legacy DLP tools, which have a high time-to-value and make it extremely difficult to see exactly how policies are being applied to data in your environments.

“Of course, not everything in OneDrive is sensitive. The idea is to watch the flow and see where the data goes. Once you understand this, you can figure out what shouldn’t happen. For example, data from a OneDrive folder supporting a critical business process involving the most sensitive investor information should never reach a webmail account.”

– Israel Bryski, CISO, MIO Partners

Why investigations were hard with legacy solutions

In this clip, Israel details exactly how much easier Cyberhaven makes investigations relative to legacy solutions, which cannot understand the context behind the data triggering alerts. This has enabled MIO’s team to carry out investigations and triage in just minutes when, historically, this took much longer.

“With tools that provide the data lineage and context, I can determine where something needs to go within minutes.”

– Israel Bryski, CISO, MIO Partners

How MIO evaluates security solutions

When MIO was evaluating tools, having as much visibility as possible was one of the key features that Israel and his team valued above all. Israel talks about how security teams can sometimes overprioritize a solution’s blocking capabilities when searching for a solution to the detriment of looking at the features they’ll actively use when they deploy the solution.

“My philosophy is visibility. I want to know what happened. Let me see what employees and contractors are doing with our data. Let me trace what's happening with our most sensitive information.”

– Israel Bryski, CISO, MIO Partners

MIO’s culture of security

Israel discusses why ensuring that his team creates a culture of transparency and a willingness for employees and partners to feel safe reporting incidents or self-disclosing mistakes is vital.

“The idea is that I try to dispel fear. I want people to self-report, feel comfortable engaging with security, and ask questions about our policies.”

– Israel Bryski, CISO, MIO Partners

MIO's future plans for Cyberhaven

In this final clip, Israel discusses MIO’s plans for building on the successes they’ve seen with Cyberhaven. One critical objective is to leverage Cyberhaven in a proactive threat hunting campaign by leveraging data lineage to understand the behaviors and movement of any data that looks like it is being used maliciously or inappropriately.

“Threat hunting will give us an opportunity to upskill our team. We’ll take turns executing different scenarios based on what we're concerned about, regardless of whether it's an internal malicious user, an insider, or an external actor trying to get into our environment.”

– Israel Bryski, CISO, MIO Partners

Learn from the industry’s top-notch security innovators

If you enjoyed this recap, join us for our next installment of the Data Security Innovator series by subscribing to our blog.