Interview with Jeff Kukowski, SecureAuth
July 28, 2017 - In a world where there seems [like] there is a major, security breach every day, where usernames and passwords are just not enough because they keep getting stolen, and where hackers have even started to hijack people's mobile phones to break into accounts, what do you do? Irvine-based SecureAuth (www.secureauth.com) has its own approach and opinions on what ought to be done. We spoke with SecureAuth's CEO, Jeff Kukowski, to learn more about what the problems are with cybersecurity, and how the company is attacking the problem. SecureAuth is backed by such firms as Vinny Smith's Toba Ventures, among others.
Let's talk about the problem you see right now with cybersecurity?
Jeff Kukowski: Over the last 20 years plus, the amount spent on cybersecurity has continued to go up. Last year, and in the year before, there was something like 70 to 80 billion spent across the board on security. That's securing the network, looking at endpoints, and making other security investments across the board, and on such things like mobile device management for mobile phones. Of all of that 80 billion spent, only about 5 billion is spent on stolen identity. However, if you look at things like the Verizon data breach report, stolen identity is the number one issue out there. It's the elephant in the room. In 2015, for example, 60 percent plus of attacks were somehow surrounding the root cause of misuse of stolen credentials. Plus, despite all this spending on cybersecurity, breaches went up another 4 percent, with misuse of credentials being the cause went from that 60 percent to 80 percent of breaches. The big elephant in the room is that these attackers, once they steal your username, or credentials, or hijack your phone, they're able to pretty easily walk through that 80 million dollars of investment, because companies think they look like you and me. It's a pretty [high-level] issue.
Why hasn't having a phone as a second factor helped?
Jeff Kukowski: Phones are ubiquitous, we carry them with us everywhere, and using a second factor on your phone is one more level of security. We think that's great. As a company, there are plenty of use cases where people use their phones for a second factor. I think the issue here, is that we don't believe that phone as a second factor is enough. If someone can hijack your phone, and there are now many ways to do that, they can not only look like you with your username and password, but they can also access your second factor. Our company is all about going beyond second factor. It's really the future of adaptive access control, where security comes in layers, and we are looking at other risk factors before we even show anyone—a real user or attacker—the front door of what they're trying to access.
I think the whole world realizes that a username and password aren't enough. We all know credentials get stolen, and who hasn't received a letter from a company saying there has been a breach and your credentials have been compromised? I think what's different here, is there are technology to make all of this not only more secure, but provide a better user experience, and not bother the user. The existing paradigm bothers the users, especially when you enable a second factor, when we ask you to prove you are you. That's where things are today. We as consumers don't want to take those steps. Even with prominent breaches at Yahoo, LinkedIn, and others, how many consumers actually take the time to enable that second factor? We are lazy. That's why things are changing. There are better technologies such as adaptive control, where we look at different risk factors. The technology paradigm is shifting, because businesses don't want friction in the process, and consumers don't want friction in the process. The extra reason that has come to light recently, is if you think about how we rely on our phones, phones are the next [frontier] of attacking us as users. It's the new perimeter. They are much more easily hijacked than people think, so if that's your method of second factor, there's some risk there.
So where do you fit into this landscape?
Jeff Kukowski: We started as an identity and access management company. But where we've morphed over the last four or five years, is we have brought in additional identity and access management talent, plus we brought on an entire team in the endpoint security space, the team that was at Mandiant. They had researched some of the most prominent breaches in modern history. The approach we take, is that we're a security company that does identity and access management well. We do things like single sign on, like anyone else, and second factor or multi-factor, or adaptive capabilities. However, we have a different view on the market. Identity and access management might be an important business problem, but we think that identity and access needs to be a security play first. The question is how do you provide adaptive access capabilities that make a company more secure, but don't bother a user. The risk attributes we look at are all about making sure you are who you say you are. That's really valuable to the security operations teams. When a credential is stolen, you want to know if they show up at your front door, and what might you want to with an account if it looks like it's being used by a cyber criminal known to be associated with malicious activity on the Internet? We not only do that identity management stuff, but we enable the ability to provide layers of protection and visibility, right at your front door. Those layers enable better and earlier detection of a compromise, so if someone gets it, you can remediate it more quickly.
Can you give an example of what you do differently?
Jeff Kukowski: From an overly simplistic perspective, is in addition to the identity and access management we provide, what we are best in the world at is the risk analysis we show before we even show someone a login screen. All those layers and risk analysis people talk about only check very simple things, such as if someone is coming from a blocked IP from North Korea, or if I recognize the device. You see those things commonly. What we're looking for, is if people are coming from a suspicious computer, or are anonymous, or if they're coming from a known anonymous or criminal IP address. We're looking to see if a phone number has been ported recently, or if it's coming from a virtualized network. We're looking at now whether or not there is suspicious activity from inside your company that needs to be factored in to restrict access outside. Our adaptive capabilities are the key to an incredible level of security, and also the key to an incredible amount of usability. If there are no yellow flags, why should you ever bother a user for that second factor?
How is SecureAuth backed?
Jeff Kukowski: We are now at over 180 people, and privately held. The main institutional money in the company is a firm called Toba Ventures. You might remember Quest Software and Vinny Smith. Vinny Smith was the founder of Quest, and Toba Ventures is his venture capital firm. We also have the CEO of Forescout on our board, the CIO of Malwarebytes, and lots of other different security leaders who are familiar with this space.
Finally, what's next for you and what are your big goals?
Jeff Kukowski: The world needs to move away from passwords. We're enabling organizations to move to a passwordless approach, because users, all of us, hate dealing with passwords. That's something front and center. Using machine learning, and being able to deduce other risk factors may be items worth considering for specific companies, and that's also a big focus for us as well. It's all about better enabling security and user experience, and provide better protection, early detection, and remediation.
This article appeared on July 28 in socalTECH.com