Knock, Knock! Who’s There? Finding out who’s really on the other end of that password
0:00:02.1 Bill Harmer: Talking about passwords and the user journey. The title of today’s presentation is “Knock, knock, who’s there? Finding out who’s really on the other end of that password.” My name is Bill Harmer. I’m the Chief Evangelist and CISO for SecureAuth. So what’s the fastest way to mess up someone’s knock, knock joke? Say it’s open. It’s also truthfully the fastest way to mess up your day if that’s your network or your security. So a little bit about me. I’ve been in this industry for 30 years now, I’ve been specializing in security for the last 20, privacy for the last 10. I was previously the VP of Security and Global Privacy Officer for the Cloud division of SAP. Most recently, I was the Americas CISO for Zscaler, and currently, I’m at SecureAuth. So let’s talk today a little bit about work. Work is something you do, it’s not a location. Nowadays, people are working on trains, they’re working in coffee shops, and with the current situation we’re seeing across the world today, everybody’s working from home or a lot of people are working from home, and they’re working with new types of apps.
0:01:02.3 BH: They’re working with Twitter, they’re working with Facebook, things that we never would have considered being commercial or enterprise grade apps back in the day, but today, they are. So you may ask why has this happened? Well, first and foremost it’s mobility. The global enterprise mobility market will be worth as much as $1.2 trillion by 2026. That is driving a massive, massive shift in where data goes. Currently today, we see 40 exabytes of data traversing mobile networks, that is per month, not per year, that is per month, and that’s 40 exabytes. In the next two years, we expect to see that grow to almost double at 77 exabytes per month traversing the mobile networks. It may come to the point where you realize that you don’t need a corporate network anymore, you’re just gonna be using a mobile network. And truthfully, we get to blame the millennials for this. They are 35% of the workforce and they are growing quickly. They have a different way of looking at things, they have a different way of working, a different ethic, a different desire in the choices and the tools that they use.
0:02:07.9 BH: For them to actually come in and start working on a system, they’re expecting things like Twitter to be there. They’re expecting things like Evernote, things like Skype and Teams, even Discord, a gaming system for communication, is now being brought into the enterprise, and a lot of people are not used to that. They also have a different ethic on how they apply for jobs and how they work through it. I had no idea you could actually ghost a job. These people today will now apply for jobs, they’ll interview for jobs, they will get the job, sign and accept the job, and then simply not show up. And it’s creating a whole different set of challenges for how you manage the security of your enterprise. The other piece that’s really driving this is Cloud. I have gone on the record over and over about hating the term Cloud because it doesn’t really mean anything. I truthfully like software as a service, infrastructure as a service; it tells you what you get, how you get it and the method of delivery, but for the sake of this, we will just refer to it all as Cloud.
0:03:10.0 BH: By the end of this year, we will see the Cloud shift affect a trillion dollars in IT spend, a trillion dollars. That means whether you like it or not, if you’re in IT, if you’re in the technology world or in any company, if you use a computer, you are going to be affected by this in some way. You can look at things like AWS. Currently today, over 81% of companies with 1,000 employees or more are using, testing or investigating AWS, and that’s just AWS. That is not including GCP, Azure or any of the others. AWS themselves have over a quarter of a trillion, excuse me, a quarter of a billion users active today. It’s massive, but the real juggernaut on this, the one that really pushed corporate into using as-a-service, beyond the Salesforces, beyond the SuccessFactors, was Office 365. When Microsoft came in and said you could take all of your Exchange infrastructure and give it to them and they’ll rent it on a per user, per month cost basis, there wasn’t an IT manager in the world that did not want to jump at that chance, because Exchange was probably one of the most difficult applications to keep up, running and available, and it needed four to five-nines availability because we still, irrespective of the number of millennials in the business right now, we still do all of our business across email.
0:04:34.4 BH: So what’s happened when we look at this, we look at the traditional infrastructure that’s been out there, that’s been built over the last 30 years. We’ve got these users that are moving out, they’re moving into those coffee shops, into those airports, working from hotels. We’ve got applications and infrastructure that’s going up into things like Azure or Salesforce and being moved out. And what I like to say is, welcome to the sprawl because now we have this new infrastructure that is connecting all these services and applications together. How are we bringing all of these different pieces to work seamlessly, no matter where a user is, no matter what a user’s device is, no matter what the end state is that they’re going to? So that’s when I say let the real telecommuting begin. What do CISOs have to work with when you’re dealing with this? Well, now that the infrastructure is up in the air, it could be yours, it could be theirs, it could be software as a service or it could be a little bit more where I own the operating system and some of the other pieces.
0:05:32.4 BH: If it’s a SaaS solution, all you get is the security that’s built into the SaaS solution itself. You don’t get to put a firewall or a WAF in front of it, you don’t get to connect to the backend database and suck telemetry out or monitor behavior. So really, even though the data is extremely important, it’s harder to manage consistently across everything, and that’s where you have to start making some of those decisions. What you do have access to though, for the most part, is your users. Your user base is always the one that you control, and this is why we see a lot of enterprises, even in the world of building out, why they still hold on to that identity store. They need to hold the identity store for their employees and for their customers because that’s what they’re controlling and that’s where their lifeblood is. The problem with the users is, they’re having a fairly hard time delineating between the real and the fake, the way cyber criminals portray themselves or how television portrays them, and quite frankly I think the truth is that what they see on TV is more appropriate and it resonates better with them, and what that leads to is this vulnerability to everything that’s out there.
0:06:40.0 BH: They learn habits and they’re slow to learn habits because it’s not their job to learn security habits. I’m a security professional, that’s what I do, but if you were to put me in finance, I’m gonna last two weeks before you put me on a PIP and I’m probably fired in three, because finance is not my area. So with this, you have these users that are now exposed to very expensive, high-power mobile computing devices in iPhones and Samsungs, laptops, tablets, home computers, all of the smart stuff. All of this stuff is in their home, and they’re remembering the things that they’ve been taught over the years, they’re not necessarily current with them, so when those pop-ups show up and say, call support, it feels normal. That’s what things like these fake call centers take advantage of: they’re able to convince somebody that they are part of an identity that they associate with, they’re part of a recognized process, and they will walk you through how to pay them to do nothing, effectively. But there is a multi-billion dollar business behind it.
0:07:43.4 BH: And when you think about it, over those years, we’ve built, we the security industry and security professionals, built really good security stacks in on-premise environments. We had firewalls, we had load balancers, we had SSL decryptors and we had IPS and DLP and sandbox, we had all these great things. And they did work, they worked when users were behind them. Now you’re taking users and you send them home, and what do they have? They’ve got the router that the ISP gave them. Now thankfully, they’ve at least started changing the default passwords on these things, but for the most part, they’re running basic configurations that are not acceptable in any form or fashion. They’re designed more to stop people breaking into the home electronically, but once the user has clicked on something, or it’s even an SSL tunnel, that ISP is gonna accept no responsibility or provide no service to ensure that malware is not coming down to them. So what happens is access anywhere is what is being driven out. When you work from home, you have to connect in through a VPN. Your partners and your contractors, they’re connecting through that VPN as well, maybe a different one, maybe it’s WLAN, something like that, but it’s happening on that side and from there, you’re being given access into the internal resources, whether it’s Exchange or whether it’s Office 365 in the Cloud environment, file shares, etcetera. That is what happens.
0:09:11.2 BH: And there’s a perceived perimeter, there’s this understanding or this idea that says, “Okay, I have firewalls, I’ve allowed users through those firewalls using the VPN, etcetera.” But any auditor out there will look at this and understand the truth of the matter is, VPN access is network access. You’re extending that perimeter. The real perimeter now encompasses your partners and your contractors at their premises, your users that are at home, because once you give somebody an IP address on the network, it’s a matter of time before they can own you if they want to. And that is what threat actors do, they look for those remote access possibilities and use them to be able to come in through a valid connection. And in the security world, when we did the always-on VPN where all the traffic came through, it became slow, sluggish, and you know sooner or later somebody complained that ESPN or NFL Network, whatever, was going too slow because it was going back through the VPN, so they split-tunneled it. And all that did was create an opening to the outside and the inside at the same time. So how bad could it be? Well, let’s take a look at some of the history of this. Community Health Systems, employee credentials were used in that compromise, cost them $150 million. Home Depot, it was third-party vendor credentials and that was $180 million hacked.
0:10:30.5 BH: Target, we all remember Target with Fazio Mechanical Systems, where they used valid third-party VPN credentials to get in, total ran about 300 million for Target. And with JP Morgan Chase, that was employee credentials, perfectly valid credentials used, no real total number on it, but if you do the basic math at 83 million user records, about $154 for financial monitoring, that’s $12.5 billion. That is massive, massive amounts of money based on simple credentials. So this dated user conundrum, we tend to look at it more as treasure versus the weakest link. A lot of people have always said users are the weakest link. I think we should change that. We should start referring to them as the easiest target, because then we’ll start to have a little empathy for what they’re trying to do in their lives as we go through it. And this is the challenge that we’re presented with. This whole digital transformation has come along, we’ve got a whole new world in which we’re trying to rationalize identities of people and relationships, we’re trying to figure out how to manage the changing expectations around the consumerization of what we do.
0:11:41.9 BH: People in the old days of using things like SAP R/3 had one idea of this brand new system when they first rolled in, but nowadays it’s about how fast can I get on to something, because my phone auto logs me in because it already has my facial recognition. These are the types of things that are being brought in, and of course there’s a larger discussion around national identity or self-sovereign identity that is being pushed up to the front of things. You mix that in with business demands, right? How are we doing more with less? We’re outsourcing a lot of our stuff to partners, to third parties, to contractors, customers are integrating with our systems, but we’re never getting rid of the technology debt, right? There’s a lot of stuff out there that will always be used, and we have to find ways to integrate with it. And of course, threat actors will absolutely drive innovation at every opportunity because there’s a lot of money to be paid out. When we saw the first million dollar ransomware payout, it sparked a massive spike in the rest of it. It took off because when the company ended up paying that million dollars, everybody out there thought, “I could jump right on this and make money.”
0:12:50.2 BH: So the identity there has become the primary attack surface, because again, it goes back to the easiest target in the attack team. And that leads us to the understanding about access management maturity. This is something that I think a lot of organizations struggle with because for a long time, they got as far as single sign-on. And a lot of people thought, “Hey, that was a great security improvement.” In truth, single sign-on was a security detractor or detriment. It rolled us back a little bit from a pure security perspective. What it did was it reduced the risk of users doing something stupid and it made things a lot easier as we rolled out all of these different apps all over the place, whether they were SaaS apps, or on-prem apps, or somewhere in between. It made it simpler. But we did put all our eggs in one basket, where if you popped a single user’s credentials to their single sign-on, you had access to all of their applications behind it.
0:13:48.0 BH: But it did reduce the frustration and the workarounds. And in this world with security, if you have frustrated users, they will always find a way around you. So you have to find that balance and the balance was single sign-on. But then we moved into more advanced authentication. This was driven out of a risky compliance field. This was trying to decide, “Okay, if something’s risky, have I seen this browser before? I haven’t seen this browser, I’m gonna ask some questions” or “I’m going to pop two-factor authentication on this.” And this is driving towards zero trust. A lot of people think that once they’ve hit advanced authentication, the more questions, the higher the 2FA, that they’ve achieved zero trust, and they haven’t. They will not achieve zero trust in the identity world until they’ve hit full dynamic policies with context-based access. We’ll talk about that.
0:14:39.0 BH: So what are the steps to zero trust? As I said, originally it was operational efficiency, single sign-on. Single sign-on, again, nothing but operational efficiency. And then along came two-factor. And it’s really interesting when you talk to non-industry people. A lot of people are really proud of themselves that they found that Facebook or Twitter had 2FA, and they’ve enabled it. And I applaud them for that. It’s great that they’re doing it. But they are actually implementing something that is almost deprecated in some ways, because the older one-time passwords that are SMSed are already becoming deprecated. I’ll talk about that in a little bit as well. We’re moving into multi-factor authentication, being able to have more than just two factors, more than just the password and maybe the token or the biometric. How do you start to put together these different pieces? And then how do you advance that into an adaptive authentication methodology that’s supplying the right authentication at the right time, and not just blanket painting everything with the same choice? Every time in the security industry where we simply say, “Thou shalt all do the same thing,” it is usually not enough for one end, it’s too much for the other, and it frustrates the middle, and it never works.
0:15:51.7 BH: So we have to start thinking about this adaptive methodology. And then moving on to continuous, not just once, but always during the life of the user’s journey as they’re working through whatever transaction it is: where are you watching them and how much authentication are you gonna be looking at? That brings you to a true dynamic identity policy that is enabling both engagement and security, and that has that fine balance. So let’s look at passwords. Passwords are probably the single biggest problem we have today. First and foremost, they’re expensive. Between 20% and 50% of help desk calls today are due to password resets. At an average of anywhere between $20 and $70 per call, that can cost a company that has 10,000 employees over half a million dollars a year, just resetting passwords. That is a massive, massive waste. Imagine if you could actually save your company half a million dollars by not doing this, it would be fantastic. In truth, they’re actually more expensive.
0:16:49.3 BH: When you think about the amount of time a user spends on average per week, either entering or resetting their password, it’s 12.6 minutes. Doesn’t sound like a lot. But when you start to think about this day and age where Google Maps comes up and it says ETA, and most people think that’s an estimated time of arrival, in my world that seems to be time to beat ’cause I have to get there faster. We are a world of instant gratification and minute detail. 12.6 minutes is actually quite a lot, especially when you multiply it by 15,000 users on an average five-day work week. That is $5.2 million in lost productivity per year. Again, can you imagine being able to give your company back $5 million in productivity just by getting rid of passwords? And here’s another reason: they are easily compromised. We have gone through a whole bunch of different realms of “We should make the passwords more complex,” “less complex,” “changed in 30 days,” “changed in 90 days,” “Don’t change them.” All I can say is that when you look at 81% of all breaches involving stolen credentials of some sort, you can’t stop them with the network, you can’t stop them with endpoint security. Because once you have the credentials, once you have valid credentials, you’ve got a valid user, or that is today’s belief. And that’s why it’s so key to understand who’s on the other end of that password.
0:18:10.6 BH: As I said, going into the 2FA, looking at the multiple choices that you have on 2FA, you’ve got the one-time passwords being done via SMS or email. NIST doesn’t even recommend it anymore, yet this is what a lot of today’s society is rolling up to. They’re now rolling this out and saying, “Hey, look how good I am.” Yeah, we’re going into something that’s basically deprecated. Tokens, they’re expensive, they’re difficult to maintain, and we’ve seen the past problems. We’ve seen companies that have lost control of the original seed and had to replace literally every hard token they ever had that was out there in the world. Knowledge-based questions, easily, easily dealt with through social media. We all see these things on Facebook that say, “Hey, come on, play along. Answer these questions. It will be fun.” And all they’re doing is getting you to publicly display and share with the world all these little private details of your past that help them figure out the knowledge-based questions. And then push-to-accept can be used against users. Again, we know what it’s like, it’s easy to manipulate them into doing the push-to-accept when they think they’re doing one thing, or they don’t realize they’re actually authenticating.
0:19:21.2 BH: So how do you enable the right identity journey? Well, typically, what we’ve seen today and in most cases, it’s this high/medium/low, right? You have these risk signals, whether it’s the users, the devices, the services, whatever, it goes into a black box and gets scored and listed as high, medium or low, and off that what do you do? You block, you throw MFA, or you allow, usually it’s those three. What we need to have happen is flexibility within that. We need to have the understanding and the identity of the user journey. It’s the risk signals, but it’s also the business requirements, and it’s the risk scores that maybe come from the user and from the public, from the telemetry that comes from the masses around, as well as the individuals, and be able to start increasing. Higher levels of authentication are being brought in, all the way up to a block, or maybe we’re just saying no SMS, or all the way down to password-less.
0:20:13.9 BH: And that’s what not a lot of people are talking about. They’re always talking about, “Let’s make it harder. Let’s make it tougher. Let’s make it more secure.” Well, truthfully, let’s talk about risk and maybe make it more secure because there’s less risk. So that’s where you could actually go to password-less, where you can accept the risk at that point because you’ve done the right things on the background. And how does that happen? Well, first and foremost, we know passwords with the single factor, and then in the two-factor world, we had hardware, we had the biometrics, the thumb prints and the face prints being done on the mobile devices. But to get to password-less, it requires a pre-authentication risk analysis, this understanding of all of the different things that happen before you ever present the user with a request for a password, because maybe you don’t need to.
0:20:57.5 BH: If you know and you can reliably say enough things about the user, the state of the phone, the location, all the different pieces are put together that you can reliably say, I will accept the risk of not presenting a password on this particular access request because the compromise, if it does happen, is so low, I can start to put passwords elsewhere so the user isn’t getting frustrated and finding ways to get around it. And then, of course, on top of that you add your biometrics, you add your hardware pieces, those are your up-levels, those are your higher levels of authentication that get to commit. And then, of course, backwards fit the pre-authentication risk analysis into your former pieces. That’s how you take yourself through the journey to password-less. And it’s by no means easy, but it is necessary. So if we look at that, like I said, you’ve got these threat services out there we can look at, whether it’s a known IP address or what have you that threats are coming in from, you can do large chunks of risk analysis and culling early on to get rid of a lot of those threats.
0:22:09.8 BH: Then you can start looking at things like geo-location and geo-velocity. Is the user logging in from the normal place? Did they suddenly log in from 10,000 miles away when it was only 15 minutes later? Those are simple, easy ones to also start ticking off. You throw in device recognition, have I seen this device before? Is this device a known compromised device? Has it been jail-broken? Etcetera. You can look at different pieces around that. Same with phone number fraud. Has it been SIM-jacked? Is it on a known list of compromised phones? And call out those ones. And then go all the way through to user behavior as well. Is the user doing what they normally do? Do they normally log in? Do they normally make one mistake before they log in? Are they suddenly becoming the perfect user or the worst user? You can start to push through all of those things. And then throw MFA only if a risk is found that’s unacceptable, or maybe just log them in without a password because you’ve created such a reliable understanding of the user that you can let them in.
0:23:08.1 BH: So, most of what happens today is because we wanna trust people, we wanna trust our users. Nobody wants to go into their business and say “I don’t trust my users.” They seem like nice people, they look like nice people, and I wanna help them. But sometimes you shouldn’t. It just does become one of those conditions where you have to start thinking about this. And why? If you look at it, in 2019, we spent more money in the security industry protecting things. We saw a 17% rise in breaches reported, 80% of those hacks were related to weak or stolen credentials, so this is very obvious where the problem is. 32% involved phishing. It’s easy to get somebody to click on a link when presenting information to a user. They are not adept at hovering over or trying to figure out what URL it’s going to. They’re trying to do their job. They’re just trying to get through the day, finish their work, make their bonus, get home to their family. So that’s what’s happening, there are these things that are being presented to them. And when you look at the average cost of a breach in the US, it’s now passed $8 million. It’s lower around the world and I think that’s probably due to the potential for litigation in the US.
0:24:23.6 BH: So let’s take a look at a single customer of ours and see what that would look like. Over a four-week period during the peak season, the adaptive layers that we provided saw potential misuse of credentials over 13,000 times. That is over 486 bad things a day, or 20 bad things an hour, 24 hours a day, seven days a week. Now again, you can see that you can chop out large chunks of it. Over 13,500 were suspicious logins coming out of the dark web, so that’s easy for us to cut off. 14 more were coming from known logins associated with known criminal activities, so there’s an association that helps you understand what’s happening. Others were trying to mask their IP address and location. Maybe that’s a valid reason, maybe it’s not, but it starts to heighten your awareness of what’s happening with that particular user’s credentials.
0:25:14.9 BH: So I’ll leave you with the idea that there is really only one new reality. There’s one network in the world today, one corporate network, it’s called the internet, and you have to know it and love it because that is where business will be done. Modern security fundamentally requires you to change the architecture that you’re applying to everything and how you address security. And the only way to… The absolute key to true security is to have a reliable identity, because you can build all these great cloud-based security solutions, you can outsource it or insource it, however you want, but if you’re building good reliable tunnels from point A to point B but you do not know who is on the first end or the other end of the key at point A, you could be letting in the bad guys. And that’s really what happens. So I’ll leave you with this, the concept that identity is simply who you are. Or as I like to say, it’s who you wanna be. And with that, I’ll say thank you and close up this session.