Webinar: 2018 Cybersecurity Predictions

Security experts Garrett Bekker, 451 Research, and Chris Sullivan, SecureAuth, peek into emerging trends in cybersecurity and identity in 2018. They share insight on why network-based approaches to security are no longer sufficient and why identity is the new gating factor for access. Learn about practical approaches and more.

 


Mary: Hello everyone, I am Mary Carl from 451 Research, and I will be your moderator today. On behalf of SecureAuth and Core Security and 451 Research, I'd like to welcome everyone and say thank you for attending today's webcast. Presenting on today's webinar will be Garrett Bekker, 451 Research Principal Security Analyst. Following Garrett will be Christopher Sullivan, SVP Chief Information Security Officer of SecureAuth and Core Security.

By way of housekeeping, today's event will run between 45 and 60 minutes, including the Q&A period following the two presentations. Please submit your questions at any time during the webinar, and a copy of the slides will be available for download to all attendees. We also ask that you provide us with any feedback that you may have from today's webinar. And with that I'll pass it over to Garrett.

Garrett: Well sorry folks, I was on mute. So thanks Mary, calling y'all from sunny Houston, Texas. Before we get started just a few words, I'm one of five analysts currently on the information security team here at 451. And my primary coverage areas are identity and access management, so things like authentication, single sign-on, identity as a service, et cetera, and also data security, so DLP, encryption, tokenization, things like that. I also spend a lot of time on cloud security and IOT security since identity and data security are pretty commonly used in those environments as well.

Real quick about us, 451 has been around since 2000. For those of you who may not have heard of us, we've got over 300 employees, about 150 analysts. And if anyone is curious like I was where the name came from, any of you science fiction fans may have guessed it came from the novel Fahrenheit 451 by Ray Bradbury. So just to summarize some of the key points I want to make in the talk today, I made a number of predictions as we had in the title, it was predictions for 2018. So really I'm going to make four predictions, the first one is that identity becomes the new perimeter.

And we'll also start out, we'll look at some data from 451 on cloud adoption, and some discussions about how to secure the cloud. And basically make the case that network based security is no longer sufficient as we increasingly use things like cloud, mobility, IOT, et cetera. The second is one that's been around for a while, but this idea that passwords will die. I'm not sure that they'll ever completely die, but the main point is we're going to rely more and more on identity. We're going to need some new approaches than what we've been doing for the past 15 years or so.

So we'll talk a little bit about the pros and cons of passwords and multi-factor authentication. Third one is a new theme we've been working on at 451 regarding the rapid spread of advanced analytics like machine learning and artificial intelligence. And then lastly I'll wrap up, I'll talk a little bit about the cloud security landscape and how that's evolving.

So this first slide is a pretty simple point, but basically we're seeing tons of security companies in the market. And if anyone is counting we are up to close to 1,800 vendors that we're tracking at 451 in cyber security, which is quite a lot. A lot of that has been driven by a lot of the new threats, and new computing architectures, it's resulted in a lot of VC money flowing into cyber security. Some other interesting tidbits, we see about nine or ten new security startups every month, roughly 100 or more per year, and roughly five or new security categories every year, so quite a lot of ground to cover.

Now a lot of these vendors were formed for basically on-prem environments, things like anti-virus, end-point security, firewalls, et cetera. I remember I started in security in the early 2000s, really all you really needed to feel safe was maybe a firewall and a VPN for remote access. Maybe some hardware tokens for your employees that left the office occasionally, and then we started adding more things like IPS, and web app firewalls and [SIEM] et cetera. And eventually it started adding up. I don't have any hard data, but I have a lot of conversations with customers. And I always ask them how many security vendors they have in their environment, and not uncommon for me to get answers of anywhere from 15 to 25.

Heard in some cases as many as 50 internally. Now obviously this can create some problems for enterprise in terms of evaluating these vendors, purchasing them, but also integrating them and running them on an ongoing basis. And as we'll talk about a little bit later, this is also starting to happen in cloud security as well. So this slide comes from a service at 451 we call the voice of the enterprise, and basically what we do is we survey several hundred senior level security executives on a regular basis to help us get insights into spending patterns and trends, et cetera.

A few things jump out on this chart that I thought were worth highlighting. One is the most common type of cloud resource being deployed, not surprising, is software as a service since they've been around the longest. And at the very low end is platform as a service. The other thing I wanted to highlight is that the percentage of respondents using private cloud, whether that be on-premise private cloud or hosted private cloud actually declined a bit. While conversely public cloud, public-hosted cloud, infrastructure as a service, et cetera, actually increased. In other words firms are actually becoming more comfortable with public versus private cloud.

Probably the bigger point I wanted to make is that most organizations are using a variety of cloud architectures. And yet in the media there is a tendency I think to talk about cloud as if it's a homogenous thing, but it really isn't. Cloud isn't one single architecture, it's multiple architectures. And each of them has different technical requirements for security. Now this next slide, also from VotE data, and we haven't updated this in a while. But it holds pretty well, if you look at overall enterprise deployment, so that includes on-prem, cloud, hybrid, hosted, et cetera, the most deployed security tool by far is the trusty old network firewall. Virtually every enterprise has a firewall, 95 percent.

The other thing I think is interesting on this slide is if you look at towards the bottom identity related tools, like multi-factor authentication, single sign-on are near the bottom when we look at overall deployments. Now if you consider all the data breach activity we've seen in recent years it should be clear, at least it is to me that firewalls are no longer sufficient by themselves to secure our networks. We hear about new attacks and breaches practically every week, and it's fairly trivial for attackers to get beyond our perimeter devices. Yet we keep spending the bulk of our resources and energy on network security.

As an aside, I've been doing some security work with a client, and we surveyed them in terms of what they consider most effective for preventing data breaches and what they're spending the most of their money on. What we find is that consistently network security is at the top of the list in terms of spending, even though it's not necessarily the most effective in terms of stopping breaches. We've also done some market sizing and we estimate roughly a third of the 40 billion or so that are spent just on security products probably goes toward network security. But again, the punchline here is network security isn't enough, and something Sully will talk about a little bit later.

But it's basically the definition of insanity, we keep doing the same thing over and over. And we keep expecting a different result. Now this slide is similar to the other in terms of deployments, but instead of overall architectures we're looking at cloud only. And we see a completely different picture. Most of the top choices in the overall environment, the non-cloud world, actually fall down. So firewalls were the top, they moved down to eighth place. Web app firewalls fall into last place, and conversely a lot of the security categories that were at the top, now in the cloud world, move up in terms of strategic priority. So identity and access management moves up into second place, DLP moves from last place up into third place, multi-factor authentication moves up into fourth, et cetera.

So really the key takeaway from this slide is that when we move from the on-prem to the cloud world, our security priorities are almost a mirror image of what they were in the old world. So this brings us to prediction number one, which is basically that identity is the new perimeter. And not the first person to use this term, it's almost getting to be a little bit of a cliché, but it's pretty accurate I think. The basic idea is when you add things like cloud, mobility, and IOT into the picture you could make the case that not only are network based security tools easy to bypass, but they're actually becoming less and less relevant.

And if you take an extreme example, say you have a remote mobile user, and they're on an unmanaged mobile device. And they're accessing a SaaS application from a Starbucks, at no point will this user ever touch the corporate network or pass through your firewall unless you're doing some sort of traffic rerouting or forcing your users to go through a VPN or something like that. The point is though you can't just take your old security infrastructure and import it to the cloud. And this idea that everyone on the outside is untrusted, everyone on the inside is trusted it really doesn't apply anymore in the new world.

So if that's the case, the only real alternative is to base access to resources more squarely on users' or machines' identity. And that may seem logical, but if you think about it for much of the last 20 years we've controlled access to resources largely using firewalls and firewall rules based on things like IP address and port. And it's kind of if you think about it, it's kind of like if you went to the airport and you went to the security, and the security guard asked you where you're going, where you're coming from, but never bothered to ask you to see your ID or let alone look inside your luggage.

So in the old world we typically based a lot of access control on trust and domain. So we only trusted devices that we managed, but in the new world with BYOD we really need to focus on managing and securing content as well. Device used to be based on the domain, excuse me, so if you were on the domain you were trusted. But now we establish device trust via things like enrollment. And then the last one is fairly important, but controlling access is more based on who you are in your role than where you're located. Now location can certainly be an extra input that we can use, and that can have an impact on how security policies are enforced, but it's no longer the only or main input into our access control decisions.

So the next prediction, passwords will die, and this may be an overstatement. And I'm not sure if passwords will ever fully go away, but if your users and applications that your folks are trying to access are scattered all over the place, they are no longer behind the perimeter, one of the most important things you can do to control access is verify that users are who they say they are. And one of the most common ways to still do this is the good old username and password. I think everyone pretty much knows the limitations of passwords these days, they're hard to remember, they're easy to guess, et cetera, et cetera, but yet they're still around.

A couple months ago I was actually cleaning out my office and I came across a really interesting research paper by an industry analyst friend of mine, and made some really good predictions how over the next three or four years passwords would be completely obsolete. Everyone would be using some form of multi-factor authentication. The only problem was this paper was actually written in 2001. So here we are 16 years later, and passwords are still pretty prevalent.

So the question is, if everyone knows why passwords are so bad why are we still using them? And the issue is, I think there are a few answers. One I think it's just inertia and old habits die hard. In many cases also passwords are fine. I use passwords for things like my fantasy football team, because I really don't care if anybody gets access to my fantasy football team as long as I'm not reusing that password somewhere else or that account is not linked to another account. I think the bigger reason is a lot of stronger forms of authentication have their own drawbacks. They can be expensive to purchase and deploy. They can be inconvenient, it might be something extra you have to carry, something else you have to worry about. It can change your workflows, et cetera. Developers, excuse me, may find authentication challenging to integrate into applications, different standards to support, et cetera.

Another big issue though is that authenticators aren't always necessarily matched to the transaction at risk level. There are tons of different types of authenticators for strong authentication, literally hundreds of vendors that I track with hardware tokens, software tokens, phone based authenticators, browser based, smart cards, biometrics, you name it. What I've found is, excuse me, they all have their advantages and disadvantages, and are also suited to certain use cases. Hardware based tokens are secure, but you have to carry them around. They're expensive, the batteries die, et cetera, phone based authenticators are fine, but phones can be lost.

They're also mini-PCs if you think about it, so smart phones can also have security vulnerabilities. So some firms may prefer to install digital certificates on phones to make them a little bit more secure. But the point is there is really no single authenticator to rule them all. There is always typically some sort of tradeoff in terms of complexity, user convenience, level of security, or even personal preference. So really access controls and strong authentication in my mind need to be convenient and cost effective. They also need to be flexible and adaptable, but I also think they need to be risk based. And this is something that Sully is going to talk about I think in a little bit more detail in his section. The idea is that you match the strength of the authenticator to the actual risk-level of the transaction.

This leads me into prediction number three, and this is something we've written about extensively here at 451. Each year we produce a report that highlights the top five themes that we believe will impact the security industry in the coming year. And this year one of the key predictions that we made was that every security company will be an analytics company. And if you go to security conferences like RSA or Black Hat you may have noticed in the past year that virtually every vendor has some sort of analytics, or AI, or claims to. If you walk the floor analytics, AI, machine learning is all over the place.

There are a lot of reasons for that, one, certainly there has been a chronic shortage of skilled security staff. And by deploying machine learning and advanced analytics in many ways you can eliminate or reduce manual processes. And automate some of your security functionality, it's also been driven to some extent that analytics has become a lot easier to add. You don't necessarily need to anymore hire a team of data scientists and build your own algorithms. Nowadays there are APIs available from I believe AWS and Microsoft. You can actually plug into their own machine learning and AI algorithms to do some interesting stuff without building your own.

Partly as a result of that, we've seen analytics make some pretty big strides in several areas of security in the past few years. One of which is in end-point security, most of the end-point security vendors have been adding machine learning as a way to help them better detect threats and look for anomalous activity. Certainly this is a follow on to things that they've been doing for years. Honeypots certainly have been around for a while, where you can use automation to learn about characteristics of files. You can use it to lure attackers to gain some insights into how they're looking to behave.

Network security vendors are certainly adding a lot of analytics, using analytics to help detect attack behaviors and also identify end-points that maybe have been recruited or doing things that they shouldn't be doing. Anti-fraud is another area that is using a lot of analytics and machine learning to help detect unusual behavior. And the last one I wanted to talk about is identity management. Identity management is one of those areas where advanced analytics can be most effective. And one area where multi-factor authentication and single sign-on are somewhat limited is that they're typically binary.

For example, once you login you're in, and the multi-factor authentication solution has no idea what you're doing once you've logged in. But if you leverage analytics then you can do some interesting things, like you can look for unusual user behavior after the user has logged in. And if you see something odd it could be an indication that maybe they've been subject to a man in the middle attack, or their credentials have been stolen. And therefore you might ask them to login again, use a stronger factor, or maybe present them with a challenge question, or maybe even terminate their session.

So two more slides before I turn over to Sully, but basically this ties back to the earlier discussion I had about the proliferation of security vendors, 1,800 different vendors. We're seeing similar things in cloud security as well, and this is very high level. But I've broken it down into at least five different categories of cloud security vendors. Now I put in web gateways, we may have subsumed those within CASB these days, but really they were the first ones that were designed to protect cloud apps, a lot of whom basically used an online proxy to help protect against web-based threats. And later that architecture was used to do things like fast encryption gateways, and also proxies were basically the foundation for what's now known as cloud access security brokers, or CASBs.

And CASBs have been around for a few years, but basically they started out doing things like discovering unsanctioned SaaS applications running in your network. So you can get a handle around the risk they might pose. And then they later added things like DLP, and encryption, and even some aspects of identity management. We've also seen vendors that are focused on doing security for cloud infrastructure, so whereas CASBs are mostly focused on SaaS apps, cloud infrastructure security vendors are more focused on infrastructure as a service. So things like AWS, and Azure, Google, what have you. Then last but not least and these have probably been around the longest, are vendors that have been doing single sign-on for SaaS or cloud apps, or what's known as identity as a service.

So really the point of this slide was we're seeing a pretty rapid proliferation of vendors focused just on cloud security. In fact we've identified close to 100 of them at 451, and we expect that list to grow. So that leads me to the final prediction before I turn it over to Sully, but given that there are so many different security vendors we hear quite often from customers that we talk to that are looking to do more with cloud, that they don't necessarily want to add four or five more vendors on top of the 15, or 20, or 30 that they're already dealing with just to do cloud security. So I think over the next few years we're going to see increasing convergence of the cloud security marketplace.

That's going to happen in a number of forms, one certainly we're going to see internal development. A lot of these vendors are busy building out extra features, and as a result there is maybe more overlap between them. Maybe not so much between CASB and IDaaS, but certainly within each of those segments. And we're starting to see some boundaries blurring. We've also seen a fair amount of partnerships, and that's where the cross-pollination is occurring between identity as a service and CASB. I think we'll see more of that in the next few years. We're also seeing a lot of M&A, mostly on the CASB side for the past few years. Just last week we saw McAfee bought Skyhigh Networks, one of the leading CASBs.

I think we've seen about ten CASB deals in the last few years. We've also seen some identity as a service deals, and I expect to see more of those. And then the last one is native cloud provider or cloud providers are providing their own native security services as well. Certainly Microsoft and AWS, and big ones like Box and Salesforce, but I also think there are a lot of cloud applications, thousands of SaaS applications that will probably never have their own internal security. And also most vendors or most organizations we're talking to are using on average three, four, or even five different infrastructure as a service vendors. So certainly there is going to be a role for third party security vendors to address those multi-cloud environments.

But in any event I think we're going to see convergence of this cloud security market, and that's going to happen within the next few years. And with that I'll turn it over to Sully.

Sully: Alright, thank you, Garrett. So I am Chris Sullivan, most people call me Sully. I am with SecureAuth and Core Security, we'll talk a bit more what that means if you don't know the companies. But what I wanted to talk today, was I wanted to follow up on sort of Garrett's comments around centered network security is not enough. People think about everyone is driven to digital business, and in digital business there is some important parts to that. One is, as Garrett mentioned, we don't actually own a lot of the bits that we want to plug together. Two is, the scale compared to traditional enterprise business models is astronomically higher. And three is, it's moving very quickly, so we need to think about how do I deal with these things, the scale, the complexity and the fact that we don't own these bits.

You know, so we need a new way, so I'm going to walk through a bit about why the old way doesn't work, and what sort of new ways might actually work, and what folks can be doing about it. Garrett also mentioned there has been a lot of convergence in the security markets, expects to see more of that, we certainly agree with that. So SecureAuth and Core Security came together a few months ago, and we've actually been on a mission for the last two and a half years to bring together these bits of security domains that we believe need to be integrated so that folks can actually go solve the problem.

So at this stage we brought together SecureAuth, which is access management, single sign-on, really great strong authentication, as well as Core Security, which traditionally was a vulnerability management, doing things like attack path analysis to let you understand which vulnerabilities in your network were really important. It's not just that one patch hasn't been made, or maybe you can't make it, but how does that actually fit into sort of your higher-level risk model? Some great pen testing tools and services. With Damballa, we have threat detection, and we can see some of the numbers up there on the right. But we actually see about 1.2 trillion DNS queries per day, we see about 60 percent of the US internet traffic.

Garrett was mentioning that security companies need to become analytics companies, all of that is analytics. We're looking at that to figure out which devices at banks for customers and ISPs in government agencies, which devices are compromised based on the way that they behave. So that's all machine learning. That's all analytics, and we can talk a bit more about what that is. And we also do identity management, which is key to understanding sort of who actually really has access to what. We'll talk a bit more about that as well, but that's a bit more than Sully has a csullivan on a Core Security domain. But it's actually what is that given access to, and what are those permissions given access to, and oh by the way Sully has a bunch of different applications that are connected.

We also bought Secure Reset, which is a multi-factor authentication company, and Bay 31, which was purely a security analytics company. So we brought those companies together over the last two and a half years or so, and what we're doing in addition to driving better analytics into each one of those domains, is we're thinking about how to solve problems in between those domains. There is a resource called Core Labs, you can find that on coresecurity.com, there is a Core Labs page right at the top. But you'll find things there like approaching 300 security advisories, which are quite specifically where our researchers have found vulnerabilities that people don't know about, so at that time, zero days in all kinds of vendors, like Oracle, Microsoft, SAP, what have you.

We then work with those vendors to address those issues, and then release a press release and a security advisory that talks about here is how you know if you have it. Here is the indicators of compromise, here are patches and compensating controls, what have you. So that's the kind of work that we do. Going back to the issue of you know, are we getting it right? Do we sort of have this upside down and backwards? Garrett showed some data that showed hey, what's the security priorities for people and they tend to be flipping. This is a bit different way to think about that, with respect to most security controls today we tend to do a pretty good job about efficiency. We do an okay job at risk management, you know, you can open up the newspaper. We could talk about all these different breaches but they don't seem to be abating.

And then in terms of enabling digital business, can we allow the business to move forward? Can we allow customer, you know, great experiences for people so that they just get in, get what they need, and move on, in a security fashion? We're doing a terrible job at that. When I say we, I certainly don't mean to say SecureAuth and Core Security. I mean to say the industry, you know, industry in general. So let's talk a bit about why, this is sort of traditional network security, defense in-depth, we're looking at a bunch of different things. Monitoring a bunch of different devices, that creates a tremendous amount of information that analysts have to deal with. You know, if you look at a lot of breaches, the data was actually there. You know, we knew the vulnerability existed.

We knew malware had been detected, what have you, and that you know, we can talk about specific big name breaches you know, in the last couple of years where those things have happened. And yet they weren't dealt with because there is just too much information for the existing staff, the short staff to deal with. And so we try and bring all this information together, all these silos together, and then we actually have analysts looking at large volumes of data. It just doesn't scale, it's not responsive enough.

And then ultimately, apologies these builds are just a wee bit slower than I would like, yes, ultimately we have a manual response, which says hey what are we going to do about this? Should we disable this account? Should we re-image this machine, what have you? What's missing from that model is the identity context, Garrett talked about that, but traditionally identity management is thought about as a different, you know, profession, a different discipline in security. That's changing, the more people I talked to you know, over the last year and a half, and then increasingly over the last six months, a lot more identity folks are reporting into security organizations, which I think is great. There is this buzzword being thrown around called orchestration. Hey we need orchestration, orchestration, that's basically playbooks. It says hey, we need to automate the workflows, we need to automate these processes, so that when things happen we know what to do.

You know, we're not just looking at an incident saying oh my gosh well we better go collect identity context, what have you. Certainly there is analysis, we'll talk more about what that actually means. Case management is something that you find in other business disciplines. But it's where we're saying hey, we want to put this together. We're suspicious of this device, we start adding more and more information to it until it's convicted. And then we can actually present that case to someone that can take action. And then importantly automation, we talk about autonomous cars, what have you, there is so much going on here. And we'll talk a little bit about the scale in a minute or two.

But there is so much going on here, we have to get to a point, even though it's not comfortable where we just trust that actions are taken, accounts are disabled, ports are shut down, what have you, without humans involved. That doesn't mean humans aren't involved in an oversight capacity. It doesn't mean humans aren't accountable, but we certainly need to get there. So let's talk about where we're at, so here is a pretty nice model, you know, sort of architecture. On the left we have any device, I want to come in from my mobile, my desktop, whatever, my phone, through any network, and then out to any application in the world. And got all, that sounds really good, right?

In practice though it's a lot more complicated than that. In practice if we talk about digital business the scale we're dealing with is huge. So this is actually just a graphic of air traffic in one day worldwide. Even just in the US there is about 23 billion, excuse me 23 million people flying around in the air every single day. That translates to about 28 billion pounds of steel, and jet fuel, and flesh that's moving around in you know, three axes very, very fast, sometimes in very close proximities. And they almost never ever ever have a problem.

That's pretty amazing, and if you had humans doing that it wouldn't work. So the way you do that successfully is you have things that you start to hear now in audit and security around continuous monitoring. You have sensors. You have analytics. You have decision support systems, you have all of these things that we've been lacking in the security discipline. And if you don't have them, if the air traffic control system goes down, you still might fly some planes. But you back them off, right, so instead of a half a mile between the planes because of turbulence you have five miles between the planes, you know, to give the pilots a chance to react. That kind of stuff, everything winds down. We've all been there when the air traffic control system goes down, it's not a good thing.

So that's sort of the case for we need this kind of stuff or the complexity we have to deal with. Here is some case for, you know, here is the complexity we have to deal with. So here is a very very simple network diagram. People think about you know, in the Equifax case, you know, we have the vulnerability, right? It's not just about having a vulnerability, you got to think about where that vulnerability is within your network. Here is a very simple network, adversaries actually they get to one vulnerability but that typically doesn't get them to the prize, to the process or the information that they want. They have to move very quickly somewhere else.

So they go from one vulnerability to the next, they move through your network. And it's important to understand how they move through your network, especially when you know, in today's world, in a cloud based world you don't even own or control lots of that network. So this gives you lots of permutations, lots of paths to think about, and lots of ways through that might be weighted by here is the critical vulnerability that allows me to take over that machine. Here is one that just allows me to read what's on there. Importantly if you map that on to you know, this architecture that says any device, you know, any network, any application, instantly you're up to hundreds of millions of billions of combinations of things that we need to think about, how they're interacting. So that we can provide effective security.

So one more bit about that, that we talked about and Garrett mentioned as well, that network, excuse me, access and access management people, identity people are starting to think of themselves as security people. Adversaries have been thinking that way for a long time, so we have sort of your traditional networks on the right. And again these are very simplified pictures, but we also have access on the left, and identity on the left. And identity we think about Sully, but Sully has just on the business side probably ten accounts. I have an AD account. I have O365 account. I have a WebEx account. I have a Salesforce account, which has a lot of really confidential information in it. So as we start to put all this together we have to think about oh here is Sully, but Sully has access to all of these things. Sully might have specific permissions assigned to those, but those permissions might have permissions that might have permissions that might have permissions, and in some way who knows Garrett, and I might actually be connected through some permissions.

So again the combinations are astronomical, and adversaries don't actually move through, you know, infrastructure vulnerabilities like they did in the first step of Equifax. But they move very quickly to identity, get as far and fast as they can by jumping identities. Maybe they get a key-logger on that machine, now they have Sully's AD account. But guess what? They just picked up his Salesforce account as well, so now I can jump over to an application in the cloud. And then I'm going to move back when I get as far as I can with identity I'm going to move back to infrastructure, and then back to identity and that kind of stuff. So we can talk about a happy, you know, if you want to contact me afterwards. But the same as RSA breach, exactly that pattern infrastructure to identity, infrastructure to identity over and over again.

Equifax breach exactly that pattern, Target breach exactly that pattern, you could go on and on. I think if you look at the Verizon data breach incident report it's either 83 or 86 percent of the major attacks, and you know, are leveraging some kind of identity context. So let's talk about how that's evolved. We already mentioned in the early days it was about you know, identity management, access management, it's about really efficiency. How do I automate some of this stuff? Get the numbers down, what have you? Then we moved into compliance, you know, I have to attest or assure that I know who has access to what, and the business user has to do that. It’s very important, even today.

But we sort of evolved to take care of that, and then we moved into the cloud. So all of a sudden scale pops up, and all of a sudden we don't own all of these things, so we solve that problem with APIs from Federation, what have you. So we're here, where we're moving into now you know, where the, the evolution is going on now, is around security. So in the same way that we need to understand and connect to and integrate with all of these things in the cloud, we have to integrate our security infrastructure as well. Whether it's on premise or on the cloud, it doesn't really matter, we need those kinds of APIs. And we've also stepped into as we talked about a level of scale and complexity that is clearly unprecedented. We don't have the people to deal with it, we don't have the resources to deal with it, and importantly we don't have the time to deal with it.

So that's where we have to add real intelligence and analytics. And then finally as we really want to drive the business transformation we have to do all of that stuff. But we have to add user experience as well, so if you want to be successful in digital business, you know, gone are the days of “to make it more secure I'm going to make it harder on the user.” Because in the digital business world people just won't accept it. You got to find creative ways to be you know, really smart about it, to step up security when you have to, but do it in a way that is not stepping up the burden for the user.

So key to that as Garrett mentioned I think a couple times is analytics and intelligence. So if we think about you know, the old way was all of these security domains. The new way is we have to think about you know, any user, any device could be a mobile device from a partner, from a customer, what have you. Getting through any path, and when we think about that stuff we have to think about the context. We have to be able to when something happens, you know, perhaps we detected some malware on a specific device in the network, we have to automate and we have to collect the context. So I know what device in the middle of the network was compromised, who has been logging into that device, that's adding identity context. Whoa, Sully logged into that device, now we have to add the context that by the way Sully has Salesforce, or Sully has privileged access to specific parts of our business.

Maybe it's the, you know, back when I was on the development side, maybe it's the product and the actual intellectual property, right? Or maybe it's finances or legal or what have you, so we have to start to add context to that very quickly. Not have the incident response team asking people for hey, can you tell me what these accounts actually have access to, what have you. And then we have to automate that investigation, so we think about attack paths analysis. That's something that we've done for many years, where we say how would an adversary move through this network? Well if you tell me a device is compromised in the middle of the network then I would like the analytics to tell me from here how would an adversary move, or how has the adversary already moved from here? What are the attack paths? And by the way those attack paths again couldn't just go through infrastructure. But they should go through the potentially compromised vulnerabilities, you know, that we call humans or accounts, what have you.

And then finally we have to take action, right, so we have to say okay, in this instance disable this account. Sometimes that can be very dangerous. You can be a lot more sophisticated about it these days, you might just step down the access they have. Or you might just step up authentication, because Sully was known to be on this machine. It was known to compromise, but we don't know that Sully was compromised. We do want Sully to step up his authentication, provide a second factor, a third factor if he's outside our traditional perimeter because we still do have physical offices. And at least we know that Sully is sitting in the seat, so I might step up his authentication to sort of vet and prove who he really is. I might actually revoke his session tokens, so that he has to authenticate again. Even though he's in the middle of a session, he's already logged in.

So that's the new way, and again it relies on all of this sort of new infrastructure on identity context and orchestration, case management, what have you. What does that actually look like? I love this screenshot, this is actually presented by one of our customers. The guy runs a cyber security audit for one of the largest banks in New York, and these are the tools that they use for audit. So in the upper left, and by the way our screenshots of our products, but in the upper left you're seeing access, right? Looking at access and saying who has which permissions in the company. If you didn't organize it, it'd be like looking up at the stars, it's just a bunch of bits. In the upper right is a link analysis to that access, so you can go through and say, hey this is Sully. Sully is connected to these accounts. I can pivot out to those accounts. I can say, you know, what does his Salesforce account have access to?

I can pivot through that. I can drive down to, hey, Sully shouldn't have access to this. And by the way he has access four different ways to that, who else has access to this? And then pivot to now I'm looking at from that entitlement who else has that entitlement. So I can work through that spider web in a way that's very organic and very natural to the user. Below is attack path analysis, very similar thing, except you're thinking about the analytics, you're thinking about how to run through the spider web. And then to the left is something called cluster analysis, it's a different analytics technique. So we're seeing hey, what are the relationships here in the data. This is very useful if we're thinking about things like role management, where traditionally I would say give me ten tellers at the bank in New York. And I'll just tell you all of them have this access, and 90 percent have that access. That's interesting, but it is what people have today, right, from, it's kind of rot analysis.

What might be more interesting is to say tell me about the relationships in this data, do cluster analysis, tell me which of these permissions are close to each other. Closely in line, and then give this person a slice, or the analyst a slice that says slice that by New York City, slice that by this branch, what have you, and then I can start to see oh my god, this is what they have. So it's a different way of coming at the same problem. Attestations or user access, another big problem if I have 30 people that work for me and 20 permissions each that's 600 rows in a traditional attestation. If I give you this cluster analysis you can say oh this cluster of people they're all tellers, I can drag and drop the 20 by 30 block that 600 attestations. It's done, and by the way I have some idea of what I just did.

So there is different ways to think about it with analytics. On the adaptive auth side, you know, Garrett mentioned how do you actually deal with all this complexity. In the old way it was password. Passwords are not dead, but it is one factor, and sometimes not the most important factor. We now have customers, pretty large financial institutions running without passwords. So you might say Sully, that's crazy, you know, how does that actually work? But if you think about it, it's just one way, password is just one way to authenticate the user. And it's not great, because a lot of people use the same or very similar passwords in their private lives than they do in their public lives.

And basically all of your passwords in the private lives have been exposed, in Yahoo's case they've probably exposed it ten times by now. So the idea that your Office365 you know, employee passwords are strong passwords and secure, I could probably grab one of your employees, you know, off the dark web. I could grab what they use for passwords and very quickly I could sort of reverse engineer what their Office365 passwords are, very simple to do, right? So there is lots of other ways to solve that problem, the point here is you could break passwords. You can also break every single additional second factor method. Detroit Police Department by the way, they get fingerprints from peoples' records, they get fingerprints from people they arrest. They actually used their fingerprints with a court order to unlock iPhones by printing out a fingerprint with a digital printer.

Right, so you don't have to fight a legal battle with Apple to unlock an iPhone, right, you just print it out. I can tell you myself, I was actually at a security conference recently. I took a free Clear, so Clear is the service where you can do a retinal scan or a fingerprint scan and jump the TSA pre-line because I'm too impatient to wait in the TSA pre-line. So I took a free Clear subscription, but I gave them my retinal scan and my fingerprints. And I do worry who is protecting that? And I asked the person there, and I said, you know, what happens when you get breached. And she said, we won't get breached. We're very secure, we'll never get breached. That did not provide me a huge amount of comfort. So the point here is we can look at where you are, sure you have a password, a token, a click-to-accept, geo location, distance, time, we can look at 15, 20 different parameters to figure out who you are.

Even things like the machine learning work we're doing now with things like how does your hand move across the keyboard. I wasn't taught to type formally. I misspell the same words, I put the wrong letters in the wrong order all the time. That's very detectable with machine learning, so we can actually get to a point where we can say okay, Sully maybe walked away from his workstation. Didn't lock it, Garrett just sat down in front of it, he's typing differently. Maybe we should revoke his token, maybe we should challenge again, that kind of stuff. It's not that passwords don't have any value, but if we have ten or fifteen different ways to measure who you are and continuously authenticate who you are maybe we don't need passwords. Maybe we can be stronger without it, and also any one of these can be beat. But can you really beat 15 at the same time?

That's pretty secure. Very quickly, a bit about machine learning because I have I don't know, somewhat of an advantage with respect to people who run around and say big data, machine learning, analytics, what have you. A lot of people don't really know what it means, so I just want to give you one simple example. These are two lines, if you will. If you're looking at them it's just the best I could draw very quickly with a mouse. But they're two lines, and a human would look at that and know that. But a machine wouldn't, right? And you can train machines to do that. But you'd have to give it like a million different samples of lines, and machines would do some math to figure out that those are lines.

The math that they do is actually to use statistics to vibrate the bits, this is one technique called a Boltzmann Machine. They vibrate the bits around the bits that are set there, and statistically those two things will start to converge. And they can say hey, these two things are alike. So that's called a Restricted Boltzmann Machine, a Boltzmann Machine, excuse me. Deep learning is something that's very cool, the pictures that you see here, the face and the cat, those are actually generated by Google. Not by giving the machine learning engine a million photos that would characterize those faces or cats. But by just giving them a million photos. And what each layer of this machine with these nodes that you see is a Boltzmann machine that's locked down, and then it's called the Restricted Boltzmann machine, you move to the next layer, next layer. So in the first layers you do those kind of vibrations, and you start to say hey, you know, there is some kind of things, patterns here where these bits are set next to each other.

By the time you get down to the fourth layer, they see things like lines and curves and the machine starts to recognize those on its own. By the time you get down to the seventh or eighth layer it comes up with this thing, it doesn't know it's a human face. But it actually says there is something here, and it can print it out. It can visualize it for you. You get even further down, you can say hey, here is a specific cat, it's not just a face but here is a cat. And so what you can do then is rather than saying, you know, machine learning is labor intensive as well. I have to categorize a million pictures that these are a house, or a cat, or a dog, you just have the machine do the deep learning on its own. And then say hey, what is this? And you can say it's a human face, it's a cat, what have you, and forever more that machine will recognize that.

These machines now are very very fast. People have done prototypes where they can beat Apple's voice recognition in a development project that takes a couple of weeks. In a relatively small amount of code, so now we have to think about how is that applied to security, can I do analysis like this on security models and then say hey, this looks anomalous, have an analyst weigh in, and furthermore automate that. Okay, so I've said a lot, I want to get back to Garrett and get a chance to answer some questions. I've also said we do a lot of this stuff. We're happy to provide that to you, so you can reach out to us at either one of the websites or myself personally, csullivan@coresecurity.com. We'll actually come in and do one of these assessments very quickly for you, and we'll look at your environments and show you the analytics in your environment across the network side, across the access side, across the infrastructure side, what have you.

So we're happy to do that if you just give us a call, it's actually quite easy for us to do. Alright, so with that I'm going to turn it back to wrap it up, to Garrett.

Garrett: Thanks, Sully, appreciate it. So yes, we went over this earlier, but again just to recap the four predictions I made. One, again identity is becoming the new perimeter. Really that's the key point here is that really networks are becoming less effective, but also less relevant as the perimeter starts to vanish with things like cloud, mobility, IOT, and what have you. The second one, prediction number two, passwords will finally die. Perhaps I should have rewritten this one, thinking about this, but I think the point here is that passwords will certainly diminish. And we're going to see more use of stronger authentication.

But I think to Sully's point and actually to the point I made earlier, passwords have been around for a very long time. They've got the uses in certain situations, and I don't see them ever going completely away. But really the bigger point is we'll see more use of stronger forms of authentication, and applying it to prediction number three, every vendor is an analytics vendor. Those authentications will be more closely aligned with risk. And then the last point, prediction four, again cloud security will converge. We're seeing a lot of fragmentation in the cloud security market, but I think the cloud security market will look very different in the next couple of years. So I'll turn it back to Mary, and I think we may have some questions.

Marie: Thank you, Garrett. Thank you, Sully. So the first question, I believe, is for Garrett. Biometrics seem to be getting a lot of attention, and we are seeing more fingerprint sensors and voice and facial recognition in mobile devices. What are your views of biometrics?

Garrett: Yes, so great question. Something I've been wrestling with for quite a long time, certainly have been looking at biometrics since, for like the past 15 years. It seems like there is always a lot of hype in this view of biometrics as being the panacea that's going to solve all problems. But again going back to my earlier point. I'm not a believer that there is a single authenticator to rule them all. Biometrics certainly have their advantages, but they also have their weaknesses. You know, Sully alluded to some of it, you know, they can be compromised. There have been demonstrations of biometrics being hacked for one, for two they're not deterministic.

You know, a one time passcode, whether it's 326354, it's either 326354, or it's not. There is no ambiguity. Biometrics always require some sort of measurement, so there are degrees of freedom I guess you'd say. And they're subject to false positives and false negatives. But the biggest thing that scares me is I've only got ten fingers as Sully was alluding to. If that's ever compromised and certainly if you talk to any vendor that says well, we'll never be breached, I'd say run don't walk. But certainly scares me that biometric, you know, if my password gets compromised I can change it. But I've only got ten fingers, I've only got one voice, and I've only got one face. So I don't know if Sully you had anything to add to that.

Sully: No, no, I share that concern. There was a company that did vending machines for lunch in the US for manufacturing shop floors. So the idea is I'm working the shop floor, I don't want to carry my wallet, what have you. I just go scan my fingerprint, I get my lunch, they were compromised about a year ago. So they lost everyone's thumbprints, and like I said when I went to Clear, you know, out of convenience I did it. But I'm very worried that I'm going to lose my retinal scans and my fingerprints if they're not out there already. Yes, and then what do you do? You do self-service, yes, it's self-service retinal scan reset? I mean what do you do if it gets compromised, so yes, I think it's a great idea. But you know, it's an arms race I guess.

Garrett: Yes, just to add on that too, I don't know if you saw there was a bunch of researchers in Japan a couple weeks ago or maybe Korea that actually were able to construct a cheap facial mask. And basically they were able to fool the facial recognition, I believe, on the iPhone, so that was another interesting example.

Sully: You probably 3D print a face, right. But I do think that comes back to you know, if we say okay, Garrett, you know, like I have your facial scan because you're in front of the computer with a camera on it. But I also know how you're striking the keyboard, I also know that your browser hasn't been upgraded or just got a new plugin or hasn’t. I mean if I start to look at all of those things at once that gets pretty hard to beat. It gets pretty hard for an adversary to say okay, I'm going to model all of this at the same time. You know, in a time frame that seems normal to the machine learning systems, then I think there is some hope. That said, and Garrett, I'd be curious about your view on this, you know, make no mistake the adversaries, they're going to start to build smarter and smarter systems, and machine learning systems as well, right, so I'm sure that will happen.

Garrett: Yes, well it's so interesting, we're doing a survey right now with a client that I alluded to earlier. And one of the questions we asked them, because this really speaks to the duality of security right? Like almost all technology, everything can be used for good or bad, right? You can use dynamite to build new roads, you can also use it to blow things up. Similarly with AI we asked a question with AI and machine learning do you think it will be, you know, used by enterprises to help make them more secure, or will it also be used by the bad guys as a tool to help them do more hacks?

And I think the results came in about 63 percent that AI was going to make us more secure, and about 40 some percent, I don't know, I guess the math doesn't work there. But it was roughly 60-40 let's say in favor, those who thought that AI and ML would actually be used by the bad guys.

Sully: Yes, you think about orchestration, automation, all these things that we think are going to help. I've read in the Equifax breach the attack Apache Struts vuln, the day it was announced as a CVE, then Equifax was tested with that vuln, and they actually just, you know, they just did a who am I on the local machine, right? So they did nothing innocuous, but they tested okay, can we get this machine? So that's pretty clearly an automated process of them going out doing continuous monitoring, right, which is what we'd like to do to know where the vulnerabilities are, which is what we'd like to do right? So that's pretty clearly automation, orchestration, that kind of stuff, and then two months later you know, they come back and they start the attack, right, after they're properly prepared. So I do think it would be naive to think that the adversaries aren't going to continue to advance as well. So that's what makes it fun actually, but--

Garrett: Indeed, so Mary did we have more questions?

Mary: Yes, I think we have time for one more question. What are your opinions on behavioral biometrics beyond static biometrics?

Sully: I can go, Garrett, if you want.

Garrett: You want to take that one, Sully.

Sully: Sure, go ahead.

Garrett: I'll take it real quick, and then I'll pass it to you. I think it's a really interesting area. To my knowledge there aren't a ton of vendors that do it right now. I'm aware of three or four that I've spoken to. Seems like a really interesting idea. The question is whether you're using it for the initial login, or you're using it after, some of the vendors are actually using it as a complement to the initial login. Mainly to detect fraudulent behavior after somebody is logged in. One of the nice things I think about it is that it's fairly frictionless, the users don't have to do anything. One of my concerns would be how much of a sample do you need before you need to actually do it accurately?

You know, if somebody is only logging into a banking app once a month and typing in 20 keystrokes, I'm not sure how accurate that would be. But conceptually at least I think it's really neat, and it fits into this whole adaptive risk-based theme that I'm a big proponent of. I don't know, Sully, do you want to add to that?

Sully: Yes, no, I share exactly the same comments I guess, that I think it offers a lot of hope. We're certainly working on some really cool things with respect to that. If you have a user like I do, you know, that spends a lot of time on the keyboard then that's you know, not too challenging to get low false positives. The other thing you got to worry about though is, you know, what's normal if what you have is not right to begin with? So if you already have adversaries in your network, if you already have malicious behavior, what have you, then you have got to be very careful to think about am I modeling the baseline for normal against something that I shouldn't be? So it's just a different dimension I think people need to be cognitive of.

Mary: Perfect, thank you, Sully, and thank you, Garrett. Okay, that's all the time we have today. Feel free to reach out to both Chris or Garrett if you have any further questions. And on behalf of today's presenters I'd like to thank you for attending today's webinar, and we hope to see you on another webinar soon. Thank you, and have a great day.

[End of recorded material 01:01:52]
