All right. Good afternoon everybody. Thank you for joining us on this webinar where we’ll be discussing the understanding and safeguarding of credentials, and in particular why law firms we feel need to act fast. A quick jump into the agenda for this meeting. So by way of introduction, just to mention that this webinar is being recorded and there is obviously the feature to ask questions as we go through using the features of the webinar. And we’ll have a bit of time at the end for a Q&A session.
What we’ll be covering today is in particular around how bad actors are gaining access with valid credentials. How to safeguard those credentials. But also to talk a little bit about how law firms, Stevens & Bolton, have deployed SecureAuth’s technology to help secure access to their cloud services. As I say, a bit of time for Q&A at the end.
So to jump into it, your speaker today, myself, Andy Brown. I’m the chief technology officer here at Mobliciti. I look after all of our technology partnerships or our technology strategy. Pleased to be joined by James Romer who is chief security architect at SecureAuth and Core Security. And delighted to have David Thomas from one of our customers, Stevens & Bolton to talk about their implementation.
A brief introduction to those of you who may not have come across Mobliciti before. Mobliciti are very much focused on delivering IT mobility and cloud access services into the enterprise. We built our proposition around four key pillars of procure, connect, manage and secure of mobile devices. And really what we’re all about is bringing together innovative market leading technologies and helping customers to implement this either delivering on premise, in the cloud or increasingly it’s a fully managed service where we provide all of that for the customer.
In terms of what we’re doing in legal, we have implemented a range of technologies across the legal sector. So mobile, while in the same cloud securities, 14 of the top 100 law firms, it’s been a real pioneer with the deployment of mobile device management across the legal sector using MobileIron technology in particular.
We’ve done managed wireless services, mobile threat solutions. And increasingly an area we’re focusing on and doing a lot of business is around enabling cloud adoption through intelligent IDC access management. Just to emphasize, we’ve been focused on legal since our inception. Pleased to say that we have a broad selection of legal clients who work with us. Very delighted to have them on board.
In terms of context of what we’re discussing today, just to give a bit of a view. We talk at high level about some of the key trends in the market that are going on right now. There’s an awful lot of content here, so what I’ll do is really just focus in on the two things that are relevant for what we’re going to be discussing today.
In particular around Office 365 and Cloud, we’ve seen a real step change in the last 12 months or so of adoption of cloud services and in particular, Office 365 across all of our customer base and very much so in the legal sector. And with that, the need to think beyond the traditional perimeter security model. And one of our key messages that we’re saying is around the idea of looking to the identity of the user, making sure that you protect that effectively as this is the front door to all of your services.
So moving forward, I’d love to hand over please to James Romer who is going to go into a bit more detail about SecureAuth Technology, one of our market leading partners.
Good afternoon everybody. So as Andy mentioned, I work for SecureAuth and SecureAuth is all about securing credentials and securing identities and the statistic on the screen here that we see, this 81 percent of breaches are known to leverage stolen and/or weak credentials. It’s a stat that obviously at SecureAuth we wish to bring down. So SecureAuth is all about preventing the misuse of credentials.
One of the issues that we see currently in the industry really is the fact that if a bad actor or a malicious actor has compromised credentials, compromised accounts, then they can’t actually just walk through the front door. So we know that network security and endpoint security alone is not enough to actually prevent the misuse of those credentials. Yet unsurprisingly, we know that credential misusers are nearly 20 percent over the last year. Breaches are also on the rise.
We see that every day in the press more or less. But the surprising piece is that actually the money that is spent predominately is still on the end points of the network security piece. A fraction of that money is spent on identity security. Of course there’s still a large chunk being spent there, but quite clearly the problem is not being solved. And that’s really because the focus has not been traditionally on wrapping the nets around the identity as it moves around the infrastructure. It’s more been focused on securing the end points, securing the files and actually looking at threat management, statistics, actor and authentication after it’s happened.
So at SecureAuth, we do this slightly differently but we’re going to look at a use case first of all to really just explore an easy way that bad actors or malicious actors can actually gather credentials. And obviously talking around the legal space, I have a use case here on the screen. This is actually a research company that has published this on January the 22nd. So it was published this year so very fresh, very relevant. Essentially what this research company did was trawl the dark web for the top 500 UK legal firms’ email credentials or email addresses. Supply the domain name, they trawled through the dumps that are available on the dark web. From those dumps, they got 1.1 million email addresses.
Of those 1.1 million email addresses, they were able to correlate 80 percent of them against other known breaches. Specifically the LinkedIn breach. The LinkedIn breach also showed compromised passwords. So using the email addresses they got from those corporate emails, the names, they were able to cross reference, again, the breach information and actually find passwords that may relate to those corporate and enterprise credentials relevant to those email credentials.
This is obviously very concerning in the sense that with those valid credentials, the bad actors can just walk through the front door. This is exactly what they’re looking for. This was not obviously a hard thing to do. This is all about doing a search and doing a mapping against another breach, another compromised system. As I said before, in this instance, it was actually the LinkedIn breach. A lot of those passwords, they’re actually exposed to a LinkedIn breach, are actually clear text as well. So it’s making the bad actor, the malicious actor’s job even easier. Just to put all the numbers down slightly more. We’re talking about an average of 2,000 creds per company. The largest law firm actually accounted for 30,000 of those leaked email addresses alone. So I see a huge problem there.
Now of course not all of those email accounts will have the same passwords shared between LinkedIn and their corporate credentials, but equally a handful or a selection of them will. Because of the very way we work, the way we are, how human behavior, we do share passwords across multiple applications. So it’s nothing conceivable that a number of those passwords will be reused from the corporate perspective and in the sort of social area as well. So very simply, for this research company to actually go ahead and actually make a map in between the credential and the password.
So what does this really mean? Well, from this point on, we know that every access point is now a potential breach. By that, we’re really talking about the fact that it doesn’t matter whether you’re trying to get an external application via mobile app, via VPN, they’re all a potential breach site. If you’ve got those common credentials, the correct credentials, then no endpoint security and no network security is going to prevent somebody walking through the front door.
We know that there is a huge push to cloud-facing applications or public facing applications. They’re not always protected in the right way. They’re not always using even basic 2FA. They’re often just using an easy password. When we look at examples such as Mimecast and Office 365 and Salesforce, they’re out there in the cloud space where we can actually do a lot to secure them, but more often than not, they’re just username and password. There is also a challenge of BYOD. The credentials are walking out of the front door. Legacy protocols such as ActiveSync are still in use. Passwords being stored in those clients, obviously embracing BYOD in itself gives a huge challenge to all organizations. Especially when everybody wants the latest and greatest and the shiniest. It’s very hard to control that.
That’s what’s very hard to control any credentials walking out of the front door. So we need to very easily mind when we’re looking at the landscape around our infrastructure and how those boundaries have moved from the traditional enterprise. Where each department and each business unit decides if they want to start using a new cloud application because it’s what they need for their business. But rather than going through the normal IT processes, they could use a business credit card or whatever they need to do to get access to new environment.
So this again is causing a huge problem in terms of shared credentials, in terms of data that’s been easy to find out there on the dark web as well and being a correlation between. One of the bigger issues here is not just about finding the easy data, it’s about the fact that obviously the law firms have the highly sensitive information. And this is really what the bad actors are interested in. So that initial breach using that correlated data and the easy to find information is really all about the initial penetration and we’ll get onto it a bit more in a couple of slides.
Very simply, putting two factor everywhere, if it’s a broken model. It’s very high friction. Also we’ve already spoken about how passwords are there on the web. They’ve already been compromised. And those 2FA deployments today rely on the password as one of those factors, the something you know element. So we really should be looking at ways of moving away from the password completely if possible. Or at the very least securing those passwords correctly and securing the authentication methods correctly in an intelligent way.
So let me talk about security. What does it really mean to people? Well, it means different things. It could be mobile security. Mobile app security. It could be VPN security. Could be hard application security. Could be legacy application security. It really is a whole host of different entities, different access points. But ultimately for an organization, they all boil down to the same thing. When we’re talking about credential theft, we’re looking at that initial penetration using compromised credentials, we’re looking at the establishment and then actually just laying low potentially, observing, doing some reconnaissance while they’re in your network. It actually works out if they can leverage any vulnerabilities.
Utilize exploits to escalate privileges. Once they’ve escalated those privileges, can they create new accounts? Can they start to clean up their tracks from the initial breach? Can they then do some lateral movement? Some pivoting around the network? Are they able to get to the data that they want and complete their mission? And would the organization ever know? And this is really where we need to start to look at not just the traditional way of preventing the initial penetration through standard static 2FA, we need to start to look at adaptable authentication and elegance around that initial penetration factor.
But also look at where vulnerabilities exist among the network. Where exploits may exist within the network. And any misconfiguration items we can highlight. To look at pivot points, to look at lateral movement paths, to actually prevent these things from happening before they happen.
How do we do this? Really the simplest way and it is a very simple way. Every authentication request, every access request, be that in the cloud, be that on premise, be that in a mobile app, be that through a spot, be that through the VPN, whatever it may be. Every request should be centralized. And the power of centralized authentication requests means that you’re in control. It means you can start to leverage rich intelligence, you can leverage the right authentication methods. You can actually make the user experience a lot nicer. So we’re not talking about high friction here. What we’re talking about is protecting the user experience from a security perspective but equally from a usability perspective.
We apply intelligence to this model. So we’re pulling in many layers of pre-authentication risk and I will go through those very shortly. To actually make sure that the access request is a legitimate request. A lot of requests come from anonymous sources for example. It may be the business rule that we just do not process those requests. So the fact that we’re centralizing the authentication means that we are now in control of the whole process, regardless of where the application is or the access point.
This in turn is protecting the individual’s identity as well as securing the authentication method. So typically we’re looking at doing this at the identity level to actually provide the best user experience with the best security. This allows us to block any malicious access requests at source. So they’re not post authentication, this is very much before the user is prompted for authentication. This also allows us to build a framework that’s future proof. So SecureAuth provides essentially a very rich threat service which is a framework which we’ve built into vertical or traditional threat feeds as we need to to really complement an organization’s posture around threat management.
I’ll go a bit more into that later on as well. And ultimately the end here is to achieve identity security automation. So at SecureAuth, we’re an active adaptive access control management platform but actually it’s a larger portfolio, SecureAuth with Core Security, we have the tools to allow us to fully automate the identity security piece. Which basically means we’re getting stronger and enriching the entire prevention of the initial exploits, vulnerability and credential misuse as well as tying into governance tools, provisioning tools, and equally the threat management space.
So this is a single platform. I’ll just very quickly explain this. This is where the roles of identity, access management and security truly meet. So in the middle there, the identity security automation. It’s all about having an engine which understands the provisioning process, the governance process, the threat feeds, the authentication flows. It’s tying everything together so that actually nothing is working in isolation. So in other words, if we see a high risk user attempting access, the governance tool can tell us the user is high risk through the number of entitlements and privileges they have or maybe they’re in segregation -- violation of segregation of duties policy. We can tell the authentication process about that due to the fact they’re sharing the same policy engine.
They’re also sharing the same remediation tools, provisioning tools and de-provisioning tools. So we can actually react real-time to risk as it occurs. The same with feeding into the authentication flows. Where are the exploits, where are the vulnerabilities, what’s all the potential exploits, can we stop the lateral movement by triggering MFA, adaptable authentication premises. So this is talking about working as an ecosystem, a true ecosystem. However, when we look at the secure access management piece from SecureAuth as it is today, why does SecureAuth really help? So it is designed to evolve with the organization as new threats emerge.
This allows us to take the pain of managing threat management away from the organization as new threat feeds come on board, we can feed them into our framework and we can pull them into our authentication processes. This allows an organization to keep ahead of threats without having to invest in new infrastructure. We are a true authentication broker and centralized authentication solution. We use all the standards that you would expect, but we have the richest integration story on the market. We really do cover all the bases and assets. This is not just about securing one portfolio of application. This is about securing your entire estate in the best way for the user through centralized policy control.
We go through 10 layers of risk checks and I’ll go through those very shortly so I want to labor that point. We also provide many methods of authentication. Actually 25 methods to be exact. This gives us huge flexibility, huge control and equally huge usability from an end-user perspective because we’re not having to show the same 2FA approach every time. We can change the experience dynamically based on those risk checks to give the user the best experience. We can ask the user for a bit more information, but equally we can step them down because we know enough, reducing the friction completely. This also allows us to secure the authentication methods before showing them to the user and prompting them for authentication.
SSO of course. Responsible SSO, very important. We provide that out of the box. It supports all common web standards. Again, we’re talking about removing passwords, removing passwords from applications. It’s a huge attack surface right there. If we can remove that by initiating and integrating SSO, federation and passive authentication techniques, then absolutely we should do that. And normalize the password to the primary authentication point. So the user doesn’t have to remember 10, 20, 30, 40 passwords and use the same password around those applications, as typically happens. So increasing usability, but equally keeping hold of that user as they move watchfully around applications so we can still ask them to authenticate again if we need to. So this allows us to balance security and usability very easily.
Just to go on that point, only show the risk or the MFA when the risk says we need to. That’s key to a usability perspective. We can step up, step down, and provide the SSO responsibly after we’ve gone through all our pre-analysis and pre-auth checks. And of course self-service. Huge, huge benefits to the end user. Let’s give the end-user some power to let them be password self-service or profile management or enroll themselves into applications. We can do that because we’re proving the user.
Okay. Just another example here of how we sort of label risk from the pre-authentication to the actual authentication request. We’re looking at low risk, medium risk, high risk potentially. This is a decision tree that the organization can really push the user through to different workflows, to block access attempts from anonymous sources or bad IPs etcetera. Just giving you that flexibility as an organization.
And just very quickly to finish off here, I want to show you those layers that we’re going through. The title here on the screen, I’ll start at the top. I’ve probably got about a minute to do this. So here we have a trusted device. Very simple. Has the device been seen by us before? If it has, we can lower the risk. If we trust the device, we can lower the risk. We can allow the user a nicer experience. We pull information from our threat intelligence feed. You know, are they using anonymous VPNs, anonymous browsers, what’s their IP reputation? This is huge. This is all huge. This is all pre-authentication.
This is before the authentication challenge is shown. We go across directory stores. Any scripture data, to pull a very rich profile of that user during authentication. We go through geo rules, geo location, geo velocity, geo fencing. This allows us to tighten that identity net, that identity security net around the user to make sure they’re actually attempting access from the locations they should be. It starts to make the geo rules very strong. You can’t get around the geo location rule by popping out through the Tor Exit Node or a VPN because our threat service will see that. And will feed that information into your infrastructure.
Our frame for prevention so we can strengthen the delivery of OTPs by activating voice. Without impacting on the end-user experience. We also have the ability to look at the typing within an application, the flight, the sequence. As a user uses an application, to make sure you are who you say you are within an application. We pull information from governance tools, GBA tools, looking for anomalies, looking for high risk users as well, working as an ecosystem to actually complement the true identity security storage. Okay. So that was a whistle stop tour.
I’m now going to say thank you and pass you over to David. Thank you.
Thank you, James. I hope everyone can hear me okay. As Andy mentioned before, my name is David Thomas, and I’m the head of IT for Stevens & Bolton. We’re a Guildford based law firm of around 250 people with a fading mobile workforce. In 2016, our main IT partner announced that they’d no longer be reselling the 2FA product that we were using at the time. This kind of helped accelerate our review of this area.
We started looking at identity providers that offered a little more than just traditional multi-factor authentication. And around that time, I attended Mobliciti’s annual conference and saw a demonstration of SecureAuth. I was very impressed by the demo. I immediately connected with SecureAuth’s analogy of adaptable authentication being like layers in a bulletproof vest. That made sense to me. I also really liked the idea of behavioral biometrics which identify the user by learning his or her keystrokes and mouse movements.
Immediately in my mind, I thought that would be a good way for us to perhaps secure the Windows workstations on our LAN. So that compromised user credentials might become useless. So I liked what I saw in the product. We had two main requirements at the time. They were finding a single product that would provide single sign on as well as multi-factor authentication to allow our growing list of cloud apps to be seamlessly accessed via our intranet, which is the general launchpad for people to access these cloud-based solutions.
Of course we wanted to find something that was easy to use and that didn’t make life difficult for our people, but didn’t compromise on security. So most of our mobile workers are equipped with iPhones and we wanted to find a good app that provided a one-time password or push to accept technology. As we had already been a customer of Mobliciti for a number of years, they’d helped us secure our mobile devices using MobileIron. It made it easier to go with a partner that we already knew and trusted.
We decided in 2016 to implement SecureAuth as an on premise solution with one appliance inside our network to handle the single sign on, and another device in our DMZ, the demilitarized zone just outside of our firewall, for multi-factor authentication. So this was done because we were in the process of implementing a cloud first strategy and certainly the goal is to move those appliances into either private or third-party hosted environments.
So with that on-premise solution, we protect a number of cloud-based systems that include our own remote access solution, some HR and intranet platforms. This, in reality, means that we can provide internal seamless single sign-on from our network using the Windows Kerberos token that is issued when somebody logs into a Windows PC. And for direct external access to cloud platforms like our intranet, we can safely apply multi-factor authentication.
It was touched on earlier, but I personally found one of the hidden gems inside SecureAuth was the self-service portals. There is a portal for my IT staff to be able to remotely manage certain aspects of SecureAuth like resetting user fingerprints if people get into trouble or can’t access SecureAuth for whatever reason. The other portal is actually for end-users. This takes some pressure off the help desk because it allows end-users to unlock Active Directory accounts that may have been locked out, or even reset their own forgotten AD passwords using push to accept or one-time password via SecureAuth.
Obviously that only happens if they’ve successfully passed through the adaptive authentication layers that look at things like the device footprint. And those other layers that James mentioned a few minutes ago. That really is a quick summary of how we’ve deployed the product and over to Andy. Thank you.
Thank you, David. Yep. Just quickly to summarize. So we’re keeping very busy at the moment deploying SecureAuth across legal and finance sectors. Increasingly delivering this as a managed service back to our customers so we can take the SecureAuth technology and host that back for customers and wrap it in all of our delivery and support capabilities, host it back for them. But I’ll leave it there for now and now for Q&A.
So a quick question. James, what does this offer in addition to Azure and ADFS? James, I suspect you’ll be best placed to answer that one.
Thanks, Andy. The flexibility is the key thing to mention really. The number of authentication methods, not having to rely on just registering a device through the smartphone app. The ability to integrate with any application from any vendor, with any VPN to any handset, from any device, it really does give you true flexibility. And just to really stress, you know, typically, traditionally with ADFS and Azure you’re going to be doing the authentication, using a password and then you’re going to be challenged for a second factor. And I know now that Azure has built in some very basic fraud detection. And they’re essentially plugging up things such as anonymous VPN access or anonymous proxy access to handle the geolocation, etcetera after you’ve already authenticated into ADFS.
So you put your username and password in, so the valid credentials, and then the flag occurs. In our world, we make the flag before the authentication request is even shown. Before the authentication method is made. So actually it’s a completely different security model. I would sum it up by saying the usability, the flexibility and the richness of the pre-authentication to protect not only the identity but also the authentication method.
Okay. Thank you. And as a follow-up to that question that just popped in. Would this be a replacement for ADFS?
Well, another great question. So yes, but having said that, we also equally can layer the intelligence and the pre-authentication intelligence and all the authentication methods in front of ADFS. So we work with a lot of customers who have a lot of applications tied to ADFS, so to actually review that, to replace that from day one would be challenging for them. So they typically deploy all the authentication methods and pre-authentication intelligence in front of ADFS and we act as a claims provider, actually working with ADFS. None of the application integration or configuration needs to change. So yes, we can ultimately replace ADFS. We have SSO support. And equally, we can also co-exist.
Thank you. Thank you everybody for your time. We’ll end the webinar there. Thank you.
[End of recorded material 30:30]