Shut the Front Door! Eliminating Passwords and Other Ways to Stop Ransomware

Watch the full video.

Shut the Front Door! Eliminating Passwords and Other Ways to Stop Ransomware

Listen to the following security experts share their insights in the webinar:

  • Tom Field, Senior Vice President of Editorial with Information Security Media Group
  • Jasson Casey, Chief Technical Officer at Beyond Identity
  • Rick Holland, Chief Information Security Officer and Vice President of Strategy at Digital Shadows
  • Patrick McBride, Chief Marketing Officer at Beyond Identity

Transcription

Tom Field

Hi there. I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. I'm delighted to welcome you to this webinar today. The topic of this, yes, this is the topic of it, “Shut the Front Door! Eliminating Passwords and Other Ways is to Stop Ransomware.” 

Your presenters today, and they're the ones that gave it this title by the way include Jasson Casey, he's the chief technology officer with Beyond Identity, Rick Holland, CISO and VP of strategy with Digital Shadows, and Patrick McBride, chief marketing officer with Beyond Identity. 

Now, before we turn this over to a panel discussion, let me give you a little bit of background on what they're going to talk about here today. The threat of ransomware and other credential theft attacks has only grown over the past year. Just look at the news over the past two months. 

According to the latest Verizon Data Breach Incident Report, credential theft accounted for 89% of web application breaches and phishing attacks increased by 44% across 2020. 

The recent attack against the Colonial Pipeline Company proves that these attacks are only getting bolder. What are the most effective strategies their security leaders can use to defend against this threat? Is multifactor authentication the answer? What about new passwordless technology

Well, you're going to join our conversation today where we discuss how organizations can prevent ransomware and credential theft attacks by understanding the tactics that the threat actors are using along with eliminating the insecure password. Now, we'll take a few moments and tell you about my organization, Information Security Media Group. We're a 15-year-old media company based in Princeton, New Jersey. 

You might know us best by one of our 35 or so media sites, BankInfoSecurity, or BlogInfoSecurity, DataBreachToday. In all, we reach an audience of 950,000 security leaders around the world. And each day we give them a diet of news, analysis, events, research, and educational opportunities just like this one here. 

Also, I do need to remind you today's session is copyrighted material and is meant for today's replay and for individual study purposes only. If you'd like to use any of the information presented today or if you're looking for customized training materials, please contact us. 

Delighted to introduce our sponsor today, Beyond Identity. Beyond Identity created the most secure authentication platform on the market. Customers use Beyond Identity to reduce risks from ransomware, account takeovers, and other cyber attacks where passwords are the primary attack vector. The company's innovative platform replaces passwords with asymmetric crypto and X.509 certificates-proven technology that's the backbone of internet security today. 

The solution cryptographically binds a user's identity to their device and secures the private key in the device TPM to prevent credentials from being moved or copied. It continuously checks the security posture of every device during every authentication transaction to enforce true zero-trust authentication. 

Now let's meet our panelists today. Again, I mentioned Jasson Casey is the CTO of Beyond Identity. Serves as a fellow in cybersecurity with the Center for Strategic and International Studies and the National Security Institute. Jasson pleasure to have you here with us today. 

Jasson Casey

Thanks for having me. 

Tom

We've got Rick Holland who's VP of strategy at Digital Shadows. He's a seasoned cyber security executive with a unique background as a practitioner, a cyber cybersecurity vendor executive, and Forrester Research industry analyst. He currently manages the global team responsible for Digital Shadows security and information technology needs. 

He also runs Photon Research, the commercial cyber threat intelligence experts at Digital Shadows. Rick, I don't know how you found time for us, but glad to have you here. 

Rick Holland

I'm so excited to be here. Thank you.

Tom 

And, of course, we've got Patrick McBride, chief marketing officer at Beyond Identity. He has over 20 years of experience in the cybersecurity arena as a practitioner, analyst, and in the vendor space. Patrick, thank you so much for bringing us together here today. 

Patrick McBride

Yeah, thanks for having us, Tom. And we're super excited. Jasson and I get to talk all the time, so we're pretty excited to have Rick on as well. A great addition to the panel. 

Tom

Terrific. Okay. I got a lot of questions for you. I want to start here. I'm going to bait you with this one. Is the ransomware topic overblown? I understand it even showed up on John Oliver's show this past week on HBO. 

Are we seeing a real uptick or is it just more press coverage in media paying attention to it because we're home and we don't have other things to do? I know the answer, but I want to hear your responses. 

Rick

Yeah, I can start with a data point on it. We track the ransomware actors that are out there. And in 2019, there was two main groups that we were tracking Sodinokibi, also known as REvil, which may be familiar from the Acer attack, and Maze. And then, so that was in Q4-ish of 2019. 

By the summer of 2020, we were tracking over 20 groups. And now, we're tracking over 30 groups. And these are active groups that are out there and some retire, rebrand, others come. So the trend has definitely been up. I do agree that the media attention is much greater now than it has been at any point over the past few years. But when you have things like Colonial Pipeline, you know, meat packers, Accenture, you know, if you just look at the headlines that we've had and there's countless others I haven't mentioned, the media is definitely going to pick up on it more. 

And the John Oliver bit like that's great. You know, it's definitely on mainstream when John Oliver's doing a segment on it. 

Tom 

And, by the way, he was pretty accurate too. 

Patrick

Yeah, he did a great job with it. I think if it was Jeff's Accenture, you know, and some other, you know, smaller items it would have been one thing, but when somebody impacts our oil price or decides they want to take away our meat, then we're listening and the press is all over it. But, you know... 

Rick

I'm from Texas, don't take away my beef. I need that for brisket.

Patrick 

Exactly. So I'd agree. I mean, you know, being the cybersecurity market out here, there's not a hypey thing that, unfortunately, cybersecurity marketers, you know, won't grab a hold of often. But this is just one of the trends, as Rick said. Not only the threat actors out there but just the massive amount of money. 

You know this is one of the few things we can actually trace somewhat because we get some understanding of how much gets paid out by monitoring certain kind of cryptocurrency transactions. 

So, you know, it's clearly an issue. Yeah, the press has jumped on it recently, but it's clearly an issue that isn't going away. It works, right? I mean, bad guys continue to do things that work and so far we haven't stopped it from working. 

Jasson

The one thing I would add is it does present an opportunity to actually try and explain to my mom what I do, right? If it's in the big frame. Except that she's not going to watch John Oliver, so that doesn't quite work. But, in seriousness, to piggyback off something Patrick said, so we stay in close contact with our friends over in the insurance industry who underwrite a lot of this policy. 

And, you know, without getting into some of the specifics, the number one thing that they are concerned with throughout the year of 2020 and 2021 is ransomware risk and mitigation. And they're not creating much headspace or mindshare to really worry about any other risk as far as kind of the portfolios they have, the books they're underwriting. 

So again, you know, they're never going to give you the details of what's going on under the hood, but I think that's a telling signal. If the only thing they're interested in right now is ferreting out ransomware risk and applying mitigations to policies that they've underwritten. It is telling about the importance of this specific issue in our industry. 

Tom

One thing to add on that, I just renewed a cyber insurance policy. So I can tell you that the rigor between this summer's renewal and the previous summer's renewal and caps that were put on the policy and things like that, and they're really digging into the data that could be extorted and things like that. 

So and I actually kind of think maybe some of the cyber insurance providers have taken on a lot of because they have policies that they don't fully understand if it's there. 

Tom

They do now. 

Rick

This could be the understatement of the year right here. but yeah, I just went through, I wouldn't call it painful, but it was definitely, you know, more diligence on that renewal for us. 

Tom

Oh, I've talked to some organizations that would describe it as painful, Rick. Yeah. The tougher questions out. 

Now, let's look at the past few months and what we've seen. We've seen ransomware attacks on critical infrastructure. We've seen it through third-party partners. We have seen healthcare, in particular, take a beating. 

Rick, what are the trends that stand out the most to the Digital Shadows team and then Patrick and Jasson, I welcome your input as well? 

Rick

I think obviously, the big headlines that have been targeted, one of the things that we are seeing, of course, is the rebranding. So DarkSide rebranded as BlackMatter. So people go dark, come out of something new. Maze retired last year, you know, before any of this happened. And so that's one trend is that the actors retire. 

Some of them probably could legitimately retire because they've got money that they've made or they just rebrand. Sometimes they're using very similar TTPs and things like that, you can detect that. One of the bigger trends, it's not necessarily new, but there is a shift in some of the groups that we track. Well, they're not extorting for data. It's tough, right? 

They're not encrypting the data anymore. They're just stealing the data that they gain access to and then putting it up on a leak site. Like, we're tracking, I think 33 active leak sites right now. So they're not even bothering with the encryption side of the house. Getting environment, initial access, and we'll probably talk a lot more about how people are getting initial access to the environment as we go on, pivot around, find the data. My joke is that the threat actors do a better job of data discovery than we do as defenders. 

They do a better Crown Jewels Analysis than defenders do. And then they just go out and put it up on sites. Like, Marketo is one of the newer sites where they're leaking that data. And they're skipping the ransomware extortion encryption game altogether and just doing the data extortion. 

Patrick

To follow something even from the last question, I had heard, you know, fairly recently we've talked to a couple of insurers directly and, you know, they were somewhat minting money, you know, with some of their old policies. As Rick pointed out, they were probably taking on more risks than they thought they were. It went from loss ratios above a dollar, you know, where every dollar that they had taken in and premium, they're getting $1, $25, $30 in actual profit from that to something like to half of that, you know? 

So they took a big bruise this year. And as Rick said, they're not only scrutinizing. In some cases, we've heard from CISOs that they either won't write the policies or it's got so many caps and exclusions it's almost not worth it. You know, to some extent, they're actually taking a step back and saying, "Hey, wait a minute." So, you know, whether, you know, on the threat actor side, obviously, it's certainly a vibrant market in that territory. 

And companies have less choice now in what they can do. You can't slough your risk off on to necessarily an insurance company. So, you know, this is one of those situations, whether they're actually ransoming it or we're giving it away and leaking the data, you know, we're going to actually have to up our controls game. You know, so I think that that actually has a pretty interesting implication for this. 

It's, well, there's obviously lots of different ways you can deal with risk, but, you know, one of them, isn't probably off the table forever, but they'll either...you know, the insurance stuff's going to be either as, you know, Rick and Jasson have said highly scrutinized or unavailable for some period of time. 

Tom

Yeah, transferring risk is just going to get a lot harder. With it, in fact, the other trend that we've been, I wouldn't say it's a trend, but there's two examples, a French insurance company called AXA, and then CNA, it was another one where the ransomware actors are going after the insurance providers themselves. 

It actually wouldn't be a bad model to own the insurance network, know who the customers are that have a policy, and then pop those customers because, you know, you're going to get paid out. 

So it's anecdotal evidence, but certainly, it's an interesting attack model for them. 

Jasson

Yeah. And just to kind of piggyback on that and address two questions that kind of popped up in a minute. The question was like more of the say that we hear a lot about big-name companies in the news, but not necessarily small breaches. And, of course, you know, it's almost never in a company's interest to talk about the bad things that's going on. 

And they're almost always compelled to for kind of compliance and laws and whatnot. The view into the smaller side companies and breaches largely happens in the insurance side of the world. And we were talking about 2020, and Rick mentioned earlier, like they didn't really understand the risks they had. They had underwritten a lot of organizations and they either took it at face value that the organizations were exercising proper controls or assumed the likelihood and event was not that important. 

And one of the trends that they're going through right now, the insurance companies, is they're extending much, much deeper into these client networks and client architecture. And this isn't at the top end. This is at the medium and the low end in terms of what is your proof of identity control? What is your proof of multifactor? What is your proof that you actually have some sort of update and patching process in place? 

This was almost unheard of for an enterprise that was under 1,000 employees two years ago, three years ago.

Tom 

Good points. You know, I think back to just this past year, when you look at organizations such as FireEye, SolarWinds, Colonial Pipeline could say the organizations that have come through the best are the ones that have been the ones that have stood up, taken the tough questions, and been as open as they could be. 

So, you know, I think that it might not be in a company's best interest to divulge this information. It certainly is not in their best interest to try to sit on it and not be as transparent as they can. Now, gentlemen, talk to me about this, tactics. What changes in tactics have you seen most recently? Like, I see a lot more double extortion now in some of the attacks that we're seeing. And I always hear, it's almost become cliche that the nation-state actors are taking on the tasks of the cybercriminals and the cybercriminals are taking on the techniques that previously were the realm of the nation-state actor. 

What are the tactics you're paying attention to? 

Rick

Well, vulnerabilities, Jasson kind of touched on it with how are you patching? I mean, it's not sexy. It's not breaking news. Many of them are going after patches that have been available for quite some time. SISA put a nice report. SISA have been doing some great alerts, you know, over the past 18, 24 months. 

And they did one July 27th, 28th. It was vulnerability exploitation for 2020 and 2021 to date. And it was, of course, the zero-days that were mentioned in there, but a lot of them were these cybercriminals going after your VPNs, Citrix, Pulse VPN, Accellion was mentioned in there as well. 

So our remote applications are where the criminals and the nation-states are going after. And why write a zero-day exploit if I can just go after your Juniper or Pulse secure VPN, that stuff? So it's almost like, you know, how much did the tactics actually change for most of the adversaries? 

Passwords are still weak. Passwords are still reused. Like, you know, why change your game if your playbook already works? 

Patrick

- Yeah. Don't burn the zero-day if you don't need to. It's kind of or the other way to say the threat actors go downhill like water. They're going to go to the easiest spot that they can get to. And if they don't have to burn something more complex or complicated, they won't. We see it along that thread, Rick. We're seeing, you know, certainly continued RDP brute-force attacks

And, you know, kind of tactically, it's interesting. I mean, I think, you know, most of our audience probably knows this, but maybe not everybody does. I mean, there tend to be multiple actor groups involved. Some of the folks that are just popping networks and figuring out how to get in and then sell that access off the folks that will actually execute or pay the ransomware as a service provider to execute the attacks. 

Sometimes, you know, I don't need to actually, you know, exploit something in RDPs or any one of the remote access points that I find, I can actually sell that access for some... I don't know if you guys have... Do you guys collect numbers on what those things are? 

Rick

Yeah, we call them initial access brokers. We're not the only Intel provider in this space that does it. And we did trends in 2020 and we've done trends in.... we've done a quarterly one. I'm looking at what we saw last time, the average selling price, if you want to buy access to an environment we looked at 250 listings in queue to was $7,100. So I can buy access to your environment for that. 

And it can be for ransomware. It could be for extorting data. It could be for whatever, you know, nefarious purpose there. But it does highlight the, you know, cybercrime is a business and you have people that specialize in it. 

And we've done some blogs recently where we were on some of the Russian forums for initial assets brokers, and I think they had a pen tester job description. And if I was to show you this job description, like blind test here's one for a pentester at Digital Shadows and here's one for a pen tester for initial access broker, you might not be able to fill the difference, or you would see a lot of similarities there. 

So, yeah, you have groups that their whole job is they don't want to mess with the extortion, they don't want to have to deal with law enforcement and the middleman that do the negotiations, they just want to get that access. 

And they're getting access through password reuse, password brute-forcing, the unpatched vulnerabilities, and then if they have to zero-days there. So yeah, there's a whole economy for these initial access brokers, but for $7,000, you can get access to someone's Citrix and do what you like in that environment. 

Patrick

And you mentioned it before Rick, that I didn't make sure that does a fly-by to effect. I mean, it's not, and Tom, you did as well. It's not only that the bad actors are ransoming data in some cases they're either selling the data or using it as a separate extortion factor. 

I mean, the kind of case study example was the Metro Police in DC where the ransomware actors said, "Hey, you know, we locked up your stuff, you know, pay us," the DC guys politely, you know, dropped in the middle finger and said, "No." And then they said, "Well, you might want to reconsider." 

And then they started leaking. And I think they'd leaked dossiers on, like, 22 of the officer's, you know, home addresses and things that obviously, if you're a cop, you wouldn't want out on the street. So I would suspect that that tactic either to prompt somebody to pay the ransom or just selling off some of the data and like Rick said, bypassing the whole ransoming piece as well maybe continue to to be a pretty interesting trend that we're going to see. 

Rick

We're supporting a client because we track these actors have about a $40 million ransom, but it's not an encryption story. And it's interesting because you get on the calls and you have these brokers that are middlemen that will speak to the ransomware on behalf of the company. 

But, you know, you want to quickly find out if it's an affiliate you're dealing with or it's the actual group proper. You can also tell some of these groups are more mature than others. Some of them actually understand the internal processes required to get approval, to pay a ransom, know that it's time and stuff like that. 

So what you don't want to have, this sounds bad, what you don't want to have is like a rookie ransomware crew that doesn't appreciate or understand how you operate things that you need to go through because they can start harassing you. "You haven't responded to me, here's the data. I'm going to go to the press. I'm going to go to the leak site." So and they can get combative. 

So I guess the one thing I would say there is definitely want to do an extortion tabletop exercise, be it encryption or double extortion with data because when you're in the midst of getting... You know, back in the day, law enforcement used to do the "Hey, China has popped you," or "Russia has popped you." 

Now, what law enforcement is doing in Europe and in the U.S. is saying, "Hey, you're about to get exported." We have somebody to tell you what their collection is, but it's coming. And then a couple of days later, you get the extortion letter. 

Tom

Guys, we got a lot to cover here and just the time is going quickly. I mean, let's start this question. And Jasson, I'd love for you to tackle this first, given everything we've talked about, ransomware, we're going into the latter third of 2021 looking toward 2022, where's ransomware headed? It's not going away, too lucrative. 

Jasson

Indeed it's too lucrative. Something that was obvious when you threw that number out earlier, Rick $7,000, I'm just thinking that's way cheaper than the pen tests I've paid for. But yeah, coming back to where is ransomware going? You know, it's not going to go anywhere until we actually start raising the costs and the ease in which it can spread, right? And unfortunately, where we're starting from is a large swath of businesses, largely medium and small, but obviously, there's outliers, just don't have basic controls in place to prevent unauthorized access, right? We've talked about this a couple of times, valid credentials are oftentimes what's used for initial access in an invalid or unauthorized sense, right? 

So step one and one of the first things that companies have to deal with is how do they improve that problem, right? I'm sure the questionnaire is different now, but back in 2018, there was like the magic three questions that the insurance companies would use on you if you were under a certain size and they'd write you a policy just based on your answer to these three questions. 

Not proof, but the answer. And the questions were do you use a password manager uniformly? Do you have a patching program for your systems? And do you have multifactor enabled? And those three questions, in their mind, were really kind of the breakdown distance between kind of acceptable and unacceptable risk.

We're still not in a point in the world where those three things are effectively utilized and some of them can be fixed and some of them are structurally broken. And, you know, I kind of pick on the password manager, MFA password dance, just because technically, they're not in the truest sense, a bad idea, but any solution that doesn't consider human factors especially that's a security solution, it's going to trigger a behavior in your end-users where they find workarounds, right? 

So number one, a lot of people still don't use password managers, right? The UX hasn't really been figured out there. Number two, people don't remember passwords well. How many services does an average person have? Like something like 200 and they regularly access 10 to 20. Do you really think they have a unique high entropy string for each one of those? 

So, you know, obviously, this is kind of the argument that we start to make here at Beyond Identity.  But one of the first problems that has to be addressed from a corporation's perspective is access. Like, how do you secure access in a way that eliminates both of the usability problem of kind of traditional access without giving up and possibly enhancing the controls from the security audience? And that's kind of front and center in what we put in front of, you know, companies when we talk to them. 

Like, the benefit of eliminating passwords is its part ease of use, but there are other things too, that come into play once you actually decide on a method. So when you actually use asymmetric crypto as authentication where you're actually using hardware to glue private keys in place, you're eliminating a whole vector of initial access attacks, right? 

Because keys can't be removed except under extremely intense circumstances and then the blast radius is one device, as opposed to all the services that kind of reuse this knowledge secret. Tying that into things like device trust and whatnot. I'm getting ahead of myself, I'll reel it back in. But that really is kind of the first thing that must be moved in my opinion. 

Patrick

One of the things I'd love to kind of throw in there since we're on a little bit of this thread is, and it's a little bit soapboxy, so pardon me for a second, but it's, you know, a lot of folks in... 

You know, I was in the same thing when I was kind of on the practitioner side of it. And, you know, a lot of people think about passwords as being, you know, the main way to get them is having them crack, you know, somebody steals the database, somebody grabs an encrypted one in flight and, you know, un-encrypt it. 

And so the obvious answer is longer, stronger, high entropy, you know, technical term passwords, which really mitigates that it doesn't fix it all together, but it certainly mitigates it and raises a cost as Jasson said for the attacker. 

But it also belies the issue that a lot of passwords is just pure phishing. I've got keystroke loggers in, they're typing a password into a phishing site. You know, if I have a 400 character password or a 4-character password, the phishing site is happy to grab either one of them. So, you know, a lot of the ways these things are initially, you know, captured isn't just, you know, decrypted. 

And so you got to keep both of those things in mind. So, you know, kind of brings us to the conclusion that longer, stronger passwords really aren't the issue. Some variation of MFA would be the issue, but we can go into that a little bit later, certainly, but, you know, certainly, that's had its challenges with user adoption. 

Tom

- Guys want to combine a couple of questions here, where do you see organizations most exposed today to ransomware? And what are some of the leading companies doing to deal with the threat now? Where can we learn some lessons? 

Rick

- Yeah. Well, I think it's a, we haven't touched on a little bit, it's a low-hanging fruit. You know, multi-factor authentication on any external service, you know, should be your starting point, right. You know, you can do things beyond that, of course. I do have to agree with kind of Jasson's comment. I just looked, I have 350 passwords in my 1Password and they're all unique, but the way I do passwords is not the way the majority of employees at Dell's companies do passwords and things like that. So we already have a challenge right there. 

But I think the MFA stuff, and then patch. Patch the external-facing services. That will reduce a lot of the attack services. It won't eliminate it at all. But I think what's important there, as you think about my security operations team, we're small, right? We have limited resources. 

If I can just get my detection funnels smaller so the things that I'm focused on are the more high impact, more risky things versus, you know, some commodity ransomware actor that's been able to get me that's really important. So that when I do get popped, I can detect it faster and respond faster. 

Patrick

Jasson, I can let you hit it too. But, in my head, I hate just as a practitioner, starting from the right end of boom, you know, from the other side of the boom. But, you know, there are a lot of folks that are, you know, just kind of responding to the broader question of what are other folks doing. You know, certainly having your backup game, you know, is important and getting those things offsite. It's, you know, I don't like the turtle position, just roll over and assume you're going to get popped. I would rather work on the left side of that and try to eliminate, you know, or reduce the ability for folks to pop me. 

But the reality is, is, you know, it can happen to you so having your backup and restore game in a good place and making sure that those things aren't are offline. I mean, you need some offline storage for that. Otherwise, those cases one, I'm not only ransoming, you know, and encrypting the main data, I'm also encrypting the backups, and then you're kind of really SOL. 

So, you know, that's a key piece. There's a middle piece on detection, but I would just echo, you know, Rick's. I mean, pay attention. You know, not all pieces of infrastructure are created equal. The ones that are internet-facing are more equal than others. 

Pay more attention to them in terms of making sure you've got really tight access controls and the patching, you know, so that those services are just as up-to-date as possible. Just, you know, do what we've always done, reduce our attack surface. 

Jasson

So my visibility has changed a little bit over the years so this answer might be a little bit dated. But the number one thing that I used to see in the ransomware field was really paying attention to how you have RDP configured. And it doesn't matter if it's external or internal, right? It's pretty easy for someone to get... Most networks are still perimeter networks. Most architectures are still perimeter architectures. They might have more than one perimeter, but there's still perimeters and it's not terribly difficult to get through a perimeter. 

So assume you're RDP ports are going to get brute-forced, assume you're RDP ports are going to get accessed by someone with valid employee credentials. How do you catch it? How do you stop it? Worst case scenario, how do you log it? 

Tom

Jasson, should we be rethinking controls across prevention, detection, and response areas? 

Jasson

It's funny you ask Tom. Yeah, so absolutely. Hundred percent think we should. And there's a couple of catalysts that honestly, they haven't started a new idea. I think they've accelerated an idea that we've all been poignant with for years. And that's this idea that, you know, we used to build a perimeter and we say the job of security is to move on trusted things from one side to make them trust it onto the other. 

And all of a sudden we realized kind of like a bad heist movie, we're moving the dirty laundry with the criminals out of the prison or we're moving them back into the prison and going to get free ride. 

And so a lot of work has kind of gone into this thinking at a high level called zero trust, but we can throw away the fancy marketing term and really just say, what does this mean? It really means being explicit or precise about how you establish trust, really almost at the transactional level. 

So in the old security model, we start with this big blob of stuff and then we try and wrap it with like a balloon of security. In this new model, you don't start with anything. And you say, by definition, I'm secure because I have nothing to worry about. And then as you enter, as you bring new things into the realm, you try and figure out how do you secure them? 

All right. So that sounds abstract. How do I tie it to something real? Well, in the world of COVID and from everything the news is telling us/scaring us, we're constantly going to be influx. We're going to be a hybrid work environment, best case for quite some time. Our workers are going to want to work from anywhere. They're not always going to have devices explicitly under our managed control. 

And they're going to want to access whatever services they need to do their job. So the security practitioner says, "That's great. All right, how do I do my standard things, right? How do I identify the assets this person can touch and that they have? How do I know that they're protected? How do I detect bad things when they happen? How do I do something about it, right? How do I establish security controls?" 

And so in this, if you accept this modern network architecture set of requirements, that basically everything's fluid, you're then faced with a choice, do I go try and one-off these security controls for everything I could imagine this person is going to do in the future or you can kind of pump the brakes, take a step back, tilt your head like an inquisitive puppy and realize, wait a minute, everything is going to go through my identity system? 

It doesn't matter who you are. It doesn't matter where you are in the world. It doesn't matter if you're using BYOD device or not, you're going to have to go through an identity system to gain access to whatever service you're trying to do. So if that identity system had some ability to have real-time inspection or real-time kind of trusted communications with the device the person is working from, then all of a sudden you have this foundation or this way of at least building a set of unified security controls that give you both kind of visibility and response capabilities at kind of a transactional level. 

So we go back to that zero trust model, right? We're saying we don't want to take a big thing and try and make it secure we want to just bring things that we know are secure into a secure environment. Well, if for the side of my assets, that humans drive, right, so not machine the machine, but human the machine, identity is seen in the middle of everything. If identity has some concept of being able to understand device posture, then in relation to every transaction, you could always understand some risk of who is the identity driving this transaction? What is the security posture of the device? Like, is it capable of receiving critical data, or do I trust it to, you know, manipulate the sensitive control remotely with real-time data fit to a corporation's policy? Like, so how is the world changing? What are the things that we ought to be doing? 

Whether it's with us or not, like, ultimately everyone needs to be thinking about how do they do a bottoms-up security model in this fluid world where things are fundamentally going to change. 

And, you know, we're no different than the criminals in terms of like, we're looking for simple solutions that scale, right? And so the identity stack that builds security controls and from the baseline is really kind of that solution for managing your workforce. I think. We think. 

Patrick

I'd throw one thing there. I mean, basically, the key tenant of zero trust marketing, you know, to the side is don't allow transitive trust. Trust nothing. And, you know, just because I got through the bouncer at the front door doesn't mean I get to go into the cool room in the back or something. 

I get, you know, checked every time. They're checking that it's me, they're checking that I'm not bringing... It's the way the airport operates, right? I mean, that's when we go through the airport, they check our...well, in the future, they'll be checking our new real ID to make sure that, you know, the identity is strong, but they always put us through a magnetometer or something more stringent and they always put her bag through the scanning machine. They don't trust us to not walk in with everything. So it's kind of that model, you know, pushing all the way out to the perimeter. You know, so some the physical example being the airport. 

Tom

Rick, I'm going to ask you this to piggyback on what Patrick and Jasson said. What role do you think that credential theft and stronger authentication plays?

Rick

I mean, it's a huge initial access vector if you look at MITRE ATT&CK. I think they have three sub techniques around credentials that are in there. So and they're almost like the bane of my existence as a defender and a CISO. And I'm sure people out here they're doing operations, it's just a challenge. 

And, you know, my joke is I eat our own barbecue instead of saying eat your own dog food or drink your own champagne. Digital Shadows, I eat my own barbecue and I use the service. So we have our own credential monitoring service, and I will see the password reuse that comes in. Now, the one thing that's important, and somebody did have a question here about, have I been pwned? 

A lot of times they're old credentials. I mean we will still see stuff from 2012 LinkedIn dump they get replayed sometimes. Now, a lot of times that may be more successful on the consumer side, but if you haven't educated your staff about, you know, how to try to use their passwords and stuff, they're going to get reused and they're just going to be... I just see credentials as the attack vector into my environment either brute-force or legitimately used. And so they're actually one of the things that keep me up at night. That and then privileged access as well, and step-up authentication, which I think is a really important thing for organizations to do to, again, go back to Patrick's kind of analogy, validate that you are the admin from a jump host who's trying to use whatever elevated privilege that you're requesting. 

Patrick

Yeah. Since I kind of defamed it a little bit, let me give it a little color there. You know, Rick and I agree 100% on having multiple factors. I mean, you know, the idea that raises the cost of the attack for the bad guy, you know, conspicuously. 

But we would say, you know, only use strong factors. So if a password is one of them, you know, it obviously can be bypassed. We know all that. And we've got lots of examples of, you know, weak second factors, like, you know, something a pin code send through... 

Rick

Oh, yeah. Stay away from SMS. If you're using SMS for your second form of authentication, you're done. 

Patrick

Yeah. You know, so pin codes or...but, you know, there's, you know, pass the hash. There's all kinds of techniques. SolarWinds, you know, started with the infamous solarwinds123 but the bad guys to get to the hardest SolarWinds also had to bypass MFA. Now, these were pretty sophisticated actors. So this isn't in the range of all the everybody. 

But, you know, even some of the stronger MFA has had issues. So kind of our take on it is get the two-for. You know, get rid of the password and then use things like, you know, biometric, you know, things that are built into modern devices. As, you know, you've got two factors. with asymmetric crypto, you know, plus a biometric gives you two very, very strong factors. 

So kind of raises the cost of trying to figure it out exponentially. And as Jasson pointed out if you can tie that out to a device, like if you can bind cryptographically bind that out to a device, then your blast radius is one. You know, it's one user. It's not that stole the whole password database or was able to bypass other MFA links because I, you know, control your email or your SMS. 

So it's thinking about that in a way that, you know, how do I put a control in its scales? And, you know, I would say the other reason that some of the traditional MFA is let's face it, who loves to go in, in the morning and log into six or seven or eight different applications that you use all the time and get a second-factor challenge for every one of them? 

Rick

Or how much can you deploy MFA? Like, passwords have been in my existence, but MFA's not scalable. Like Jasson said, scalable. And that's such a I think critical component here is like, what can you scale operations? Can you really have MFA across a large enterprise and all your applications and things like that? 

I just love Jasson talking about the scalability, like, because there's the on-paper kind of vision of where we are and then there's the people in the trenches that are trying to implement this stuff. And it's super hard. So scalability and automation should be two really key tenants of any security program. 

Jasson

And I would piggyback off of something Rick said like not that time, but the previous time. And it was to a question we got from the audience when they were saying, hey, it's going to be hard to eliminate all of these passwords. 

I just remind everybody that you're kind of on a risk prioritization journey, right? Just because you can't eliminate all the bad things from happening doesn't mean you don't try to eliminate any of the bad things, right? Like, what is your big surface area and just kind of start working through it, right? And then the second thing is I've never gotten to eat your own dog food thing either. Like, who wants to eat dog food? 

Tom

Hey guys, we have about five minutes. You want to try to tackle two more questions before we wrap up. And the first of them is this, can we improve things by converging the disparate identity and security processes and technologies? I'm assuming the answer is yes. 

Patrick

You know, with every CISO we talk to, if you roll the clock back five, six, seven years, and Rick, I won’t put you on the spot, but, you know, CISOs, you know, a lot of the identity platforms had nothing to do with security. They were built to be able to scale an organization when they bring new employees in, when an employee is transferred from one department to another, can I easily move them along and get them access? 

It was all about getting them access to the things. In fact, for a long time, it wasn't even about taking access away. So we had, you know, players like SailPoint and other vendors in that hill, you know, come along to make sure that we were doing the right kind of hygiene on who had access to what at any given time. You know, people would retire. We actually just did a survey, like, a couple of thousand people and it was surprising how many of them still have passwords that worked into their old employer. 

So, you know, identity was about it easy in the beginning, you know, to onboard people, move people around, and then even off-board people. And then, you know, other identity tools came on top because we weren't doing well. The exception probably to the role was like privileged identity management. That was always about security. 

You know, we recognize that certain accounts, you know, in Orwellian terms, you know, privileged accounts are more equal than others, right? And you really want to protect those or lock those down, you know, because you can have access to the crown jewels. But they were kind of separate things. Really in the last three, four, or five years, the CISOs I'm talking to understand that, you know, the root of trust in many ways ends up being your directory. 

You've got to protect the hell out of that. And then things, you know, merge from beyond that. So, you know, identity systems have to become much more secure, not just in the protocols they're using, but they have to do things in a secure way. So, you know, easy magic links to remove passwords, but only from a convenience perspective, not from a security perspective, doesn't make a lot of sense. 

If you can get both if you can get more convenient and more secure, then you've got a win, but if you're just trying to eliminate a password to make it more convenient than user you probably haven't finished the job. So yeah, I think these are coming inextricably coming together. 

Jasson

And my compressed way of saying that was everyone should expect their identity stack to become a security product, right? You don't take security onto a product it is a security product that enables the security team or it doesn't. 

Rick

Just guys, please solve the password problem for me. My day-to-day job as a security leader would be so much easier. 

We'll actually feel. Surprising, I have been, you know, peppered here for that discussion, but I will. And, you know, for the readers out there or for the listeners out there, we've got a free version of this. If you've got a single sign-on product and, you know, want to hit us up and we'll give you a password that's for free. 

That's, you know, Rick has the same issue. Everybody's got this password issue. So we, you know, thought we'd bite that one-off. And we're just, I don't know, competent enough to think that we've got some really other cool features that people will be interested in beyond that. 

Jasson

So, you know, the journey starts with general worker passwords, but the other thing and this kind of deserves its topic into itself, but we can also help you secure your code for those of you that actually develop whether it's DevOps infrastructure or your software development organization. Like, you are someone in the supply chain, how do you know the meat and the vegetables you're feeding to your processing pipeline is not adulterated and comes out the end as what you actually expected it to be? 

Everyone thinks of code signing, but code signing really just puts your stamp on the end product. It doesn't really help you measure the integrity of what goes into the process against what comes out. And so that is something that we're actually releasing momentarily. 

Tom

Last question, gentlemen, Rick, maybe you can take this first. What additional steps can we take to advance a zero-trust strategy? 

Rick

Well, I guess first throw the marketing terms around out. You know, my former colleague, John Kindervag came up with a great term and it's been usurped. But just because something's a marketing term, doesn't mean it's bad. 

I think, in that front, it's look at your use cases. What are your use cases? And you definitely need an identity story because identity is the perimeter. I don't remember who I heard say that. So you definitely need that component. But break down zero trust into discreet bundles of what it is. It could be remote access to kill the VPN and move it into someone else's cloud, that sort of stuff. But come up with something that's digestible. And then Jasson had a point that I wanted to just briefly build on to. He was talking about just because it's hard or big doesn't mean you shouldn't do it it's going to take time. 

Our journey, these networks that we're running and the infrastructure were not built in a day, right? It's going to take years for us to train unless, for some greenfield cloud-native solution environment, you're going to be good. So, you know, every six months take a new project and move it forward. It's going to take time. And even though it's going to take time, it could be challenging, doesn't mean you shouldn't try it. 

Tom

Very good. Well, Jasson, Patrick, Rick, thanks so much for your time today. It went by really quickly, but hopefully, we got through some engaging points for our audience. Terrific insight. So thanks so much for being a part of this.