TEN: ISE Fireside Chat

Published On: Jul 29, 2021

Listen to the following security experts share their insights in the webinar:

  • Marci McCarthy, CEO and President at T.E.N.
  • Patrick McBride, Chief Marketing Officer at Beyond Identity
  • Mike Towers, Chief Information Security Officer at Takeda Pharmaceuticals

Transcription

Marci

Hello, and welcome to our ISE Fireside Webinar. We're thrilled to be here with you on the very last day of June and getting ready for the July 4th holidays. We appreciate you joining us this afternoon. We're very excited to have Beyond Identity as our sponsor and appreciate their partnership with us. Our topic today is "Eliminate Ransomware, Phishing, and Other Credential-Based Attacks by Eliminating Passwords." 

Great conversation, and a very timely topic, certainly, for sure. Let's go ahead and jump into our agenda and some few housekeeping things, and we'll hear from our panelists in just a second. So, we will certainly learn about our panelists in a couple of minutes. And we're thrilled to have them with us today. And we will also hear from Beyond Identity and a little bit about what they do and why they're doing some really very innovative things out there. 

We'll jump into our panel discussions. And then from there, we'll have our Q&A session. We're going to ask all of our viewers as they think of their questions today, to put that Q&A question into the Q&A chat window. This way, we'll have some great conversation and hear from you towards the end of our show. 

If you are joining us and are in need of a CPE credit, we kindly ask that you fill out the survey to its completion, and let us know that you need that information. We will send you an email tomorrow with your CPE accreditation, and you will need to upload that into your account. You will need to attend the webinar in its entirety to be receiving that CPE credit. Thank you again for joining me today.

All right. Let's jump into our panelist discussions. Our panelist introductions, I should say. So, our first panelist is Mike Towers, chief information security officer for Takeda Pharmaceuticals. Mike, how's it going? I hear you're in Boston and it's like Hotlanta up there. 

Mike

Yeah. Good to see you, Marci. And thanks for having me. Very, very hot this week. It's supposed to cool down for the July 4th weekend, but, obviously, Boston can get very cold in the winter and, I guess, very hot in the summer. So, by way of introduction, I'm Mike Towers, as Marci mentioned. I am the CISO at Takeda Pharmaceuticals. 

Roughly, number eight pharmaceutical company in the world, operating in about 110 countries. Thirty-three billion dollars revenue, 70,000-person workforce. And been here for about 2.5 years and been doing security leadership for about 13 years. And I've been a long friend and ally of the T.E.N. team.  So, I look forward to the session. 

Marci

We appreciate all your support and your friendship, Mike, over these many years in working with you. So, thanks for joining us today. Patrick McBride, chief marketing officer with Beyond Identity. Great to have you here with us, and we appreciate also your partnership with us. So, Patrick, take it away, and tell us a little bit about yourself, and share a little bit about Beyond Identity. 

Patrick

Will do. Well, I'm the mid-point, you know. So, we got the line all the way up, Marci, in Atlanta. I'm actually back in the D.C. area in Northern Virginia. And so, nice little dotted line up Route 95 all the way up to Mike. And I think we'll look like we sent the hot weather his way as well. I also am a fanboy of the T.E.N. team for quite some time. 

Beyond Identity has been a good partner with the group over the last couple of years. But, you know, I've spent most of my almost 30-year career, all of it, in tech, and the vast majority have been cybersecurity. So, identity management in the early days in a PIM/PAM vendor, and then off to a company in threat intel. I ran marketing for iSIGHT Partners and then ran marketing for a company, industrial cybersecurity with Claroty, and then joined the Beyond Identity team here back in kind of the late, it was, I guess, 2019 timeframe, September 2019. 

It seems like, you know, five years ago now. We've had a lot to do and got a lot done. We launched in April of 2020. So, we're just a little over a year old. We were founded by a gentleman named Jim Clark, who you may recognize that name from history if you've got any bit of gray hair. 

Jim founded a company called Silicon Graphics, which ended up being one of the pretty storied, you know, interesting tech companies in the valley for a number of years and kind of highly regarded as one of the best engineering teams in the valley. He went on after that to hire some guys out of the University of Illinois at Urbana-Champaign, colluding with a guy named Marc Andreessen.

So, he co-founded Netscape and built that up. And the reason I even tell that backstory is there is some relationship. So, the Netscape team, if you, for some of you, may recall, invented something called SSL, Secure Socket Layer, at the time, which gave us the ability to make sure that we were talking to secure servers or that we were talking to the server we thought we were and then having a private conversation. 

And at Beyond Identity, we're leveraging a lot of the same underpinning technology, you guys now know it as TLS, to eliminate passwords. And that was really our first goal. So, the company was founded to eliminate passwords. You know, so we call ourselves passwordless, although that's a really janky term that we can talk about a little bit later. But we decided, you know, that was a waypoint on the way to doing something, you know, much more strong in authentication. 

Eliminating passwords was only step one, but doing things like device trust and, you know, risk-based authentication was some of the other kinds of capabilities that we needed. So, we started in passwordless, and it progressed beyond that, and ergo, the name.

Marci 

Well, excellent. Thank you, Patrick. You guys are definitely leading the way in this endeavor. So, thanks for being here. And thank you both for the kind words about T.E.N. We really appreciate that. Let's just jump into our discussions. 

Our first topic today is really the state of ransomware. I think that is probably the head of the news for everybody across the board. We've seen, certainly, many successful ransomware attacks lately, like Colonial Pipeline, and we're seeing how they can really spread. And they're targeting companies that you just wouldn't even think would be a target per se. 

They're looking at schools and hospitals, critical infrastructure, and more. You know, it's really amazing, overall, when you have people working remotely and the ransomware attacks have really grown in number. Because I think the work structure or the technology environments have absolutely changed very dramatically over the last 16 or so months. 

We've rapidly moved into the cloud, and ransomware as a service is a lucrative business for those threat actors out there, especially when you're willing to pay millions and millions of dollars for it. Some are actually paying money in cryptocurrencies, and it's very hard to track. So, it's sort of the Wild Wild West of the modern times. 

So, Mike, I'd love to get your perspective here, well, you know, about the news and the ransomware attacks that have certainly come to light. Do you think the threat's overblown, or is it getting worse and maybe we're just sort of hearing about it more? You know, when you buy that white car and every single car is a white car, you know, in the traffic type of thing, or is it really something real that we should be thinking about as security executives and professionals out there? 

And, you know, how should we be looking at it with law enforcement and our insurance companies, too? 

Mike

Yeah. So, I think it's...I mean, the answer to the question may vary by industry or by perspective. But obviously, the attacks are becoming more numerous, more well-known, and more acute. I do think that the threat tactics are, frankly, not all that different other than perhaps the new wrinkles that have become more prominent recently, where it's not just about destruction or getting your data back, there's actually capabilities built-in that can actually expose the data, or so they claim that they can if you don't pay. 

So, that is a little bit new wrinkle. Because I think, historically, ransomware and, you know, more generically destructive malware type of attacks, obviously, your risk was your systems weren't running, but you didn't have to worry about data invasion. 

That's definitely changed. But what I do sense and what I do see is the threat actor community is getting smarter in who they target. And they tend to be going after companies that have historically...and industries, that for no fault of their own, have historically underinvested in controls or are more likely to pay. 

You know, most large companies, frankly, that have been doing pretty strong cybersecurity for a while, generally speaking, their attitude and their position is that they won't pay. So, they stopped, I think, trying, and they're starting to go after areas in my industry, biopharmaceuticals, and healthcare, generally speaking. That's the hospitals. 

So, if you have 115 patients in an ICU, you're not going to wait for a backup to be found and restored. You're going to pay the ransom. So, I think it's becoming, just generally speaking, a targeting improvement more than maybe a tactical one. 

Marci

So, basically, it's the cost of doing business nowadays, is what you're saying, Mike, right? 

Mike

Yeah, absolutely. It's definitely a hazard, if you will, that it is almost as common as some other traditional ones that from a broad business perspective, we've been dealing with for a while. Absolutely. 

Marci

So, Patrick, that's pretty tough to swallow there, the cost of doing business. So, what institutions do you think ransomware groups are targeting now and why? I mean, Mike talked about the healthcare industry and smaller hospitals being great targets. But how can these attacks continually be successful, or are people just not paying attention? They're not locking down the fort? They're just leaving the front door open and the back door as well? 

Patrick

Yeah, a little all of the above. I mean, I totally agree with Mike. I think the wrinkle in TTPs, which I'll come back to, is pretty interesting and may, again, yet again, change the targeting a little bit. But, you know, the idea...you know, they really didn't get the attention of America until they shut down our oil and turned off our beef. 

You know, that was, you know, when the whole rest of the community, the broader community, understood. The news started covering it. You know, Mike and I have been watching this stuff every day. So, yeah, it's been happening at an increased pace. 

So, they have zeroed in on targeting, and they've actually zeroed in on the pricing mechanisms. They know not only who is more likely to pay, but what, you know...They're running sophisticated models to figure out, kind of, what do they think they can? Where do you set the ransom so that it's something that, you know, it's more likely to get a yes. 

But the wrinkle that Mike talked about. Also, the idea of not only locking stuff down, but extracting that data out and being able to share it. I was following one, and I actually lost track of it. 

Mike, you may or may not have continued with the story. The Metro Police here in Washington, D.C. got hit with an attack and their stance was, you know, "We're not paying." You know, I guess they felt they had the, you know, appropriate backups and stuff. And so they employed, you know, the second part of the tactic, which is, "Okay. If you don't pay, we're going to release some of this data." And they ended up releasing dossiers on, you know, 17 police officers with, you know, family member names and addresses and that sort of thing, which obviously is something that the folks don't want out.

So, I think Mike's exactly right. It's increasing. It's not just the white car syndrome, Marci. The tactics, as Mike had mentioned, have, you know, changed, or the ability, you know, probably not in every scenario. I mean, some of the actors are more advanced than others in some of the software that they use, the software that they use is better at doing that. 

And you can't always count on that. But that also may change the targeting. Some combination of, you know, a firm that's more well-protected if they get in and they've got good backups. You know, if there's anything interesting, whether it's IP or something embarrassing, think the Sony hack or something like that. So, it'll be interesting to see if that rebroadens the scope. 

Mike's exactly right. I mean, they really targeted in on folks that they believed would have a higher likelihood to pay and tune their models to make sure that they would. With this second wrinkle in the tactic, that may be, you know, broadened to people have real, you know, important IP that they want to protect, you know, or if you find embarrassing stuff that you really don't want out. 

It may be, you know, the second leg of the stool. So, you know, I think that's an open question as to where it goes. And, you know, you had mentioned the insurance piece of it, and, you know, any of us who've bought or, you know, negotiated those policies has never seen more fine print ever. So, you know, yeah, it is a cost of doing business, whether it's the controls that we have to put in place to protect ourselves, or the better backup strategies that we have to do to recover more quickly, or, you know, insurance payments to help cover ransom if we have to have to pay it. 

So, yeah. I think it's here. You know, we'll see if the targeting remains more at some of the lower-security organizations or they go back at some bigger ones with a new tactic. 

Marci

Well, it sounds like these tactics, techniques, and procedures, you kind of touched on it, TTPs, of these ransomware-as-a-service groups out there are really, really sophisticated or just taking...you know, to some degree taking advantage of some slacks, things that might have been already in place. But do you guys both think collectively it's because the remote working policies that we've really kind of really changed our environment so quickly and dramatically? 

And for some, we kind of threw security to the wayside to get into the cloud quickly so we could remain productive during COVID. What do you think? 

Patrick

You want to take a shot at that, Mike? I've got some thoughts, too. 

Mike

Yeah, I'll start. So, I think that...you know, again, another question that's very company or industry specific, but I know here at Takeda, we were marching down the Zero Trust route for a while, and COVID basically accelerated that for us. So, in some respects, broadly speaking, we were fortunate that it was a strategy to basically turn everybody into their own domain, if you will, that we were marching for a while. 

But, you know, think about, and I'll use Takeda numbers, for example, we went from a 520-site company to a 71,000-site company because of everybody logging in from home. So, your attack factor, of course, increases quite a bit. But I think a lot of the TTPs, frankly, and the risk landscape, I would say, at least in my experience and what I've observed, is less around the technological elements and more about the human elements. 

Because a lot of this stuff that spreads, or if somebody is spoofed or somebody does something careless or makes an honest mistake that puts the company or your infrastructure at risk, human psychology shows us, you're much more likely to be careless if you're alone. So, I mean, fundamentally speaking and dynamically speaking, if you are in an office, surrounded by people, you're just basically subconsciously more careful. 

So, taking that into account and being much more tolerant of or knowledgeable of that and aware of that, and coming up with ways to better help people through from an awareness perspective and a good behavior perspective, and people are more willing to try things they weren't in the past. 

"I need to print to my home printer, but my PC's locked down." Or, "Hey, no one's looking over your shoulder. No one in the help desk can see me try to install this new piece of software." So, there's just a...generally speaking, it's a human behavioral thing that's put us at more risk as well. And of course, ransomware would fit into that category. But just as similarly as data exfiltration and other data exposure risks would as well. 

Patrick

I was going to say, Marci, I think the actors have gotten more sophisticated. And the actual ransomware software itself, you know, once it's been downloaded [inaudible] has certainly gotten more sophisticated. The way they get it on the networks hadn't changed in anything we're doing, whether we're talking about account takeovers, or ransomwares, or any of these things. 

It's, you know, the number one threat vector is, you know, stolen passwords and reusing. And in the work-from-home situation, one of the...you mentioned the cloud thing, but there's also, you know, people working from home, you know, 71,000 offices, who need to also get back to stuff, in some cases, on-prem. A lot of what we're seeing is, like, brute-forcing of an RDP session.

Or you had the two water...it was a water facility in California, another one in Florida, with TeamViewer hooked up. You know, all kinds of remote access tools have become a very important threat vector. And, you know, people just haven't...and, you know, I think Mike's right, that you haven't done some of the basic, you know, hygiene things. They've been a little careless. 

You know, not on purpose. Or they're setting up and trying to get back to work and do the things they need to do, but they left those things kind of exposed. And, you know, where the attacker sophistication has really come in is, and it's a multi-tiered group, the guys that are going and, you know, phishing for passwords, it's not really that they're cracking big databases anymore. That's still...they're popping databases and, you know, decrypting passwords and stuff like that and selling those. 

But they're also doing broad-scope phishing attacks. And there's a whole other group out there just looking for infrastructure that's left open. You know, a TeamViewer on a particular port or an RDP port that's exposed, and then just, you know, using traditional credential stuffing techniques and things like that in there to pop it. And that just gives the opening, you know. So, some ransomware comes in through, you know, an email, and, you know, I'm clicking on the wrong thing, and it, you know, drops it on my desktop and it expands. 

A lot of it is, you know, simply somebody, you know, the bad guys buy credentials and log in and, you know, put their...go to the server and install the ransomware. You know, it's a very direct kind of action. So, you know, it all trends back to stuff that we've known. So, the hygiene, you know, and carelessness come together. 

And I think that, you know, particularly when everybody was moving really fast. You know, COVID happened almost overnight to us. And so, it's, you know, not by no fault of...it's not a bunch of, you know, sysadmins who are trying to be careless. A bunch of sysadmins were working night and day, you know, tired to the bone, just trying to get everybody set up and doing what they needed to do to be productive. 

Marci

They were our very first frontline workers keeping America at work at the end of the day. So, you're absolutely right. And you have to do what you have to do to make that happen. So, I really think, after listening to both of you, we've got to rethink now, now we have a little bit of time to pause. We're going back to hybrid or going back to in-person type of working and endeavors overall.

So, I think we have to really take a step back and rethink our strategies overall. You know, Patrick, you touched about different techniques. And I think they're also pretty sophisticated with their modern automation tools, that they can scan the internet out there, find the weaknesses of your company.

And they're also using brute-force techniques out there just to exploit a simple common vulnerability that just has gone unpatched for years and months or it just sort of got put to the bottom of the pile, like, "Oh, we'll get to it tomorrow." But then 17 other things come up first. So, the prioritization factor. Because we don't really necessarily know always what's happening in our environments because we didn't really know the assets before. 

And now, here we are today, with a whole new set of playing cards out there that we had to put into play. To your point earlier, Mike, we're printing to home printers, where that was never allowed before, or other devices, and we're connecting to the internet, certainly, through our home networks, or hotspots, or however we can get online, or phones and things like that. 

And the backups, you know? The backup aspect. When you're sitting in your office, it's a lot easier to be logged into your network, traditionally, from a traditional sense, and then versus, you know, backing up there. So, we had to really think a lot of different ways of how the backup aspect. And backing up, certainly, as we all know, is one way to thwart a ransomware attack. Because if you already have your information and your data, you can just reset it back to the clock and maybe just lose a couple of days of information, which is a heck of a lot better than paying millions of dollars overall. 

So, Patrick, you know, what we've done in the past to protect against ransomware is certainly different to what we're going to be doing tomorrow. So, let's just sort of talk about some of these advanced tools out there and techniques that you think companies should be looking at and trying to protect themselves against these very sophisticated ransomware attacks, or very organized. 

I don't know if they're always sophisticated. I would call them more organized than sophisticated because some of the things are from the old playbook, but they just got a little bit more organized in how they approach it. 

Patrick

Yeah. It's really a horizontally integrated, you know, environment now. You know, different bad guys have different roles, and, you know, there's the password stealers, there's the finding open vulnerabilities and then leveraging the passwords or other techniques to get in, and then there's the guys that actually launch the ransomware. 

In fact, it's even more sophisticated than that. We've got the guys that build the ransomware infrastructure, the "ransomware as a service," you know, just like we can all sign up for software as a service. And, you know, so the guys that run that infrastructure are just, you know, taking a cut of whatever comes in, and, you know, they'll get other folks actually, you know, to launch the campaigns on there. You know, much in the same way I might launch a marketing campaign from a HubSpot or some other kind of marketing automation tool. 

I mean, it's not dissimilar at all to actually running a really vertically integrated business. You know, I actually start...you know, and this is not going to shock anybody, kind of, coming from the company I come from, but I start thinking about it as a...you know, I go forward back backwards forward. So, having good backups and secure backups offsite or, you know, in a different place than your, you know...you lock up the backups as well, then that's not helpful. 

I mean, people think they have backups, but when they get ransomed, when they go to restore and can't get them, that's like...so that's obviously a step that I would take right away. On the other end of it, kind of being proactive, it's, shut the front door. You know, the idea of having a password-protected remote access way into your network doesn't make a lot of sense, you know, into an on-prem environment. 

And we have the same thing in the cloud environment. So getting to a much more robust, strong authentication method, kind of MFA, I'll steal Ant Allan's quote from what...there was something called Password Day, which is the most ridiculous celebration ever. You know, World Password Day, you know, where bad advice abounds. 

You know, make them longer, make them stronger, change them frequently. You know, and the reality is, do you think a phishing email, if I type my password into a phishing email or, you know, my tool, either my browser or one of the password manager tools, you know, drops it in there for me, does the malware care if it's four characters or 400 characters and whether it has a special character? No. 

I mean, it's going to steal it no matter what. And so, you know, passwords have been a bad idea ever since, you know, Jim Clark and those guys invented Netscape and didn't do anything about it. I sent him on an apology tour when we first started, you know, for apologizing, first off, for his original sin. 

So, that's one part of shut the front door, eliminate passwords. At least, you know, the minimum, bare minimum now, is a multi-factor authentication. And, you know, the better path now is multi-factor authentication that only uses strong factors. So, if you eliminate, you know, a password as one of the factors, you know, you've really upped the game. 

And if you're not using any weak factors, like a magic link and an SMS, you know, or a code and an SMS text that, you know, can easily be stolen. You know, whether it's a SIM swap or, you know, I can get it in the POTS, or, you know, the network. There's lots of different ways for man-in-the-middle stuff to grab those codes and reuse them. So that's my first recommendation I got, for a company that's in the passwordless business, not quite shocking, but shut the front door. I mean, let's do that. 

Marci

I love that. Shut the front door. Boom. So, Mike, I would love to get your perspective about security teams out there really trying to detect the ransomware. They're kind of stealthy sometimes. But how do you think you can find one that might be, or several, lurking in your network? And is there some red flags that we can look for, or is there some false alarms that they kind of trigger? 

And overall, what about the ransomware, you know, plan that companies should be looking at? Obviously, the cost of doing business is a very scary option, but, you know, preventing that from happening, you know, by looking for those clues, those needles in the haystack. 

Mike

Yeah. I think there are definitely some techniques to use from a protection perspective and a technological protection perspective that I'll talk about, and they are important. But I would advise a little bit of a more business lens to it. And one of the things that I would...that we've been doing in my industry and I've been doing within my company is focused a little bit on the health economics...or, I'm sorry, the economics of technology, and realized that, roughly speaking, I mean, this varies by industry, but, you know, there was a recent Wharton and Harvard business collaboration that said, you know, as recently as five, six years ago, the cost of goods to produce most business outcomes, technology was about 30% of that cost. 

It's now almost 60%. 

So, fundamentally speaking, most businesses are twice as dependent on technology as they used to be. So, and obviously, things like ransomware are a direct impact to technology availability. So, it's no longer a "IT or a security issue." It's a business issue if the stuff's not running. So, that's first and foremost, is to get that level of support and understanding so that you can...and that will have long-term implications that, to your point, Marci, if things do look suspicious or things do look wonky, that folks will report it more quickly. 

You know, obviously, without making them paranoid. But, you know, obviously, that helps. I think another... 

Marci

So, see something, say something, is what you're saying. 

Mike

Exactly. Like the Amtrak station in Penn Station in Manhattan always reminded me. But I think the other thing that we've learned over the years that I think applies here, too, is, as security professionals, again, we have a tendency to dive into the technology and, therefore, we go after the new shiny, sexy object without looking what are the basics. Most ransomware outbreaks are lapses in basic protection and basic hygiene. 

And I think a lot of them are due to the fact that the teams are too focused on the new cool technology, and not enough on the basics. And I would also think that in our zeal to try to standardize our controls, which, of course, makes economic sense, we have to realize that depending on the size and the makeup of our enterprise, the same type of solutions won't protect an office environment, an R&D lab, a field salesperson, and a manufacturing plant. If I take my company as an example. 

So, we've had to take a one-standard approach to three or four because we call it internally the 18-minute versus 18-year challenge. In my manufacturing plant, I've got systems that are old enough to vote. And in our digital environment, I have systems that are under 20 minutes old. The new modules that our DevOps teams are releasing. 

Those two environments cannot have the same level of control applied to them. So, don't try, you know. So, figuring out, of course, we don't want to have 10, 20, 30 versions, but we can't have one either. So, finding the right balance of understanding what protection capabilities. You know, maybe you have a really advanced malware protection that you can put on all your office machines, but that won't work on your 15-year and 20-year-old systems in the plants. 

So, I think different techniques for different parts of the environment is important as well. 

Marci

So, let's talk a little bit about stronger authentication and how that might be able to protect us a little bit about the credential thefts that are out there. You know, recently in the 2021 Verizon data breach report, they found that organizations lacking MFA were easier targets than those that deployed MFA. 

Kind of, if you think about it, those that use the security systems in their home versus not are easier targets for the ones that decide to leave it off or never, you know, put them on. Anyway, credentials are really a glaring vulnerability and an area of opportunity. I think, at the end of the day, they're their main route. They're part of your front-door access, as Patrick sort of talked about. 

So, I think we really do need some stronger authentication type of solutions out there if we're going to prevent these breaches from going forward. So, Patrick, I'm going to sort of switch over to you. Talk about what you've seen with the link being between stolen credentials and security breaches like ransomware. Is there a direct connection? Is MFA really going to help against a credential theft? Or is it just, you know, an additional piece of technology that we just need to maybe add, but it's not like...it's just putting the seatbelt on? 

Patrick

Yeah. No, it's one of the layered controls, and it absolutely will help. One thing I would say that, you know, like all car...to take your car analogy, it's not...you know, all cars aren't created equal in terms of safety, and all MFA methods aren't equally as good. And one of the...you know, starting...you know, Mike started from a business perspective, which I love, by the way, thinking about the economics is important. 

One thing, as I've talked to CISOs over the last two...really, the last two years, you know, having been one myself and a CIO and in the old days, I've been really shocked at how often CISOs are starting from a user experience perspective as well. I mean, it was a bit of a shit-show during COVID and getting everything else sorted, but there's really an interesting...as I've talked to them, UX and design ends up being...and really, you know, helping employees get done what they need to get done is a factor. 

And with a lot of MFA solutions, they're almost at odds, you know. And, in fact, a lot of security solutions we've put in place. We add another control and it, you know, incrementally makes, you know, the life of the end-user trying to do their work worse, you know. So, you know, one really important factor in whatever we choose to build stronger authentication is do it in a way...so, we started with passwords. You know, make them longer, make them stronger. You know, now they're writing them down, and all the reasons that, you know, a lot of us understand why that was, you know, kind of a pain. But we also put the burden on users. Now it's just bad advice, as I had said before. It doesn't really matter. I can steal them. So, but MFA is the same thing. 

If you take an MFA solution that requires me to go...you know, for every app I'm logging into, I'm, you know, picking up a second device, grabbing a code, typing it in, clicking, you know, if it takes another 30, 40, 50 seconds and any given user is going to be logged on to six, eight, 10 applications, you really have to think about that. So, that's one real important consideration if you're evaluating this stuff. User experience matters. 

And on the other side of the equation, security matters. So, you know, a solution that could be super easy to use but is all weak factors, basically, you know, a password is a shared secret. If it's just another shared secret, you know, by another name, you know, called MFA, you know, as I like to say, a screen door in front of a screen door doesn't do you any good in terms of protecting you from somebody getting inside, you know? 

So, on the other hand, you don't want the door key, you know, if you have two iron doors and it's, you know, you have to turn the dial, you know, 15 different combination things to get in, that's not very helpful to people who actually need to get in where they're getting in. So, some balance of, you know, high security with strong usability ends up being important. You know, the password is just, you know, one of the pieces. 

One other thing, and we can come back to it later, is probably in this...you had mentioned it early, we're not only work from home, you know, Mike's got guys, you know, working in plants, you know, and, I'm sure, using on-prem software that he's got, services and software and probably a mix of cloud things. Like he said, you have different controls. One of the big gaps is people working from wherever on a range of devices, accessing cloud applications, where I can't assume my old perimeter network controls, "Hey, they're on my network. I can trust them." 

You know, Mike's gone down the Zero Trust path already. So, you know, there's an element of that, of not only figuring out who the user is, which device are they using, and is that thing secure enough to let into whatever I'm trying to get it in. Because very often, I'm not now, you know, going through my own network. I may be VPNing in, but it's kind of unpopular, you know, to send, you know, business users who need to access a cloud application, "Okay. Log into your VPN first, then trombone out, go through the pain of logging in, go through, you know, the slow, bad user experience just to get to some SaaS application." 

So, there's a piece of kind of Zero Trust element that, you know, authentication isn't just about the person anymore, it's also authenticating a device and understanding whether that device is secure enough to let into the resources you need. So, I think when I think about MFA, I think very, very broadly. Very narrowly, it has to be easy. And then more broadly, it has to accomplish some other jobs other than just authenticating users strongly. 

Marci

So, to bridge on what Patrick is saying, Mike, what stronger authentication methods do you think we can adopt? And how do we deploy them in a way that doesn't cause more friction? 

I know, like, users just hate having all these barriers and everything. They just want seamless to get around and do their jobs and not feel like they have to, you know, deal with a million different things while just trying to get the work done, especially in an environment that they may have been accustomed to working in and now are turning back to. So, want to think about that with us? 

Mike

Yeah. And Patrick touched on some really powerful points here. I think that for a long time, security practitioners have continuously navigated the trade-off of experience with control. And it's time that we stop accepting that it's a trade-off and work really, really hard to provide better security and better experience at the same time. 

Because when you start thinking about moving authentication, for example, from an event-driven type of approach to a continuous approach, depending on exactly what technique you use, then theoretically, you're improving the experience, and you're improving security. I think there's a lot of philosophical things that, as an industry, that we've let persist for a long period of time. 

I know that I've heard a couple of leaders tell me, "Well, nothing that you've done five years ago is probably appropriate for today." Well, Fernando Corbato invented the password in 1960 at MIT. And here we are, 61 years later, and we still...as a collective industry, we allow it, and we... And even MFA, some of the RSA implementations for MFA are almost 20 years old. So, here we are, with this massive onset of a digital revolution, and we're still allowing these, by definition in the technology, ancient technologies to persist. 

So, I think that there's a significant amount of work we need to do from a practitioner perspective to eradicate that. I also think that there are some fundamental assumptions that we've made all along about how our various IT departments, our operations departments, want every machine to be connected to each other procedurally to manage them. 

And in my mind, it's analogous to having every house in the neighborhood connected by a stream of highly flammable liquids. So, God forbid, you have one house that catches fire. All of a sudden, they all are going to. Well, that's how we build our environments today to manage our PCs. So, there's a fundamental element of having each machine on their own island, if you will. And so that we could always control the radius of any kind of attack, limit it to that machine. Because that's how ransomware spreads, is through common share protocols. 

So, I think there's a lot of almost completely ground-up rethinking of, you know, the kind of stuff that companies like Amazon and Apple have been thinking about for years, but for whatever reason, in corporate America, in corporate world, we've not adopted those themes, even though our collective user base is starting to view that as normal. 

And then we immediately bifurcate the experience from what they get from a really good consumer app to what they get at work. And in reality, the two constants need to come together. So, I think from a...in my mind, authentication has to become continuous, and it has to be tremendously easy to use. And I think people... 

And of course, any factor is better than just a password. 

So, if you're starting simple, push authentication to the phone, you know, all these things that are out there that are a good...point. And I think that, you know, again, we have to collectively stop accepting the burden excuse. Because things that persist, for example...I'll give you a real case study from a Takeda perspective. When we were originally rolling out push authentication, you know, going on four or five years ago now, we heard a lot of pushback that what about the people that don't have smartphones? 

Well, and even though we don't provide a smartphone for every person, we've realized that only one percent of our users didn't have a smartphone. So, how many cycles did we waste designing for a one percent exception? So, and you think about, well, they're not going to accept the company-installed app on their personal phone. 

Well, we don't provide everybody a car either, but we figure they'll get to the office. So, we can assume that they have these devices and we can leverage them as well. So, there's a lot of tactics that I think that we can partner with our user base to accept this as a norm rather than an exception moving forward. And that includes the other continuous authentication piece that I think is where we're heading. 

Patrick

Yeah, totally agree on continuous auth, for sure. 

Marci

Very reminiscent of my PeopleSoft implementation days. There was always, like, the scenario, "Oh, let's figure out this procedure," and, like, they've never had it in 30 years. But all good. We've had a great response from our audience with a lot of interesting questions. And I want to start with Frank Iglesias's questions, because we've never been really asked this question before, and, you know, I think it's an important consideration. 

So, I'm going to lump his two questions together. I'd love your feedback. What do you recommend for ADA folks, for example, like, a blind person? And then they have some various clients that are over the age of 70 with various issues. So, you know, there's challenges at the end of the day out there. And how would you approach that for Frank's folks? 

Mike

You want to start, Patrick? You got it. 

Patrick

Sure. Yeah, that's a fascinating and a very relevant question. You know, for our company, we've really got two kind of user bases that we support. The workforce, like, you know, Mike and his employees. We also work with companies who sell, you know, apps or, you know, financial apps and things like that. And so, you know, they call it the "CIAM," the Customer Identity and Access Management, you know, scenario. 

And, you know, it's relevant in both. So, the UX thing ends up, you know, kind of being easy if I've got multiple factors and I've got to go between devices. I don't know, though. I don't actually know the perfect answer to that question. You know, I think, you know, one of it is, you know, choosing software that follows the ADA guidelines. I mean, there are actually, you know, guidelines for how to do that and making sure that, you know, in some cases, if you've got blind or seeing-impaired people, that, it can...that there's voice kinds of prompts and things like that that they can get, not necessarily from the software, but even if it's not built in the software, can read over top of it. 

So, you know, making sure the UX, you know, of whatever solution is... The way we thought about it was, you know, we put an authenticator on each device. It's a little piece of authenticator code. And, you know, if that thing's telling you, you know, and prompting you for the next steps, you know, then it's fairly easy to follow for somebody with that kind of a disability. But, you know, that's a persistent problem across, you know, tech. 

I don't know, as an industry, candidly, that we've...you know, we've made some progress there, but I would...you know, if I graded us on a, you know, A, B, C, D, E, F, and, you know, we're barely getting a C, I would imagine, at this point. So, you know, it's a good reminder to software vendors like us that, you know, we need to do better in this regard in design. You know, it's not a one percent problem, it's, you know... 

Marci

Yeah. I wanted to say that's probably definitely not a one percent problem. Well, let's just jump into our next... Oh, did you want to add something, Mike? Because we only have a couple more minutes, and I'd love to get another question in. 

Mike

The only thing I would add very, very quickly is that being that we're in the business of, as Patrick mentioned, more of a CIAM approach, where we're developing more and more applications and mobile apps for, say, our patients, one of our therapeutic areas is oncology, which tends to have a lot of older patients who are not very tech-savvy, we've invested some energy in trying to address the UX issue by going with a companion care. 

So, a verification technique where maybe the person can't authenticate, but there's someone that they know and trust that can for them. And we go through a little bit of energy of verifying their authenticity as well so that they can get some help from a caregiver. 

Marci

Perfect. Well, our last question today is... This is a question from Vaughn Hazen: "We've seen some studies where 80% of the companies paying the ransom experience another event. My guess is it's due to the fact that they did not address the root cause of the initial infection." Good assumption. 

"Have you seen this work in what you're doing?" Have you seen this in the work overall? So, I'm going to have Patrick sort of answer that question. Are you seeing that they just didn't do a good job cleaning it up from the beginning and it's sort of, you know, a disease that just keeps getting infectious there? 

Patrick

That number seems high to me. I'd be interested in Mike. I actually don't have the exact data on that. You know, there's, you know, trust among thieves, you know, kind of thing. They're not likely to get hit by the same guys. Because if the same guys hit you multiple times, then their reputation, you know, dwindles, and the next guy that gets hit, it's like, "Well, I'm not going to pay the ransom because I'm going to..." 

They want to do everything to, you know, ensure that you actually pay. But this could be multiple different actors. So, I think, yeah, if you get hit twice, you know, you probably haven't done some of the basic hygiene stuff. Again, while the ransomware software itself has gotten more effective and more clever, the ways to get it on a system have not. 

So, it's a lot of basic hygiene. You know, it's... I don't know if, Mike, if you guys are doing any of the user education, you know, on clicking on the wrong link and all that stuff, because obviously, that's one way to get ransomware on the system. But as we've already talked about, credential theft and credential stuffing techniques and remote access tools end up being the biggest vector. So, yeah, if they're getting hit again, it's likely hygiene. But I don't...that number seems very high to me. 

Mike

The only thing I would add is that, you know, we have to avoid, as an industry, and try really hard not to stigmatize people who get hit, because it's not a matter of if, it's when we'll all get hit. 

But I think what's happening is that people who pay a ransom, and there's a really, really good reason why a hospital would pay it, like I said before, or others would pay it, but people who pay a ransom basically demonstrate that they have control deficiencies. So, and they basically advertise themselves as a wider target. It's not just about the whole law enforcement thing. "Well, if I pay ransom because someone's been kidnapped, I'm more willing to do it again. So, I'll be targeted again." 

There's a little bit of that as well. But I think ransom payment is, generally speaking, a recognition that there are other things wrong. So, you're going to be a bigger target from that point forward because of what that exposes. So, I agree completely that a lot of this, as I said before, is let's not be so tempted to look at the new, cool, sexy stuff and focus on the basics. Patching, hygiene, and just good general practice there. 

Marci

Going back to the basics. Well, thank you, all, for joining us today, and thank you to our panelists, Patrick and Mike. We loved your conversation and all the thoughts that you shared with us today.  

Stay healthy and safe, and have some fun in the sun. And be careful of some of the places that are having a heatwave. I want to say thank you to Beyond Identity for being our sponsor today. And once again, thank you to Patrick and Mike for being our panelists.


But they're also doing broad-scope phishing attacks. And there's a whole other group out there just looking for infrastructure that's left open. You know, a TeamViewer on a particular port or an RDP port that's exposed, and then just, you know, using traditional credential stuffing techniques and things like that in there to pop it. And that just gives the opening, you know. So, some ransomware comes in through, you know, an email, and, you know, I'm clicking on the wrong thing, and it, you know, drops it on my desktop and it expands. 

A lot of it is, you know, simply somebody, you know, the bad guys buy credentials and log in and, you know, put their...go to the server and install the ransomware. You know, it's a very direct kind of action. So, you know, it all trends back to stuff that we've known. So, the hygiene, you know, and carelessness come together. 

And I think that, you know, particularly when everybody was moving really fast. You know, COVID happened almost overnight to us. And so, it's, you know, not by no fault of...it's not a bunch of, you know, sysadmins who are trying to be careless. A bunch of sysadmins were working night and day, you know, tired to the bone, just trying to get everybody set up and doing what they needed to do to be productive. 

Marci

They were our very first frontline workers keeping America at work at the end of the day. So, you're absolutely right. And you have to do what you have to do to make that happen. So, I really think, after listening to both of you, we've got to rethink now, now we have a little bit of time to pause. We're going back to hybrid or going back to in-person type of working and endeavors overall.

So, I think we have to really take a step back and rethink our strategies overall. You know, Patrick, you touched about different techniques. And I think they're also pretty sophisticated with their modern automation tools, that they can scan the internet out there, find the weaknesses of your company.

And they're also using brute-force techniques out there just to exploit a simple common vulnerability that just has gone unpatched for years and months or it just sort of got put to the bottom of the pile, like, "Oh, we'll get to it tomorrow." But then 17 other things come up first. So, the prioritization factor. Because we don't really necessarily know always what's happening in our environments because we didn't really know the assets before. 

And now, here we are today, with a whole new set of playing cards out there that we had to put into play. To your point earlier, Mike, we're printing to home printers, where that was never allowed before, or other devices, and we're connecting to the internet, certainly, through our home networks, or hotspots, or however we can get online, or phones and things like that. 

And the backups, you know? The backup aspect. When you're sitting in your office, it's a lot easier to be logged into your network, traditionally, from a traditional sense, and then versus, you know, backing up there. So, we had to really think a lot of different ways of how the backup aspect. And backing up, certainly, as we all know, is one way to thwart a ransomware attack. Because if you already have your information and your data, you can just reset it back to the clock and maybe just lose a couple of days of information, which is a heck of a lot better than paying millions of dollars overall. 

So, Patrick, you know, what we've done in the past to protect against ransomware is certainly different to what we're going to be doing tomorrow. So, let's just sort of talk about some of these advanced tools out there and techniques that you think companies should be looking at and trying to protect themselves against these very sophisticated ransomware attacks, or very organized. 

I don't know if they're always sophisticated. I would call them more organized than sophisticated because some of the things are from the old playbook, but they just got a little bit more organized in how they approach it. 

Patrick

Yeah. It's really a horizontally integrated, you know, environment now. You know, different bad guys have different roles, and, you know, there's the password stealers, there's the finding open vulnerabilities and then leveraging the passwords or other techniques to get in, and then there's the guys that actually launch the ransomware. 

In fact, it's even more sophisticated than that. We've got the guys that build the ransomware infrastructure, the "ransomware as a service," you know, just like we can all sign up for software as a service. And, you know, so the guys that run that infrastructure are just, you know, taking a cut of whatever comes in, and, you know, they'll get other folks actually, you know, to launch the campaigns on there. You know, much in the same way I might launch a marketing campaign from a HubSpot or some other kind of marketing automation tool. 

I mean, it's not dissimilar at all to actually running a really vertically integrated business. You know, I actually start...you know, and this is not going to shock anybody, kind of, coming from the company I come from, but I start thinking about it as a...you know, I go forward back backwards forward. So, having good backups and secure backups offsite or, you know, in a different place than your, you know...you lock up the backups as well, then that's not helpful. 

I mean, people think they have backups, but when they get ransomed, when they go to restore and can't get them, that's like...so that's obviously a step that I would take right away. On the other end of it, kind of being proactive, it's, shut the front door. You know, the idea of having a password-protected remote access way into your network doesn't make a lot of sense, you know, into an on-prem environment. 

And we have the same thing in the cloud environment. So getting to a much more robust, strong authentication method, kind of MFA, I'll steal Ant Allan's quote from what...there was something called Password Day, which is the most ridiculous celebration ever. You know, World Password Day, you know, where bad advice abounds. 

You know, make them longer, make them stronger, change them frequently. You know, and the reality is, do you think a phishing email, if I type my password into a phishing email or, you know, my tool, either my browser or one of the password manager tools, you know, drops it in there for me, does the malware care if it's four characters or 400 characters and whether it has a special character? No. 

I mean, it's going to steal it no matter what. And so, you know, passwords have been a bad idea ever since, you know, Jim Clark and those guys invented Netscape and didn't do anything about it. I sent him on an apology tour when we first started, you know, for apologizing, first off, for his original sin. 

So, that's one part of shut the front door, eliminate passwords. At least, you know, the minimum, bare minimum now, is a multi-factor authentication. And, you know, the better path now is multi-factor authentication that only uses strong factors. So, if you eliminate, you know, a password as one of the factors, you know, you've really upped up the game. 

And if you're not using any weak factors, like a magic link and an SMS, you know, or a code and an SMS text that, you know, can easily be stolen. You know, whether it's a SIM swap or, you know, I can get it in the pots, or, you know, the network. There's lots of different ways for man in the middle stuff to grab those codes and reuse them. So that's my first recommendation I got, for a company that's in the passwordless business, not quite shocking, but shut the front door. I mean, let's do that. 

Marci

I love that. Shut the front door. Boom. So, Mike, I would love to get your perspective about security teams out there really trying to detect the ransomware. They're kind of stealthy sometimes. But how do you think you can find one that might be, or several, lurking in your network? And is there some red flags that we can look for, or is there some false alarms that they kind of trigger? 

And overall, what about the ransomware, you know, plan that companies should be looking at? Obviously, the cost of doing business is a very scary option, but, you know, preventing that from happening, you know, by looking for those clues, those needles in the haystack. 

Mike

Yeah. I think there are definitely some techniques to use from a protection perspective and a technological protection perspective that I'll talk about, and they are important. But I would advise a little bit of a more business lens to it. And one of the things that I would...that we've been doing in my industry and I've been doing within my company is focused a little bit on the health economics...or, I'm sorry, the economics of technology, and realized that, roughly speaking, I mean, this varies by industry, but, you know, there was a recent Wharton and Harvard business collaboration that said, you know, as recently as five, six years ago, the cost of goods to produce most business outcomes, technology was about 30% of that cost. 

It's now almost 60%. 

So, fundamentally speaking, most businesses are twice as dependent on technology as they used to be. So, and obviously, things like ransomware are a direct impact to technology availability. So, it's no longer an "IT or a security issue." It's a business issue if the stuff's not running. So, that's first and foremost, is to get that level of support and understanding so that you can...and that will have long-term implications that, to your point, Marci, if things do look suspicious or things do look wonky, that folks will report it more quickly. 

You know, obviously, without making them paranoid. But, you know, obviously, that helps. I think another... 

Marci

So, see something, say something, is what you're saying. 

Mike

Exactly. Like the Amtrak station in Penn Station in Manhattan always reminded me. But I think the other thing that we've learned over the years that I think applies here, too, is, as security professionals, again, we have a tendency to dive into the technology and, therefore, we go after the new shiny, sexy object without looking what are the basics. Most ransomware outbreaks are lapses in basic protection and basic hygiene. 

And I think a lot of them are due to the fact that the teams are too focused on the new cool technology, and not enough on the basics. And I would also think that in our zeal to try to standardize our controls, which, of course, makes economic sense, we have to realize that depending on the size and the makeup of our enterprise, the same type of solutions won't protect an office environment, an R&D lab, a field salesperson, and a manufacturing plant. If I take my company as an example. 

So, we've had to take a one-standard approach to three or four because we call it internally the 18-minute versus 18-year challenge. In my manufacturing plant, I've got systems that are old enough to vote. And in our digital environment, I have systems that are under 20 minutes old. The new modules that our DevOps teams are releasing. 

Those two environments cannot have the same level of control applied to them. So, don't try, you know. So, figuring out, of course, we don't want to have 10, 20, 30 versions, but we can't have one either. So, finding the right balance of understanding what protection capabilities. You know, maybe you have a really advanced malware protection that you can put on all your office machines, but that won't work on your 15-year and 20-year-old systems in the plants. 

So, I think different techniques for different parts of the environment is important as well. 

Marci

So, let's talk a little bit about stronger authentication and how that might be able to protect us a little bit about the credential thefts that are out there. You know, recently in the 2021 Verizon data breach report, they found that organizations lacking MFA were easier targets than those that deployed MFA. 

Kind of, if you think about it, those that use the security systems in their home versus not are easier targets for the ones that decide to leave it off or never, you know, put them on. Anyway, credentials are really a glaring vulnerability and an area of opportunity. I think, at the end of the day, they're their main route. They're part of your front-door access, as Patrick sort of talked about. 

So, I think we really do need some stronger authentication type of solutions out there if we're going to prevent these breaches from going forward. So, Patrick, I'm going to sort of switch over to you. Talk about what you've seen with the link being between stolen credentials and security breaches like ransomware. Is there a direct connection? Is MFA really going to help against a credential theft? Or is it just, you know, an additional piece of technology that we just need to maybe add, but it's not like...it's just putting the seatbelt on? 

Patrick

Yeah. No, it's one of the layered controls, and it absolutely will help. One thing I would say that, you know, like all car...to take your car analogy, it's not...you know, all cars aren't created equal in terms of safety, and all MFA methods aren't equally as good. And one of the...you know, starting...you know, Mike started from a business perspective, which I love, by the way, thinking about the economics is important. 

One thing, as I've talked to CISOs over the last two...really, the last two years, you know, having been one myself and a CIO and in the old days, I've been really shocked at how often CISOs are starting from a user experience perspective as well. I mean, it was a bit of a shit-show during COVID and getting everything else sorted, but there's really an interesting...as I've talked to them, UX and design ends up being...and really, you know, helping employees get done what they need to get done is a factor. 

And with a lot of MFA solutions, they're almost at odds, you know. And, in fact, a lot of security solutions we've put in place. We add another control and it, you know, incrementally makes, you know, the life of the end-user trying to do their work worse, you know. So, you know, one really important factor in whatever we choose to build stronger authentication is do it in a way...so, we started with passwords. You know, make them longer, make them stronger. You know, now they're writing them down, and all the reasons that, you know, a lot of us understand why that was, you know kind of a pain. But we also put the burden on users. Now it's just bad advice, as I had said before. It doesn't really matter. I can steal them. So, but MFA is the same thing. 

If you take an MFA solution that requires me to go...you know, for every app I'm logging into, I'm, you know, picking up a second device, grabbing a code, typing it in, clicking, you know, if it takes another 30, 40, 50 seconds and any given user is going to be logged on to six, eight, 10 applications, you really have to think about that. So, that's one real important consideration if you're evaluating this stuff. User experience matters. 

And on the other side of the equation, security matters. So, you know, a solution that could be super easy to use but is all weak factors, basically, you know, a password is a shared secret. If it's just another shared secret, you know, by another name, you know, called MFA, you know, as I like to say, a screen door in front of a screen door doesn't do you any good in terms of protecting you from somebody getting inside, you know? 

So, on the other hand, you don't want the door key, you know, if you have to iron doors and it's, you know, you have to turn the dial, you know, 15 different combination things to get in, that's not very helpful to people who actually need to get in where they're getting in. So, some balance of, you know, high security with strong usability ends up being important. You know, the password is just, you know, one of the pieces. 

One other thing, and we can come back to it later, is probably in this...you had mentioned it early, we're not only work from home, you know, Mike's got guys, you know, working in plants, you know, and, I'm sure, using on-prem software that he's got, services and software and probably a mix of cloud things. Like he said, you have different controls. One of the big gaps is people working from wherever on a range of devices, accessing cloud applications, where I can't assume my old perimeter network controls, "Hey, they're on my network. I can trust them." 

You know, Mike's gone down the Zero Trust path already. So, you know, there's an element of that, of not only figuring out who the user is, which device are they using, and is that thing secure enough to let into whatever I'm trying to get it in. Because very often, I'm not now, you know, going through my own network. I may be VPNing in, but it's kind of unpopular, you know, to send, you know, business users who need to access a cloud application, "Okay. Log into your VPN first, then trombone out, go through the pain of logging in, go through, you know, the slow, bad user experience just to get to some SaaS application." 

So, there's a piece of kind of Zero Trust element that, you know, authentication isn't just about the person anymore, it's also authenticating a device and understanding whether that device is secure enough to let into the resources you need. So, I think when I think about MFA, I think very, very broadly. Very narrowly, it has to be easy. And then more broadly, it has to accomplish some other jobs other than just authenticating users strongly. 

Marci

So, to bridge on what Patrick is saying, Mike, what stronger authentication methods do you think we can adopt? And how do we deploy them in a way that doesn't cause more friction? 

I know, like, users just hate having all these barriers and everything. They just want seamless to get around and do their jobs and not feel like they have to, you know, deal with a million different things while just trying to get the work done, especially in an environment that they may have been accustomed to be working in and now are turning back to. So, want to think about that with us? 

Mike

Yeah. And Patrick touched on some really powerful points here. I think that for a long time, security practitioners have continuously navigated the trade-off of experience with control. And it's time that we stop accepting that it's a trade-off and work really, really hard to provide better security and better experience at the same time. 

Because when you start thinking about moving authentication, for example, from an event-driven type of approach to a continuous approach, depending on exactly what technique you use, then theoretically, you're improving the experience, and you're improving security. I think there's a lot of philosophical things that, as an industry, that we've let persist for a long period of time. 

I know that I've heard a couple of leaders tell me, "Well, nothing that you've done five years ago is probably appropriate for today." Well, Fernando Corbato invented the password in 1960 at MIT. And here we are, 61 years later, and we still...as a collective industry, we allow it, and we... And even MFA, some of the RSA implementations for MFA are almost 20 years old. So, here we are, with this massive onset of a digital revolution, and we're still allowing these, by definition in the technology, ancient technologies to persist. 

So, I think that there's a significant amount of work we need to do from a practitioner perspective to eradicate that. I also think that there are some fundamental assumptions that we've made all along about how our various IT departments, our operations departments, want every machine to be connected to each other procedurally to manage them. 

And in my mind, it's analogous to having every house in the neighborhood collected by a stream of highly flammable liquids. So, God forbid, you have one house that catches fire. All of a sudden, they all are going to. Well, that's how we build our environments today to manage our PCs. So, there's a fundamental element of having each machine on their own island, if you will. And so that we could always control the radius of any kind of attack, limit it to that machine. Because that's how ransomware spreads is through common share protocols. 

So, I think there's a lot of almost completely ground-up rethinking of, you know, the kind of stuff that companies like Amazon and Apple have been thinking about for years, but for whatever reason, in corporate America, in corporate world, we've not adopted those themes, even though our collective user base is starting to view that as normal. 

And then we immediately bifurcate the experience from what they get from a really good consumer app to what they get at work. And in reality, the two constants need to come together. So, I think from a...in my mind, authentication has to become continuous, and it has to be tremendously easy to use. And I think people... 

And of course, any factor is better than just a password. 

So, if you're starting simple, push authentication to the phone, you know, all these things that are out there that are a good...point. And I think that, you know, again, we have to collectively stop accepting the burden excuse. Because things that persist, for example...I'll give you a real case study from a Takeda perspective. When we were originally rolling out push authentication, you know, going on four or five years ago now, we heard a lot of pushback that what about the people that don't have smartphones? 

Well, and even though we don't provide a smartphone for every person, we've realized that only one percent of our users didn't have a smartphone. So, how many cycles did we waste designing for a one percent exception? So, and you think about, well, they're not going to accept the company-installed app on their personal phone. 

Well, we don't provide everybody a car either, but we figure they'll get to the office. So, we can assume that they have these devices and we can leverage them as well. So, there's a lot of tactics that I think that we can partner with our user base to accept this as a norm rather than an exception moving forward. And that includes the other continuous authentication piece that I think is where we're heading. 

Patrick

Yeah, totally agree on continuous auth, for sure. 

Marci

Very reminiscent of my PeopleSoft implementation days. There was always, like, the scenario, "Oh, let's figure out this procedure," and, like, they've never had it in 30 years. But all good. We've had a great response from our audience with a lot of interesting questions. And I want to start with Frank Iglesias's questions, because we've never been really asked this question before, and, you know, I think it's an important consideration. 

So, I'm going to lump his two questions together. I'd love your feedback. What do you recommend for ADA folks, for example, like, a blind person? And then they have some various clients that are over the age of 70 with various issues. So, you know, there's challenges at the end of the day out there. And how would you approach that for Frank's folks? 

Mike

You want to start, Patrick? You got it. 

Patrick

Sure. Yeah, that's a fascinating and a very relevant question. You know, for our company, we've really got two kind of user bases that we support. The workforce, like, you know, Mike and his employees. We also work with companies who sell, you know, apps or, you know, financial apps and things like that. And so, you know, they call it the "CIAM," the Customer Identity and Access Management, you know, scenario. 

And, you know, it's relevant in both. So, the UX thing ends up, you know, kind of being easy if I've got multiple factors and I've got to go between devices. I don't know, though. I don't actually know the perfect answer to that question. You know, I think, you know, one of it is, you know, choosing software that follows the ADA guidelines. I mean, there are actually, you know, guidelines for how to do that and making sure that, you know, in some cases, if you've got blind or seeing-impaired people, that, it can...that there's voice kinds of prompts and things like that that they can get, not necessarily from the software, but even if it's not built in the software, can read over top of it. 

So, you know, making sure the UX, you know, of whatever solution is... The way we thought about it was, you know, we put an authenticator on each device. It's a little piece of authenticator code. And, you know, if that thing's telling you, you know, and prompting you for the next steps, you know, then it's fairly easy to follow for somebody with that kind of a disability. But, you know, that's a persistent problem across, you know, tech. 

I don't know, as an industry, candidly, that we've...you know, we've made some progress there, but I would...you know, if I graded us on a, you know, A, B, C, D, E, F, and, you know, we're barely getting a C, I would imagine, at this point. So, you know, it's a good reminder to software vendors like us that, you know, we need to do better in this regard in design. You know, it's not a one percent problem, it's, you know... 

Marci

Yeah. I wanted to say that's probably definitely not a 1% problem. Well, let's just jump into our next... Oh, did you want to add something, Mike? Because we only have a couple more minutes, and I'd love to get another question in. 

Mike

The only thing I would add very, very quickly is that being that we're in the business of, as Patrick mentioned, more of a CIAM approach, where we're developing more and more applications and mobile apps for, say, our patients, one of our therapeutic areas is oncology, which tends to have a lot of older patients who are not very tech-savvy, we've invested some energy in trying to address the UX issue by going with a companion care. 

So, a verification technique where maybe the person can't authenticate, but there's someone that they know and trust that can for them. And we go through a little bit of energy of verifying their authenticity as well so that they can get some help from a caregiver. 

Marci

Perfect. Well, our last question today is... This is a question from Vaughn Hazen, and "We've seen some studies where 80% of the companies paying the ransom experience another event. My guess is, is due to the fact that they did not address the root cause of the initial infection." Good assumption. 

"Have you seen this work in what you're doing?" Have you seen this in the work overall? So, I'm going to have Patrick sort of answer that question. Are you seeing that they just didn't do a good job cleaning it up from the beginning and it's sort of, you know, a disease that just keeps getting infectious there? 

Patrick

That number seems high to me. I'd be interested in Mike. I actually don't have the exact data on that. You know, there's, you know, trust among thieves, you know, kind of thing. They're not likely to get hit by the same guys. Because if the same guys hit you multiple times, then their reputation, you know, dwindles, and the next guy that gets hit, it's like, "Well, I'm not going to pay the ransom because I'm going to..." 

They want to do everything to, you know, ensure that you actually pay. But this could be multiple different actors. So, I think, yeah, if you get hit twice, you know, you probably haven't done some of the basic hygiene stuff. Again, while the ransomware software itself has gotten more effective and more clever, the ways to get it on a system have not. 

So, it's a lot of basic hygiene. You know, it's... I don't know if, Mike, if you guys are doing any of the user education, you know, on clicking on the wrong link and all that stuff, because obviously, that's one way to get ransomware on the system. But as we've already talked about, credential theft and credential stuffing techniques and remote access tools ends up being the biggest vector. So, yeah, if they're getting hit again, it's likely hygiene. But I don't...that number seems very high to me. 

Mike

The only thing I would add is that, you know, we have to avoid, as an industry, and try really hard not to stigmatize people who get hit, because it's not a matter of if, it's when we'll all get hit. 

But I think what's happening is that people who pay a ransom, and there's a really, really good reason why a hospital would pay it, like I said before, or others would pay it, but people who pay a ransom basically demonstrate that they have control deficiencies. So, and they basically advertise themselves as a wider target. It's not just about the whole law enforcement thing. "Well, if I pay ransom because someone's been kidnapped, I'm more willing to do it again. So, I'll be targeted again." 

There's a little bit of that as well. But I think ransom payment is, generally speaking, a recognition that there is other things wrong. So, you're going to be a bigger target from that point forward because of what that exposes. So, I agree completely that a lot of this, as I said before, is let's not be so tempted to look at the new, cool, sexy stuff and focus on the basics. Patching, hygiene, and just good general practice there. 

Marci

Going back to the basics. Well, thank you, all, for joining us today, and thank you to our panelists, Patrick and Mike. We loved your conversation and all the thoughts that you shared with us today.  

Stay healthy and safe, and have some fun in the sun. And be careful of some of the places that are having a heatwave. I want to say thank you to Beyond Identity for being our sponsor today. And once again, thank you to Patrick and Mike for being our panelists.

TEN: ISE Fireside Chat

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Listen to the following security experts share their insights in the webinar:

  • Marci McCarthy, CEO and President at T.E.N.
  • Patrick McBride, Chief Marketing Officer at Beyond Identity
  • Mike Towers, Chief Information Security Officer at Takeda Pharmaceuticals

Transcription

Marci

Hello, and welcome to our ISE Fireside Webinar. We're thrilled to be here with you on the very last day of June and getting ready for the July 4th holidays. We appreciate you joining us this afternoon. We're very excited to have Beyond Identity as our sponsor and appreciate their partnership with us. Our topic today is "Eliminate Ransomware, Phishing, and Other Credential-Based Attacks by Eliminating Passwords." 

Great conversation, and a very timely topic, certainly, for sure. Let's go ahead and jump into our agenda and some few housekeeping things, and we'll hear from our panelists in just a second. So, we will certainly learn about our panelists in a couple of minutes. And we're thrilled to have them with us today. And we will also hear from Beyond Identity and a little bit about what they do and why they're doing some really very innovative things out there. 

We'll jump into our panel discussions. And then from there, we'll have our Q&A session. We're going to ask all of our viewers as they think of their questions today, to put that Q&A question into the Q&A chat window. This way, we'll have some great conversation and hear from you towards the end of our show. 

If you are joining us and are in need of a CPE credit, we kindly ask that you fill out the survey to its completion, and let us know that you need that information. We will send you an email tomorrow with your CPE accreditation, and you will need to upload that into your account. You will need to attend the webinar in its entirety to be receiving that CPE credit. Thank you again for joining me today.

All right. Let's jump into our panelist discussions. Our panelist introductions, I should say. So, our first panelist is Mike Towers, chief information security officer for Takeda Pharmaceuticals. Mike, how's it going? I hear you're in Boston and it's like Hotlanta up there. 

Mike

Yeah. Good to see you, Marci. And thanks for having me. Very, very hot this week. It's supposed to cool down for the July 4th weekend, but, obviously, Boston can get very cold in the winter and, I guess, very hot in the summer. So, by way of introduction, I'm Mike Towers, as Marci mentioned. I am the CISO at Takeda Pharmaceuticals. 

Roughly, number eight pharmaceutical company in the world, operating in about 110 countries. Thirty-three billion dollars revenue, 70,000-person workforce. And been here for about 2.5 years and been doing security leadership for about 13 years. And I've been a long friend and ally of the T.E.N. team.  So, I look forward to the session. 

Marci

We appreciate all your support and your friendship, Mike, over these many years in working with you. So, thanks for joining us today. Patrick McBride, chief marketing officer with Beyond Identity. Great to have you here with us, and we appreciate also your partnership with us. So, Patrick, take it away, and tell us a little bit about yourself, and share a little bit about Beyond Identity. 

Patrick

Will do. Well, I'm the mid-point, you know. So, we got the line all the way up, Marci, in Atlanta. I'm actually back in the D.C. area in Northern Virginia. And so, nice little dotted line up Route 95 all the way up to Mike. And I think we'll look like we sent the hot weather his way as well. I also am a fanboy of the T.E.N. team for quite some time. 

Beyond Identity has been a good partner with the group over the last couple of years. But, you know, I've spent most of my almost 30-year career, all of it, in tech, and the vast majority have been cybersecurity. So, identity management in the early days in a PIM/PAM vendor, and then off to a company in threat intel. I ran marketing for iSIGHT Partners and then ran marketing for a company, industrial cybersecurity with Claroty, and then joined the Beyond Identity team here back in kind of the late, it was, I guess, 2019 timeframe, September 2019. 

It seems like, you know, five years ago now. We've had a lot to do and got a lot done. We launched in April of 2020. So, we're just a little over a year old. We were founded by a gentleman named Jim Clark, who you may recognize that name from history if you've got any bit of gray hair. 

Jim founded a company called Silicon Graphics, which ended up being one of the pretty storied, you know, interesting tech companies in the valley for a number of years and kind of highly regarded as one of the best engineering teams in the valley. He went on after that to hire some guys out of the University of Illinois at Urbana-Champaign, colluding with a guy named Marc Andreessen.

So, he co-founded Netscape and built that up. And the reason I even tell that backstory is there is some relationship. So, the Netscape team, if you, for some of you, may recall, invented something called SSL, Secure Socket Layer, at the time, which gave us the ability to make sure that we were talking to secure servers or that we were talking to the server we thought we were and then having a private conversation. 

And at Beyond Identity, we're leveraging a lot of the same underpinning technology, you guys now know it as TLS, to eliminate passwords. And that was really our first goal. So, the company was founded to eliminate passwords. You know, so we call ourselves passwordless, although that's a really janky term that we can talk about a little bit later. But we decided, you know, that was a waypoint on the way to doing something, you know, much more strong in authentication. 

Eliminating passwords was only step one, but doing things like device trust and, you know, risk-based authentication was some of the other kinds of capabilities that we needed. So, we started in passwordless, and it progressed beyond that, and ergo, the name.

Marci 

Well, excellent. Thank you, Patrick. You guys are definitely leading the way in this endeavor. So, thanks for being here. And thank you both for the kind words about T.E.N. We really appreciate that. Let's just jump into our discussions. 

Our first topic today is really the state of ransomware. I think that is probably the head of the news for everybody across the board. We've seen, certainly, many successful ransomware attacks lately, like Colonial Pipeline, and we're seeing how they can really spread. And they're targeting companies that you just wouldn't even think would be a target per se. 

They're looking at schools and hospitals, critical infrastructure, and more. You know, it's really amazing, overall, when you have people working remotely and the ransomware attacks have really grown in number. Because I think the work structure or the technology environments have absolutely changed very dramatically over the last 16 or so months. 

We've rapidly moved into the cloud, and ransomware as a service is a lucrative business for those threat actors out there, especially when you're willing to pay millions and millions of dollars for it. Some are actually paying money in cryptocurrencies, and it's very hard to track. So, it's sort of the Wild Wild West of the modern times. 

So, Mike, I'd love to get your perspective here, well, you know, about the news and the ransomware attacks that have certainly come to light. Do you think the threat's overblown, or is it getting worse and maybe we're just sort of hearing about it more? You know, when you buy that white car and every single car is a white car, you know, in the traffic type of thing, or is it really something real that we should to be thinking about as security executives and professionals out there? 

And, you know, how should we be looking at it with law enforcement and our insurance companies, too? 

Mike

Yeah. So, I think it's...I mean, the answer to the question may vary by industry or by perspective. But obviously, the attacks are becoming more numerous, more well-known, and more acute. I do think that the threat tactics are, frankly, not all that different other than perhaps the new wrinkles that have become more prominent recently, where it's not just about destruction or getting your data back, there's actually capabilities built-in that can actually expose the data, or so they claim that they can if you don't pay. 

So, that is a little bit new wrinkle. Because I think, historically, ransomware and, you know, more generically destructive malware type of attacks, obviously, your risk was your systems weren't running, but you didn't have to worry about data invasion. 

That's definitely changed. But what I do sense and what I do see is the threat actor community is getting smarter in who they target. And they tend to be going after companies that have historically...and industries, that for no fault of their own, have historically underinvested in controls or are more likely to pay. 

You know, most large companies, frankly, that have been doing pretty strong cybersecurity for a while, generally speaking, their attitude and their position is that they won't pay. So, they stopped, I think, trying, and they're starting to go after areas in my industry, biopharmaceuticals, and healthcare, generally speaking. That's the hospitals. 

So, if you have 115 patients in an ICU, you're not going to wait for a backup to be found and restored. You're going to pay the ransom. So, I think it's becoming, just generally speaking, a targeting improvement more than maybe a tactical one. 

Marci

So, basically, it's the cost of doing business nowadays, is what you're saying, Mike, right? 

Mike

Yeah, absolutely. It's definitely a hazard, if you will, that it is almost as common as some other traditional ones that from a broad business perspective, we've been dealing with for a while. Absolutely. 

Marci

So, Patrick, that's pretty tough to swallow there, the cost of doing business. So, where do you think what institutions are ransomware groups targeting now and why? I mean, Mike talked about the healthcare industry and smaller hospitals being great targets. But how can these attacks continually be successful, or are people just not paying attention? They're not locking down the fort? They're just leaving the front door open and the back door as well? 

Patrick

Yeah, a little all of the above. I mean, I totally agree with Mike. I think the wrinkle in TTPs, which I'll come back to, is pretty interesting and may, again, yet again, change the targeting a little bit. But, you know, the idea...you know, they really didn't get the attention of America until they shut down our oil and turned off our beef. 

You know, that was, you know, when the whole rest of the community, the broader community, understood. The news started covering it. You know, Mike and I have been watching this stuff every day. So, yeah, it's been happening at an increased pace. 

So, they have zeroed in on targeting, and they've actually zeroed in on the pricing mechanisms. They know not only who is more likely to pay, but what, you know...They're running sophisticated models to figure out, kind of, what do they think they can? Where do you set the ransom so that it's something that, you know, it's more likely to get a yes. 

But the wrinkle that Mike talked about. Also, the idea of not only locking stuff down, but extracting that data out and being able to share it. I was following one, and I actually lost track of it. 

Mike, you may or may not have continued with the story. The Metro Police here in Washington, D.C. got hit with attack and their stance was, you know, "We're not paying." You know, I guess they felt they had the, you know, appropriate backups and stuff. And so they employed, you know, the second part of the tactic, which is, "Okay. If you don't pay, we're going to release some of this data." And they ended up releasing dossiers on, you know, 17 police officers with, you know, family member names and addresses and that sort of thing, which obviously is something that the folks don’t want out.

So, I think Mike's exactly right. It's increasing. It's not just the white car syndrome, Marci. The tactics, as Mike had mentioned, have, you know, changed, or the ability, you know, probably not in every scenario. I mean, some of the actors are more advanced than others in some of the software that they use, the software that they use is better at doing that. 

And you can't always count on that. But that also may change the targeting. Some combination of, you know, a firm that's more well-protected if they get in and they've got good backups. You know, if there's anything interesting, whether it's IP or something embarrassing, think the Sony hack or something like that. So, it'll be interesting to see if that rebroadens the scope. 

Mike's exactly right. I mean, they really targeted in on folks that they believed would have a higher likelihood to pay and tune their models to make sure that they would. With this second wrinkle in the tactic, that may be, you know, broadened to people have real, you know, important IP that they want to protect, you know, or if you find embarrassing stuff that you really don't want out. 

It may be, you know, the second leg of the stool. So, you know, I think that's an open question as to where it goes. And, you know, you had mentioned the insurance piece of it, and, you know, any of us who've bought or, you know, negotiated those policies has never seen more fine print ever. So, you know, yeah, it is a cost of doing business, whether it's the controls that we have to put in place to protect ourselves, or the better backup strategies that we have to do to recover more quickly, or, you know, insurance payments to help cover ransom if we have to have to pay it. 

So, yeah. I think it's here. You know, we'll see if the targeting remains more at some of the lower-security organizations or they go back at some bigger ones with a new tactic. 

Marci

Well, it sounds like these tactics, techniques, and procedures, you kind of touched on it, TTPs, of these ransomware-as-a-service groups out there are really, really sophisticated or just taking...you know, to some degree taking advantage of some slacks, things that might have been already in place. But do you guys both think collectively it's because the remote working policies that we've really kind of really changed our environment so quickly and dramatically? 

And for some, we kind of threw security to the wayside to get into the cloud quickly so we could remain productive during COVID. What do you think? 

Patrick

You want to take a shot at that, Mike? I've got some thoughts, too. 

Mike

Yeah, I'll start. So, I think that...you know, again, another question that's very company or industry specific, but I know here at Takeda, we were marching down the Zero Trust route for a while, and COVID basically accelerated that for us. So, in some respects, broadly speaking, we were fortunate that it was a strategy to basically turn everybody into their own domain, if you will, that we were marching for a while. 

But, you know, think about, and I'll use Takeda numbers, for example, we went from a 520-site company to a 71,000-site company because of everybody logging in from home. So, your attack factor, of course, increases quite a bit. But I think a lot of the TTPs, frankly, and the risk landscape, I would say, at least in my experience and what I've observed, is less around the technological elements and more about the human elements. 

Because a lot of this stuff that spreads, or if somebody is spoofed or somebody does something careless or makes an honest mistake that puts the company or your infrastructure at risk, human psychology shows us, you're much more likely to be careless if you're alone. So, I mean, fundamentally speaking and dynamically speaking, if you are in an office, surrounded by people, you're just basically subconsciously more careful. 

So, taking that into account and being much more tolerant of or knowledgeable of that and aware of that, and coming up with ways to better help people through from an awareness perspective and a good behavior perspective, and people are more willing to try things they weren't in the past. 

"I need to print to my home printer, but my PC's locked down." Or, "Hey, no one's looking over your shoulder. No one in the help desk can see me try to install this new piece of software." So, there's just a...generally speaking, it's a human behavioral thing that's put us at more risk as well. And of course, ransomware would fit into that category. But just as similarly as data exfiltration and other data exposure risks would as well. 

Patrick

I was going to say, Marci, I think the actors have gotten more sophisticated. And the actual ransomware software itself, you know, once it's been downloaded [inaudible] has certainly gotten more sophisticated. The way they get it on the networks hadn't changed in anything we're doing, whether we're talking about account takeovers, or ransomwares, or any of these things. 

It's, you know, the number one threat vector is, you know, stolen passwords and reusing. And in the work-from-home situation, one of the...you mentioned the cloud thing, but there's also, you know, people working from home, you know, 71,000 offices, who need to also get back to stuff, in some cases, on-prem. A lot of what we're seeing is, like, brute-forcing of an RDP session.

Or you had the two water...it was a water facility in California, another one in Florida, with TeamViewer hooked up. You know, all kinds of remote access tools have become a very important threat vector. And, you know, people just haven't...and, you know, I think Mike's right, that you haven't done some of the basic, you know, hygiene things. They've been a little careless. 

You know, not on purpose. Or they're setting up and trying to get back to work and do the things they need to do, but they left those things kind of exposed. And, you know, where the attacker sophistication has really come in is, and it's a multi-tiered group, the guys that are going and, you know, phishing for passwords, it's not really that they're cracking big databases anymore. That's still...they're popping databases and, you know, decrypting passwords and stuff like that and selling those. 

But they're also doing broad-scope phishing attacks. And there's a whole other group out there just looking for infrastructure that's left open. You know, a TeamViewer on a particular port or an RDP port that's exposed, and then just, you know, using traditional credential stuffing techniques and things like that in there to pop it. And that just gives the opening, you know. So, some ransomware comes in through, you know, an email, and, you know, I'm clicking on the wrong thing, and it, you know, drops it on my desktop and it expands. 

A lot of it is, you know, simply somebody, you know, the bad guys buy credentials and log in and, you know, put their...go to the server and install the ransomware. You know, it's a very direct kind of action. So, you know, it all trends back to stuff that we've known. So, the hygiene, you know, and carelessness come together. 

And I think that, you know, particularly when everybody was moving really fast. You know, COVID happened almost overnight to us. And so, it's, you know, not by no fault of...it's not a bunch of, you know, CIS admins who are trying to be careless. A bunch of CIS admins were working night and day, you know, tired to the bone, just trying to get everybody set up and doing what they needed to do to be productive. 

Marci

They were our very first frontline workers keeping America at work at the end of the day. So, you're absolutely right. And you have to do what you have to do to make that happen. So, I really think, after listening to both of you, we've got to rethink now, now we have a little bit of time to pause. We're going back to hybrid or going back to in-person type of working and endeavors overall.

So, I think we have to really take a step back and rethink our strategies overall. You know, Patrick, you touched about different techniques. And I think they're also pretty sophisticated with their modern automation tools, that they can scan the internet out there, find the weaknesses of your company.

And they're also using brute-force techniques out there just to exploit a simple common vulnerability that just has gone unpatched for years and months or it just sort of got put to the bottom of the pile, like, "Oh, we'll get to it tomorrow." But then 17 other things come up first. So, the prioritization factor. Because we don't really necessarily know always what's happening in our environments because we didn't really know the assets before. 

And now, here we are today, with a whole new set of playing cards out there that we had to put into play. To your point earlier, Mike, we're printing to home printers, where that was never allowed before, or other devices, and we're connecting to the internet, certainly, through our home networks, or hotspots, or however we can get online, or phones and things like that. 

And the backups, you know? The backup aspect. When you're sitting in your office, it's a lot easier to be logged into your network, traditionally, from a traditional sense, and then versus, you know, backing up there. So, we had to really think a lot of different ways of how the backup aspect. And backing up, certainly, as we all know, is one way to thwart a ransomware attack. Because if you already have your information and your data, you can just reset it back to the clock and maybe just lose a couple of days of information, which is a heck of a lot better than paying millions of dollars overall. 

So, Patrick, you know, what we've done in the past to protect against ransomware is certainly different to what we're going to be doing tomorrow. So, let's just sort of talk about some of these advanced tools out there and techniques that you think companies should be looking at and trying to protect themselves against these very sophisticated ransomware attacks, or very organized. 

I don't know if they're always sophisticated. I would call them more organized than sophisticated because some of the things are from the old playbook, but they just got a little bit more organized in how they approach it. 

Patrick

Yeah. It's really a horizontally integrated, you know, environment now. You know, different bad guys have different roles, and, you know, there's the password stealers, there's the finding open vulnerabilities and then leveraging the passwords or other techniques to get in, and then there's the guys that actually launch the ransomware. 

In fact, it's even more sophisticated than that. We've got the guys that build the ransomware infrastructure, the "ransomware as a service," you know, just like we can all sign up for software as a service. And, you know, so the guys that run that infrastructure are just, you know, taking a cut of whatever comes in, and, you know, they'll get other folks actually, you know, to launch the campaigns on there. You know, much in the same way I might launch a marketing campaign from a HubSpot or some other kind of marketing automation tool. 

I mean, it's not dissimilar at all to actually running a really vertically integrated business. You know, I actually start...you know, and this is not going to shock anybody, kind of, coming from the company I come from, but I start thinking about it as a...you know, I go forward back backwards forward. So, having good backups and secure backups offsite or, you know, in a different place than your, you know...you lock up the backups as well, then that's not helpful. 

I mean, people think they have backups, but when they get ransomed, when they go to restore and can't get them, that's like...so that's obviously a step that I would take right away. On the other end of it, kind of being proactive, it's, shut the front door. You know, the idea of having a password-protected remote access way into your network doesn't make a lot of sense, you know, into an on-prem environment. 

And we have the same thing in the cloud in environment. So getting to a much more robust, strong authentication method, kind of MFA, I'll steal Ant Allan's quote from what...there was something called Password Day, which is the most ridiculous celebration ever. You know, World Password Day, you know, where bad advice abounds. 

You know, make them longer, make them stronger, change them frequently. You know, and the reality is, do you think a phishing email, if I type my password into a phishing email or, you know, my tool, either my browser or one of the password manager tools, you know, drops it in there for me, does the malware care if it's four characters or 400 characters and whether it has a special character? No. 

I mean, it's going to steal it no matter what. And so, you know, passwords have been a bad idea ever since, you know, Jim Clark and those guys invented Netscape and didn't do anything about it. I sent him on an apology tour when we first started, you know, for apologizing, first off, for his original sin. 

So, that's one part of shut the front door, eliminate passwords. At least, you know, the minimum, bare minimum now, is a multi-factor authentication. And, you know, the better path now is multi-factor authentication that only uses strong factors. So, if you eliminate, you know, a password as one of the factors, you know, you've really upped up the game. 

And if you're not using any weak factors, like a magic link and an SMS, you know, or a code and an SMS text that, you know, can easily be stolen. You know, whether it's a SIM swap or, you know, I can get it in the pots, or, you know, the network. There's lots of different ways for mann in the middle stuff to grab those codes and reuse them. So that's my first recommendation I got, for a company that's in the passwordless business, not quite shocking, but shut the front door. I mean, let's do that. 

Marci

I love that. Shut the front door. Boom. So, Mike, I would love to get your perspective about security teams out there really trying to detect the ransomware. They're kind of stealthy sometimes. But how do you think you can find one that might be, or several, lurking in your network? And is there some red flags that we can look for, or is there some false alarms that they kind of trigger? 

And overall, what about the ransomware, you know, plan that companies should be looking at? Obviously, the cost of doing business is a very scary option, but, you know, preventing that from happening, you know, by looking for those clues, those needles in the haystack. 

Mike

Yeah. I think there are definitely some techniques to use from a protection perspective and a technological protection perspective that I'll talk about, and they are important. But I would advise a little bit of a more business lens to it. And one of the things that I would...that we've been doing in my industry and I've been doing within my company is focused a little bit on the health economics...or, I'm sorry, the economics of technology, and realized that, roughly speaking, I mean, this varies by industry, but, you know, there was a recent Wharton and Harvard business collaboration that said, you know, as recently as five, six years ago, the cost of goods to produce most business outcomes, technology was about 30% of that cost. 

It's now almost 60%. 

So, fundamentally speaking, most businesses are twice as dependent on technology as they used to be. So, and obviously, things like ransomware are a direct impact to technology availability. So, it's no longer a "IT or a security issue." It's a business issue if the stuff's not running. So, that's first and foremost, is to get that level of support and understanding so that you can...and that will have long-term implications that, to your point, Marci, if things do look suspicious or things do look wonky, that folks will report it more quickly. 

You know, obviously, without making them paranoid. But, you know, obviously, that helps. I think another... 

Marci

So, see something, say something, is what you're saying. 

Mike

Exactly. Like the Amtrak station in Penn Station in Manhattan always reminded me. But I think the other thing that we've learned over the years that I think applies here, too, is, as security professionals, again, we have a tendency to dive into the technology and, therefore, we go after the new shiny, sexy object without looking what are the basics. Most ransomware outbreaks are lapses in basic protection and basic hygiene. 

And I think a lot of them are due to the fact that the teams are too focused on the new cool technology, and not enough on the basics. And I would also think that in our zeal to try to standardize our controls, which, of course, makes economic sense, we have to realize that depending on the size and the makeup of our enterprise, the same type of solutions won't protect an office environment, an R&D lab, a field salesperson, and a manufacturing plant. If I take my company as an example. 

So, we've had to take a one-standard approach to three or four because we call it internally the 18-minute versus 18-year challenge. In my manufacturing plant, I've got systems that are old enough to vote. And in our digital environment, I have systems that are under 20 minutes old. The new modules that our DevOps teams are releasing. 

Those two environments cannot have the same level of control applied to them. So, don't try, you know. So, figuring out, of course, we don't want to have 10, 20, 30 versions, but we can't have one either. So, finding the right balance of understanding what protection capabilities. You know, maybe you have a really advanced malware protection that you can put on all your office machines, but that won't work on your 15-year and 20-year-old systems in the plants. 

So, I think different techniques for different parts of the environment is important as well. 

Marci

So, let's talk a little bit about stronger authentication and how that might be able to protect us a little bit about the credential thefts that are out there. You know, recently in the 2021 Verizon data breach report, they found that organizations lacking MFA were easier targets than those that deployed MFA. 

Kind of, if you think about it, those that use the security systems in their home versus not are easier targets for the ones that decide to leave it off or never, you know, put them on. Anyway, credentials are really a glaring vulnerability and an area of opportunity. I think, at the end of the day, they're their main route. They're part of your front-door access, as Patrick sort of talked about. 

So, I think we really do need some stronger authentication type of solutions out there if we're going to prevent these breaches from going forward. So, Patrick, I'm going to sort of switch over to you. Talk about what you've seen with the link being between stolen credentials and security breaches like ransomware. Is there a direct connection? Is MFA really going to help against a credential theft? Or is it just, you know, an additional piece of technology that we just need to maybe add, but it's not like...it's just putting the seatbelt on? 

Patrick

Yeah. No, it's one of the layered controls, and it absolutely will help. One thing I would say that, you know, like all car...to take your car analogy, it's not...you know, all cars aren't created equal in terms of safety, and all MFA methods aren't equally as good. And one of the...you know, starting...you know, Mike started from a business perspective, which I love, by the way, thinking about the economics is important. 

One thing, as I've talked to CISOs over the last two...really, the last two years, you know, having been one myself and a CIO and in the old days, I've been really shocked at how often CISOs are starting from a user experience perspective as well. I mean, it was a bit of a shit-show during COVID and getting everything else sorted, but there's really an interesting...as I've talked to them, UX and design ends up being...and really, you know, helping employees get done what they need to get done is a factor. 

And with a lot of MFA solutions, they're almost at odds, you know. And, in fact, a lot of security solutions we've put in place. We add another control and it, you know, incrementally makes, you know, the life of the end-user trying to do their work worse, you know. So, you know, one really important factor in whatever we choose to build stronger authentication is do it in a way...so, we started with passwords. You know, make them longer, make them stronger. You know, now they're writing them down, and all the reasons that, you know, a lot of us understand why that was, you know, kind of a pain. But we also put the burden on users. Now it's just bad advice, as I had said before. It doesn't really matter. I can steal them. So, but MFA is the same thing. 

If you take an MFA solution that requires me to go...you know, for every app I'm logging into, I'm, you know, picking up a second device, grabbing a code, typing it in, clicking, you know, if it takes another 30, 40, 50 seconds and any given user is going to be logged on to six, eight, 10 applications, you really have to think about that. So, that's one real important consideration if you're evaluating this stuff. User experience matters. 

And on the other side of the equation, security matters. So, you know, a solution that could be super easy to use but is all weak factors, basically, you know, a password is a shared secret. If it's just another shared secret, you know, by another name, you know, called MFA, you know, as I like to say, a screen door in front of a screen door doesn't do you any good in terms of protecting you from somebody getting inside, you know? 

So, on the other hand, you don't want the door key, you know, if you have to iron doors and it's, you know, you have to turn the dial, you know, 15 different combination things to get in, that's not very helpful to people who actually need to get in where they're getting in. So, some balance of, you know, high security with strong usability ends up being important. You know, the password is just, you know, one of the pieces. 

One other thing, and we can come back to it later, is probably in this...you had mentioned it early, we're not only work from home, you know, Mike's got guys, you know, working in plants, you know, and, I'm sure, using on-prem software that he's got, services and software and probably a mix of cloud things. Like he said, you have different controls. One of the big gaps is people working from wherever on a range of devices, accessing cloud applications, where I can't assume my old perimeter network controls, "Hey, they're on my network. I can trust them." 

You know, Mike's gone down the Zero Trust path already. So, you know, there's an element of that, of not only figuring out who the user is, which device are they using, and is that thing secure enough to let into whatever I'm trying to get it in. Because very often, I'm not now, you know, going through my own network. I may be VPNing in, but it's kind of unpopular, you know, to send, you know, business users who need to access a cloud application, "Okay. Log into your VPN first, then trombone out, go through the pain of logging in, go through, you know, the slow, bad user experience just to get to some SaaS application." 

So, there's a piece of kind of Zero Trust element that, you know, authentication isn't just about the person anymore, it's also authenticating a device and understanding whether that device is secure enough to let into the resources you need. So, I think when I think about MFA, I think very, very broadly. Very narrowly, it has to be easy. And then more broadly, it has to accomplish some other jobs other than just authenticating users strongly. 

Marci

So, to bridge on what Patrick is saying, Mike, what stronger authentication methods do you think we can adopt? And how do we deploy them in a way that doesn't cause more friction? 

I know, like, users just hate having all these barriers and everything. They just want seamless to get around and do their jobs and not feel like they have to, you know, deal with a million different things while just trying to get the work done, especially in an environment that there may have been accustomed to be working in and now are turning back to. So, want to think about that with us? 

Mike

Yeah. And Patrick touched on some really powerful points here. I think that for a long time, security practitioners have continuously navigated the trade-off of experience with control. And it's time that we stop accepting that it's a trade-off and work really, really hard to provide better security and better experience at the same time. 

Because when you start thinking about moving authentication, for example, from an event-driven type of approach to a continuous approach, depending on exactly what technique you use, then theoretically, you're improving the experience, and you're improving security. I think there's a lot of philosophical things that, as an industry, that we've let persist for a long period of time. 

I know that I've heard a couple of leaders tell me, "Well, nothing that you've done five years ago is probably appropriate for today." Well, Fernando Corbato invented the password in 1960 at MIT. And here we are, 61 years later, and we still...as a collective industry, we allow it, and we... And even MFA, some of the RSA implementations for MFA are almost 20 years old. So, here we are, with this massive onset of a digital revolution, and we're still allowing these, by definition in the technology, ancient technologies to persist. 

So, I think that there's a significant amount of work we need to do from a practitioner perspective to eradicate that. I also think that there are some fundamental assumptions that we've made all along about how our various IT departments, our operations departments, want every machine to be connected to each other procedurally to manage them. 

And in my mind, it's analogous to having every house in the neighborhood connected by a stream of highly flammable liquids. So, God forbid, you have one house that catches fire. All of a sudden, they all are going to. Well, that's how we build our environments today to manage our PCs. So, there's a fundamental element of having each machine on their own island, if you will. And so that we could always control the radius of any kind of attack, limit it to that machine. Because that's how ransomware spreads is through common share protocols. 

So, I think there's a lot of almost completely ground-up rethinking of, you know, the kind of stuff that companies like Amazon and Apple have been thinking about for years, but for whatever reason, in corporate America, in corporate world, we've not adopted those themes, even though our collective user base is starting to view that as normal. 

And then we immediately bifurcate the experience from what they get from a really good consumer app to what they get at work. And in reality, the two constants need to come together. So, I think from a...in my mind, authentication has to become continuous, and it has to be tremendously easy to use. And I think people... 

And of course, any factor is better than just a password. 

So, if you're starting simple, push authentication to the phone, you know, all these things that are out there that are a good...point. And I think that, you know, again, we have to collectively stop accepting the burden excuse. Because things that persist, for example...I'll give you a real case study from a Takeda perspective. When we were originally rolling out push authentication, you know, going on four or five years ago now, we heard a lot of pushback that what about the people that don't have smartphones? 

Well, and even though we don't provide a smartphone for every person, we've realized that only one percent of our users didn't have a smartphone. So, how many cycles did we waste designing for a one percent exception? So, and you think about, well, they're not going to accept the company-installed app on their personal phone. 

Well, we don't provide everybody a car either, but we figure they'll get to the office. So, we can assume that they have these devices and we can leverage them as well. So, there's a lot of tactics that I think that we can partner with our user base to accept this as a norm rather than an exception moving forward. And that includes the other continuous authentication piece that I think is where we're heading. 

Patrick

Yeah, totally agree on continuous auth, for sure. 

Marci

Very reminiscent of my PeopleSoft implementation days. There was always, like, the scenario, "Oh, let's figure out this procedure," and, like, they've never had it in 30 years. But all good. We've had a great response from our audience with a lot of interesting questions. And I want to start with Frank Iglesias's questions, because we've never been really asked this question before, and, you know, I think it's an important consideration. 

So, I'm going to lump his two questions together. I'd love your feedback. What do you recommend for ADA folks, for example, like, a blind person? And then they have some various clients that are over the age of 70 with various issues. So, you know, there's challenges at the end of the day out there. And how would you approach that for Frank's folks? 

Mike

You want to start, Patrick? You got it. 

Patrick

Sure. Yeah, that's a fascinating and a very relevant question. You know, for our company, we've really got two kind of user bases that we support. The workforce, like, you know, Mike and his employees. We also work with companies who sell, you know, apps or, you know, financial apps and things like that. And so, you know, they call it the "CIAM," the Customer Identity and Access Management, you know, scenario. 

And, you know, it's relevant in both. So, the UX thing ends up, you know, kind of being easy if I've got multiple factors and I've got to go between devices. I don't know, though. I don't actually know the perfect answer to that question. You know, I think, you know, one of it is, you know, choosing software that follows the ADA guidelines. I mean, there are actually, you know, guidelines for how to do that and making sure that, you know, in some cases, if you've got blind or seeing-impaired people, that, it can...that there's voice kinds of prompts and things like that that they can get, not necessarily from the software, but even if it's not built in the software, can read over top of it. 

So, you know, making sure the UX, you know, of whatever solution is... The way we thought about it was, you know, we put an authenticator on each device. It's a little piece of authenticator code. And, you know, if that thing's telling you, you know, and prompting you for the next steps, you know, then it's fairly easy to follow for somebody with that kind of a disability. But, you know, that's a persistent problem across, you know, tech. 

I don't know, as an industry, candidly, that we've...you know, we've made some progress there, but I would...you know, if I graded us on a, you know, A, B, C, D, E, F, and, you know, we're barely getting a C, I would imagine, at this point. So, you know, it's a good reminder to software vendors like us that, you know, we need to do better in this regard in design. You know, it's not a one percent problem, it's, you know... 

Marci

Yeah. I wanted to say that's probably definitely not a 1% problem. Well, let's just jump into our next... Oh, did you want to add something, Mike? Because we only have a couple more minutes, and I'd love to get another question in. 

Mike

The only thing I would add very, very quickly is that being that we're in the business of, as Patrick mentioned, more of a CIAM approach, where we're developing more and more applications and mobile apps for, say, our patients, one of our therapeutic areas is oncology, which tends to have a lot of older patients who are not very tech-savvy, we've invested some energy in trying to address the UX issue by going with a companion care. 

So, a verification technique where maybe the person can't authenticate, but there's someone that they know and trust that can for them. And we go through a little bit of energy of verifying their authenticity as well so that they can get some help from a caregiver. 

Marci

Perfect. Well, our last question today is... This is a question from Vaughn Hazen, and "We've seen some studies where 80% of the companies paying the ransom experience another event. My guess is it's due to the fact that they did not address the root cause of the initial infection." Good assumption. 

"Have you seen this work in what you're doing?" Have you seen this in the work overall? So, I'm going to have Patrick sort of answer that question. Are you seeing that they just didn't do a good job cleaning it up from the beginning and it's sort of, you know, a disease that just keeps getting infectious there? 

Patrick

That number seems high to me. I'd be interested in Mike. I actually don't have the exact data on that. You know, there's, you know, trust among thieves, you know, kind of thing. They're not likely to get hit by the same guys. Because if the same guys hit you multiple times, then their reputation, you know, dwindles, and the next guy that gets hit, it's like, "Well, I'm not going to pay the ransom because I'm going to..." 

They want to do everything to, you know, ensure that you actually pay. But this could be multiple different actors. So, I think, yeah, if you get hit twice, you know, you probably haven't done some of the basic hygiene stuff. Again, while the ransomware software itself has gotten more effective and more clever, the ways to get it on a system have not. 

So, it's a lot of basic hygiene. You know, it's... I don't know if, Mike, if you guys are doing any of the user education, you know, on clicking on the wrong link and all that stuff, because obviously, that's one way to get ransomware on the system. But as we've already talked about, credential theft and credential stuffing techniques and remote access tools end up being the biggest vector. So, yeah, if they're getting hit again, it's likely hygiene. But I don't...that number seems very high to me. 

Mike

The only thing I would add is that, you know, we have to avoid, as an industry, and try really hard not to stigmatize people who get hit, because it's not a matter of if, it's when we'll all get hit. 

But I think what's happening is that people who pay a ransom, and there's a really, really good reason why a hospital would pay it, like I said before, or others would pay it, but people who pay a ransom basically demonstrate that they have control deficiencies. So, and they basically advertise themselves as a wider target. It's not just about the whole law enforcement thing. "Well, if I pay ransom because someone's been kidnapped, I'm more willing to do it again. So, I'll be targeted again." 

There's a little bit of that as well. But I think ransom payment is, generally speaking, a recognition that there are other things wrong. So, you're going to be a bigger target from that point forward because of what that exposes. So, I agree completely that a lot of this, as I said before, is let's not be so tempted to look at the new, cool, sexy stuff and focus on the basics. Patching, hygiene, and just good general practice there. 

Marci

Going back to the basics. Well, thank you, all, for joining us today, and thank you to our panelists, Patrick and Mike. We loved your conversation and all the thoughts that you shared with us today. 

Stay healthy and safe, and have some fun in the sun. And be careful of some of the places that are having a heatwave. I want to say thank you to Beyond Identity for being our sponsor today. And once again, thank you to Patrick and Mike for being our panelists.

TEN: ISE Fireside Chat

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Listen to the following security experts share their insights in the webinar:

  • Marci McCarthy, CEO and President at T.E.N.
  • Patrick McBride, Chief Marketing Officer at Beyond Identity
  • Mike Towers, Chief Information Security Officer at Takeda Pharmaceuticals

Transcription

Marci

Hello, and welcome to our ISE Fireside Webinar. We're thrilled to be here with you on the very last day of June and getting ready for the July 4th holidays. We appreciate you joining us this afternoon. We're very excited to have Beyond Identity as our sponsor and appreciate their partnership with us. Our topic today is "Eliminate Ransomware, Phishing, and Other Credential-Based Attacks by Eliminating Passwords." 

Great conversation, and a very timely topic, certainly, for sure. Let's go ahead and jump into our agenda and some few housekeeping things, and we'll hear from our panelists in just a second. So, we will certainly learn about our panelists in a couple of minutes. And we're thrilled to have them with us today. And we will also hear from Beyond Identity and a little bit about what they do and why they're doing some really very innovative things out there. 

We'll jump into our panel discussions. And then from there, we'll have our Q&A session. We're going to ask all of our viewers as they think of their questions today, to put that Q&A question into the Q&A chat window. This way, we'll have some great conversation and hear from you towards the end of our show. 

If you are joining us and are in need of a CPE credit, we kindly ask that you fill out the survey to its completion, and let us know that you need that information. We will send you an email tomorrow with your CPE accreditation, and you will need to upload that into your account. You will need to attend the webinar in its entirety to be receiving that CPE credit. Thank you again for joining me today.

All right. Let's jump into our panelist discussions. Our panelist introductions, I should say. So, our first panelist is Mike Towers, chief information security officer for Takeda Pharmaceuticals. Mike, how's it going? I hear you're in Boston and it's like Hotlanta up there. 

Mike

Yeah. Good to see you, Marci. And thanks for having me. Very, very hot this week. It's supposed to cool down for the July 4th weekend, but, obviously, Boston can get very cold in the winter and, I guess, very hot in the summer. So, by way of introduction, I'm Mike Towers, as Marci mentioned. I am the CISO at Takeda Pharmaceuticals. 

Roughly, number eight pharmaceutical company in the world, operating in about 110 countries. Thirty-three billion dollars revenue, 70,000-person workforce. And been here for about 2.5 years and been doing security leadership for about 13 years. And I've been a long friend and ally of the T.E.N. team.  So, I look forward to the session. 

Marci

We appreciate all your support and your friendship, Mike, over these many years in working with you. So, thanks for joining us today. Patrick McBride, chief marketing officer with Beyond Identity. Great to have you here with us, and we appreciate also your partnership with us. So, Patrick, take it away, and tell us a little bit about yourself, and share a little bit about Beyond Identity. 

Patrick

Will do. Well, I'm the mid-point, you know. So, we got the line all the way up, Marci, in Atlanta. I'm actually back in the D.C. area in Northern Virginia. And so, nice little dotted line up Route 95 all the way up to Mike. And I think we'll look like we sent the hot weather his way as well. I also am a fanboy of the T.E.N. team for quite some time. 

Beyond Identity has been a good partner with the group over the last couple of years. But, you know, I've spent most of my almost 30-year career, all of it, in tech, and the vast majority have been cybersecurity. So, identity management in the early days in a PIM/PAM vendor, and then off to a company in threat intel. I ran marketing for iSIGHT Partners and then ran marketing for a company, industrial cybersecurity with Claroty, and then joined the Beyond Identity team here back in kind of the late, it was, I guess, 2019 timeframe, September 2019. 

It seems like, you know, five years ago now. We've had a lot to do and got a lot done. We launched in April of 2020. So, we're just a little over a year old. We were founded by a gentleman named Jim Clark, who you may recognize that name from history if you've got any bit of gray hair. 

Jim founded a company called Silicon Graphics, which ended up being one of the pretty storied, you know, interesting tech companies in the valley for a number of years and kind of highly regarded as one of the best engineering teams in the valley. He went on after that to hire some guys out of the University of Illinois at Urbana-Champaign, colluding with a guy named Marc Andreessen.

So, he co-founded Netscape and built that up. And the reason I even tell that backstory is there is some relationship. So, the Netscape team, if you, for some of you, may recall, invented something called SSL, Secure Socket Layer, at the time, which gave us the ability to make sure that we were talking to secure servers or that we were talking to the server we thought we were and then having a private conversation. 

And at Beyond Identity, we're leveraging a lot of the same underpinning technology, you guys now know it as TLS, to eliminate passwords. And that was really our first goal. So, the company was founded to eliminate passwords. You know, so we call ourselves passwordless, although that's a really janky term that we can talk about a little bit later. But we decided, you know, that was a waypoint on the way to doing something, you know, much more strong in authentication. 

Eliminating passwords was only step one, but doing things like device trust and, you know, risk-based authentication was some of the other kinds of capabilities that we needed. So, we started in passwordless, and it progressed beyond that, and ergo, the name.

Marci 

Well, excellent. Thank you, Patrick. You guys are definitely leading the way in this endeavor. So, thanks for being here. And thank you both for the kind words about T.E.N. We really appreciate that. Let's just jump into our discussions. 

Our first topic today is really the state of ransomware. I think that is probably the head of the news for everybody across the board. We've seen, certainly, many successful ransomware attacks lately, like Colonial Pipeline, and we're seeing how they can really spread. And they're targeting companies that you just wouldn't even think would be a target per se. 

They're looking at schools and hospitals, critical infrastructure, and more. You know, it's really amazing, overall, when you have people working remotely and the ransomware attacks have really grown in number. Because I think the work structure or the technology environments have absolutely changed very dramatically over the last 16 or so months. 

We've rapidly moved into the cloud, and ransomware as a service is a lucrative business for those threat actors out there, especially when you're willing to pay millions and millions of dollars for it. Some are actually paying money in cryptocurrencies, and it's very hard to track. So, it's sort of the Wild Wild West of the modern times. 

So, Mike, I'd love to get your perspective here, well, you know, about the news and the ransomware attacks that have certainly come to light. Do you think the threat's overblown, or is it getting worse and maybe we're just sort of hearing about it more? You know, when you buy that white car and every single car is a white car, you know, in the traffic type of thing, or is it really something real that we should to be thinking about as security executives and professionals out there? 

And, you know, how should we be looking at it with law enforcement and our insurance companies, too? 

Mike

Yeah. So, I think it's...I mean, the answer to the question may vary by industry or by perspective. But obviously, the attacks are becoming more numerous, more well-known, and more acute. I do think that the threat tactics are, frankly, not all that different other than perhaps the new wrinkles that have become more prominent recently, where it's not just about destruction or getting your data back, there's actually capabilities built-in that can actually expose the data, or so they claim that they can if you don't pay. 

So, that is a little bit new wrinkle. Because I think, historically, ransomware and, you know, more generically destructive malware type of attacks, obviously, your risk was your systems weren't running, but you didn't have to worry about data invasion. 

That's definitely changed. But what I do sense and what I do see is the threat actor community is getting smarter in who they target. And they tend to be going after companies that have historically...and industries, that for no fault of their own, have historically underinvested in controls or are more likely to pay. 

You know, most large companies, frankly, that have been doing pretty strong cybersecurity for a while, generally speaking, their attitude and their position is that they won't pay. So, they stopped, I think, trying, and they're starting to go after areas in my industry, biopharmaceuticals, and healthcare, generally speaking. That's the hospitals. 

So, if you have 115 patients in an ICU, you're not going to wait for a backup to be found and restored. You're going to pay the ransom. So, I think it's becoming, just generally speaking, a targeting improvement more than maybe a tactical one. 

Marci

So, basically, it's the cost of doing business nowadays, is what you're saying, Mike, right? 

Mike

Yeah, absolutely. It's definitely a hazard, if you will, that it is almost as common as some other traditional ones that from a broad business perspective, we've been dealing with for a while. Absolutely. 

Marci

So, Patrick, that's pretty tough to swallow there, the cost of doing business. So, where do you think what institutions are ransomware groups targeting now and why? I mean, Mike talked about the healthcare industry and smaller hospitals being great targets. But how can these attacks continually be successful, or are people just not paying attention? They're not locking down the fort? They're just leaving the front door open and the back door as well? 

Patrick

Yeah, a little all of the above. I mean, I totally agree with Mike. I think the wrinkle in TTPs, which I'll come back to, is pretty interesting and may, again, yet again, change the targeting a little bit. But, you know, the idea...you know, they really didn't get the attention of America until they shut down our oil and turned off our beef. 

You know, that was, you know, when the whole rest of the community, the broader community, understood. The news started covering it. You know, Mike and I have been watching this stuff every day. So, yeah, it's been happening at an increased pace. 

So, they have zeroed in on targeting, and they've actually zeroed in on the pricing mechanisms. They know not only who is more likely to pay, but what, you know...They're running sophisticated models to figure out, kind of, what do they think they can? Where do you set the ransom so that it's something that, you know, it's more likely to get a yes. 

But the wrinkle that Mike talked about. Also, the idea of not only locking stuff down, but extracting that data out and being able to share it. I was following one, and I actually lost track of it. 

Mike, you may or may not have continued with the story. The Metro Police here in Washington, D.C. got hit with attack and their stance was, you know, "We're not paying." You know, I guess they felt they had the, you know, appropriate backups and stuff. And so they employed, you know, the second part of the tactic, which is, "Okay. If you don't pay, we're going to release some of this data." And they ended up releasing dossiers on, you know, 17 police officers with, you know, family member names and addresses and that sort of thing, which obviously is something that the folks don’t want out.

So, I think Mike's exactly right. It's increasing. It's not just the white car syndrome, Marci. The tactics, as Mike had mentioned, have, you know, changed, or the ability, you know, probably not in every scenario. I mean, some of the actors are more advanced than others in some of the software that they use, the software that they use is better at doing that. 

And you can't always count on that. But that also may change the targeting. Some combination of, you know, a firm that's more well-protected if they get in and they've got good backups. You know, if there's anything interesting, whether it's IP or something embarrassing, think the Sony hack or something like that. So, it'll be interesting to see if that rebroadens the scope. 

Mike's exactly right. I mean, they really targeted in on folks that they believed would have a higher likelihood to pay and tune their models to make sure that they would. With this second wrinkle in the tactic, that may be, you know, broadened to people have real, you know, important IP that they want to protect, you know, or if you find embarrassing stuff that you really don't want out. 

It may be, you know, the second leg of the stool. So, you know, I think that's an open question as to where it goes. And, you know, you had mentioned the insurance piece of it, and, you know, any of us who've bought or, you know, negotiated those policies has never seen more fine print ever. So, you know, yeah, it is a cost of doing business, whether it's the controls that we have to put in place to protect ourselves, or the better backup strategies that we have to do to recover more quickly, or, you know, insurance payments to help cover ransom if we have to have to pay it. 

So, yeah. I think it's here. You know, we'll see if the targeting remains more at some of the lower-security organizations or they go back at some bigger ones with a new tactic. 

Marci

Well, it sounds like these tactics, techniques, and procedures, you kind of touched on it, TTPs, of these ransomware-as-a-service groups out there are really, really sophisticated or just taking...you know, to some degree taking advantage of some slacks, things that might have been already in place. But do you guys both think collectively it's because the remote working policies that we've really kind of really changed our environment so quickly and dramatically? 

And for some, we kind of threw security to the wayside to get into the cloud quickly so we could remain productive during COVID. What do you think? 

Patrick

You want to take a shot at that, Mike? I've got some thoughts, too. 

Mike

Yeah, I'll start. So, I think that...you know, again, another question that's very company or industry specific, but I know here at Takeda, we were marching down the Zero Trust route for a while, and COVID basically accelerated that for us. So, in some respects, broadly speaking, we were fortunate that it was a strategy to basically turn everybody into their own domain, if you will, that we were marching for a while. 

But, you know, think about, and I'll use Takeda numbers, for example, we went from a 520-site company to a 71,000-site company because of everybody logging in from home. So, your attack factor, of course, increases quite a bit. But I think a lot of the TTPs, frankly, and the risk landscape, I would say, at least in my experience and what I've observed, is less around the technological elements and more about the human elements. 

Because a lot of this stuff that spreads, or if somebody is spoofed or somebody does something careless or makes an honest mistake that puts the company or your infrastructure at risk, human psychology shows us, you're much more likely to be careless if you're alone. So, I mean, fundamentally speaking and dynamically speaking, if you are in an office, surrounded by people, you're just basically subconsciously more careful. 

So, taking that into account and being much more tolerant of or knowledgeable of that and aware of that, and coming up with ways to better help people through from an awareness perspective and a good behavior perspective, and people are more willing to try things they weren't in the past. 

"I need to print to my home printer, but my PC's locked down." Or, "Hey, no one's looking over your shoulder. No one in the help desk can see me try to install this new piece of software." So, there's just a...generally speaking, it's a human behavioral thing that's put us at more risk as well. And of course, ransomware would fit into that category. But just as similarly as data exfiltration and other data exposure risks would as well. 

Patrick

I was going to say, Marci, I think the actors have gotten more sophisticated. And the actual ransomware software itself, you know, once it's been downloaded [inaudible] has certainly gotten more sophisticated. The way they get it on the networks hasn't changed in anything we're doing, whether we're talking about account takeovers, or ransomwares, or any of these things. 

It's, you know, the number one threat vector is, you know, stolen passwords and reusing. And in the work-from-home situation, one of the...you mentioned the cloud thing, but there's also, you know, people working from home, you know, 71,000 offices, who need to also get back to stuff, in some cases, on-prem. A lot of what we're seeing is, like, brute-forcing of an RDP session.

Or you had the two water...it was a water facility in California, another one in Florida, with TeamViewer hooked up. You know, all kinds of remote access tools have become a very important threat vector. And, you know, people just haven't...and, you know, I think Mike's right, that you haven't done some of the basic, you know, hygiene things. They've been a little careless. 

You know, not on purpose. Or they're setting up and trying to get back to work and do the things they need to do, but they left those things kind of exposed. And, you know, where the attacker sophistication has really come in is, and it's a multi-tiered group, the guys that are going and, you know, phishing for passwords, it's not really that they're cracking big databases anymore. That's still...they're popping databases and, you know, decrypting passwords and stuff like that and selling those. 

But they're also doing broad-scope phishing attacks. And there's a whole other group out there just looking for infrastructure that's left open. You know, a TeamViewer on a particular port or an RDP port that's exposed, and then just, you know, using traditional credential stuffing techniques and things like that in there to pop it. And that just gives the opening, you know. So, some ransomware comes in through, you know, an email, and, you know, I'm clicking on the wrong thing, and it, you know, drops it on my desktop and it expands. 

A lot of it is, you know, simply somebody, you know, the bad guys buy credentials and log in and, you know, put their...go to the server and install the ransomware. You know, it's a very direct kind of action. So, you know, it all trends back to stuff that we've known. So, the hygiene, you know, and carelessness come together. 

And I think that, you know, particularly when everybody was moving really fast. You know, COVID happened almost overnight to us. And so, it's, you know, not by no fault of...it's not a bunch of, you know, sysadmins who are trying to be careless. A bunch of sysadmins were working night and day, you know, tired to the bone, just trying to get everybody set up and doing what they needed to do to be productive. 

Marci

They were our very first frontline workers keeping America at work at the end of the day. So, you're absolutely right. And you have to do what you have to do to make that happen. So, I really think, after listening to both of you, we've got to rethink now, now we have a little bit of time to pause. We're going back to hybrid or going back to in-person type of working and endeavors overall.

So, I think we have to really take a step back and rethink our strategies overall. You know, Patrick, you touched about different techniques. And I think they're also pretty sophisticated with their modern automation tools, that they can scan the internet out there, find the weaknesses of your company.

And they're also using brute-force techniques out there just to exploit a simple common vulnerability that just has gone unpatched for years and months or it just sort of got put to the bottom of the pile, like, "Oh, we'll get to it tomorrow." But then 17 other things come up first. So, the prioritization factor. Because we don't really necessarily know always what's happening in our environments because we didn't really know the assets before. 

And now, here we are today, with a whole new set of playing cards out there that we had to put into play. To your point earlier, Mike, we're printing to home printers, where that was never allowed before, or other devices, and we're connecting to the internet, certainly, through our home networks, or hotspots, or however we can get online, or phones and things like that. 

And the backups, you know? The backup aspect. When you're sitting in your office, it's a lot easier to be logged into your network, traditionally, from a traditional sense, and then versus, you know, backing up there. So, we had to really think a lot of different ways of how the backup aspect. And backing up, certainly, as we all know, is one way to thwart a ransomware attack. Because if you already have your information and your data, you can just reset it back to the clock and maybe just lose a couple of days of information, which is a heck of a lot better than paying millions of dollars overall. 

So, Patrick, you know, what we've done in the past to protect against ransomware is certainly different to what we're going to be doing tomorrow. So, let's just sort of talk about some of these advanced tools out there and techniques that you think companies should be looking at and trying to protect themselves against these very sophisticated ransomware attacks, or very organized. 

I don't know if they're always sophisticated. I would call them more organized than sophisticated because some of the things are from the old playbook, but they just got a little bit more organized in how they approach it. 

Patrick

Yeah. It's really a horizontally integrated, you know, environment now. You know, different bad guys have different roles, and, you know, there's the password stealers, there's the finding open vulnerabilities and then leveraging the passwords or other techniques to get in, and then there's the guys that actually launch the ransomware. 

In fact, it's even more sophisticated than that. We've got the guys that build the ransomware infrastructure, the "ransomware as a service," you know, just like we can all sign up for software as a service. And, you know, so the guys that run that infrastructure are just, you know, taking a cut of whatever comes in, and, you know, they'll get other folks actually, you know, to launch the campaigns on there. You know, much in the same way I might launch a marketing campaign from a HubSpot or some other kind of marketing automation tool. 

I mean, it's not dissimilar at all to actually running a really vertically integrated business. You know, I actually start...you know, and this is not going to shock anybody, kind of, coming from the company I come from, but I start thinking about it as a...you know, I go forward back backwards forward. So, having good backups and secure backups offsite or, you know, in a different place than your, you know...you lock up the backups as well, then that's not helpful. 

I mean, people think they have backups, but when they get ransomed, when they go to restore and can't get them, that's like...so that's obviously a step that I would take right away. On the other end of it, kind of being proactive, it's, shut the front door. You know, the idea of having a password-protected remote access way into your network doesn't make a lot of sense, you know, into an on-prem environment. 

And we have the same thing in the cloud environment. So getting to a much more robust, strong authentication method, kind of MFA, I'll steal Ant Allan's quote from what...there was something called Password Day, which is the most ridiculous celebration ever. You know, World Password Day, you know, where bad advice abounds. 

You know, make them longer, make them stronger, change them frequently. You know, and the reality is, do you think a phishing email, if I type my password into a phishing email or, you know, my tool, either my browser or one of the password manager tools, you know, drops it in there for me, does the malware care if it's four characters or 400 characters and whether it has a special character? No. 

I mean, it's going to steal it no matter what. And so, you know, passwords have been a bad idea ever since, you know, Jim Clark and those guys invented Netscape and didn't do anything about it. I sent him on an apology tour when we first started, you know, for apologizing, first off, for his original sin. 

So, that's one part of shut the front door, eliminate passwords. At least, you know, the minimum, bare minimum now, is a multi-factor authentication. And, you know, the better path now is multi-factor authentication that only uses strong factors. So, if you eliminate, you know, a password as one of the factors, you know, you've really upped the game. 

And if you're not using any weak factors, like a magic link and an SMS, you know, or a code and an SMS text that, you know, can easily be stolen. You know, whether it's a SIM swap or, you know, I can get it in the POTS, or, you know, the network. There's lots of different ways for man-in-the-middle stuff to grab those codes and reuse them. So that's my first recommendation I got, for a company that's in the passwordless business, not quite shocking, but shut the front door. I mean, let's do that. 

Marci

I love that. Shut the front door. Boom. So, Mike, I would love to get your perspective about security teams out there really trying to detect the ransomware. They're kind of stealthy sometimes. But how do you think you can find one that might be, or several, lurking in your network? And are there some red flags that we can look for, or are there some false alarms that they kind of trigger? 

And overall, what about the ransomware, you know, plan that companies should be looking at? Obviously, the cost of doing business is a very scary option, but, you know, preventing that from happening, you know, by looking for those clues, those needles in the haystack. 

Mike

Yeah. I think there are definitely some techniques to use from a protection perspective and a technological protection perspective that I'll talk about, and they are important. But I would advise a little bit of a more business lens to it. And one of the things that I would...that we've been doing in my industry and I've been doing within my company is focused a little bit on the health economics...or, I'm sorry, the economics of technology, and realized that, roughly speaking, I mean, this varies by industry, but, you know, there was a recent Wharton and Harvard business collaboration that said, you know, as recently as five, six years ago, the cost of goods to produce most business outcomes, technology was about 30% of that cost. 

It's now almost 60%. 

So, fundamentally speaking, most businesses are twice as dependent on technology as they used to be. So, and obviously, things like ransomware are a direct impact to technology availability. So, it's no longer an "IT or a security issue." It's a business issue if the stuff's not running. So, that's first and foremost, is to get that level of support and understanding so that you can...and that will have long-term implications that, to your point, Marci, if things do look suspicious or things do look wonky, that folks will report it more quickly. 

You know, obviously, without making them paranoid. But, you know, obviously, that helps. I think another... 

Marci

So, see something, say something, is what you're saying. 

Mike

Exactly. Like the Amtrak station in Penn Station in Manhattan always reminded me. But I think the other thing that we've learned over the years that I think applies here, too, is, as security professionals, again, we have a tendency to dive into the technology and, therefore, we go after the new shiny, sexy object without looking at what the basics are. Most ransomware outbreaks are lapses in basic protection and basic hygiene. 

And I think a lot of them are due to the fact that the teams are too focused on the new cool technology, and not enough on the basics. And I would also think that in our zeal to try to standardize our controls, which, of course, makes economic sense, we have to realize that depending on the size and the makeup of our enterprise, the same type of solutions won't protect an office environment, an R&D lab, a field salesperson, and a manufacturing plant. If I take my company as an example. 

So, we've had to take a one-standard approach to three or four because we call it internally the 18-minute versus 18-year challenge. In my manufacturing plant, I've got systems that are old enough to vote. And in our digital environment, I have systems that are under 20 minutes old. The new modules that our DevOps teams are releasing. 

Those two environments cannot have the same level of control applied to them. So, don't try, you know. So, figuring out, of course, we don't want to have 10, 20, 30 versions, but we can't have one either. So, finding the right balance of understanding what protection capabilities. You know, maybe you have a really advanced malware protection that you can put on all your office machines, but that won't work on your 15-year and 20-year-old systems in the plants. 

So, I think different techniques for different parts of the environment is important as well. 

Marci

So, let's talk a little bit about stronger authentication and how that might be able to protect us a little bit about the credential thefts that are out there. You know, recently in the 2021 Verizon data breach report, they found that organizations lacking MFA were easier targets than those that deployed MFA. 

Kind of, if you think about it, those that use the security systems in their home versus not are easier targets for the ones that decide to leave it off or never, you know, put them on. Anyway, credentials are really a glaring vulnerability and an area of opportunity. I think, at the end of the day, they're their main route. They're part of your front-door access, as Patrick sort of talked about. 

So, I think we really do need some stronger authentication type of solutions out there if we're going to prevent these breaches from going forward. So, Patrick, I'm going to sort of switch over to you. Talk about what you've seen with the link being between stolen credentials and security breaches like ransomware. Is there a direct connection? Is MFA really going to help against a credential theft? Or is it just, you know, an additional piece of technology that we just need to maybe add, but it's not like...it's just putting the seatbelt on? 

Patrick

Yeah. No, it's one of the layered controls, and it absolutely will help. One thing I would say that, you know, like all car...to take your car analogy, it's not...you know, all cars aren't created equal in terms of safety, and all MFA methods aren't equally as good. And one of the...you know, starting...you know, Mike started from a business perspective, which I love, by the way, thinking about the economics is important. 

One thing, as I've talked to CISOs over the last two...really, the last two years, you know, having been one myself and a CIO and in the old days, I've been really shocked at how often CISOs are starting from a user experience perspective as well. I mean, it was a bit of a shit-show during COVID and getting everything else sorted, but there's really an interesting...as I've talked to them, UX and design ends up being...and really, you know, helping employees get done what they need to get done is a factor. 

And with a lot of MFA solutions, they're almost at odds, you know. And, in fact, a lot of security solutions we've put in place. We add another control and it, you know, incrementally makes, you know, the life of the end-user trying to do their work worse, you know. So, you know, one really important factor in whatever we choose to build stronger authentication is do it in a way...so, we started with passwords. You know, make them longer, make them stronger. You know, now they're writing them down, and all the reasons that, you know, a lot of us understand why that was, you know, kind of a pain. But we also put the burden on users. Now it's just bad advice, as I had said before. It doesn't really matter. I can steal them. So, but MFA is the same thing. 

If you take an MFA solution that requires me to go...you know, for every app I'm logging into, I'm, you know, picking up a second device, grabbing a code, typing it in, clicking, you know, if it takes another 30, 40, 50 seconds and any given user is going to be logged on to six, eight, 10 applications, you really have to think about that. So, that's one real important consideration if you're evaluating this stuff. User experience matters. 

And on the other side of the equation, security matters. So, you know, a solution that could be super easy to use but is all weak factors, basically, you know, a password is a shared secret. If it's just another shared secret, you know, by another name, you know, called MFA, you know, as I like to say, a screen door in front of a screen door doesn't do you any good in terms of protecting you from somebody getting inside, you know? 

So, on the other hand, you don't want the door key, you know, if you have two iron doors and it's, you know, you have to turn the dial, you know, 15 different combination things to get in, that's not very helpful to people who actually need to get in where they're getting in. So, some balance of, you know, high security with strong usability ends up being important. You know, the password is just, you know, one of the pieces. 

One other thing, and we can come back to it later, is probably in this...you had mentioned it early, we're not only work from home, you know, Mike's got guys, you know, working in plants, you know, and, I'm sure, using on-prem software that he's got, services and software and probably a mix of cloud things. Like he said, you have different controls. One of the big gaps is people working from wherever on a range of devices, accessing cloud applications, where I can't assume my old perimeter network controls, "Hey, they're on my network. I can trust them." 

You know, Mike's gone down the Zero Trust path already. So, you know, there's an element of that, of not only figuring out who the user is, which device are they using, and is that thing secure enough to let into whatever I'm trying to get it in. Because very often, I'm not now, you know, going through my own network. I may be VPNing in, but it's kind of unpopular, you know, to send, you know, business users who need to access a cloud application, "Okay. Log into your VPN first, then trombone out, go through the pain of logging in, go through, you know, the slow, bad user experience just to get to some SaaS application." 

So, there's a piece of kind of Zero Trust element that, you know, authentication isn't just about the person anymore, it's also authenticating a device and understanding whether that device is secure enough to let into the resources you need. So, I think when I think about MFA, I think very, very broadly. Very narrowly, it has to be easy. And then more broadly, it has to accomplish some other jobs other than just authenticating users strongly. 

Marci

So, to bridge on what Patrick is saying, Mike, what stronger authentication methods do you think we can adopt? And how do we deploy them in a way that doesn't cause more friction? 

I know, like, users just hate having all these barriers and everything. They just want seamless to get around and do their jobs and not feel like they have to, you know, deal with a million different things while just trying to get the work done, especially in an environment that they may have been accustomed to be working in and now are turning back to. So, want to think about that with us? 

Mike

Yeah. And Patrick touched on some really powerful points here. I think that for a long time, security practitioners have continuously navigated the trade-off of experience with control. And it's time that we stop accepting that it's a trade-off and work really, really hard to provide better security and better experience at the same time. 

Because when you start thinking about moving authentication, for example, from an event-driven type of approach to a continuous approach, depending on exactly what technique you use, then theoretically, you're improving the experience, and you're improving security. I think there's a lot of philosophical things that, as an industry, that we've let persist for a long period of time. 

I know that I've heard a couple of leaders tell me, "Well, nothing that you've done five years ago is probably appropriate for today." Well, Fernando Corbato invented the password in 1960 at MIT. And here we are, 61 years later, and we still...as a collective industry, we allow it, and we... And even MFA, some of the RSA implementations for MFA are almost 20 years old. So, here we are, with this massive onset of a digital revolution, and we're still allowing these, by definition in the technology, ancient technologies to persist. 

So, I think that there's a significant amount of work we need to do from a practitioner perspective to eradicate that. I also think that there are some fundamental assumptions that we've made all along about how our various IT departments, our operations departments, want every machine to be connected to each other procedurally to manage them. 

And in my mind, it's analogous to having every house in the neighborhood connected by a stream of highly flammable liquids. So, God forbid, you have one house that catches fire. All of a sudden, they all are going to. Well, that's how we build our environments today to manage our PCs. So, there's a fundamental element of having each machine on their own island, if you will. And so that we could always control the radius of any kind of attack, limit it to that machine. Because that's how ransomware spreads is through common share protocols. 

So, I think there's a lot of almost completely ground-up rethinking of, you know, the kind of stuff that companies like Amazon and Apple have been thinking about for years, but for whatever reason, in corporate America, in corporate world, we've not adopted those themes, even though our collective user base is starting to view that as normal. 

And then we immediately bifurcate the experience from what they get from a really good consumer app to what they get at work. And in reality, the two constants need to come together. So, I think from a...in my mind, authentication has to become continuous, and it has to be tremendously easy to use. And I think people... 

And of course, any factor is better than just a password. 

So, if you're starting simple, push authentication to the phone, you know, all these things that are out there that are a good...point. And I think that, you know, again, we have to collectively stop accepting the burden excuse. Because things that persist, for example...I'll give you a real case study from a Takeda perspective. When we were originally rolling out push authentication, you know, going on four or five years ago now, we heard a lot of pushback that what about the people that don't have smartphones? 

Well, and even though we don't provide a smartphone for every person, we've realized that only one percent of our users didn't have a smartphone. So, how many cycles did we waste designing for a one percent exception? So, and you think about, well, they're not going to accept the company-installed app on their personal phone. 

Well, we don't provide everybody a car either, but we figure they'll get to the office. So, we can assume that they have these devices and we can leverage them as well. So, there's a lot of tactics that I think that we can partner with our user base to accept this as a norm rather than an exception moving forward. And that includes the other continuous authentication piece that I think is where we're heading. 

Patrick

Yeah, totally agree on continuous auth, for sure. 

Marci

Very reminiscent of my PeopleSoft implementation days. There was always, like, the scenario, "Oh, let's figure out this procedure," and, like, they've never had it in 30 years. But all good. We've had a great response from our audience with a lot of interesting questions. And I want to start with Frank Iglesias's questions, because we've never been really asked this question before, and, you know, I think it's an important consideration. 

So, I'm going to lump his two questions together. I'd love your feedback. What do you recommend for ADA folks, for example, like, a blind person? And then they have some various clients that are over the age of 70 with various issues. So, you know, there's challenges at the end of the day out there. And how would you approach that for Frank's folks? 

Mike

You want to start, Patrick? You got it. 

Patrick

Sure. Yeah, that's a fascinating and a very relevant question. You know, for our company, we've really got two kind of user bases that we support. The workforce, like, you know, Mike and his employees. We also work with companies who sell, you know, apps or, you know, financial apps and things like that. And so, you know, they call it the "CIAM," the Customer Identity and Access Management, you know, scenario. 

And, you know, it's relevant in both. So, the UX thing ends up, you know, kind of being easy if I've got multiple factors and I've got to go between devices. I don't know, though. I don't actually know the perfect answer to that question. You know, I think, you know, one of it is, you know, choosing software that follows the ADA guidelines. I mean, there are actually, you know, guidelines for how to do that and making sure that, you know, in some cases, if you've got blind or seeing-impaired people, that, it can...that there's voice kinds of prompts and things like that that they can get, not necessarily from the software, but even if it's not built in the software, can read over top of it. 

So, you know, making sure the UX, you know, of whatever solution is... The way we thought about it was, you know, we put an authenticator on each device. It's a little piece of authenticator code. And, you know, if that thing's telling you, you know, and prompting you for the next steps, you know, then it's fairly easy to follow for somebody with that kind of a disability. But, you know, that's a persistent problem across, you know, tech. 

I don't know, as an industry, candidly, that we've...you know, we've made some progress there, but I would...you know, if I graded us on a, you know, A, B, C, D, E, F, and, you know, we're barely getting a C, I would imagine, at this point. So, you know, it's a good reminder to software vendors like us that, you know, we need to do better in this regard in design. You know, it's not a one percent problem, it's, you know... 

Marci

Yeah. I wanted to say that's probably definitely not a 1% problem. Well, let's just jump into our next... Oh, did you want to add something, Mike? Because we only have a couple more minutes, and I'd love to get another question in. 

Mike

The only thing I would add very, very quickly is that being that we're in the business of, as Patrick mentioned, more of a CIAM approach, where we're developing more and more applications and mobile apps for, say, our patients, one of our therapeutic areas is oncology, which tends to have a lot of older patients who are not very tech-savvy, we've invested some energy in trying to address the UX issue by going with a companion care. 

So, a verification technique where maybe the person can't authenticate, but there's someone that they know and trust that can for them. And we go through a little bit of energy of verifying their authenticity as well so that they can get some help from a caregiver. 

Marci

Perfect. Well, our last question today is... This is a question from Vaughn Hazen, and "We've seen some studies where 80% of the companies paying the ransom experience another event. My guess is, is due to the fact that they did not address the root cause of the initial infection." Good assumption. 

"Have you seen this work in what you're doing?" Have you seen this in the work overall? So, I'm going to have Patrick sort of answer that question. Are you seeing that they just didn't do a good job cleaning it up from the beginning and it's sort of, you know, a disease that just keeps getting infectious there? 

Patrick

That number seems high to me. I'd be interested in Mike. I actually don't have the exact data on that. You know, there's, you know, trust among thieves, you know, kind of thing. They're not likely to get hit by the same guys. Because if the same guys hit you multiple times, then their reputation, you know, dwindles, and the next guy that gets hit, it's like, "Well, I'm not going to pay the ransom because I'm going to..." 

They want to do everything to, you know, ensure that you actually pay. But this could be multiple different actors. So, I think, yeah, if you get hit twice, you know, you probably haven't done some of the basic hygiene stuff. Again, while the ransomware software itself has gotten more effective and more clever, the ways to get it on a system have not. 

So, it's a lot of basic hygiene. You know, it's... I don't know if, Mike, if you guys are doing any of the user education, you know, on clicking on the wrong link and all that stuff, because obviously, that's one way to get ransomware on the system. But as we've already talked about, credential theft and credential stuffing techniques and remote access tools ends up being the biggest vector. So, yeah, if they're getting hit again, it's likely hygiene. But I don't...that number seems very high to me. 

Mike

The only thing I would add is that, you know, we have to avoid, as an industry, and try really hard not to stigmatize people who get hit, because it's not a matter of if, it's when we'll all get hit. 

But I think what's happening is that people who pay a ransom, and there's a really, really good reason why a hospital would pay it, like I said before, or others would pay it, but people who pay a ransom basically demonstrate that they have control deficiencies. So, and they basically advertise themselves as a wider target. It's not just about the whole law enforcement thing. "Well, if I pay ransom because someone's been kidnapped, I'm more willing to do it again. So, I'll be targeted again." 

There's a little bit of that as well. But I think ransom payment is, generally speaking, a recognition that there are other things wrong. So, you're going to be a bigger target from that point forward because of what that exposes. So, I agree completely that a lot of this, as I said before, is let's not be so tempted to look at the new, cool, sexy stuff and focus on the basics. Patching, hygiene, and just good general practice there. 

Marci

Going back to the basics. Well, thank you, all, for joining us today, and thank you to our panelists, Patrick and Mike. We loved your conversation and all the thoughts that you shared with us today.  

Stay healthy and safe, and have some fun in the sun. And be careful of some of the places that are having a heatwave. I want to say thank you to Beyond Identity for being our sponsor today. And once again, thank you to Patrick and Mike for being our panelists.
