Who Can It Be Now?... Identity Centric Security
Wayne Hilt: Hi, everyone. Thank you for attending. My name is Wayne Hilt, Executive Director with the Office of CISO Practice at Optiv. Been in security for a little over 20 years. Most recently before coming to Optiv I was a CISO at an energy company, utility company. Before that I spent about a decade and a half in the financial services world at JP Morgan Chase, so I've been doing this a little bit, little while. And yes, in case you're wondering, I did choose the title for the song from the Men at Work song, so if it wasn't stuck in your head before, it probably is now.
All right, so let’s start by talking about passwords. According to the Verizon Data Breach Incident Report, between 2015 and 2016 the number of breaches that were directly attributable to weak or stolen passwords went from about 63% to 81%. I haven't seen the latest iteration yet, um, but I'm pretty sure it's going to be similar, and the thing is, when you add in other forms of credential compromise, privilege escalation, that sort of thing, that number pretty quickly converges on 100%. So, pretty much ever breach has some sort of identity component to it. And the problem is that sort of during and after a breach one of the things that tends to happen is we focus on what I'll call “the wrong things,” and not the wrong things because they're necessarily, they're not necessarily important at all, but they're not just the most important things.
So what we tend to do is we look at what's the vulnerability that created the incident? How do we patch our perimeter? How do we stop the bad guys from where they came into the environment? The problem is what it tends to ignore is what happened during the breach that allowed it to go from a relatively benign event, so the bad actors getting in and being fairly limited in what they can do, and turning into a much more severe one, which is generally because they were able to escalate privileges to get access to credentials, allow them to move laterally around in the environment, which fundamentally comes down to ineffective identity and access management capabilities or programs.
So here's the problem, right? So in order to executive a breach effectively one of the first things that most intruders try to do is to get an identity, right? It could be a privilege user identity, like a CIS Admin, or a Network Admin. It could be one of your executives, right? They could be doing some whaling or spear fishing, trying to get access to an executives credentials. It could be a functional account, or even just a regular user account, but it almost always starts very early in the process of a breach getting that identity. Once they capture that, either through fishing or some other form of social engineering, or maybe it's a weak or default password, we see a lot of those out there, right? People don't change passwords on systems, routers, whatever. It's really those ineffective IAM controls that allow them to move laterally around the environment and then gain access to the sensitive data that they're going after. Usually that's what they're after, is data. There may be other things. Could be financial compromise, website defacement, denial of service, whatever, but they're obviously trying to do something, and that's being able to take that identity and leverage that is what allows this to happen.
So, we all know we're spending a ton of money collectively on security, so in 2017 it was about 90 billion dollars spent globally on cyber security. You can see only about 7%, a little less than 7% was on IAM technologies and solutions. So one of the things that we get asked to do a lot at Optiv is to come in and help companies rationalize their portfolio, their security portfolios, to basically make sure that the company that we're working with is getting the most value for their investment. That they're getting a high return on that investment, and to help them reduce risk to the greatest degree, right? And the rations that you see here obviously are pretty consistent of what we see across customers and across industry, so the real question is, is that the right ratio? Should we really be spending half as much on IAM as we are on network perimeter security, or end point protections? Given that we're at an IAM conference, I'm sure you can guess that I'm going to say, “No, we shouldn't be, that's not the right ratio.”
So, before we get into the why we should be more focused on IAM, let’s talk a little bit about why we're not seeing that focus, right? So number one, people tend to think IAM is hard, right? It's complex, it's time consuming, there's lots of variables, and all those things, they can be true, but I would argue that it's because that counterbalancing value proposition isn't clearly articulated that companies tend to reject or underfund IAM initiatives and treat them as kind of high cost low value exercises. So what we see is a lot of companies will invest the bare minimum, right? They'll go with what's going to allow them to meet the regulatory compliance objectives and kind of leave it at that. We know that regulatory compliance is not the same as security, so we'll leave that out there.
Second, there tends to be a heavy focus on ROI metrics around IAM, and I'm not sure why exactly but it's always seemed to be more the case in the IAM world versus in other controlled disciplines, and it's not necessarily bad in it of itself to do that, the problem is when you get too heavily focused that way you start to lose the notion of IAM as an enabler and as a force multiplier. You kind of lose that notion of enablement, and yeah, and force multiplication, right? And we'll talk a little bit more about that on a bit.
Third, there's, you know, IAM programs frequently tend to get distributed across organizational units, and I don't know about you, but I've experienced when you start to get, cross lots of business units you get politics involved, right? That can be, there can be conflicts over ownership, and that just creates some additional layers of challenges around IAMs specifically. And last but not least, a lot of companies have been through previous IAM initiatives, and they may have been narrowly focused or tactical in nature, but there's this tendency to assume, “Oh, we've already done that, right? We've had an IAM program, we've solved that, why are we spending more money on IAM, that should be a done thing.”
So, what are some of the consequences of that lack of focus, right? One of the biggest issues is if like me you think of IAM as a business enabler, you reduce your ability to support business initiatives when you take that focus away, and specifically when you start to think about moving workloads and data into the cloud. There's a whole different set of identity challenges when you do that, and even if you're doing a decent job of managing identity in the traditional sense on premise, that may not translate to the cloud, and if you're not doing it well on, you know, though on premise, traditional IAM approaches, you're probably not going to be better at it just because you went to the cloud, right? And with all the identities that we have to manage, and as things move outside the traditional perimeter that we've kind of worked within, you risk more. When you think about things like IOT and Cloud and mobile, and all these things that kind of create that lack of a definable perimeter, you really risk more frequent and more severe breaches, especially if your IAM program is ineffective.
Like I said before, even though compliance isn't the same as security, it's still important, right? We do still need to meet those obligations, and recognize that almost all audit findings are in some form or fashion tied back to some form of inappropriate access, which gets us back to IAM.
The reality is that IAM spans across every security initiative in your organization in some form or fashion. So I'm not going to talk about all of these, but I'll hit on a few them. So, advanced threat. Most advanced threat actors have a heavy focus on kind of flying under the radar, being undetected, and one of the best ways for them to do that is to compromise existing credentials to be able to impersonate a legitimate user, or maybe to get some sort of privileged escalation so they can create accounts that help them fly under the radar.
Mobility, right? We just talked about as that very mobile workforce continues to be enabled, and those boundaries blur, knowing who's accessing your data, from where and how is absolutely critical to the security of your environment.
Third party risk, right? We all have heard the adage of “You're only as strong as your weakest link." We've seen the breaches that have happened because of poor third party management, and I've even seen in my experience companies that do a really good job managing their employee contractor identities, and the identities of their third party vendors, partners are an afterthought, and that's a problem, right?
Insider threats, right? I'll come back to this a little bit more later, because I think it's interesting when we talk about insiders. With that sort of dissolving perimeter, kind of argue that there aren't really insiders and outsiders anymore, right? There's different levels of access, there's different contexts, so we'll talk a little bit more about that in a minute.
And last, Internet of Things, right? There's estimated to be 20 billion Internet of Things devices by 2020, and those devices are prime real estate for bad actors. We've seen default hard coded passwords, weak passwords, just overall lax security around a lot of Internet of Things devices, and so there's a lot of opportunity there for improved identity management around Internet of Things devices.
So basically IAM needs to evolve from the older kind of premise based models, and this notion of identity as the new perimeter, and you hear that used a lot, but I kind of think of this as sort of an outdated model, right? Yes, it's helpful in providing a context that helps traditional security practitioners who've worked in network security and vulnerability management to understand why identity's important, but it kind of misses a little bit of the point I think, right? It's ... And what I would say is, identity needs to become the core of your security program, not just an afterthought or a bolt on, right? It needs to help us define the language of security, and we'll talk a little bit about how we get there, but ultimately this, doing this will help you create a program that is greater than the sum of the parts, right?
So how do we win the war? You know, going back to that ROI conversation we need to start discussing and understanding IAM as a business-enabler. If we aren't effectively identity, then we're sub-optimizing all the rest of the investments that we're doing in our security portfolio. So to really get true value we need to start thinking a little differently. When we do start to think that way we can create that force multiplier effect.
And like I said before, this notion of insider versus outsider, you know, I would argue that those concepts really aren't that meaningful any longer. There's identities, there's contexts, and this notion of employee versus vendor versus contractor, or insider versus outsider. You can have individuals who are all those things at various times and in different contexts. So I think we need to sort of rethink that notion of the insider. And when the boundaries have dissipated as we know they have, I think those perimeter technologies, while they're still important, I'm not saying go out and throw your firewalls away, but those become a little bit less the focus. I think you start to see identity coming its own as the key control point for securing our environments.
And again, not losing sight of the compliance side of things, effective IAM can really help you in being successful in your compliance, especially your regulatory compliance obligations. In fact, when you look at NYDSF is a good example. It really tackles head on this notion of how access should be limited, especially around non-public information. Requiring regular access reviews, it even goes into giving guidance around multi-factor authentication. When you think about GDPR, some of the key tenets of GDPR are really predicated on effective identity management. The ability to restrict access to personal data to ensure that it's only used for which it was collected. And effectively controlling that data throughout its lifecycle. You just can't do those things without effective identity management. When you dig deeper into those, you realize it's just absolutely critical. This isn't a "nice to have." It's foundational to successful compliance program.
So let's talk a little bit about the future. This is identity-centric or defined security. This is kind of a model that puts IAM front and center. It's not a bolt-on to the side of your program, it's not one of many modules. It's the foundation. Just keep in mind these components, the access management, again, the governance administration, identity directory services. Those aren't limited to the ones that are kind of offshoots from them. They touch all of those items in that concentric ring outside of it.
I like to think in this model, IAM is like the skeleton, right? It's the piece that yes, you can have some level of security with all the other pieces there, but when you leverage IAM as that skeleton that holds it all together, then you start to do that multiplier effect. When you do that, a whole slew of improvement opportunities present themselves. Things like better streamlining of an automation, an incident response and vulnerability or remediation. Better adaptive authentication, so you know, you can improve user experience while still maintaining higher levels of security where it's required. I mean, there are just tons of use cases that come out of rethinking security with this identity-centric model.
So how do we go about implementing an identity-centric model in practical terms? So this is where the Identity Defined Security Alliance comes in. The IDSA is an organization of member companies that was established to become an independent source of education and information on identity-centric strategies. We do that through harnessing our collective experience, through ongoing discussion and collaboration, creating awareness and, most importantly, developing best practices, use cases, integrations, tools and resources across vendors. The ultimately goal here is to have that 20% of organizations who are leading the charge on this. The ones who are already kind of down the road in this identity-centric model to help uplift the 80% who are still kind of maturing. And helping to better the community and sharing some of the successes that have been had through some of these collaborative integrations.
So here's the current 17 members of the IDSA. You can see they can span across IAM, cybersecurity vendors more broadly, we've even got a couple of customers from an advisory board perspective. One thing I ask is, if you don't see one of your vendors or partners listed here, encourage them to get engaged. The more inclusion we have in this kind of alliance, the more effective integrations and use cases that can be built out of that. So at this point I'm going to turn it over to Stephen Lee from Okta and Jake Reynolds from LogRhythm who are going to take us through a demo and give you kind of a real world view of the kinds of use cases that the IDSA is focused on.
Stephen Lee: Thanks, Wayne. So it's mostly Jake's that going to be doing the talking, since my name was outside I figured I better talk a little bit about, at least, Okta's involvement in IDSA. So, I mean, everything that Wayne has said, if you think about the Okta Integration Network, what it's all about, really a lot of it has to do with our ability to integrate with a lot of these partners. If you think about the list of members that are there, it's very likely that you have one or two or three or maybe even four of those products that are running. And I have always felt that, you know, as an identity guy at Okta, before Okta I used to work at another company, it starts with the letter "O."
I always feel like we owe it to customers to tell them how to use certain technologies. Especially now when you have all these different products and best of breed products. It's not easy to figure out how to put these things together. I remember a year ago when we decided to join the IDSA, it was right around the same time ... Right around Oktane, it was right around the time when we renamed the Okta application network and the Okta integration network. It was almost a no-brainer for me to basically tell folks at Okta that "Hey, we should be a part of IDSA." We are already integrated with a lot of these folks.
As you can see up there were also some kind of competitors and with overlapping features, but I guarantee you, when we walk into the room with all the members, we take our competitive hats off. It's really about solving use cases. I see there being a ton of promise in this, because every time I go into that room I know is the who's who of the identity and security space. We're going through a lot of use cases. We're trying to define the use cases, we're trying to get feedback from customers to really understand what it is that you're trying to solve, and, hopefully, be able to present you with a compelling story. Or at least give you an example of how you could use these products and then leave it up to your creativity to take over. But we need to give you some help, give you some guidance to start with.
One such example is what Jake is going to go through today, which is a demo with these four vendors that are out there, including Okta. So with that, I'll hand it over to Jake.
Jake Reynolds: All right, thanks Stephen. So, let's quickly run over to our browser. So this is a live demo. So as you can see, we've got our IDSA Okta portal here. Most of you should be familiar with this interface. We'll start off. Here we've got our single sign-on and MFA. I've got it set up to automatically push to here. And, of course, it helps if my phone is unlocked. So where'd we go? Took care of it for me. All right.
So in this case, we've got a relatively light portal and it's because we're trying to highlight the specific integrations between these vendors, so typically you'll have a lot more applications in here, but in this case maybe I'm systems admin, or typically what I do, security operations, incident response stuff. I've got privileged access in case I need to respond to something. So we get quick, easy access to CyberArk which we'll pull up in moment here. And right away we can see my privileged access, in this case I've got ... I can get into the Unix system and do what I need to do to investigate something there. I'm going to go ahead and sign out of there.
Let's say, you know, some time goes by and later on I become a disgruntled employee. At this point maybe I'm not happy doing what I'm doing for ID Allied Probe and since I've had privileged access, I decide maybe I want to go out with a bang. I'm going to pivot over into AWS. In this case, Netskope provides a protection on that side, right? So everything that I'm going to do in AWS is going to get logged and ... Here, where you will come in and say, "Hey, I'm on my way out, I've checked out of the company, I'm not interested anymore, but I'm going to cause as much damage as I can on the way." I'm going to start stopping instances. So yeah, I'm going to turn that off. Oh, well that didn't work. Let me give that another try. Yeah, see. So in this case Netskope is preventing us from performing this action.
Let me go ahead and quit out of here. So this gives us kind of that threat remediation use case that we're discussing. So we've got Netskope, Okta, CyberArk, they're feeding all their logs and activity into the LogRhythm analytics platform. In this case Okta's going to give us a single sign on MFA, Netskope provides coverage across our cloud applications, right? They're our CASB. CyberArk keeps an eye on our privileged access. So all of this comes together, feeds in to LogRhythm and we can correlate these data sources along with anything else that you have coming in.
So in this example, I'm now happy employee turned insider threat. We can take these block actions that Netscape sends us. We've got our Okta dashboard here. Interesting if I'm the identity guy, but in this case, I'm a security analyst. I'm more concerned with alarms as the day goes on.
So right here we have indication of a compromise. Multiple attempts to stop cloud resources. We get all of the contextual data that we need out of Netskope right here. The incident's name that's involved, the end user, what they're trying to do.
And in this case, I'm requiring human intervention for the sake of a demo, but if you trust the analytics or you have resources that are key enough ... This can, of course, be fully automated. We could reach out to the cyber arch response manager and revoke that privileged access.
In a moment, once we hear back from the Python script there, we should have confirmation that Karms reached out to the component server and in theory he's blocked me. So right now I can actually confirm that, right? We were able to get into cyber arch a minute ago, take a look at what passwords I have. The one Unix box. And it's taking a little bit longer to load this time. That may be a good sign. Or it could be the nature of live demo. There we go. It's passing the SAML token. And I can't get in, right?
So by picking up telemetry elsewhere in our environment and detecting a potential threat, while we may not, in this case we may not be able to interrupt an ongoing session, we can lock that down and prevent lateral movement problems elsewhere in the environment.
So I think that's about it. Does anyone have any questions? We've got plenty of time for Q&A.
Wayne Hilt: Yeah, one thing I'll say. This is the kind of example when I think about it from a perspective of a SISO, right? The fact that we can get this level of integration, that you can take activity that's happening and your CASB can pick it up, you can log it, you can either manually or automated for your SOX analyst to go in and disable that access, right? That's a tremendous value, and that's where I was talking about earlier about that more than the sum of the parts. You can enable better efficiency with your resources, you can enable more timely response. Limiting, containing and mitigating incidents much more quickly. And that's just one example.
This, to me, is where you start to really see the true value of that identity-centric model.
Stephen Lee: The only thing I'll add to that is, like I said, it's an extremely powerful consortium of players. If you think about some of the logos that showed up this morning at Todd's keynote, think about F5, think about the big VMware announcement that we've done, those are all members. And we really see a lot of opportunities.
And as Wayne pointed out, the aim is to grow this, to bring in more players. You do see some vendors missing up there, and you come to us and say, hey Okta, I really feel like this vendor should be there because they provide one of the slices, or maybe multiple slices, of that IAM pie that Wayne showed earlier. Let us know. We're trying to grow this consortium to be a very effective and very efficient way of delivering solutions, giving recommendations.
And really, the end benefit is not for me, it's not for Wayne, it's not for Jake. It's for you guys to be able to solve your problems. To me, everything's got to be very use-case driven. We can't be, as vendors, theoretical about what the products can potentially do.
In this case, it's an AWS story. So when I pitch this to somebody, I'm basically telling them, hey, what you're trying to do if you have some sort of AWS deployment, maybe this can also lend itself to a GCP environment or a Azure environment. How do you want to protect those? Do you have a SecOps instant response type of an initiative? And then we can pull some of these products in.
And sometimes it spills over to products outside of the idea, because maybe there are products out there that are not as security focused. You think about something like ServiceNow SecOps doing some of that instant response, or maybe you have your own work flow.
The idea really here is to come up with scenarios and to be able to give you samples to guide you through. We're doing more and more of these. If you think about ... I think it was a couple weeks ago that we were on a road show with CyberArk and SalePoint, again, doing something very similar. Where you put three products, all three including Okta, IDSA members, to come up with a solution that would help you around privileged account. But there's also the governance piece that goes with the privileged account and then Okta providing that single sign-on.
So this is all extremely interesting stuff for me and my team. My team basically leads all of the ISV integrations that we do here at Okta. So the OIN is basically my job.
So, yeah. Very excited about this opportunity. We've got a couple minutes left, so any questions? Feel free to ask us.
Audience 1: You'll have to forgive me if this question is a little naïve. Some of these technologies are new to me. But I'm wondering what NetSkope offers over something like Amazon AWS, IAM, or GCP's IAM permissions. I didn't quite understand that.
Stephen Lee: So NetSkope is a CASB product. And you're looking ... And what, really, it does is it kind of fills that gap between the identity provider and the service provider, in this case AWS IAM.
So within AWS IAM, it manages users. You can manage different types of roles that would authorize people to carry out different activities within AWS. But there are specific things that you do. In this case it's not so much that ... You can certainly take that privilege away from the user so he or she couldn't stop an instance, but there are cases where maybe it's okay for the person to stop one instance, but it's a little weird if a person is trying to stop 15 instances within the span of 30 seconds or a minute.
So what products like NetSkope does is it basically has an inline proxy that's seeing all the flows, what the end user's actually doing. And it's able to monitor something in addition to what AWS IAM would do. So, if you were to take something outside of AWS, say Salesforce or Office 365, and you put NetSkope on that, that's exactly what it does. Those products, they have their own authorization model in terms of what the user can do, but then there's what the person's actually doing at run time.
So, you could be going to Salesforce looking at a lead and maybe that's perfectly fine. Maybe you're downloading a certain file, some sort of legal agreement that's tied to that account. Maybe that's also fine. But maybe you're doing it many times or you're doing it across multiple different laptops. Something like NetSkope has the ability to see that sort of run time traffic.
So it gives you a little bit more in addition to what the service providers give you. That's why we look at that ... If you look at that diagram for this particular example, Netskope was able to give us additional insight about what the person was doing within AWS. So Okta signs you in, gives you MFA, we SAML into AWS, that's where we sort of hand off the control. AWS IAM has its own set of policies, but there's sort of that little gap in between. NetSkope is able to provide that data which is tremendously useful. You look at a lot of the CASB products, that's basically what they do.
No? No more questions.
Like I said, a lot of the partners are on the expo floors. I'll be roaming around, so don't hesitate to come and find us and ask us questions. And I guess with that, I'll give everyone a couple extra minutes to get to the next session.
Wayne Hilt: Thanks, everyone.
Breaches happen because most organizations treat identity management as a ‘necessary evil’ rather than a fundamental, core enabler of an effective security program. Today, security organizations spend the majority of their time and energy preventing, detecting, and responding to intrusions. No matter how the intrusion begins, identity compromise and privilege escalation is a key factor. What if you could reduce the time to detect and mitigate intrusions through intelligent correlation and an integrated control framework? In this session, you’ll hear from former CISO and Optiv Executive Director Wayne Hilt on why an identity centric approach to security should be top of mind for all CISOs and security organizations, and you’ll get to see it in action thanks to Okta’s Stephen Lee and Optiv technology partners CyberArk, LogRhythm and Netskope.