Panel on Eliminating Passwords and Other Ways to Stop Ransomware
Listen to the following security experts share their insights in the webinar:
- Patrick McBride, Chief Marketing Officer at Beyond Identity
- John McClure, CISO at Sinclair Broadcast Group, Inc
- Ilya Pazharsky, Sr., Director of Security and Compliance at Epiq
- Sujeet Bambawalle, CISO at 7-11
- Husnain Bajwa, Senior Manager of Global Sales Engineering at Beyond Identity
Transcription
Patrick McBride
Hi, I'm Patrick McBride. I'm the chief marketing officer at Beyond Identity. I've actually spent, you know, a fair amount of my career being on the other side of the fence, having been a CIO and a CISO in past lives as well. So I spent about 25 years in and around cybersecurity. Really excited to be moderating a panel upcoming. The title of the panel is called, "Shut the Front Door! Eliminating Passwords and Other Ways to Stop Ransomware Threats."
And we're really gonna dig into that topic and others that are facing many of you. I'm welcoming you today. Like many of you, I'm working at home on my back deck in suburban Northern Virginia. Our offices are actually in New York and Dallas, but we're not in the office today, like many of you who are working from home.
In terms of the content that we're going to cover, we've got a great panel and we're going to really dig into the ransomware question and look at what people are doing to help prevent it. Actually, we're going to start with, you know, is the topic actually overblown? You know, what is the actual risk level? Does it change by size of company? Does it change by the type of company or industry you're in? That sort of thing.
Kind of dig into that topic a little bit and think about what's that look like today? What might that look like moving forward? So we'll ask our experts some questions along those lines.
Then we'll kind of switch gears a little bit and talk about what the biggest vulnerabilities are. What are the things that are leading into these ransomware attacks? You know, where are you most vulnerable to them and other attacks? We'll try to put this, you know, the ransomware threat in context with some of the other things that you're also facing on a continuous basis and understand that.
We'll talk to the panel a lot about what they've already done to protect themselves, kind of what were the key moves that they've already making, and what are they thinking about doing moving forward to reduce this risk, or, effectively deal with the risk post-facto if they can't prevent it or what are they doing to recover from it quickly, etc.?
And how are they kind of thinking about the idea of paying or not paying the ransom in ransomware attacks? And then we're going to talk a little bit about, you know, the role that credential theft, you know, plays in many of these kinds of attacks, not only ransomware, but they tend to be the through-line, really, the attack vector of choice for adversaries along the way.
So talk about how passwords and other credentials play in that and what you can do with stronger authentication practices and, you know, talk a little bit about what an ideal solution might look like. I think we'll end up bumping into, as we will clearly do moving forward, into a discussion on zero trust and how strong authentication plays into zero trust. As many of you know, zero trust is a concept, you know, an important way of thinking about protecting yourself, but it's not a product.
So, you know, what is the panel thinking about from, you know, getting started with zero trust, how are they approaching that problem, etc.? So looking forward to being with you, to asking some really hard questions to a really great panel, and getting some questions from the audience. So I certainly would hope that you guys prepare some in advance or, or come ready to dig in and provide some additional questions to the panel, because I'd like to open it up to that as well.
Take care, and I look forward to seeing you at the event. Awesome. Well, first of all, everybody, welcome to the CIO/CISO East Virtual Summit. We're all excited to be here. I'm particularly excited. I've got an awesome panel to work with today. Our presentation title is "Shut the Front Door! Eliminating Passwords and Other Ways to Stop Ransomware."
We may agree or not agree, but we're going to have, I'm sure, a lively discussion. What I'll do first is just ask each of our panelists to introduce themselves, and we'll start with Sujeet.
Sujeet Bambawalle
Thank you very much, Patrick. Good afternoon, everyone. My name is Sujeet Bambawalle. I'm the chief information security officer at 7-11, and I'm honored to be a part of this group.
Patrick
Fantastic. Thanks, Sujeet. John?
John McClure
Yeah, good afternoon. Thank you, Patrick. My name is John McClure. I'm the chief information officer at the Sinclair Broadcast Group, recently named to the Fortune 500, and look forward to talking to everybody on the call.
Patrick
Fantastic. Ilya?
Ilya Pozharsky, Sr.
How's everybody doing? This is Ilya Pozharsky. I'm the senior director of security and compliance solutions here at Epiq Global.
Patrick
And Husnain?
Husnain
I'm Husnain Bajwa. People often call me HB. I'm responsible for global sales engineering at Beyond Identity.
Patrick
Fantastic. And I'm the chief marketing officer at Beyond Identity with a fairly long career in cybersecurity and this topic that is pretty timely. We are, you know, recently on the heels of the Colonial Pipeline and the JBS attack. And I think we all on the panel know that this has been going on for a while, but it sure caught the attention of Americans and actually a worldwide audience.
When you make the gas prices go up or make the meat more expensive all of a sudden, it really gets everybody's attention. And then we had the Kaseya ransomware, over July 4th weekend interrupt a whole lot of folks'...unfortunately their vacation time over at July 4th weekend here with a, really, it was a ransomware variant of a supply chain attack.
So, you know, it was using a software component called their Virtual Systems Administrator, really, to deliver REvil ransomware. So we ended up, you know, we have, you know, all kinds of things going on, some changes in tactics, some new things, and really have some cool stuff to talk with the panel about. What I wanted to start with though since a lot of us have spent long careers in cybersecurity, is this just a blip or are we really kind of overplaying the topic?
Is it overblown or is it as bad as we kind of think it is? And let me, you know, we'll go around the horn again, but, Sujeet, do you want to comment on that first?
Sujeet
I think this topic is causing real harm to a lot of businesses, and it's not overplayed in terms of the financial damages that it has caused and the way that it has changed the nature of the industry. It has changed the nature of cybersecurity insurance.
There are a lot of insurers today who are hesitant to accept their part in events like these, and arguments could be made on both sides with regards to that topic. It has certainly called a lot of attention towards forming an opinion about one's place in one's partner ecosystem, because in many cases, the old proverb of the weakest link in the chain has been coming to life.
It's not well-protected organizations that have been attacked successfully in this context, but parts of their ecosystem that may not have been as well protected or as well scrutinized from a security lens that have fallen prey to threat actor tactics. So is it overplayed?
No, I think it has caused a significant change in the way we perceive things. It has caused a significant focus on the actual cost of information security, and it has helped quantify ROI as well as risk in a very dollars and cents form.
Patrick
Fantastic. John, you recently started with a new organization, so you've got a foot in a brand new camp with a very large broadcasting company and then another foot, close memories of being in an EDU space. Now, what does that look like to you?
Is it overblown, you know, in either of those sets of glasses?
John
Yeah, I don't think it is. I think, you know, obviously, some agreement what was said earlier. But I don't think it's overblown. I think, if anything, it really put a much-needed light on cybersecurity. In the past, I think, unfortunately, some very, very smart cyber people have continued to talk cyber to their boards and to their leadership, and, you know, that doesn't resonate, right?
As well as something that we can very easily quantify, things that are making the headlines, things are that they understand. They understand the business can't run today. That's very easy for them to understand how that could be impactful to the business. And the tactics surely have changed.
I mean, not only have the vectors changed through your apps for attack, but even if you pay the ransom, right? I mean, you see, okay, pay your ransom, but also, we're still going to go auction off your data, so go also now and try to buy back the data that's going to be released on the dark web. So I think, if anything, it's brought a real light to things.
Hopefully, it is being seen by the business at the right level of severity, and that it actually brings the CISOs or the folks that are representing risk in these organizations in front of the board, right? And in front of other parts of the business that needs to clearly and continually understand that this is a risk that can't be just addressed once, right?
It's a continual area that evolves very quickly. So I don't think it's been overblown. I do think there were some interesting comments that were just made about the insurance market. You saw some insurers stop even providing coverage for some ransomware attacks, and then you saw one of the larger insurers in the business fall victim to it, right, with Aon.
So that hardening of the market in the insurance market has been, I think, expected, and it'll be interesting to see what new risk approaches and risk mitigation approaches companies start taking if you take that insurance piece off the table.
Because for a lot of companies, that was one of their primary measures to reduce some of that risk to the business. So I don't think it's overblown. If anything, I think it's putting some much necessary light on the topic.
Patrick
Totally, man. Ilya, you get a chance to talk to lots of clients across different industries. What's been resonating there?
Ilya
Yeah. You know, what both gentlemen said before me is spot on. The focus on ransomware a lot of times is thought on as far as data, right? And data is obviously a big impact when you start encrypting the lifeblood, a lot of organizations, which is their crown jewel, is in their data itself. And a lot of times that's why insurers are concerned about the exponential costs of providing cyber insurance for these types of cases, because especially when privacy data or any sort of regulatory data is breached and impacted, those costs can really grow exponentially.
Because depending on where you are on the world impact, the result of breaches like that will have different financial implications. One thing we haven't talked about but you mentioned before, Patrick, around the Pipeline attack that happened before, critical infrastructure is something that isn't really thought of a lot of times when we're thinking about ransomware.
And that's really where some of the biggest impact can really occur, and that's also where, traditionally, the least amount of security has been in place. People are always thinking about how do I protect my data assets? That's something that traditionally has been thought of for quite a bit of time, but when you start thinking about IoT and OT, those simple devices that can really be, first of all, a great attack vector, but then also can be the pieces that, if not properly segmented, can really go out and start attacking critical infrastructure that can really cause some great harm across the board for organizations.
So I don't think this is overblown at all. I think it's, as, John, you mentioned, put a good spotlight on the challenges that the world is dealing with today, right? Because we always know about that analogy of we have to be right every time as those folks who are on the defense side, they have to be right once.
But they have a lot more tries than we do. So because of that, it's really become a big challenge, and it's not a one-stop shop as far as, how do you defend against this? This is really about a defense in depth methodology, and organizations really need to start thinking about that.
And, you know, the spotlight is really an important thing. Just recently, the presidential administration released a new executive order as far as how all organizations within the fed need to look at cybersecurity. That's also true from the Department of Defense. There's a cybersecurity certification that's been released and put in effect late last year, where now all companies, not just the fed, but those who are vendors for the Department of Defense need to get a certification in order to be awarded any new RFIs.
So there's been a good spotlight so that we've had some good results, some good traction going, but we're not there yet, right? There's, you know, John, you mentioned before, and Sujeet as well, that weakest link is out there. And we really need to be able to, first of all, harden those weak links, but also segment ourselves in the right way so that when there is an impact, not if, when there is a breach, because as I said before, they only have to be right once, we have the appropriate ways to mitigate the impact of that breach.
Patrick
Excellent. The whole OT aspect of it is pretty near and dear. I spent a fair amount of time in that market and it's true. It's the kind of the soft white underbelly. It was interesting in the Colonial Pipeline initiative. Apparently, it didn't actually bring the Pipeline down. They took it offline, kind of an abundance of caution at first, and then as we found out, you know, also because the billing system, you know, they couldn't figure out and track where deliveries were going, so they couldn't build form.
So they had a, you know, obviously a very direct and present revenue impact. HB, we've hit a couple of things, anything to add there, and maybe even in some of the tactics that we're seeing moving forward?
Husnain
Yeah, absolutely. So I think one of the interesting sort of highlights that ransomware brings to the table is that it's a very sexy and popular media-friendly kind of topic, right? Like, as first-generation immigrants, I learned most about American culture from "Law and Order."
And the number of extortion cases on there was huge. And so it's a hot, sexy topic, so I don't think it can ever really be overblown. But when you look at the amount of money that's involved and the mechanisms for transformation that have become available over the past decade, it brings to light a really important situational awareness topic that we've sort of missed across cyber security.
That cybersecurity has still been mostly, like, sort of the bastion of nerds and kind of specialists. And I think this is a really clear case where you can see that in the '80s and '90s, you might've had people doing it for fun and fame, but in the 2000s and definitely, the 2020s, what we're seeing is people doing it for fortune and force.
So with the combination of nation-state actors and cartels involved, the evolution of this ransomware and the progressive sophistication and ability to leverage zero-days that are extremely expensive and push up that ransom threshold from, like, sub 50,000 to well over 100,000 and in individualized cases above 10 million, it's a real transformation.
And the sophistication is really key. The fact that they've introduced ransomware as a service and also sort of leverage these exfiltration-first models, there was a time when people would lock down your data, and it was really an offshoot of the personal attacks that people were doing.
The fact that people are now doing these exfil-first attacks where they're taking the data earlier, it creates real problems. You see a lot of regulatory pressure to shut down insurance payments, so you can get fined if you pay the insurance and ransom, you can get fined if your data is compromised and leaked.
And the attackers are so sophisticated that they use name and shame techniques so it's really brand impact as well. So there are so many levels of the attack that have merged, and we're only at the very beginning of this. So I think there's a lot to talk about in terms of security hygiene, who builds the cyber security frameworks, and investments in these kinds of areas.
Patrick
Let me throw this one out to Sujeet and John. I mean, Sujeet, you've got a massive infrastructure that you end up having to protect. And HB said, you know, was talking about the level of sophistication of the attackers.
John, you're in kind of at the same boat. It's interesting, I'm wondering if, and that they have used some really interesting combinations of zero-days, but is that the big vulnerability or is it more mundane things?
Sujeet
I don't think that threat actors are burning through expensive zero-days to get malware infections into complex networks. Burning an expensive zero-day is a very expensive and sometimes a tactically irresponsible proposition. The average malware that you can customize is about $250 on the dark web.
With a hex editor, you can change enough attributes in it to make it your own, and with some luck, you'll evade vanilla endpoint detection and response.
How you get it into a infrastructure, how you get it into an environment is entirely your creativity. And information security teams and a lot of the narrative around this is around people-centric security.
So I think that's an important aspect of this because, you know, water cooler attacks have been around as a phrase for many, many, many years. I think they've really manifested now when we have seen them come and position themself as the actual threat surfaces used in these cases.
Zero-days per se being used for delivering a ransomware payload is a method of doing things but it's not the most effective method of doing things. Because once you do that pomp and pageantry, there comes so much of a spotlight on that platform, that mode of delivery, that you can almost never use it again.
And that's why burning an expensive zero-day is not a smart proposition if you're a threat actor. On the flip side, and I have to call this out because I've seen it in more than one cases, I think one of the good parts about what we saw recently is it actually brought the information security cohort closer together.
I think ransomware was one of the best uses of the phrase, "We are fighting a common enemy," right? Because it's not competing. It's not me against X, against Y, against Z in terms of getting revenue, saving revenue, getting customers, reducing customer acquisition costs, and so on and so forth. It is about all of us banding together really quickly and pushing away the threat as best as we can by sharing IOCs, by sharing things that we find, by sharing behaviors that we have seen in our networks.
So I think that is a very good way of seeing this. Another perhaps positive way of looking at this is that we have seen, or the industry in general, has seen a lot of creativity in terms of following your newly remote workers home, and understanding their environments in the context of if ransomware can creep in.
There's a lot of rhetoric about, well, is my printer secure and is X secure, and is my Y secure and my Z secure, right? But when you think about it in terms of, oh, my God, this could be a threat vector to get ransomware on your machine, that accelerates the USB drive locking, that accelerates the DLP discussion, that accelerates the email security discussion a lot better and a lot faster, because that risk is now quantified, it's tangible, and it's real.
Patrick
Yeah, totally understand. Or even going down the list as you get to other things, you're RDP brute-forcing, you know, ends up being one of the more popular attack factors. John, you've got new glasses again. I mean, you're interesting because you get a look on, you know, where I was and where I am now that you're looking at that, you know, it's your older, your new infrastructure that you have to protect.
Where do you, you know, how do you calculate where the big vulnerabilities are?
John
Yeah. A few thoughts. So to your point, I was in the education space for about six years before starting at Sinclair very recently. And before that, I supported primarily the intelligence community space for over 20 years. And so, definitely have some different perspectives on how that's looked both in a classified environment as well as a non-classified environment.
And, agreed, you know, there is no... I mean, first, even if we talk about the actors, right, generally these aren't nation-state actors who are actually performing ransomware. It's more on the cybercrime side where their economy for themselves is just as important. They're not out there buying zero-days or burning zero-days.
Well, there surely might be nation-states ignoring what's happening within their countries. These aren't normally nation-state-sponsored activity. And why bother with zero-day? I mean, there are so many other vectors that are available and continue to prove successful, right? Why go do the hard thing?
I think that, you know, there is the ABCs that I think historically organizations have been challenged with, right? Simple things. I know we're going to get even more into identity today, not that that's necessarily an easy thing, but it's a building block of a good cyber program. Vulnerability management, building block of a great cyber security program.
And I think sometimes we get distracted by these shiny new things, whether it's, "Hey, let's go start doing full packet capture and starting to decrypt all our traffic and look for payload X and Y," while in reality, how about, at least let's go patch some systems, right? Let's get a better understanding of our assets to include our identities.
And so, I don't think, well, while I think everybody can be in tune with zero-days, first of all, it's a zero-day, so there's nothing for you to do, right, except almost be a victim, unless you're not doing some of those other things. So I don't think it's an area that we need to spend a ton of time being concerned about.
And generally, again, you're not going to be the target of a super-advanced attack. None of these attacks are extremely sophisticated, right? Are they hard to detect? Are they easier? But they're not as complex when you really break down the vulnerabilities and risks being taken advantage of.
It's rarely like, oh, my God, this would have been impossible to defend against, right? I think a lot of times we're just missing some core focus on risk reduction that we can do with a lot of what we already have, and continuing to focus on those big pieces that make it all better.
Again, vuln management, identity, asset management, you name it. So I think in some ways, zero-days, especially in the commercial space is, again, it's interesting and to use a word from HB, it's sexy, right? People get focused on it, but in reality, rarely is that leveraged in the commercial space.
Patrick
Ilya, any quick thoughts on that?
Ilya
Yeah. And, you know, zero-days are definitely a challenge, right? But as John said, right, it's a zero-day, so the bigger issue isn't about the fact that you got impacted by zero-days. What did that zero-day do after it got into your network? And I think one of the biggest challenges that organizations have as a whole is overpermissioning of their environment.
Traditionally, everyone felt, you know, we got these four proverbial walls around our network, we're safe as long as we keep the bad guys outside. But we know the bad guys are going to be inside no matter what, and we've specifically, on purpose, created a lot of holes in our network, even from the COVID pandemic, even before that with mobile devices, access from home, so on and so forth.
So a big challenge that we have is how do we look inside of our networks and ensure that we, and I used that term before, segment ourselves properly and only provide the appropriate permissions to each, not just individual, but service that we're using, applications that we're using, and continue to ensure that we're locking down our systems so that when there is an impact to our environment, we're keeping it at the appropriate level or as small of an impact as possible?
As we said before, you're not going to defend yourselves 100% against these cyber-attacks, but it's about how quickly can you detect them and respond to them in an appropriate way so that you can indeed keep them from proliferating throughout your environment.
Patrick
Yeah. To John's point, we ended up calling this thing "Shut the Front Door!" you know, just for a little bit of marketing effect, of course, but, you know, protection on the front end, whether it's through vulnerably management or other things. HB, let me switch gears a little bit with you and get you to talk a little bit about what you, you know, where credential theft and that sort of thing, and stronger authentication... John already mentioned identity, and those obviously are close cousins.
How do you think about that as it applies particularly to the ransomware topic?
Husnain
I think the truth of the matter is that when you look at sort of protect, detect, and respond kind of paradigms, the protection is often based on what Sujeet, John, and Ilya were indicating.
The very basic sort of hygiene cleanup kind of stuff that you can do, right? Like passwords, patches, and MFA can be the three biggest challenges with most organizations, especially when they're smaller in size. The other challenge though, is that you can only protect so much.
You also need to sort of have that detect and response model. And so, I think the zero-day thing probably got a little bit off track. I didn't mean to suggest that, like, zero-days are rampant, but the reality is that it's not a matter of if, it's about when. And the degree to which you're impacted, the blast radius of impact, it's really important to minimize that.
And so, the earliest point, like, all of these approaches that we've used, that overpermission, the interior of the network, and create sort of broad trusted zones, and then globally connect them using, you know, fancy networks and, really, like, expand that, like, lateral movement surface to a problematic degree, you have to start containing that and you have to start containing the threat from credential stuffing and credential harvesting that goes on.
And so, moving towards strong auth is supercritical, but we've generally avoided certificate-based authentication in many environments, especially on an end-user basis. But you look at, like, what X.509 was originally designed for, it was designed for end-user authentication.
So introducing strong authentication, mitigating that credential attack vector, and protecting your network and eliminating all of these, like, you know, weak RDP nodes that are easily detected using showdown or census or whatever your attack surface detection portfolio preference is.
I think those are sort of keys to making the situation better.
Patrick
Anybody who's ever done the Shodan search, you know, it gets their eyes open very quickly. Hey, Sujeet, as you think about this particular thing, you had talked about to some extent there's a little bit of, I wouldn't like, probably the wrong phraseology, but a bit of a perfect storm in being able to translate what we need to do to protect our networks to the board and to the C-suite, etc., and as you said, make the ROI justifications with a much finer grain acuity in terms of what we're actually dealing with.
When you think about the stuff that either you're doing today to protect against ransomware or the things that you'd like to add, you know, what are some of the things that are at the top of the list there?
Sujeet
It's very important to know yourself, know your environment, know your customer, and know your attackers. These four things can help empower your defense strategy very well. I hear a lot about ransomware embedding and manifesting. Now, and I offer that as an example, because to me, that's not the most efficient way a threat actor would actually deliver ransomware.
If I had a piece of malware code in Patrick's laptop, right, I am not going to trigger it immediately. I'm going to wait until you spend some time in the organization. I'm going to see it go around a little bit. I'm going to see it go around from people who are typically on Linux environments, typically on Windows environments, typically on Macs, right?
Let it get a little bit of a foothold, and then on a Friday night, I'm going to activate, right? I'm going to try and pick a holiday weekend when I know that your security ops team is typically either thinly staffed or not staffed at all. So the reason I say this is because it is important to know your attacker.
It's also important to know your customers. A lot of people tend to design some very complex security safeguards that then become a problem rather than a solution because sustaining them at scale becomes very challenging, right? And what that then does is that it leads the perception that security cannot move at the velocity of innovation.
If security cannot move at the velocity of innovation, you've really lost the fight, because then it leads to the perception that you're, you know, slow and ivory towers and so on and so forth. So you've got to know your customer, and you've got to know your environment in which you're supporting whatever revenue generation chain that you are in.
By designing controls that can work in that context at speed and at scale, you're going to create a defense strategy that will tell the board, to answer your question, that will tell the board, that will tell senior management that you are right-sizing your diligence, right-sizing your security safeguards, rightsizing your defense in that, to use Ilya's phrase, right, in a manner that is for your brand, for your customer, and for now to the next six months.
I say the next six months because I don't know how to think or respond to HB's prior comment about we will see more of ransomware. There's a part of me that agrees with him, but there's a part of me that thinks that there is so much attention on this space that we'll probably see a lot more of law enforcement engagement and a lot more pivoting, like, REvil becomes BlackMatter, and X becomes Y and then people catch onto that, right?
And that they figure out a way to really systemically take out all of their servers or all of their networks and whatnot. Because at the scale that it can affect you, just a post from BlackMatter saying we are not going to go after governments and hospitals and so on and so forth is not convincing enough.
Patrick
Right. Hey, so, John, what kind of control set, you know, are you thinking? Is there changes to what you've been doing? You know, you had talked about the basics, are there other things that you'd plan to add to that to make this harder?
John
Yeah. I think that, a very overused term but I totally believe, and everybody probably will cringe, but the journey to zero trust, right? While there is a lot of hard things to do to really get there, and same thing if I think about a DLP program or things like that.
You know, there's basic things we all do, but really, to really do it all as at least I define zero trust, especially when we get into the more complex pieces of just-in-time access, just enough access, and those things to deal with some of the provisioning things that we were talking about earlier in overpermissioning. At least the earlier front-end pieces that build the foundation of zero trust around identity and around zero trust network access.
So I think around that GTNA space and identity, again, I know...and I recently did another similar panel where we were talking about getting rid of passwords and how do we do that, and what are some roadblocks? But we definitely got to get to this place where I know who you are and where you should be, and when you should be there.
And ultimately, if you're not that person, then you don't get to go there. And there are some real solutions around there. You know, a number of years ago, Amazon had come out with a saying that I echo frequently, that identity is the new edge, right? We need this stop...and obviously, I think the pandemic has reinforced that, that the edge is no longer, you know, the edge of your office or the edge of your data center.
And the only way, I think, to ultimately address, not only ransomware, I think ransomware is just one piece of this larger challenge we're talking about, and identity is just a huge part of it as is segmentation, at least privilege some of the other, again, basic concepts I think we've all learned since day one.
But I do think that there's been a lot of advancement around identity and trust. And how do we do that at scale and how do we do that across incredibly diverse and hybrid environments? So I think we'll continue to see a focus there, and I think it's an area that will continue to require some investment because it doesn't just tackle this problem.
It tackles a lot of other ones around DLP, insider threat, you know, go down your list. So I think a lot of energy for us to be spent in that area.
Patrick
Ilya, you had mentioned already kind of network segmentation in the core being, you know, critical. Any other top one or two things that you'd throw in the list there of where people should be thinking about investment to, I think as John said, to help solve ransomware but the cybersecurity issue more broadly?
When ransomware is both locking data up or ex filling data, which is the age-old way to do it, and you can hold somebody hostage with either tactic, then...we're just about good cybersecurity at this point.
Ilya
Yeah, I mean, as John said, zero trust, right? When we talk about network segmentation and just enough access and reducing the overpermissioning, it all revolves around that. And as you guys all know, and John and Sujeet, I'm sure you guys experience this on a regular basis, one of the biggest challenges around that isn't so much the technology piece, it's our people, it's our users, right?
Our users are the easiest attack vector period bar known. And part of that is how do we secure them and their identities and the access they have in a way that's frictionless to them, right? Because we all report to either our customers, our boards, our senior executives, and we need to create solutions that will enable our users to be more productive while being secure.
You know, in the past, we've had simple MFA and, you know, before, these phones were prevalent and you guys could really see me pulling up a smartphone, right? And you have the ability to do, you know, text messages and things along those lines, that's one level of MFA, which, by the way, by itself eliminates probably over 90%, you know, there's different statistics, depending on which periodical you read of attacks.
But it needs to be in a way where a user can come in, access their device, and whether it's their own device, a BYOD device, corporate-given device, or shared devices, right? Because a lot of our users, especially, Sujeet, I'm sure, at the stores themselves, you have a lot of shared devices.
So how do you enable the users to be able to access those devices and the data they need in order to do their day-to-day business wherever it happens to be, but do so in a way that's secure and yet frictionless? And that's a big challenge that's out there today. Thankfully, with not just X.509 certificates as you were talking about, HB, those by themselves are a method, but being able to use things like FIDO keys, and a lot of different organizations including your own are starting to grate passwordless capabilities.
And I think by being able to give users the ability to access their devices and their data in a way that's seamless to them and provide those controls as user-enabled controls with the guidance of corporate policy is a big challenge that we need to really deal with.
And, you know, the two organizations that are present here are probably a little bit more mature. There's a lot of small vendors, third-party vendors that you guys may be using yourselves that are that impact radius. And we keep going back to it's the weakest chain in the link, and I think that a variety of things both on the regulation side as well as advancements to technologies really are great assets for us to use, but creating the right roadmap for adoption to be seamless to those users is something that we all need to think about on a regular basis.
Patrick
It's interesting the whole user experience of the customer, Sujeet mentioned it as one of the multiple pillars of things that you actually have to focus on now. And I can tell you in my career that goes back 25 years in cybersecurity, you know, do it my way or the highway was kind of the old model CISO, you know, kind of thing. And that just I get to have these, you know, UX, user experience discussions with CISOs all the time now, which is a kind of refreshing thing.
We don't necessarily have to make that tradeoff between better security these days, and making it just much harder to do the job. So, again, point well taken.
Ilya
10 years ago, a CISO would have said, "We're not going to the cloud," right? And that was it. That was the security mantra. We're not going to the cloud. Now we have to go to the cloud, and how do you provide the right user experience and security at the same time?
Patrick
Exactly. Exactly. So well, we're, you know, coming down to the end, we hit a couple of things and a couple of these things pointed to identity and zero trust concepts. I wonder if any of you guys have some kind of final thoughts on, when you think about, it's a big ball, right, I mean, it's a lot of pieces and everybody's got a different kind of zero trust journey.
John, you mentioned a couple of pieces with identity and ZTNA. Sujeet, when you think about that, what does it conjure up or how are you kind of thinking about zero trust, and what are some of your fundamental building blocks for that, or starting points for that?
Sujeet
Well, to me, zero trust is a few things. I look at it at an atomic level. For a connection to have confidentiality and integrity, for a connection to provide a cryptographic identity, for there to be logging.
These are a few of the things that I think of when I think about zero trust. And then to assess actions and to continue context in the view that trust is not transitive. So just because I trust one appliance, it doesn't mean that anything connected to that appliance has the same trust privileges.
So I see it in really those five things that I should validate then trust rather than trust but verify. To me, that is what zero trust means. Stepping back, the learning that I think I have that comes out of this current threat landscape is, well, one of the learnings that come out of this threat landscape, is a lot of the times a ransomware incident leverages something that is either very elegant, very simple, or both.
So if you dig into the details, and I suggest everyone does, if you dig into the details of a lot of these very well discussed events, you'll see that the threat insertion and the threat infection were separated by perhaps a misconfiguration.
By perhaps a very elegant abuse of privilege elevation. And some people can call it misconfigurations, some people can call it oversights, right? But if security misconfigurations are the biggest or the lowest hanging fruit, then going after them should be technically easy with a very clearly defined solution that we've all had 10, 15 years ago, which is a gold image.
A lot of us know the concept of a gold image, right? The challenge today is that because of innovation, golden images change the very second they get deployed, right? So I think the challenge for CISOs is to have, and I'm repeating myself, is to have security match the desires and the velocity of innovation.
So if you say security misconfigurations are just ironed out at every step of the design and deployment process, then we may be able to achieve a significant percentage of getting confidence back.
Patrick
Any final thoughts, John?
John
Yeah. And I agree, again, I don't think I've disagreed in any material way with what anybody's said. I think that every organization really needs to evaluate where they are, and just not take on too much. I mean, and I think historically, I don't recall the numbers, but it's an incredibly large percent out of it projects that start that never finish or that fail before full implementation.
And I think that sometimes we get very focused on this very complex problem because we can make it complex if we want. But I don't think we always need to solve the problem in its entirety to get value out of earlier progress. And so I think while we can look at the whole zero trust thing and we can look at the posture management, some of the things that Sujeet's referring to I think, there's easy wins that have an incredible impact, you know, the 20/80 kind of rule, right?
And so, I think that we need to focus on those, not get always distracted by whatever's come out last week from Gartner and Forrester, and really kind of continue to build on those building blocks. And a lot of times those are capabilities that we may already have. And so, a lot of times it doesn't require an incredible amount of capital investment. Though more investment I think needs to be continually focused in the security area.
Patrick
Yeah, it's interesting. If you can't insure it away as easily, then you have to protect it away a little bit better, I guess. HB, any final thoughts maybe on top of the transitive trust kind of topic? I know it's kind of near and dear to your heart.
Husnain
Yeah. I mean, I'm obviously a big fan of pragmatic security models. I like Sujeet's take on security at the velocity of innovation. This whole idea of, like, infrastructure as code, security as code, maybe it's, like, a little bit too far to take it, but, like, that speed of responsiveness, that seconds, minutes, hours kind of level of the engagement makes a lot of sense to me.
I'm a big fan of simple solutions. The more complex and complicated your stuff gets, the more brittle it gets. And so, solutions like device posture assessment for work from home, work from anywhere kind of clients makes a lot of sense.
The tooling there is sophisticated and it's not creepy. So unlike a lot of solutions that do a lot of intrusive supervision, it's lightweight and easy to deploy. I think Ilya's point on behavioral biometrics and sort of that ability to use kind of these newer kinds of solutions that leverage that personal aspect of the device to take advantage of better identity and authentication insurance.
I think these are also going to play a big role because as you were saying, like, the need for better UX is critical to this. Like, the CISO organizations are now partnered with the employees, and it's really everyone working together to figure out ways to mitigate these kinds of positions.
Patrick
I'm glad Ilya brought that point up. Ilya, I'll give you the final word here as we wrap up today.
Ilya
I feel somewhat honored with present company for the last word, but, you know, just as John said, I think we've all made some really good points on what we can do and what we should do in order to increase our security posture and reduce our risk overall. You know, what I think Sujeet said as far as, you know, get the basics, yes, make sure you're innovating your security along with productivity innovation.
One of the things that I think is important to also think about is how do you not just turn our control on, but validate the effectiveness of control? So appropriate continuous testing, right? A gold image is great, but as Sujeet said, the next day or the next minute, it's already been an old.
It's kind of like soon as you drive a car off the parking lot, it reduces value. So being able to have something that provides continuous inspection of your controls and validating the effectiveness, I think is something that we haven't had a chance to talk about today, but it's important as an aspect in order to increase your security posture. And one last thing I would say is don't do it alone, right?
Don't try to figure out and reinvent the wheel. There is a community here, and several of us had said before that one of the benefits that ransomware, if you can say it's a benefit that came out of ransomware and all these high visibility attacks is the security community has really banded together in the sharing of TTPs of our attackers and things along those lines has gotten to a point where it's never been there before.
I think that's an important aspect. So being able to leverage your community, leverage the right vendors and partners that you want that can really help you get to the right security posture that you need to be in, and several of you guys have said, right-size it for your organization to ensure that you don't necessarily need as much security for your lunch menus as you do for, you know, the Coca-Cola formula, so to speak.
But at the same time, if you're going to reduce the security in one aspect, you need to make sure you're segmenting it appropriately and following that zero trust protocols to make sure that if there is some sort of attack on a lower level asset, it's not going to creep and do lateral movements into where your higher-level assets are.
Patrick
Well, that's the final word. With that, we'll wrap it up. Gentlemen, thank you very much. I think it was a very enlightening discussion. I hope the CIOs, the CISOs in the audience had a couple of good takeaway points. I would, you know, on Ilya's comments, I mean, there's the threat intel sharing organizations that are out there, so certainly turn to those.
There's ISSA and ISACA, so if your employees aren't engaged with those groups, you know, definitely, you know, have them take a look at it. There is a large community here, not just vendors selling, you know, things. There's a lot there as well, but there's a lot of folks that are perfectly happy to help.
So please reach out to those organizations. And certainly, if you'd like to talk to Beyond Identity, we'd love to entertain that as well. And with that, we'll close it up. Thank you.