
Prevention Is Better Than Detection

Published On: Jun 1, 2022

Informal security chat with Beyond Identity's CTO Jasson Casey, Founding Engineer Nelson Melo, VP of Global Sales Engineering Husnain Bajwa, and our host Marketing Empress Reece Guida on how prevention is better than detection.

Transcription

Reece

Hello, and welcome to the first Beyond Identity Podcast. My name is Reece, I'm the generic marketing lady whose sole job is to get these guys to say interesting stuff. We're joined by Jasson, our CTO, H.B. who's in charge of global sales engineering, and Nelson, our founding engineer. This is our first episode, we're just gonna talk about some technical stuff. So I'll let the guys introduce themselves.

Jasson

I'm Jasson, I'm the CTO. Repetitively repeating what Reece's told us. More importantly, what's the dog's name, Reece?

Reece

Oh, this is Joey Bones. He's pretty cool when he's not licking his butt like he's doing now.

Jasson

I can show you mine, although all you can really see as a match is Austin in Brooklyn sleeping.

Reece

Nelson has a dog too, but it's very stinky apparently.

Nelson

I shouldn't carry him anymore if he's not ready for that.

Jasson

Last man, show us your dogs.

H.B.

My two dogs are trying to escape the winter weather here in Austin that's hitting us today. So they're enjoying the fireplace at 15 years old each. So...

Reece

Oh, wow.

Jasson

This is a requirement of employment here at Beyond Identity. You have to show dog-proof or some sort of form of animal proof.

Nelson

Even if it's stuffed, okay.

Reece

So what we wanted to talk about today, guys, was how prevention is better than detection. I think this is something that the company really cares about. And who better to talk about it than you guys?

Jasson

I don't know, is that really true? Like, I prefer to remodel my kitchen after all of my cooking fires.

Reece

Good point.

H.B.

I would approach that, Jasson. So I'll be honest with you, like, when we got to this, like, sort of prevention versus detection conversation, a lot of it started with kind of the NIST Cybersecurity Framework and Lockheed Martin Cyber Kill Chain and all of the various approaches, you know, like, you look at ISO 27000 and it doesn't even have a unifying approach. It just has, you know, a dozen-plus sections to it in terms of understanding cybersecurity frameworks.

And Jasson had a good point, the five functions that NIST calls out could really be reduced down to like, three actionable functions, which are just prevent, detect and respond. And I think Jasson can speak to kind of what his thought process was around, kind of the nature of those things relative to shift left security and all these other things that marketers love talking about these days.

Jasson

I mean, at a high level, so I'm a framework guy. I love frameworks because frameworks are useful to help you check your thoughts against some sort of structure and answer the question, "Are you making consistent direction?" The NIST Framework has five parts, right, identify, protect, detect, respond and repair. It's a great set of high-level buckets. And obviously, there's tons of controls and control families that fall under these things around really understanding what are your assets? Are your assets protected? Right patched? Are they configured properly? Are they following best current practices? Detection, right? Like, are you present and observing to find bad things that happen? Response, do you have an ability to respond, right? And then repair is when a bad thing happens, response is not enough. Like typically, you have to engage cleanup. And response could be everything from, you know, providing new devices and reimaging and whatnot, to engaging legal firms and filing compliance notifications and engaging a PR firm.

Or going back to the kitchen, identifying all the things that can catch on fire, making sure that you locate them in an area where they're unlikely to catch fire. Have a fire extinguisher around to where if a fire does happen, you can actually put it out. Sorry, have a smoke detector to let you know a fire has started when you're not paying attention or Nelson's burning the spices again. And then, of course, our favorite, you know, when the island and the cabinets are all charred cinders, typically people aren't happy to continue coming over for dinner. They expect you to, like, knock all that stuff out and rebuild the kitchen.

So from our perspective, you know, clearly that's the expensive proposition. Why focus so much on putting out fires and repairing the damage when you could stop them from happening in the first place? You know, we joke around a lot but, like, the central premise here is most security incidents start with valid credential use, right? That's kind of a fancy way of essentially saying, like, bad actors don't break into your infrastructure, they log in, and they log in using credentials of people that exist and have a valid reason to access your infrastructure. So it's an interesting way of basically saying your identity and access architecture and services are not giving you great security results right now. Because a good security result is that a bad thing doesn't happen.

So how do you think about building out your security architecture where you can kind of shift left, right? And shift left was all the rage, because from a software perspective, you know, we all studied this problem for 20 years and kind of put our coats on and gathered our pipes and harrumphed to each other, and then said, "Hey, it sure is easier to fix problems at the stage of design than it is when a customer is using something in production." And of course, you know, we had this big move from waterfall to agile, but there's no difference in security, right? It's a lot easier to fix problems at the point of design, it's a lot easier to prevent things... Or it's easier on the organization if something can be prevented, as opposed to an organization just focused on responding to things.

And, you know, that's kind of what we focus on here at Beyond Identity. How does an organization focus on getting security results from their identity stack? Like, as a fundamental part of zero trust, right? Zero trust access is the risk signals about a device someone's actually using to access the data, the criticality of the data they're trying to access and signals about the likelihood of that person being who they claim to be. Why not take all of those into account at the time of access? Because if you could, you could certainly level a lot of issues off the desk of your operations team.

Reece

Yeah, I think the reason why not is because, for cybersecurity companies, detection and response is more valuable to them. But for organizations and users, prevention and protection are better. So I think it's kind of that give and take between, you know, like, this is a market we're selling to people. But I think by emphasizing prevention more, you're empowering organizations and users. So do you think we're at, like, a turning point here, just after, you know, so many ransomware attacks in 2020?

Jasson

I do think it's an interesting point in time where people care about security results, right? The security industry, it's been around for a long time, but the size of it and the size of the growth of the industry is fairly recent. And I think the reason for that is consequences now matter, right? Like breaches cost companies, they cost the reputation of individuals. And at least at the lowest level, it costs a lot of time that's taken away from the primary mission of the company. So, you know, the cost of not paying attention to security is material and now shows up at the board. It shows up at the C-suite, and this wasn't necessarily true in the '90s and the 2000s. And even the 20-aughts, it was still kind of gaining steam.

But, you know, we talked to our friends in the cyber insurance industry, and, you know, for the first time last year, they all lost money on their cyber insurance policies. And the reason was ransomware. And they basically said, "If there's anything you can do about ransomware, let's talk, and otherwise our other 14 cyber initiatives, we'll handle those maybe in another year or two, but, like, that is the focus right now." And of course, they're the canary in the coal mine, right? Like they're there to service companies trying to get the work done that the companies are there doing.

H.B.

I think cyber insurance is the big change in the industry, in that the presence of cyber insurance is a counterweight to the sort of heroic activities that people enjoy in detection and response that, like, ordinarily, like, you know, recovering from a disaster, detecting a breach, that's been its own sort of, like, you know, proving ground for cybersecurity professionals. And it causes people at times to not be as principled on the prevention side. Like, prevention ends up looking like a collection of tools that roughly everyone else who's like you is using. And now, like, I think, with the insurance players wanting to see less activity, wanting to see things be more boring in networks, wanting to see effective cybersecurity architectures, that security architecture focus on prevention is super important.

If you just assemble the 27 boxes that Gartner considers collapsed into the Secure Access Service Edge, you haven't really solved a problem. Like, you have to have more of an approach towards, like, which problems you're trying to solve and where they occur in the chain and whether they're even still relevant. And so that's, I think, where this identity plus endpoint security design from Beyond Identity is kind of interesting is that we've sort of converged these two things and it's super early in that collection of tools, and really does need to exist.

Nelson

But to me, even when you look at identity systems today, and zero trust is just gonna push more towards identity systems being at the center of our transactions. It's just a corollary of how zero trust is supposed to work, you find a collection of phishable factors most of the time, and you have SMS codes and push notifications. Even the federal government on the federal zero trust strategy, they are now requiring agencies to find unphishable factors, PIV Cards and WebAuthn, they recognize that one-time calls and push notifications and SMS and voice calls are not appropriate methods of authentication for any agency out there.

Reece

Do you think that people are getting this or do you think it's something that people are starting to get?

Jasson

I think people are getting this, right? Like, look at what people are doing, right? Right now organizations are searching for ways of trying to integrate formerly disparate parts of their network architecture, right? So in almost any enterprise over a certain size, you're gonna find an identity stack, some sort of MFA product that may come from that identity stack or not, potentially a PAM solution, you're gonna find an EDR, you're gonna find an MDM, you're gonna find a SIEM, right? Or some sort of log collection, where all of the services I just mentioned are all kind of depositing their little droppings of contextless insights. And then you're gonna find some set of analytics, either by the SIEM organization or by some third-party analytics company, trying to stitch that all together and make sense of it and put information and alerts up on an incident responder's screen.

The companies that are actually working through legitimate problems, or that are trying to kind of simplify their architecture, they're actively looking for ways of trying to connect the dots lower in that stack, right? So what I just described is great for telling you about what happened in your rearview mirror. But it's not necessarily great for preventing things, especially on the identity side of the house. So yeah, all the customers that I talked to, all the prospects that I talked to, almost all the conversations revolve around, "How do I take the network to the VPN side of this equation, the EDR side of the equation, the MDM side of the equation, and how do I get information from those systems and incorporate it as part of the decision making of access?" And some of them will even be on a journey of trying to kind of do it themselves and kind of do complex orchestration and integration.

And the conversation ends up... You know, the conversation we try to have with them is there's a better way. Ask for security results from your identity stack. If your identity stack has an authenticator that's on the machine someone's trying to do something from, and obviously, it's plugged in and federated to all the services that person is trying to connect to, it's at the natural high ground. It has an ability no matter who the person is, no matter where they are in the world, no matter what device type they're using, no matter if they're a contractor or an employee, no matter if it's BYOD or company-owned, they have an ability to assert something about the security of the device, the likelihood of the person, the criticality of what they're trying to do, and really decide at that moment in time with real-time information, should they allow this access attempt to proceed or not. Ask for security results from your identity stack.

H.B.

To your point, Reece, I think it's important to note that Jasson is also correct that, like, there is this, like, directional focus on updating, upgrading and right-sizing security architectures. If you were to look at sort of the landscape of cybersecurity, Momentum publishes a fantastic cyber landscape that goes over all of the sort of traditional categories of solution. If you look at sort of modern architectures though, the going phrase that everyone goes for is zero trust, and with zero trust, there's essentially an access component which, you know, some people have been calling Secure Access Service Edge, some people call it zero trust access.

And then on the cloud side, you have kind of an aggregation and simplification of all of your sort of datacenter security tools under what people call CPSM, Cloud Posture and Security Management. These are like big umbrella buckets that sort of drop in tools. And then on the sort of observability detection and response, like, human-led side, there's this trend towards, like, putting everything that's MSP, MSSP, CloudSim, all of those tools into a bucket called MDR, Managed Detection Response.

And so if you look at these three things, yes, I think in general CIO and CISO priorities are to figure out how they adapt to these, like, three big buckets. But I don't think that as many of the CISOs and CIOs have a strong, opinionated and well-informed opinion yet on what the priority for tooling and tooling upgrades in each of those areas should be. So I think, like what Jasson was suggesting, makes a lot of sense as the highest value first step. And I think that's what we're trying to advocate to people.

Reece

Yeah, I'm surprised. I haven't heard you guys mention Defense In Depth yet, because this is just one of those philosophies that's kind of thrown around like zero trust, and I think that people have bought into it or accepted it as reality. But it also kind of sounds like an inconvenience, again, benefiting cybersecurity companies typically, like, "You need to have a lot of products in order to be secure." So what do you guys think about how Defense In Depth factors into this? Do you think it's time to challenge that or rethink that phrase?

Jasson

No, Defense In Depth is a good thing. What it's time to challenge is this notion that it can't come, or it has to come, at the expense of the end-user. There's nothing from a technical perspective that says good security products have to have crap experiences for their end-user, but that has been a tendency over time in a lot of the products in the industry. And honestly, even some of our attitudes from an operations and security engineering perspective. The end-user, if they're there, they're gonna have to do this, this is the only way to move forward. I do think it's time to challenge that notion and that assumption. There are ways of improving the end-user experience. Every time you apply friction, security friction, to an end-user, is there a meaningful reason for that friction? Is there no other alternative way of establishing whatever control you're trying to establish without bringing that friction to the end-user?

So taking it down a step, making it a little bit more practical, do I really need an end-user to have two devices to prove who they say they are if I have a credential locked in a hardware enclave protected or guarded by a local PIN or a biometric, and that's being compared against end-user behavioral history, and I have signals on the device to understand are the controls I expect to be on the device present on the device at the time that person tried to do something interesting? I think the answer is there's a lot of opportunity to improve the end-user experience while getting better security results.

Defense In Depth is good. Nothing is bulletproof. Nothing works all the time. And I think it's a pithy reminder of that. I think where it goes sideways is being used as a crutch that, "Well, this is just how we improve security and, Mr. End-User or Miss End-User, you just have to get over it."

H.B.

I agree with Jasson's take on this. I would say that Defense In Depth has been a sort of broad umbrella to make excuses for a brittle and fragmented product landscape. I think bringing ideas on mechanisms together, especially where they make sense without having distinct products, is an important future trend that we're seeing. And that's why I think you're seeing a lot of collapsing of these, like, endpoint tools into these, like, you know, bigger, like, Cloud-centric buckets of, you know, ZTNA, and on the cloud side, you're seeing sort of CPSM, is that people are kind of looking at their security signals and trying to aggregate them intelligently even at the point of acquisition, not just the point of aggregation.

Reece

I think the last question should be for Nelson to kind of put a bow on this. When you were building Beyond Identity, Nelson, obviously, prevention was a big focus. But, you know, what about the other side of it, detection and response, how did we factor that into things as well given the landscape?

Nelson

What the team found important was to try to find a solution for an authentication framework that was based on hardware, was based on possession, placing some sort of credential, like Jasson said, on the TPM, because it changes the landscape of what you're trying to achieve, right? A phone is something you have sent a push notification to, but it's the thing you carry the most, and you put it somewhere else. Why not make it more like a YubiKey, or a thing that you carry, that has a strong cryptographic framework around it? But also put all of the device posture checks that we could gather as a platform authenticator, as a type of thing that lives on the device that you're trying to do something from, and that makes it more of a detection product or something that's closer to that, where you're learning about the environment where the authentication is happening in that transaction specifically, and then you can make decisions about it.

So I thought that was a pretty powerful idea, if you build all the right components into a solution for possession and using biometrics or a PIN as a step-up authentication, that could be a better solution than other things that are more phishable or sort of rely on a third-party device or a separate device.

Reece

So really leveraging the endpoint, simplifying it for the user as well and taking advantage of the hardware for security. All right, well, thank you guys for chatting. We're gonna do this again next week, so be sure to tune in. We'll talk about something else exciting. And remember to smash that Subscribe button so you stay up to date. All right, catch you guys later.

Get started with Device360 today
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.

Prevention Is Better Than Detection

Download

Informal security chat with Beyond Identity's CTO Jasson Casey, Founding Engineer Nelson Melo, VP of Global Sales Engineering Husnain Bajwa, and our host Marketing Empress Reece Guida on how prevention is better than detection.

Transcription

Reece

Hello, and welcome to the first Beyond Identity Podcast. My name is Reece, I'm the generic marketing lady whose sole job is to get these guys to say interesting stuff. We're joined by Jasson, our CTO, H.B. who's in charge of global sales engineering, and Nelson, our founding engineer. This is our first episode, we're just gonna talk about some technical stuff. So I'll let the guys introduce themselves.

Jasson

I'm Jasson I'm the CTO. Repetitively repeating what Reece's told us. More importantly, what's the dog's name, Reece?

Reece

Oh, this is Joey Bones. He's pretty cool when he's not licking his butt like he's doing now.

Jasson

I can show you mine although all you can really see as a match is Austin in Brooklyn sleeping.

Reece

Nelson has a dog too, but it's very stinky apparently.

Nelson

I shouldn't carry him anymore if he's not ready for that.

Jasson

Last man, show us your dogs.

H.B.

My two dogs are trying to escape the winter weather here in Austin that's hitting us today. So they're enjoying the fireplace at 15 years old each. So...

Reece

Oh, wow.

Jasson

This is a requirement of employment here at Beyond Identity. You have to show dog-proof or some sort of form of animal proof.

Nelson

Even if it's stuffed, okay.

Reece

So what we wanted to talk about today, guys, was how prevention is better than detection. I think this is something that the company really cares about. And who better to talk about it than you guys?

Jasson

I don't know, is that really true? Like, I prefer to remodel my kitchen after all of my cooking fires.

Reece

Good point.

H.B.

I would approach that, Jasson. So I'll be honest with you, like, when we got to this, like, sort of prevention versus detection conversation, a lot of it started with kind of the NIST Cybersecurity Framework and Lockheed Martin Cyber Kill Chain and all of the various approaches, you know, like, you look at ISO 27,000 and it doesn't even have a unifying approach. It just has, you know, a dozen-plus sections to it in terms of understanding cybersecurity frameworks.

And Jasson had a good point, the five functions that NIST calls out could really be reduced down to like, three actionable functions, which are just prevent, detect and respond. And I think Jasson can speak to kind of what his thought process was around, kind of the nature of those things relative to shift left security and all these other things that marketers love talking about these days.

Jasson

I mean, at a high level, so I'm a framework guy. I love frameworks because frameworks are useful to help you check your thoughts against some sort of structure and answer the question, "Are you making consistent direction?" NIST Framework which has five parts, right, identify, protect, detect, respond and repair. It's a great set of high-level buckets. And obviously, there's tons of controls and control families that fall under these things around really understanding what are your assets? Are your assets protected? Right patched? Are they configured properly? Are they following best current practices? Detection, right? Like, are you present and observing to find bad things that happen? Responses, do you have an ability to respond, right? And then repair is when a bad thing happens, response is not enough. Like typically, you have to engage cleanup. And response could be everything from, you know, providing new devices and reemerging and whatnot, to engaging legal firms and filing compliance notifications and engaging a PR firm.

Or going back to the kitchen, identifying all the things that can catch on fire, making sure that you locate them in an area where they're unlikely to catch fire. Have a fire extinguisher around to where if a fire does happen, you can actually put it out. Sorry, have a smoke detector to let you know a fire has started when you're not paying attention or Nelson's burning the spices again. And then, of course, our favorite, you know, when the island and the cabinets are all charged senders, typically people aren't happy to continue coming over for dinner. They expect you to, like, knock all that stuff out and rebuild the kitchen.

So from our perspective, you know, clearly that's the expensive proposition. Why focus so much on putting out fires and repairing the damage when you could stop them from happening in the first place? You know, we joke around a lot but, like, the central premise here is most security incidents start with valid credential use, right? That's kind of a fancy way of essentially saying, like, bad actors don't break into your infrastructure, they log in, and they log in using credentials, people that exist that have valid reason to access your infrastructure. So it's an interesting way of basically saying your identity and access architecture and services are not giving you great security results right now. Because a good security result is a bad thing doesn't happen.

So how do you think about building out your security architecture where you can kind of shift left, right? And shift left was all the rage, because from a software perspective, you know, we all studied this problem for 20 years and kind of put our coats on and gathered our pipes and harrumphed to each other, and then said, "Hey, it sure is easier to fix problems at the state of design, than it is when a customer is using something in production." And of course, you know, we had this big move from waterfall to agile, but there's no difference in security, right? It's a lot easier to fix problems at the point of design, it's a lot easier to prevent things... Or it's easier on the organization if something can be prevented, as opposed to an organization just focused on responding to things.

And, you know, that's kind of what we focus on here at Beyond Identity. How does an organization focus on getting security results from their identity stack? Like, as a fundamental part of zero trust, right? Zero trust access is the risk signals about a device someone's actually using to access the data, the criticality of the data they're trying to access and signals about the likelihood of that person being who they claim to be. Why not take all of those into account at the time of access? Because if you could, you could certainly level a lot of issues off the desk of your operations team.

Reece

Yeah, I think the reason why not is because, for cybersecurity companies, detection response is more valuable to them. But for organizations and users prevention and protection are better. So I think it's kind of that give and take between, you know, like, this is a market we're selling to people. But I think by emphasizing prevention more, you're empowering organizations and users. So do you think we're at, like, a turning point here, just after, you know, so much ransomware attacks in 2020?

Jasson

I do think it's an interesting point in time where people care about security results, right? Security industry, it's been around for a long time, but the size of it and the size of the growth of the industry is fairly recent. And I think the reason for that is consequences now matter, right? Like breaches cost companies, they cost reputation of individuals. And at least at the lowest level, it costs a lot of time that's taking away from the primary mission of the company. So, you know, the cost of not paying attention to security is material and now shows up at the board. It shows up the C-suite, and this wasn't necessarily true in the '90s and the 2000s. And even the 20-aughts, it was still kind of gaining steam.

But, you know, we talked to our friends in the cyber insurance industry, and, you know, for the first time last year, they all lost money on their cyber insurance policies. And the reason was ransomware. And they basically said, "If there's anything you can do about ransomware, let's talk and otherwise our other 14 cyber initiatives, we'll handle those maybe in another year or two, but, like. that is the focus right now." And of course, they're the canary in the coal mine, right? Like they're there to service companies trying to get the work done that the companies are there doing.

H.B.

think cyber insurance is the big change in the industry is that the presence of cyber insurance is a counterweight to the sort of heroic activities that people enjoy in detection and response that, like, ordinarily, like, you know, recovering from a disaster, detecting a breach that's been its own sort of, like, you know, proving ground for cybersecurity professionals. And it causes people at times to not be as principled on the prevention side. Like, prevention ends up looking like a collection of tools that roughly everyone else who's like you is using. And now, like, I think, with the insurance players wanting to see less activity, wanting to see things be more boring in networks, want to see effective cybersecurity architectures, that security architecture focus on prevention is super important.

If you just assemble the 27 boxes that Gartner considers collapsed into the Secure Access Service Edge, you haven't really solved a problem. Like, you have to have more of an approach towards, like, which problems you're trying to solve and where they occur in the chain and whether they're even still relevant. And so that's, I think, where this identity plus endpoint security design from Beyond Identity is kind of interesting is that we've sort of converged these two things and it's super early in that collection of tools, and really does need to exist.

Nelson

But to me, even when you look at identity systems today, and zero trust is just gonna push more towards identity systems being at the center of our transactions. It's just a corollary of how zero trust is supposed to work, you find a collection of phishable factors most of the time, and you have SMS codes and push notifications. Even the federal government on the federal zero trust strategy, they are now requiring agencies to find unphishable factors, PIV Cards and WebAuthn, they recognize that one-time calls and push notifications and SMS and voice calls are not appropriate methods of authentication for any agency out there.

Reece

Do you think that people are getting this or do you think it's something that people are starting to get?

Jasson

I think people are getting this, right? Like, look at what people are doing, right? Right now organizations are searching for ways of trying to integrate formerly disparate parts of their network architecture, right? So in almost any enterprise over a certain size, you're gonna find an identity stack, some sort of MFA product that may come from that identity stack or not, potentially a PAM PAM solution, you're gonna find an EDR, you're gonna find an MDM, you're gonna find a SIM, right? Or some sort of log collection, where all of the services I just mentioned, are all kind of depositing their little droppings of contextless insights. And then you're gonna find some set of analytics, either by the SIM organization or by some third-party analytics company, trying to stitch that all together and make sense of it and put information and alerts up on an incident responder screen.

The companies that are actually working through legitimate problems, or that are trying to kind of simplify their architecture, they're actively looking for ways of trying to connect the dots lower in that stack, right? So what I just described is great for telling you about what happened in your rearview mirror. But it's not necessarily great for preventing things, especially on the identity side of the house. So yeah, all the customers that I talked to, all the prospects that I talked to, almost all the conversations revolve around, "How do I take the network to the VPN side of this equation, the EDR side of the equation, the MDM side of the equation, and how do I get information from those systems and incorporate it as part of the decision making of access?" And some of them will even be on a journey of trying to kind of do it themselves and kind of do complex orchestration and integration.

And the conversation ends up... You know, the conversation we try to have with them is there's a better way. Ask for security results from your identity stack. If your identity stack has an authenticator that's on the machine someone's trying to do something from, and obviously, it's plugged in and federated to all the services that person is trying to connect to, it's at the natural high ground. It has an ability no matter who the person is, no matter where they are in the world, no matter what device type they're using, no matter if they're a contractor or an employee, no matter if it's BYOD or company-owned, they have an ability to assert something about the security of the device, the likelihood of the person, the criticality of what they're trying to do, and really decide at that moment in time with real-time information, should they allow this access attempt to proceed or not. Ask for security results from your identity stack.

H.B.

To your point, Reece, I think it's important to note that Jasson is also correct that, like, there is this, like, directional focus on updating, upgrading and right-sizing security architectures. If you were to look at sort of the landscape of cyber security, Momentum publishes a fantastic cyber landscape that goes over all of the sort of traditional categories of solution. If you look at sort of modern architectures though, the going phrase that everyone goes for is zero trust, and with zero trust, there's essentially an access component which, you know, some people have been calling Secure Access Service Edge, some people call it zero trust access.

And then on the cloud side, you have kind of an aggregation and simplification of all of your sort of datacenter security tools under what people call CSPM, Cloud Security Posture Management. These are like big umbrella buckets that sort of drop in tools. And then on the sort of observability, detection and response, like, human-led side, there's this trend towards, like, putting everything that's MSP, MSSP, cloud SIEM, all of those tools into a bucket called MDR, Managed Detection and Response.

And so if you look at these three things, yes, I think in general CIO and CISO priorities are to figure out how they adapt to these, like, three big buckets. But I don't think that many of the CISOs and CIOs have a strong, well-informed opinion yet on what the priority for tooling and tooling upgrades in each of those areas should be. So I think, like what Jasson was suggesting, makes a lot of sense as the highest value first step. And I think that's what we're trying to advocate to people.

Reece

Yeah, I'm surprised I haven't heard you guys mention Defense In Depth yet, because this is just one of those philosophies that's kind of thrown around like zero trust and I think that people have bought into it or accepted it as reality. But it also kind of sounds like an inconvenience, again, benefiting cybersecurity companies typically, like, "You need to have a lot of products in order to be secure." So what do you guys think about how Defense In Depth factors into this? Do you think it's time to challenge that or rethink that phrase?

Jasson

No, Defense In Depth is a good thing. What it's time to challenge is this notion that it can't come, or it has to come, at the expense of the end-user. There's nothing from a technical perspective that says good security products have to have crap experiences for their end-user, but that has been a tendency over time in a lot of the products in the industry. And honestly, even some of our attitudes from an operations and security engineering perspective. The end-user, if they're there, they're gonna have to do this, this is the only way to move forward. I do think it's time to challenge that notion and that assumption. There are ways of improving the end-user experience. Every time you apply friction, security friction, to an end-user, is there a meaningful reason for that friction? Is there no other alternative way of establishing whatever control you're trying to establish without bringing that friction to the end-user?

So taking it down a step, making it a little bit more practical, do I really need an end-user to have two devices to prove who they say they are if I have a credential locked in a hardware enclave protected or guarded by a local PIN or a biometric, and that's being compared against end-user behavioral history, and I have signals on the device to understand are the controls I expect to be on the device present on the device at the time that person tried to do something interesting? I think the answer is there's a lot of opportunity to improve the end-user experience while getting better security results.

Defense In Depth is good. Nothing is bulletproof. Nothing works all the time. And I think it's a pithy reminder of that. I think where it goes sideways is being used as a crutch that, "Well, this is just how we improve security and, Mr. End-User or Miss End-User, you just have to get over it."

H.B.

I agree with Jasson's take on this. I would say that Defense In Depth has been a sort of broad umbrella to make excuses for a brittle and fragmented product landscape. I think bringing ideas on mechanisms together, especially where they make sense without having distinct products, is an important future trend that we're seeing. And that's why I think you're seeing a lot of collapsing of these, like, endpoint tools into these, like, you know, bigger, like, cloud-centric buckets of, you know, ZTNA, and on the cloud side, you're seeing sort of CSPM, which is that people are kind of looking at their security signals and trying to aggregate them intelligently even at the point of acquisition, not just the point of aggregation.

Reece

I think the last question should be for Nelson to kind of put a bow on this. When you were building Beyond Identity, Nelson, obviously, prevention was a big focus. But, you know, what about the other side of it, detection and response, how did we factor that into things as well given the landscape?

Nelson

What the team found important was to try to find a solution for an authentication framework that was based on hardware, was based on possession, placing some sort of credential, like Jasson said, on the TPM, because it changes the landscape of what you're trying to achieve, right? A phone is something you have sent a push notification to, but it's the thing you carry the most, and you put it somewhere else. Why not make it more like a YubiKey, or a thing that you carry, that has a strong cryptographic framework around it? But also put all of the device posture checks that we could gather as a platform authenticator, as a type of thing that lives on the device that you're trying to do something from, and that makes it more of a detection product or something that's closer to that, where you're learning about the environment where the authentication is happening in that specific transaction, and then you can make decisions about it.

So I thought that was a pretty powerful idea, if you build all the right components into a solution for possession and using biometrics or a PIN as a step-up authentication, that could be a better solution than other things that are more phishable or sort of rely on a third-party device or a separate device.

Reece

So really leveraging the endpoint, simplifying it for the user as well and taking advantage of the hardware for security. All right, well, thank you guys for chatting. We're gonna do this again next week, so be sure to tune in. We'll talk about something else exciting. And remember to smash that Subscribe button so you stay up to date. All right, catch you guys later.


Reece

Yeah, I think the reason why not is because, for cybersecurity companies, detection response is more valuable to them. But for organizations and users prevention and protection are better. So I think it's kind of that give and take between, you know, like, this is a market we're selling to people. But I think by emphasizing prevention more, you're empowering organizations and users. So do you think we're at, like, a turning point here, just after, you know, so many ransomware attacks in 2020?

Jasson

I do think it's an interesting point in time where people care about security results, right? Security industry, it's been around for a long time, but the size of it and the size of the growth of the industry is fairly recent. And I think the reason for that is consequences now matter, right? Like breaches cost companies, they cost reputation of individuals. And at least at the lowest level, it costs a lot of time that's taken away from the primary mission of the company. So, you know, the cost of not paying attention to security is material and now shows up at the board. It shows up at the C-suite, and this wasn't necessarily true in the '90s and the 2000s. And even the 20-aughts, it was still kind of gaining steam.

But, you know, we talked to our friends in the cyber insurance industry, and, you know, for the first time last year, they all lost money on their cyber insurance policies. And the reason was ransomware. And they basically said, "If there's anything you can do about ransomware, let's talk and otherwise our other 14 cyber initiatives, we'll handle those maybe in another year or two, but, like, that is the focus right now." And of course, they're the canary in the coal mine, right? Like they're there to service companies trying to get the work done that the companies are there doing.

H.B.

I think cyber insurance is the big change in the industry is that the presence of cyber insurance is a counterweight to the sort of heroic activities that people enjoy in detection and response that, like, ordinarily, like, you know, recovering from a disaster, detecting a breach that's been its own sort of, like, you know, proving ground for cybersecurity professionals. And it causes people at times to not be as principled on the prevention side. Like, prevention ends up looking like a collection of tools that roughly everyone else who's like you is using. And now, like, I think, with the insurance players wanting to see less activity, wanting to see things be more boring in networks, wanting to see effective cybersecurity architectures, that security architecture focus on prevention is super important.

If you just assemble the 27 boxes that Gartner considers collapsed into the Secure Access Service Edge, you haven't really solved a problem. Like, you have to have more of an approach towards, like, which problems you're trying to solve and where they occur in the chain and whether they're even still relevant. And so that's, I think, where this identity plus endpoint security design from Beyond Identity is kind of interesting is that we've sort of converged these two things and it's super early in that collection of tools, and really does need to exist.

Nelson

But to me, even when you look at identity systems today, and zero trust is just gonna push more towards identity systems being at the center of our transactions. It's just a corollary of how zero trust is supposed to work, you find a collection of phishable factors most of the time, and you have SMS codes and push notifications. Even the federal government on the federal zero trust strategy, they are now requiring agencies to find unphishable factors, PIV Cards and WebAuthn, they recognize that one-time codes and push notifications and SMS and voice calls are not appropriate methods of authentication for any agency out there.

Reece

Do you think that people are getting this or do you think it's something that people are starting to get?

Jasson

I think people are getting this, right? Like, look at what people are doing, right? Right now organizations are searching for ways of trying to integrate formerly disparate parts of their network architecture, right? So in almost any enterprise over a certain size, you're gonna find an identity stack, some sort of MFA product that may come from that identity stack or not, potentially a PAM solution, you're gonna find an EDR, you're gonna find an MDM, you're gonna find a SIEM, right? Or some sort of log collection, where all of the services I just mentioned are all kind of depositing their little droppings of contextless insights. And then you're gonna find some set of analytics, either by the SIEM organization or by some third-party analytics company, trying to stitch that all together and make sense of it and put information and alerts up on an incident responder screen.

The companies that are actually working through legitimate problems, or that are trying to kind of simplify their architecture, they're actively looking for ways of trying to connect the dots lower in that stack, right? So what I just described is great for telling you about what happened in your rearview mirror. But it's not necessarily great for preventing things, especially on the identity side of the house. So yeah, all the customers that I talked to, all the prospects that I talked to, almost all the conversations revolve around, "How do I take the network to the VPN side of this equation, the EDR side of the equation, the MDM side of the equation, and how do I get information from those systems and incorporate it as part of the decision making of access?" And some of them will even be on a journey of trying to kind of do it themselves and kind of do complex orchestration and integration.

And the conversation ends up... You know, the conversation we try to have with them is there's a better way. Ask for security results from your identity stack. If your identity stack has an authenticator that's on the machine someone's trying to do something from, and obviously, it's plugged in and federated to all the services that person is trying to connect to, it's at the natural high ground. It has an ability no matter who the person is, no matter where they are in the world, no matter what device type they're using, no matter if they're a contractor or an employee, no matter if it's BYOD or company-owned, they have an ability to assert something about the security of the device, the likelihood of the person, the criticality of what they're trying to do, and really decide at that moment in time with real-time information, should they allow this access attempt to proceed or not. Ask for security results from your identity stack.

H.B.

To your point, Reece, I think it's important to note that Jasson is also correct that, like, there is this, like, directional focus on updating, upgrading and right-sizing security architectures. If you were to look at sort of the landscape of cybersecurity, Momentum publishes a fantastic cyber landscape that goes over all of the sort of traditional categories of solution. If you look at sort of modern architectures though, the going phrase that everyone goes for is zero trust, and with zero trust, there's essentially an access component which, you know, some people have been calling Secure Access Service Edge, some people call it zero trust access.

And then on the cloud side, you have kind of an aggregation and simplification of all of your sort of datacenter security tools under what people call CPSM, Cloud Posture and Security Management. These are like big umbrella buckets that sort of drop in tools. And then on the sort of observability, detection and response, like, human-led side, there's this trend towards, like, putting everything that's MSP, MSSP, cloud SIEM, all of those tools into a bucket called MDR, Managed Detection and Response.

And so if you look at these three things, yes, I think in general CIO and CISO priorities are to figure out how they adapt to these, like, three big buckets. But I don't think that as many of the CISOs and CIOs have a strong, opinionated and well-informed opinion yet on what the priority for tooling and tooling upgrades in each of those areas should be. So I think, like what Jasson was suggesting, makes a lot of sense as the highest value first step. And I think that's what we're trying to advocate to people.

Reece

Yeah, I'm surprised. I haven't heard you guys mention Defense In Depth yet, because this is just one of those philosophies that's kind of thrown around like zero trust and I think that people have bought into it or accepted it as reality. But it also kind of sounds like an inconvenience, again, benefiting cybersecurity companies typically, like, "You need to have a lot of products in order to be secure." So what do you guys think about how Defense In Depth factors into this? Do you think it's time to challenge that or rethink that phrase?

Jasson

No, Defense In Depth is a good thing. What it's time to challenge is this notion that it can't come, or it has to come at the expense of the end-user. There's nothing from a technical perspective that says good security products have to have crap experiences for their end-user but that has been a tendency over time in a lot of the products in the industry. And honestly, even some of our attitudes from an operations and security engineering perspective. The end-user, if they're there, they're gonna have to do this, this is the only way to move forward. I do think it's time to challenge that notion and that assumption. There are ways of improving the end-user experience. Every time you apply friction, security friction to an end-user, is there a meaningful reason for that friction? Is there no other alternative way of establishing whatever control you're trying to establish without bringing that friction to the end-user?

So taking it down a step, making it a little bit more practical, do I really need an end-user to have two devices to prove who they say they are if I have a credential locked in a hardware enclave protected or guarded by a local PIN or a biometric, and that's being compared against end-user behavioral history, and I have signals on the device to understand are the controls I expect to be on the device present on the device at the time that person tried to do something interesting? I think the answer is there's a lot of opportunity to improve the end-user experience while getting better security results.

Defense In Depth is good. Nothing is bulletproof. Nothing works all the time. And I think it's a pithy reminder of that. I think where it goes sideways is being used as a crutch that, "Well, this is just how we improve security and, Mr. End-User or Miss End-User, you just have to get over it."

H.B.

I agree with Jasson's take on this. I would say that Defense In Depth has been a sort of broad umbrella to make excuses for a brittle and fragmented product landscape. I think bringing ideas on mechanisms together, especially where they make sense without having distinct products, is an important future trend that we're seeing. And that's why I think you're seeing a lot of collapsing of these, like, endpoint tools into these, like, you know, bigger, like, Cloud-centric buckets of, you know, ZTNA and on the cloud side, you're seeing sort of CPSM is that people are kind of looking at their security signals and trying to aggregate them intelligently even at the point of acquisition, not just the point of aggregation.

Reece

I think the last question should be for Nelson to kind of put a bow on this. When you were building Beyond Identity, Nelson, obviously, prevention was a big focus. But, you know, what about the other side of it, detection and response, how did we factor that into things as well given the landscape?

Nelson

What the team found important was to try to find a solution for an authentication framework that was based on hardware, was based on possession, placing some sort of credential, like Jasson said, on the TPM because it changes the landscape of what you're trying to achieve, right? A phone is something you have sent a push notification to, but it's the thing you carry the most, and you put it somewhere else. Why not make it more like a YubiKey, or a thing that you carry, that has a strong cryptographic framework around it? But also put all of the device posture checks that we could gather as a platform authenticator, as a type of thing that lives on the device that you're trying to do something from and that makes it more of a detection product or something that's closer to that, where you're learning about the environment where the authentication is happening in that transaction in specific, and then you can make decisions about it.

So I thought that was a pretty powerful idea, if you build all the right components into a solution for possession and using biometrics or a PIN as a step-up authentication, that could be a better solution than other things that are more phishable or sort of rely on a third-party device or a separate device.

Reece

So really leveraging the endpoint, simplifying it for the user as well and taking advantage of the hardware for security. All right, well, thank you guys for chatting. We're gonna do this again next week, so be sure to tune in. We'll talk about something else exciting. And remember to smash that Subscribe button so you stay up to date. All right, catch you guys later.
