
What is Needed for a Modern Authentication Solution

Published On
Apr 7, 2023

Today's episode brings you a presentation from Gartner IAM by Beyond Identity CMO Patrick McBride and Chase Cunningham, AKA Dr. Zero Trust, discussing the issues of legacy MFA and what companies need to look for in their modern authentication solution.

Transcription

Joshua

Hello and welcome to the "Cybersecurity Hot Takes" podcast. This is your producer, Joshua, coming at you today with a very special episode. On today's episode, we are so thrilled to bring you the presentation from Gartner IAM by Beyond Identity CMO, Patrick McBride, and Chase Cunningham, AKA Dr. Zero Trust. In this discussion, Patrick and the doctor delve into the issues of legacy MFA and what companies need to look for in their modern authentication solution. We hope you enjoy this presentation and gain some valuable information for how your company can lay your foundation for your zero trust architecture. Enjoy. 

Patrick

We good? All right. Well, welcome. We have a packed house. Thank you all for attending our session today. I'm Patrick McBride. I'm one of the co-founders at Beyond Identity. I think employee nine is the official account from the early days. I'm here with Dr. Chase Cunningham, and I'll have Chase introduce himself in just a minute. Both Chase and I are former, as I like to say, recovering industry analysts. I'm a former META Group analyst kind of way back in the day prior to the Gartner acquisition thereof, and Chase is a former Forrester analyst, so I feel a little bit like inviting the fox to the henhouse here, which is kind of... 

Chase

I'm surprised they gave me a chair. 

Patrick

Yeah. They were going to make you stand, I think. So, we're here to talk about the requirements for modern authentication. And, yeah, we're going to dig into that from what are they, why you need them, but from really a risk perspective. So, that's kind of a unique perspective. I'm not going to give a presentation and prattle on about Beyond Identity. We'd rather, you know, have you come and see it in action. You know, just a quick commercial just so we set the scene is, you know, we believe, and you guys will be the judge, that we've created the most advanced and secure authentication platform on the planet. But, like I said, don't believe me. Come down to booth 509 when you walk, you know, into the main auditorium. We're second row, kind of big booth there. You know, come by and put us to the test. Or my colleague, Kurt Johnson, is doing, I think, one of the floor sessions tomorrow, Tuesday afternoon at 5:40. So you can come and look at that and see what the ingredients are. You know, overall, we've got a solution, a single platform that has a solution for both your workforce and SIEM, so that's a piece of it. But if you were to kind of pick up the top-level characteristics of our platform, it's passwordless, phishing-resistant MFA, really comprehensive device trust, and the ability to include signals from third party from the tech stack that you already have in place all into a rich policy engine and then do it continuously. So we're going to break down some of those things and talk about why some of those things are important. But before I do that, let me get Chase to kind of introduce himself and give you a little bit of background.

Chase

Sure. So, I'm a retired Navy chief. I did all my time working on a variety of organizations. I was basically an NSA civilian wearing a military uniform. Then I went to work for the NSA for a little bit, and I...

Patrick

Are you allowed to say that now?

Chase

Yeah. Right. I just can't talk about what I did, but I was there. I may have been the classified janitor, for all you know. But then I was able to transition over to Forrester, did a bunch of work at Forrester Research. And then lately, I've been doing a whole bunch of consulting gigs across the industry, and along the way spreading hate and discontent and talking about zero trust as much as I possibly can.

Patrick

Yeah. For those that haven't picked up on it, Chase's pseudonym is also Dr. Zero Trust. So, he's got... I think he and John Kindervag back at their Forrester days, you know, kind of worked on that, you know, early on, some of the pioneers in that. And Chase is underselling himself. He's one of the smartest guys in cyber that I know, so he's kind of on speed dial to a lot of folks in the government to work on some of these projects. Listen, you know, kind of start from the top. You know, I'm here saying we need, you know, a new modern authentication regime and, you know, why.  

Chase 

Well, it's not that we need a new regime. Actually, what we need to do is recognize that the bad guys have been telling us how this is going to work for three decades, and people sit around wondering how do we solve this problem. I mean, you look at the number in the DBIR every year of how compromises begin, and how they proliferate, and how the life cycle goes forward... 

Patrick 

Now, we've got a bunch of identity folks in here along with some cyber guys. So the DBIR is?

Chase

Yeah, the DBIR, the Verizon DBIR, which is basically Verizon's...I would call it an almost biblical reference in cyber that they put all the information together every year and say, "Here's the trends of how attacks are successful." And if you have 30 years, we'll call it that, of proof that passwords and password management and access management is what is typically leveraged as the 80-percentile of compromise, why would you focus on other areas first? I mean, because I do so much work consulting with organizations about how do we be on our zero-trust journey, what do we do first, etc., etc. The bad guys tell you, like, they want you to have bad passwords, bad access management, etc., and that's how they're going to get you. It's going to be crappy passwords and human beings clicking on links. And then, sure, down the road, solve for your super amazing crazy NSA EternalBlue exploit. But if, you know, John at home has got password 1234, which, by the way, statistically speaking, was the number one password this year in 2023, what do we fix first? I mean, it's not rocket surgery. Like, this stuff is about as clear as it could possibly be. Somebody says they're going to punch you in the face, you don't bend over and, you know, cover your lower area.

Patrick

We're going to get a lot of those. You know, Chase is full of fun things like that... Hey, so, it's interesting. You said, you know, the more sophisticated ones and stuff. And one of the things that we've kind of struggled with is when the press writes about some of these attacks, these password attacks, they talk about just how sophisticated they are. Is that the case?

Chase 

No. I mean, well, the press obviously tells the truth 100% of the time. There's never any manipulation going on. But, I mean, in reality, what we're looking at there is there's always an avenue of identity being part of this thing, authentication. It doesn't matter if it's a thermostat at home, a wirelessly enabled toilet, which I have found one of those. Sooner or later, somewhere along the way, it authenticates to something. And if you can't interrupt the authentication life cycle, the bad guy continually wins. And this is not a zero-sum game. Honestly, I'm personally sick of the victim mentality that we put forward in cyber. 

Patrick 

Yeah. 

Chase

The bad guys only got to be right once, woe is me, they just got in. The bad guy has to be right continually just like you need to be right continually. If you can interrupt their life cycle, guess what? They'll go find an easier target. You don't have to be perfect, you just have to be better than the next person down the road. And, you know, I love zombie movies. We're running in front of the zombie horde. If you trip and fall, I keep running. Like, that's what we're trying to get to. It sucks for you, and I might wave at you and clap like, "Come on, you can keep up," but I'm not stopping. I'm not tying your shoe. And that's what you're trying to get to is I want to be in a more defensible posture and make the bad guy more miserable in my network than you and they'll go after you.

Patrick 

I'm still stuck on the, you know, Wi-Fi-enabled toilet.

Chase

Oh, it's crazy.

Patrick 

We'll talk about that. 

Chase

Yeah, it's a whole other issue.

Patrick 

So, you know, password's bad. There isn't anybody that you talk to that understands that... "I love my password," said nobody ever. So they don't like them from a usability perspective and also from a security perspective, but wasn't MFA supposed to fix that problem?

Chase

Well, MFA was a great move towards an out-of-band authentication mechanism, right? The one that I like to use all the time is there was a study published by the oil and gas industry. If you remember a few years ago, we used to go to a gas station, just zip your card to get your gas and leave. Fraud was everywhere. So then they came up with that idea of, wait a minute, that's a card. Let's make you either put your four-digit PIN in or your ZIP code and validate that. In something like 30 or 60 days, they saw, like, a 90-something percent reduction of fraud.

Patrick 

Right.

Chase

So that one additional out-of-band authentication massively reduces the ability for someone to get in the middle of that. Now, we thought when we moved to MFA that, all of a sudden, we had uncovered the golden cup of awesome that would make this never be a problem again. However, a bunch of organizations have proved via APIs and other things and just basically inundating people with, you know, a blast of multi-factor auth, sooner or later you can get somebody pissed off enough they'll click the link. So, it's not that there's not a whole lot of value to MFA, but MFA, like any other thing, can be manipulated and leveraged to cause compromise. 

Patrick 

Right. So, all of the kind of user-oriented manipulation attacks. You know, it was, I think, mid-last year I did...you know, Kurt Johnson who's in the audience with me, and I did a bunch of CISO Executive Network presentations around the country. And when I was giving the presentations, I was kind of coming in pretty hot about, you know, the issues. We felt, like, a little bit of a candle in the wind, you know, kind of way and to say, you know, it's not all it's cracked up to be, the stuff that you've been using. And we got a lot of pushback. I mean, Microsoft and Google had said it's wonderful and it stops all the stuff, but now it's maybe changed a bit. You know, we're seeing this year when we talk, not so much. They're like, "Okay, we get it."

Chase

I think in the context of the big broad problem, MFA is a force multiplier, right? I think it's something relatively simple. My 11-year-old, when she set up her Fortnite account, the first thing she did was she set up MFA. I didn't tell her to do it, and I asked her why, and she said, "Well, that way, no one can get my V-Bucks." And I was like if an 11-year-old can understand this concept, anyone in the CISO world can get it, right. 

Patrick 

That's a cyber kid, for sure.

Chase

Well, she was protecting what's of value for her with a really simple thing. And she had a phone, and she set it up, and good to go. So, I think it's super valuable for the broad swath of where we're moving to, but there are better ways, just like in every other space, to continually innovate and do things on the front. I moved over to full passwordless last year for all of my stuff, and I don't miss having a password at all. Now, there is a bit of a biometric thing there that some people are concerned about like, well, what if someone gets your finger? Okay, that's another problem. We'll solve that, you know, but…

Patrick 

There are certain threat models like this one that we can't quite stop.

Chase

Yeah. Like, of all the threats I'm willing to live with, taking my finger is one I'm okay with. So it's good, but there are better ways to continue to innovate on that space.

Patrick 

Double-click a little bit into the MFA stuff. I mean, you know, there's a bunch of recent attacks. You know, we talked about, say, you know, you mentioned kind of what I guess is becoming classically known as prompt bombing. They'll send you a bunch of push notification attacks, and, eventually, somebody's going to click on one. I've got some CISO friends who...you know, there is a woe is me. They've experienced that to much detriment. What are some of the other things that...?

Chase

Well, APIs have become another avenue of compromise, and APIs are not really well-leveraged for authentication protocol. So, it's pretty easy to leverage the back and forth of that to get past it. Twitter, honestly, was a good example of somebody sort of manipulating the man in the middle side and really getting into it. However, I would also say Twitter, in my view, actually expressed a good use of out-of-band authentication because they were able to at least go, okay, we got sick and tired of the prompt. Somebody clicked it, third party, blah, blah, blah, but at least we know something weird occurred and we're able to respond.

Patrick 

Right.

Chase

So, yes, there was a fire, but the entire state wasn't on forest fire.

Patrick 

Right. If I can't, you know, protect upfront, at least detect and respond.

Chase

I mean, all cybersecurity, I think, strategically is actually, in the Navy, we call that watertight integrity. Right, I want to be able to take a hit from a missile and keep the ship afloat, and how do I do that? I do that by compartmentalization by isolating where the water can go and I stay in the fight. I don't want to be the Titanic where they said, "There's no way we could ever sink, so we won't even bring the lifeboats on board," and you wind up with a movie where Leo freezes to death.

Patrick 

Yeah.

Chase

That's not what we want.

Patrick 

Poor guy. Poor guy. So, is the MFA bypassing attacks, is it still kind of in theory land? You mentioned the Twitter one. Or is that kind of...? 

Chase

Well, I mean, it's in the stage of be aware of it and start to understand. Especially for, like, high-profile executives and people that are going to be doing a lot of interacting, they're going to be targeted with it. I think now the term is not phishing, it's whaling, which could be offensive depending on how you look at it.

Patrick 

Right.

Chase 

But, yeah, I mean, if they're moving up the chain and there's proof of concept and it's starting to work, just like I said earlier, you can guarantee once the bad guys see an easy value proposition, they go where the money is.

Patrick 

Right. We were surprised, I think, you know, 6, 8, 12 months ago when we were talking about it and getting a lot of pushback. A lot of folks said, "Yeah, but, you know, Microsoft, you know, came out with a report and said it blocks 99% of stuff." Well, you know, this year, it was interesting. They came out and said, "Hey, wait, there's active exploits in the wild, you know, freely available," and we're seeing an attack on 35,000, you know, organizations using some of the phishing techniques that you talked about.

Chase

I mean, it's a numbers game. They're just blasting them across the internet, and if I send out... Because when I was red teaming, I would send out 35,000 emails. If I get 3%, that's a pretty good number for me, and I only need a significant person to fall for it and go forward from there.

Patrick 

All right. So, switching gears, so we've got kind of that as a backdrop. You know, password's no good, kind of some of the legacy MFA is kind of, you know, iffy at this point.

Chase 

Needs to evolve.

Patrick 

Yeah, needs to evolve. All right. So, you know, what does a, you know, kind of modern auth solution need to incorporate?

Chase

Well, really, I think the most important piece is the policy engines we're seeing now. There's a lot of conversation going on around zero trust and etc., etc. Really, the power there comes from the policy engine side of this. And you should be able to take in a lot of telemetry and validate the things that are taking place. And using the policy engine at any stage in a life cycle, I should be able to sit out and interrupt what's going on if there's an anomaly or a strange occurrence taking place. It shouldn't make the users miserable. Users should do what users do. We've done a disservice to our general user population in cybersecurity because we've tried to make them all cybersecurity engineers. And we've said, "Well, why do you keep screwing this up?" Well, that's not their job. Just like I run my own LLC, I use tax software to do my taxes so I don't get arrested. Not that I have enough money to get arrested, but they would, you know, do that. The whole thing is just making it where software makes it where you can do what you need to do, and the telemetry is available, and you solve the problem and go on about your day.

Patrick 

So, in the telemetry, some of those risk signals, you know, is there a couple that, you know, kind of come to mind that are things that you want to include in that policy decision?

Chase 

I mean, the simplest ones are does this look like what it has looked like normally over time, right? Chase works from home, it's in Virginia. He's on Comcast. Comcast, typically, he talks to these applications. He usually works from 6 in the morning till 4 in the afternoon. Today, for some reason, Chase sent a login request at 2:00 in the morning from, I don't know, Moscow. Probably something we should look at. Those types of things are super useful, and they don't have to totally eradicate the activities going on, but I want to investigate it. I want to see what's up. And the policy engines make that where we talk about the cybersecurity hiring crisis. I fundamentally think we don't have a cybersecurity hiring crisis. We have a mismanagement and misuse of technology to solve the problem. We're trying to dig the Suez Canal with spoons. It's doable, it would take a long time and would suck a lot, but, really, we should be using the right technology to optimize the people to do this at scale.

Patrick 

So when we think about, like, MFA, and passwords, and even, you know, kind of modern versions of MFA, which we'll click into here in a second, that's about... Well, actually, before that, let's click in to kind of we talked about some of the issues with, you know, some of the existing, you know, stuff that's out there, things like push notification or one-time passwords over SMS and stuff like that. You know, what does good look like or new good like in that regard?

Chase

I mean, really, you move to that space where you're getting your average users off of the password and your policy engine is taking care of everything, and your telemetry is continually feeding that life cycle. If you're doing it correctly, you could look at, like, the Lockheed Martin Kill Chain or MITRE or whatever. And you flip that not for the defensive side because we also try and come up with this concept, the perfect defense that doesn't exist.

Patrick 

Right.

Chase

I really want to be thinking, and he was talking about it before in the trends, I want to be thinking about how the adversary is successful. And all I need to do is interrupt them enough to where I win, and how do they do that? They do privilege escalation, access management, all of those things.

Patrick 

You know, it's interesting. I looked at the MITRE kill chain where you take the...the old kill chain, you take the MITRE report that dissects a kill chain and looks at the TTPs that the bad guys are using. And for initial access, well, there's lots of ways that they gain entry. There's a reconnaissance step up front, who am I going to attack, how am I going to go after them. There's another step... The first step is how do I gain initial entry, and by far, the one that they had the most threat actors leveraging was passwords, you know, stolen credentials, etc. It's an arm's length one. You know, it was a bunch of the sophisticated guys. So, the opposite trend to these attacks aren't sophisticated like stealing passwords or bypassing MFA. On the other hand, the sophisticated actors will use them too because it's easy money.

Chase

Well, and we've also seen some of the more, I guess you'd call them combination types of attacks becoming really prevalent where even if I can't get you with a username and password and whatever else, there are people that now, because of the volume of information you buy on the underground, that are extorting humans to be able to get their access logins. And if you can do that, it would still be valuable to be able to look at it from a SOC perspective and go, "There is something weird occurring here." Because the bad guys aren't going to follow the same pattern of life as a normal human being. Like, you will find an anomaly and you should be able to react to it. The ransomware conversation is super interesting as well. Like, I'll save everyone in here a whole lot of money on ransomware defense. If you have a Windows machine, go to that little search thing and type in PowerShell. If it works and you can invoke PowerShell, turn it off and you just saved 90% on ransomware threats. Like, there you go, and send me the check. That's it, you know what I mean?

Patrick 

You'll take pennies [crosstalk]

Chase

Exactly. Yeah. I'll take one percentage point of that. 

Patrick 

In fact, that initial attack vector when we looked at ransomware, the DBIR also says that it was... When I talked to CISOs, their initial inclination is, oh, ransomware, they must've clicked a link that downloaded the ransomware or sent it to a nefarious website.

Chase

No, they invoked a native program.

Patrick 

Yeah. They invoked a native program or they logged in. Actually, the one that rose to the top was email with a phishing link that got you to give up access to one of the remote access tools, remote access Trojans or not even a Trojan, actually, a legit tool.

Chase

I mean, brand impersonation plays in here a lot too, especially with the man in the middle stuff. It is exceptionally easy to grab brands and just change one thing in the domain, and then you've got all their information. I mean, you can be Wells Fargo because a lowercase L looks a lot like a 1 in a URL. 

Patrick 

You know, one of the...again, when people think sophisticated, not sophisticated, there's literally toolkits out in GitHub, open repositories that are available that makes that, like, painting by numbers, doing, you know, phishing attacks.

Chase

If you're super lazy, you can just go hire someone to do it for you.

Patrick 

Exactly. 

Chase

I mean, I think the last exploit kit that I saw on one of the forums was you would pay 50 bucks for them to set it up, and they got 3% of every time you got a hit on a bank account. Like, it's a good retirement plan. It's better than my 401k.

Patrick 

Yeah. And you don't have to do the ransomware piece so that you let somebody else do that, which...

Chase

As long as you're willing to live in a non-extradition country, it's beautiful.

Patrick 

Yeah. All right. So we talk, you know, a lot about the, you know, higher trust in the end users and getting to that level. What about the device? You know, so the endpoint that we're logging in from.

Chase

Yeah, VPNs are...if you're running your business on 1993 or 1996 accounting software, you'd probably get fired. VPNs came to the market in 1993 and '96, so if you're using a VPN, you're using really old technology to solve a problem where you're literally piping someone from somewhere into the system and they get access to whatever they're supposed to have access to. So that continually introduces risk, and that is usually combined with a lack of policy engine, and good password management, and all those things. So, it continues to introduce these things, and it only empowers the adversary. Go on Shodan right now and look for VPN. You'll find a few million of them that are talking to the internet that are open that are vulnerable and do whatever you want with them. No, actually, don't do that, and don't say I did it, but you could.

Patrick 

Yeah. This would screw up your retirement plan if they follow that advice.

Chase

Yeah.

Patrick 

So, high trust in the user, establish. You're using other methods other than, you know, age-old technology to establish high trust in the endpoint.

Chase

Your device, I mean, your iPhone or your Android phone, I mean, that's a great way to validate, especially cryptographically, that you have the things there that you're supposed to have to be able to get to this and that you are who you say you are. You should be checking device health before you allow access to applications. And it's really simple. Duo did this quite a while ago and they've gotten a lot better, but, like, there's been a lot of innovation around it as far as is this machine regular, does it fail the policy requirements, is it patched. And if it's not patched, you don't get access to my network. Here's a thing. Go download the patch, and then I'll provide you access. And it's not going to make the user miserable. They're in plain English. They can figure it out. They can download all of the apps that people do. You can click the download link to patch your machine.

Patrick 

Got it. All right. So, let's... No pun intended, beyond high trust in the user and the device, over the...in Gartner circles and other places, we've heard a lot about continuous authentication, which tended to be, like, do stuff every time I authenticate. Does that fit the zero trust model? We have these long session tokens, and...

Chase

No, I mean, the most important thing in the realm of strategic victory is to make sure that they go away after it's over with. You don't want the repair guy showing up to your house and you say, "Hey, would you like to move in and drink my beer in my fridge? And, oh, by the way, you can stay here indefinitely." Like, you come, you fix my problem, and then you leave. So, having the ability to revoke session tokens to get them out of your network and to end the session when something has transacted is super valuable because then you get another opportunity to run through the protocol to make sure that they're supposed to be there.

Patrick 

Right. 

Chase

You don't want continual access. You don't want it just unfettered, get to my network, and do whatever you want for as long as you think you might need to be there.

Patrick 

You mentioned this earlier in the discussion. I just want to, you know, kind of call it out specifically. You mentioned kind of user experience, you know, kind of the context of passwords, but, you know, why so important? You know, we've got a bunch of security measures, but, you know, hey, can't we go old school and say, "Do it my way or the highway?"

Chase

You can and it will work well for you. I mean, the first thing that anybody does whenever a security control gets in the way of you is you go around it. If you've got it done correctly, if the security policy engine and the technologies are aligned correctly to enable the user, they don't know that security is actually taking place. They just do their job. I think it's very much like how the modern automobile works where a few years ago, you used to have to buy your Garmin separately. You had to turn it on, and most of us, while we were driving 80 miles an hour, we're plugging in where we were supposed to go and whatever else. Now you get in your car, you hit the button. If it's a Tesla, I guess you call Elon and he sends you where you're supposed to go.

Patrick 

Or not.

Chase

Yeah, but the rest of us, like, it's all there and you just operate safely to get to wherever you're supposed to go. You don't have to know how all that stuff works.

Patrick 

Got it. So, it was interesting. When I looked at kind of the makeup of the audience this year at IAM, and I've been going for lots and lots of years, I was kind of surprised. It was a rather large influx of kind of true cyber...you know, kind of cybersecurity titles and professionals. You know, they're kind of edging in on our...the identity, you know, that we like to call ourselves in the past. But, you know, so I'll let them turn off for a little while, but, you know, kind of talking to the identity folks. I mean, you've been on the zero trust bus here...literally, if you turn the clock back, I think in the keynote, they talk, you know, people went back 15, 20, 25 years being in the identity practice. And early on, it was about, you know, IT and getting people to their stuff, but it's kind of more important than that. What would be the message to, you know, our identity these days?

Chase

I mean, you can't have security without identity and access management. Like, that's as clear as I could possibly make it. And if you're not able to control what's going on and have the ability to do that at scale... And you can't do that with a spreadsheet, and you can't do that with Timmy the intern. You have to do it with technology. And most of us are going to use cloud and scale and all those things. That's how you enable modern cybersecurity. That's part of digital transformation. Even if you talk to your regular consumer side of this equation, just like for me, I check in every morning, I have Dashlane for my password manager for my personal side of it. This morning, I had 404 usernames and passwords that are managed by that. There's no way I could possibly keep up with it. So, technology makes it possible, and that is, to me, the most important part of this whole thing to begin with. On top of that, if you look at the DoD strategy, which we got published right before Thanksgiving, all of phase one is about identity and access. And there's a reason that they've allocated $1.75 billion to this whole thing because they know that if they can take care of that correctly, everything else after it becomes part of a paradigm.

Patrick 

So, you know, from somewhat red-headed stepchild, you guys became like the cool kids at the dance. You know, everybody wants to hang out with you now, which is... You know, there's not a CISO that I talk to that doesn't say that that is the most important thing now.

Chase

Well, it's important too that the seat at the table has been provided. Now, it's not to mess up dinner for everybody, you know what I mean? It's like you've got your seat at the table. Push it and talk about business context, talk about outcomes for users, growing opportunities. And, actually, if you do it correctly with the right policy engines, I think before he was asking how many people had 15 IAM or something solutions. You should consolidate that and get more out of one. You're probably never going to get towards the Sauron sort of one ring to rule them all cybersecurity deal, but you'll get towards a portfolio that is manageable. And there you save money, and that's a conversation CFOs like.

Patrick 

And if you do it in a risk context, which, you know, kind of Chase walked you through, I mean, that's the lingua franca of the CISO, right? I mean, if we want to get extra budget from the CISOs, you know, we've got to put it into that kind of context. And you'd be surprised at how many CISOs...they know. They know identity is really important. They know they can't have a strong program without it. They know authentication is important. They can't have a strong program without it. But if you ask them about their number one vulnerability, they don't go back to that data in the Verizon data breach report that we see every year and your 80% number. They kind of go, they start thinking about, you know, some zero-day [crosstalk]

Chase

It's not sexy. I mean, it's not...

Patrick 

I think it's kind of...I think these people are kind of sexy.

Chase

Well, the blocking and tackling stuff is not sexy, but that's what wins games. So, block and tackle real well, which is identity and access management, which is policy engine, which is authentication. That stuff, do all the sexy cool stuff later because if you get this right, that becomes even more doable.

Patrick 

You know, one of the...with some of the CISOs we've talked to, I mean, for the last decade, you know, if we're going to be honest, we spent a whole lot of the time with detection response. That's where the budget went to, not shockingly. Dwell times where an attacker gets in and kind of sits around for weeks, months, even years, it's like you've got a problem that you got to fix. Let's identify them and do something with them, but we forgot the ounce of prevention or ounce of protection part of it. So, I think, you know, people are really...and zero trust is all about that, really coming back, understanding that they are going to get in, no environment's secure, but also don't forget the protection side of it.

Chase

Well, and the thing about SIEM and those sides of it is it's like going to the doctor and he walks in and holds up your test results. He's like, "Man, you're really sick," and then he leaves. You're like, "Wait, where's my treatment plan?" And they go, "Oh, well, that's extra." Like, no, no, no. Like, if you're really sick, I want you to tell me how to treat it and fix the problems. And, usually, it's a fundamental basic issue. If you've got high cholesterol, change your diet. Like, if you're smoking cigarettes, put the cigarettes away. So, it's those types of things that make a lot of difference.

Patrick 

Well, we've got a couple of minutes, you know, left I wanted to reserve. If anybody's got any questions, you can just shout them. I don't know, there may be a floater mic, but kind of any questions for Chase in the audience? Hard questions only.

Chase

Don't ask me where I got my coat because my daughter made me put this on.

Patrick 

Yeah. Chase has got, you know, observation, great jacket and great boot game. You know, I've got some catching up to do. Go ahead in the back. 
 
[Question inaudible]

Chase

I mean, it's better than not. I think FIDO, and Auth0, and some of those folks are doing interesting work. It's a good way to begin the process, and there is an evolution going on there. So, I think, honestly, where you're going to get to is going to be this combination of self-sovereign identity, policy engines, and biometrics that are going to basically change the way that we make sure that the authentication protocols are handled. But, you know, I would say that what you're doing makes a lot of sense, and that's a great place to begin pushing that initiative.

Patrick 

You know, I think, you know, the way we think about it is FIDO2 is a really good start. And it, you know, allows you...along with other factors like if you can use local biometrics or local PIN code, FIDO2, good solutions in FIDO2. Store a private key in a TPM, that hardware enclave that's, you know, separate on the computer. So then you can do a cryptographic, you know, transaction to make sure it's actually Patrick or Chase. Combine that with a biometric, and you've got two really strong factors there. But it doesn't mean...you can implement that in a not phishing-resistant way. You can implement that in a...well, you can, you know, implement that and still not have the device trust, and implement that and still not have the policy engine, you know, to bring in the other signals of continuous auth. So, we think, you know, we're...in fact, we had Chase and I get to do a thing last week where we did this launch of the zero trust authentication, and we did a leadership series on that. It was kind of cool because the FIDO team came and presented at that. And we'll be with them out at RSA too, so, you know, we're kind of all in on that. It makes sense, but... You know, and I don't even want to say it's not good enough. It's a great start. I mean, they've done a lot in the industry, you know, to get us off of passwords into something much more secure. Take one more question.

Chase 

Thirty seconds. She's like holding up a crook. She's like, "Get off the stage."

Patrick 

Yeah, we're going to get the hook. So, all right, well, just kind of a quick reminder. We've got that floor session tomorrow at Tuesday if you want to come see that. We're in booth 509. We'd love to prove to you, you know, the wares that we have and talk to you. Otherwise, thank you. Have a great rest of your day.


Patrick 

So, you know, from somewhat red-headed stepchild, you guys became like the cool kids at the dance. You know, everybody wants to hang out with you now, which is... You know, there's not a CISO that I talk to that doesn't say that that is the most important thing now.

Chase

Well, it's important too that the seat at the table has been provided. Now, it's not to mess up dinner for everybody, you know what I mean? It's like you've got your seat at the table. Push it and talk about business context, talk about outcomes for users, growing opportunities. And, actually, if you do it correctly with the right policy engines, I think before he was asking how many people had 15 IAM or something solutions. You should consolidate that and get more out of one. You're probably never going to get towards the Sauron sort of one ring to rule them all cybersecurity deal, but you'll get towards a portfolio that is manageable. And there you save money, and that's a conversation CFOs like.

Patrick 

And if you do it in a risk context, which, you know, kind of Chase walked you through, I mean, that's the lingua franca of the CISO, right? I mean, if we want to get extra budget from the CISOs, you know, we've got to put it into that kind of context. And you'd be surprised at how many CISOs...they know. They know identity is really important. They know they can't have a strong program without it. They know authentication is important. They can't have a strong program without it. But if you ask them about their number one vulnerability, they don't go back to that data in the Verizon data breach report that we see every year and your 80% number. They kind of go, they start thinking about, you know, some zero-day [crosstalk]

Chase

It's not sexy. I mean, it's not...

Patrick 

I think it's kind of...I think these people are kind of sexy.

Chase

Well, the blocking and tackling stuff is not sexy, but that's what wins games. So, block and tackle real well, which is identity and access management, which is policy engine, which is authentication. That stuff, do all the sexy cool stuff later because if you get this right, that becomes even more doable.

Patrick 

You know, one of the...with some of the CISOs we've talked to, I mean, for the last decade, you know, if we're going to be honest, we spent a whole lot of the time with detection and response. That's where the budget went to, not shockingly. Dwell times where an attacker gets in and kind of sits around for weeks, months, even years, it's like you've got a problem that you've got to fix. Let's identify them and do something with them, but we forgot the ounce of prevention or ounce of protection part of it. So, I think, you know, people are really...and zero trust is all about that, really coming back, understanding that they are going to get in, no environment's secure, but also don't forget the protection side of it.

Chase

Well, and the thing about SIM and those sides of it is it's like going to the doctor and he walks in and holds up your test results. He's like, "Man, you're really sick," and then he leaves. You're like, "Wait, where's my treatment plan?" And they go, "Oh, well, that's extra." Like, no, no, no. Like, if you're really sick, I want you to tell me how to treat it and fix the problems. And, usually, it's a fundamental basic issue. If you've got high cholesterol, change your diet. Like, if you're smoking cigarettes, put the cigarettes away. So, it's those types of things that make a lot of difference.

Patrick 

Well, we've got a couple of minutes, you know, left I wanted to reserve. If anybody's got any questions, you can just shout them. I don't know, there may be a floater mic, but kind of any questions for Chase in the audience? Hard questions only.

Chase

Don't ask me where I got my coat because my daughter made me put this on.

Patrick 

Yeah. Chase has got, you know, observation, great jacket and great boot game. You know, I've got some catching up to do. Go ahead in the back. 
 
[Question inaudible]

Chase

I mean, it's better than not. I think FIDO, and Auth0, and some of those folks are doing interesting work. It's a good way to begin the process, and there is an evolution going on there. So, I think, honestly, where you're going to get to is going to be this combination of self-sovereign identity, policy engines, and biometrics that are going to basically change the way that we make sure that the authentication protocols are handled. But, you know, I would say that what you're doing makes a lot of sense, and that's a great place to begin pushing that initiative.

Patrick 

You know, I think, you know, the way we think about it is FIDO2 is a really good start. And it, you know, allows you...along with other factors like if you can use local biometrics or a local PIN code, FIDO2, good solutions in FIDO2. Store a private key in a TPM, that hardware enclave that's, you know, separate on the computer. So then you can do a cryptographic, you know, transaction to make sure it's actually Patrick or Chase. Combine that with a biometric, and you've got two really strong factors there. But it doesn't mean...you can implement that in a not phishing-resistant way. You can implement that in a...well, you can, you know, implement that and still not have the device trust, and implement that and still not have the policy engine, you know, to bring in the other signals of continuous auth. So, we think, you know, we're...in fact, we had Chase and I get to do a thing last week where we did this launch of the zero trust authentication, and we did a leadership series on that. It was kind of cool because the FIDO team came and presented at that. And we'll be with them out at RSA too, so, you know, we're kind of all in on that. It makes sense, but... You know, and I don't even want to say it's not good enough. It's a great start. I mean, they've done a lot in the industry, you know, to get us off of passwords into something much more secure. Take one more question.

Chase 

Thirty seconds. She's like holding up a crook. She's like, "Get off the stage."

Patrick 

Yeah, we're going to get the hook. So, all right, well, just kind of a quick reminder. We've got that floor session tomorrow, Tuesday, if you want to come see that. We're in booth 509. We'd love to prove to you, you know, the wares that we have and talk to you. Otherwise, thank you. Have a great rest of your day.


Patrick 

Got it. All right. So, let's... No pun intended, beyond high trust in the user and the device, over the...in Gartner circles and other places, we've heard a lot about continuous authentication, which tended to be, like, do stuff every time I authenticate. Does that fit the zero trust model? We have these long session tokens, and...

Chase

No, I mean, the most important thing in the realm of strategic victory is to make sure that they go away after it's over with. You don't want the repair guy showing up to your house and you say, "Hey, would you like to move in and drink my beer in my fridge? And, oh, by the way, you can stay here indefinitely." Like, you come, you fix my problem, and then you leave. So, having the ability to revoke session tokens to get them out of your network and to end the session when something has transacted is super valuable because then you get another opportunity to run through the protocol to make sure that they're supposed to be there.

Patrick 

Right. 

Chase

You don't want continual access. You don't want it just unfettered, get to my network, and do whatever you want for as long as you think you might need to be there.

Patrick 

You mentioned this earlier in the discussion. I just want to, you know, kind of call it out specifically. You mentioned kind of user experience, you know, kind of the context of passwords, but, you know, why so important? You know, we've got a bunch of security measures, but, you know, hey, can't we go old school and say, "Do it my way or the highway?"

Chase

You can and it will work well for you. I mean, the first thing that anybody does whenever a security control gets in the way of you is you go around it. If you've got it done correctly, if the security policy engine and the technologies are aligned correctly to enable the user, they don't know that security is actually taking place. They just do their job. I think it's very much like how the modern automobile works where a few years ago, you used to have to buy your Garmin separately. You had to turn it on, and most of us, while we were driving 80 miles an hour, we're plugging in where we were supposed to go and whatever else. Now you get in your car, you hit the button. If it's a Tesla, I guess you call Elon and he sends you where you're supposed to go.

Patrick 

Or not.

Chase

Yeah, but the rest of us, like, it's all there and you just operate safely to get to wherever you're supposed to go. You don't have to know how all that stuff works.

Patrick 

Got it. So, it was interesting. When I looked at kind of the makeup of the audience this year at IAM, and I've been going for lots and lots of years, I was kind of surprised. It was a rather large influx of kind of true cyber...you know, kind of cybersecurity titles and professionals. You know, they're kind of edging in on our...the identity, you know, that we like to call ourselves in the past. But, you know, so I'll let them turn off for a little while, but, you know, kind of talking to the identity folks. I mean, you've been on the zero trust bus here...literally, if you turn the clock back, I think in the keynote, they talk, you know, people went back 15, 20, 25 years being in the identity practice. And early on, it was about, you know, IT and getting people to their stuff, but it's kind of more important than that. What would be the message to, you know, our identity these days?

Chase

I mean, you can't have security without identity and access management. Like, that's as clear as I could possibly make it. And if you're not able to control what's going on and have the ability to do that scale... And you can't do that with a spreadsheet, and you can't do that with Timmy the intern. You have to do it with technology. And most of us are going to use cloud and scale and all those things. That's how you enable modern cybersecurity. That's part of digital transformation. Even if you talk to your regular consumer side of this equation, just like for me, I check in every morning, I have Dashlane for my password manager for my personal side of it. This morning, I had 404 usernames and passwords that are managed by that. There's no way I could possibly keep up with it. So, technology makes it possible, and that is, to me, the most important part of this whole thing to begin with. On top of that, if you look at the DoD strategy, which we got published right before Thanksgiving, all of phase one is about identity and access. And there's a reason that they've allocated $1.75 billion to this whole thing because they know that if they can take care of that correctly, everything else after it becomes part of a paradigm.

Patrick 

So, you know, from somewhat red-headed stepchild, you guys became like the cool kids at the dance. You know, everybody wants to hang out with you now, which is... You know, there's not a CISO that I talk to that doesn't say that that is the most important thing now.

Chase

Well, it's important too that the seat at the table has been provided. Now, it's not to mess up dinner for everybody, you know what I mean? It's like you've got your seat at the table. Push it and talk about business context, talk about outcomes for users, growing opportunities. And, actually, if you do it correctly with the right policy engines, I think before he was asking how many people had 15 IAM or something solutions. You should consolidate that and get more out of one. You're probably never going to get towards the Sauron sort of one ring to rule them all cybersecurity deal, but you'll get towards a portfolio that is manageable. And there you save money, and that's a conversation CFOs like.

Patrick 

And if you do it in a risk context, which, you know, kind of Chase walked you through, I mean, that's the lingua franca of the CISO, right? I mean, if we want to get extra budget from the CISOs, you know, we've got to put it into that kind of context. And you'd be surprised at how many CISOs...they know. They know identity is really important. They know they can't have a strong program without it. They know authentication is important. They can't have a strong program without it. But if you ask them about their number one vulnerability, they don't go back to that data in the Verizon data breach report that we see every year and your 80% number. They kind of go, they start thinking about, you know, some zero-day [crosstalk]

Chase

It's not sexy. I mean, it's not...

Patrick 

I think it's kind of...I think these people are kind of sexy.

Chase

Well, the blocking and tackling stuff is not sexy, but that's what wins games. So, block and tackle real well, which is identity and access management, which is policy engine, which is authentication. That stuff, do all the sexy cool stuff later because if you get this right, that becomes even more doable.

Patrick 

You know, one of the...with some of the CISOs we've talked to, I mean, for the last decade, you know, if we're going to be honest, we spent a whole lot of the time with detection and response. That's where the budget went to, not shockingly. Dwell times where an attacker gets in and kind of sits around for weeks, months, even years, it's like you've got a problem that you got to fix. Let's identify them and do something with them, but we forgot the ounce of prevention or ounce of protection part of it. So, I think, you know, people are really...and zero trust is all about that, really coming back, understanding that they are going to get in, no environment's secure, but also don't forget the protection side of it.

Chase

Well, and the thing about SIEM and those sides of it is it's like going to the doctor and he walks in and holds up your test results. He's like, "Man, you're really sick," and then he leaves. You're like, "Wait, where's my treatment plan?" And they go, "Oh, well, that's extra." Like, no, no, no. Like, if you're really sick, I want you to tell me how to treat it and fix the problems. And, usually, it's a fundamental basic issue. If you've got high cholesterol, change your diet. Like, if you're smoking cigarettes, put the cigarettes away. So, it's those types of things that make a lot of difference.

Patrick 

Well, we've got a couple of minutes, you know, left I wanted to reserve. If anybody's got any questions, you can just shout them. I don't know, there may be a floater mic, but kind of any questions for Chase in the audience? Hard questions only.

Chase

Don't ask me where I got my coat because my daughter made me put this on.

Patrick 

Yeah. Chase has got, you know, observation, great jacket and great boot game. You know, I've got some catching up to do. Go ahead in the back. 
 
[Question inaudible]

Chase

I mean, it's better than not. I think FIDO, and Auth0, and some of those folks are doing interesting work. It's a good way to begin the process, and there is an evolution going on there. So, I think, honestly, where you're going to get to is going to be this combination of self-sovereign identity, policy engines, and biometrics that are going to basically change the way that we make sure that the authentication protocols are handled. But, you know, I would say that what you're doing makes a lot of sense, and that's a great place to begin pushing that initiative.

Patrick 

You know, I think, you know, the way we think about it is FIDO2 is a really good start. And it, you know, allows you...along with other factors like if you can use local biometrics or a local PIN code, FIDO2, good solutions in FIDO2. Store a private key in a TPM, that hardware enclave that's, you know, separate on the computer. So then you can do a cryptographic, you know, transaction to make sure it's actually Patrick or Chase. Combine that with a biometric, and you've got two really strong factors there. But it doesn't mean...you can implement that in a not phishing-resistant way. You can implement that in a...well, you can, you know, implement that and still not have the device trust, and implement that and still not have the policy engine, you know, to bring in the other signals of continuous auth. So, we think, you know, we're...in fact, we had Chase and I get to do a thing last week where we did this launch of the zero trust authentication, and we did a leadership series on that. It was kind of cool because the FIDO team came and presented at that. And we'll be with them out at RSA too, so, you know, we're kind of all in on that. It makes sense, but... You know, and I don't even want to say it's not good enough. It's a great start. I mean, they've done a lot in the industry, you know, to get us off of passwords into something much more secure. Take one more question.

Chase 

Thirty seconds. She's like holding up a crook. She's like, "Get off the stage."

Patrick 

Yeah, we're going to get the hook. So, all right, well, just kind of a quick reminder. We've got that floor session tomorrow at Tuesday if you want to come see that. We're in booth 509. We'd love to prove to you, you know, the wares that we have and talk to you. Otherwise, thank you. Have a great rest of your day.

What is Needed for a Modern Authentication Solution

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Today's episode brings you a presentation from Gartner IAM by Beyond Identity CMO Patrick McBride and Chase Cunningham, AKA Dr. Zero Trust discussing the issues of legacy MFA and what companies need to look for in their modern authentication solution.

Transcription

Joshua

Hello and welcome to the "Cybersecurity Hot Takes" podcast. This is your producer, Joshua, coming at you today with a very special episode. On today's episode, we are so thrilled to bring you the presentation from Gartner IAM by Beyond Identity CMO, Patrick McBride, and Chase Cunningham, AKA Dr. Zero Trust. In this discussion, Patrick and the doctor delve into the issues of legacy MFA and what companies need to look for in their modern authentication solution. We hope you enjoy this presentation and gain some valuable information for how your company can lay your foundation for your zero trust architecture. Enjoy. 

Patrick

We good? All right. Well, welcome. We have a packed house. Thank you all for attending our session today. I'm Patrick McBride. I'm one of the co-founders at Beyond Identity. I think employee nine is the official account from the early days. I'm here with Dr. Chase Cunningham, and I'll have Chase introduce himself in just a minute. Both Chase and I are former, as I like to say, recovering industry analysts. I'm a former META Group analyst kind of way back in the day prior to the Gartner acquisition thereof, and Chase is a former Forrester analyst, so I feel a little bit like inviting the fox to the henhouse here, which is kind of... 

Chase

I'm surprised they gave me a chair. 

Patrick

Yeah. They were going to make you stand, I think. So, we're here to talk about the requirements for modern authentication. And, yeah, we're going to dig into that from what are they, why you need them, but from really a risk perspective. So, that's kind of a unique perspective. I'm not going to give a presentation and prattle on about Beyond Identity. We'd rather, you know, have you come and see it in action. You know, just a quick commercial just so we set the scene is, you know, we believe, and you guys will be the judge, that we've created the most advanced and secure authentication platform on the planet. But, like I said, don't believe me. Come down to booth 509 when you walk, you know, into the main auditorium. We're second row, kind of big booth there. You know, come by and put us to the test. Or my colleague, Kurt Johnson, is doing, I think, one of the floor sessions tomorrow, Tuesday afternoon at 5:40. So you can come and look at that and see what the ingredients are. You know, overall, we've got a solution, a single platform that has a solution for both your workforce and SIEM, so that's a piece of it. But if you were to kind of pick up the top-level characteristics of our platform, it's passwordless, phishing-resistant MFA, really comprehensive device trust, and the ability to include signals from third party from the tech stack that you already have in place all into a rich policy engine and then do it continuously. So we're going to break down some of those things and talk about why some of those things are important. But before I do that, let me get Chase to kind of introduce himself and give you a little bit of background.

Chase

Sure. So, I'm a retired Navy chief. I did all my time working on a variety of organizations. I was basically an NSA civilian wearing a military uniform. Then I went to work for the NSA for a little bit, and I...

Patrick

Are you allowed to say that now?

Chase

Yeah. Right. I just can't talk about what I did, but I was there. I may have been the classified janitor, for all you know. But then I was able to transition over to Forrester, did a bunch of work at Forrester Research. And then lately, I've been doing a whole bunch of consulting gigs across the industry, and along the way spreading hate and discontent and talking about zero trust as much as I possibly can.

Patrick

Yeah. For those that haven't picked up on it, Chase's pseudonym is also Dr. Zero Trust. So, he's got... I think he and John Kindervag back at their Forrester days, you know, kind of worked on that, you know, early on, some of the pioneers in that. And Chase is underselling himself. He's one of the smartest guys in cyber that I know, so he's kind of on speed dial to a lot of folks in the government to work on some of these projects. Listen, you know, kind of start from the top. You know, I'm here saying we need, you know, a new modern authentication regime and, you know, why.  

Chase 

Well, it's not that we need a new regime. Actually, what we need to do is recognize that the bad guys have been telling us how this is going to work for three decades, and people sit around wondering how do we solve this problem. I mean, you look at the number in the DBIR every year of how compromises begin, and how they proliferate, and how the life cycle goes forward... 

Patrick 

Now, we've got a bunch of identity folks in here along with some cyber guys. So the DBIR is?

Chase

Yeah, the DBIR, the Verizon DBIR, which is basically Verizon's...I would call it an almost biblical reference in cyber that they put all the information together every year and say, "Here's the trends of how attacks are successful." And if you have 30 years, we'll call it that, of proof that passwords and password management and access management is what is typically leveraged as the 80-percentile of compromise, why would you focus on other areas first? I mean, because I do so much work consulting with organizations about how do we be on our zero-trust journey, what do we do first, etc., etc. The bad guys tell you, like, they want you to have bad password, bad access management, etc., and that's how they're going to get you. It's going to be crappy passwords and human beings clicking on links. And then, sure, down the road, solve for your super amazing crazy NSA EternalBlue exploit. But if, you know, John at home has got password 1234, which, by the way, statistically speaking, was the number one password this year in 2023, what do we fix first? I mean, it's not rocket surgery. Like, this stuff is about as clear as it could possibly be. Somebody says they're going to punch you in the face, you don't bend over and, you know, cover your lower area.

Patrick

We're going to get a lot of those. You know, Chase is full of fun things like that... Hey, so, it's interesting. You said, you know, the more sophisticated ones and stuff. And one of the things that we've kind of struggled with is when the press writes about some of these attacks, these password attacks, they talk about just how sophisticated they are. Is that the case?

Chase 

No. I mean, well, the press obviously tells the truth 100% of the time. There's never any manipulation going on. But, I mean, in reality, what we're looking at there is there's always an avenue of identity being part if of this thing, authentication. It doesn't matter if it's a thermostat at home, a wirelessly enabled toilet, which I have found one of those. Sooner or later, somewhere along the way, it authenticates to something. And if you can't interrupt the authentication life cycle, the bad guy continually wins. And this is not a zero-sum game. Honestly, I'm personally sick of the victim mentality that we put forward in cyber. 

Patrick 

Yeah. 

Chase

The bad guys only got to be right once, woe is me, they just got in. The bad guy has to be right continually just like you need to be right continually. If you can interrupt their life cycle, guess what? They'll go find an easier target. You don't have to be perfect, you just have to be better than the next person down the road. And, you know, I love zombie movies. We're running in front of the zombie horde. If you trip and fall, I keep running. Like, that's what we're trying to get to. It sucks for you, and I might wave at you and clap like, "Come on, you can keep up," but I'm not stopping. I'm not tying your shoe. And that's what you're trying to get to is I want to be in a more defensible posture and make the bad guy more miserable in my network than you and they'll go after you.

Patrick 

I'm still stuck on the, you know, Wi-Fi-enabled toilet.

Chase

Oh, it's crazy.

Patrick 

We'll talk about that. 

Chase

Yeah, it's a whole other issue.

Patrick 

So, you know, password's bad. There isn't anybody that you talk to that understands that... "I love my password," said nobody ever. So they don't like them from a usability perspective and also from a security perspective, but wasn't MFA supposed to fix that problem?

Chase

Well, MFA was a great move towards an out-of-band authentication mechanism, right? The one that I like to use all the time is there was a study published by the oil and gas industry. If you remember a few years ago, we used to go to a gas station, just zip your card to get your gas and leave. Fraud was everywhere. So then they came up with that idea of, wait a minute, that's a card. Let's make you either put your four-digit PIN in or your ZIP code and validate that. In something like 30 or 60 days, they saw, like, a 90-something percent reduction of fraud.

Patrick 

Right.

Chase

So that one additional out-of-band authentication massively reduces the ability for someone to get in the middle of that. Now, we thought when we moved to MFA that, all of a sudden, we had uncovered the golden cup of awesome that would make this never be a problem again. However, a bunch of organizations have proved via APIs and other things and just basically inundating people with, you know, a blast of multi-factor auth, sooner or later you can get somebody pissed off enough they'll click the link. So, it's not that there's not a whole lot of value to MFA, but MFA, like any other thing, can be manipulated and leveraged to cause compromise. 

Patrick 

Right. So, all of the kind of user-oriented manipulation attacks. You know, it was, I think, mid-last year I did...you know, Kurt Johnson who's in the audience with me, and I did a bunch of CISO Executive Network presentations around the country. And when I was giving the presentations, I was kind of coming in pretty hot about, you know, the issues. We felt, like, a little bit of a candle in the wind, you know, kind of way and to say, you know, it's not all it's cracked up to be, the stuff that you've been using. And we got a lot of pushback. I mean, Microsoft and Google had said it's wonderful and it stops all the stuff, but now it's maybe changed a bit. You know, we're seeing this year when we talk, not so much. They're like, "Okay, we get it."

Chase

I think in the context of the big broad problem, MFA is a force multiplier, right? I think it's something relatively simple. My 11-year-old, when she set up her Fortnite account, the first thing she did was she set up MFA. I didn't tell her to do it, and I asked her why, and she said, "Well, that way, no one can get my V-Bucks." And I was like if an 11-year-old can understand this concept, anyone in the CISO world can get it, right. 

Patrick 

That's a cyber kid, for sure.

Chase

Well, she was protecting what's of value for her with a really simple thing. And she had a phone, and she set it up, and good to go. So, I think it's super valuable for the broad swath of where we're moving to, but there are better ways, just like in every other space, to continually innovate and do things on the front. I moved over to full passwordless last year for all of my stuff, and I don't miss having a password at all. Now, there is a bit of a biometric thing there that some people are concerned about like, well, what if someone gets your finger? Okay, that's another problem. We'll solve that, you know, but…

Patrick 

There are certain threat models like this one that we can't quite stop.

Chase

Yeah. Like, of all the threats I'm willing to live with, taking my finger is one I'm okay with. So it's good, but there are better ways to continue to innovate on that space.

Patrick 

Double-click a little bit into the MFA stuff. I mean, you know, there's a bunch of recent attacks. You know, we talked about, say, you know, you mentioned kind of what I guess is becoming classically known as prompt bombing. They'll send you a bunch of push notification attacks, and, eventually, somebody's going to click on one. I've got some CISO friends who...you know, there is a woe is me. They've experienced that to much detriment. What are some of the other things that...?

Chase

Well, APIs have become another avenue of compromise, and APIs are not really well-leveraged for authentication protocol. So, it's pretty easy to leverage the back and forth of that to get past it. Twitter, honestly, was a good example of somebody sort of manipulating the man in the middle side and really getting into it. However, I would also say Twitter, in my view, actually expressed a good use of out-of-band authentication because they were able to at least go, okay, we got sick and tired of the prompt. Somebody clicked it, third party, blah, blah, blah, but at least we know something weird occurred and we're able to respond.

Patrick 

Right.

Chase

So, yes, there was a fire, but the entire state wasn't on forest fire.

Patrick 

Right. If I can't, you know, protect upfront, at least detect and respond.

Chase

I mean, all cybersecurity, I think, strategically is actually, in the Navy, we call that watertight integrity. Right, I want to be able to take a hit from a missile and keep the ship afloat, and how do I do that? I do that by compartmentalization by isolating where the water can go and I stay in the fight. I don't want to be the Titanic where they said, "There's no way we could ever sink, so we won't even bring the lifeboats on board," and you wind up with a movie where Leo freezes to death.

Patrick 

Yeah.

Chase

That's not what we want.

Patrick 

Poor guy. Poor guy. So, is the MFA bypassing attacks, is it still kind of in theory land? You mentioned the Twitter one. Or is that kind of...? 

Chase

Well, I mean, it's in the stage of be aware of it and start to understand. Especially for, like, high-profile executives and people that are going to be doing a lot of interacting, they're going to be targeted with it. I think now the term is not phishing, it's whaling, which could be offensive depending on how you look at it.

Patrick 

Right.

Chase 

But, yeah, I mean, if they're moving up the chain and there's proof of concept and it's starting to work, just like I said earlier, you can guarantee once the bad guys see an easy value proposition, they go where the money is.

Patrick 

Right. We were surprised, I think, you know, 6, 8, 12 months ago when we were talking about it and getting a lot of pushback. A lot of folks said, "Yeah, but, you know, Microsoft, you know, came out with a report and said it blocks 99% of stuff." Well, you know, this year, it was interesting. They came out and said, "Hey, wait, there's active exploits in the wild, you know, freely available," and we're seeing an attack on 35,000, you know, organizations using some of the phishing techniques that you talked about.

Chase

I mean, it's a numbers game. They're just blasting them across the internet, and if I send out... Because when I was red teaming, I would send out 35,000 emails. If I get 3%, that's a pretty good number for me, and I only need a significant person to fall for it and go forward from there.

Patrick 

All right. So, switching gears, so we've got kind of that as a backdrop. You know, password's no good, kind of some of the legacy MFA is kind of, you know, iffy at this point.

Chase 

Needs to evolve.

Patrick 

Yeah, needs to evolve. All right. So, you know, what does a, you know, kind of modern auth solution need to incorporate?

Chase

Well, really, I think the most important piece is the policy engines we're seeing now. There's a lot of conversation going on around zero trust and etc., etc. Really, the power there comes from the policy engine side of this. And you should be able to take in a lot of telemetry and validate the things that are taking place. And using the policy engine at any stage in a life cycle, I should be able to sit out and interrupt what's going on if there's an anomaly or a strange occurrence taking place. It shouldn't make the users miserable. Users should do what users do. We've done a disservice to our general user population in cybersecurity because we've tried to make them all cybersecurity engineers. And we've said, "Well, why do you keep screwing this up?" Well, that's not their job. Just like I run my own LLC, I use tax software to do my taxes so I don't get arrested. Not that I have enough money to get arrested, but they would, you know, do that. The whole thing is just making it where software makes it where you can do what you need to do, and the telemetry is available, and you solve the problem and go on about your day.

Patrick 

So, in the telemetry, some of those risk signals, you know, is there a couple that, you know, kind of come to mind that are things that you want to include in that policy decision?

Chase 

I mean, the simplest ones are does this look like what it has looked like normally over time, right? Chase works from home, it's in Virginia. He's on Comcast. Comcast, typically, he talks to these applications. He usually works from 6 in the morning till 4 in the afternoon. Today, for some reason, Chase sent a login request at 2:00 in the morning from, I don't know, Moscow. Probably something we should look at. Those types of things are super useful, and they don't have to totally eradicate the activities going on, but I want to investigate it. I want to see what's up. And the policy engines make that where we talk about the cybersecurity hiring crisis. I fundamentally think we don't have a cybersecurity hiring crisis. We have a mismanagement and misuse of technology to solve the problem. We're trying to dig the Suez Canal with spoons. It's doable, it would take a long time and would suck a lot, but, really, we should be using the right technology to optimize the people to do this at scale.

Patrick 

So when we think about, like, MFA, and passwords, and even, you know, kind of modern versions of MFA, which we'll click into here in a second, that's about... Well, actually, before that, let's click in to kind of we talked about some of the issues with, you know, some of the existing, you know, stuff that's out there, things like push notification or one-time passwords over SMS and stuff like that. You know, what does good look like or new good like in that regard?

Chase

I mean, really, you move to that space where you're getting your average users off of the password and your policy engine is taking care of everything, and your telemetry is continually feeding that life cycle. If you're doing it correctly, you could look at, like, the Lockheed Martin Kill Chain or MITRE or whatever. And you flip that not for the defensive side because we also try and come up with this concept, the perfect defense that doesn't exist.

Patrick 

Right.

Chase

I really want to be thinking, and he was talking about it before in the trends, I want to be thinking about how the adversary is successful. And all I need to do is interrupt them enough to where I win, and how do they do that? They do privilege escalation, access management, all of those things.

Patrick 

You know, it's interesting. I looked at the MITRE kill chain where you take the...the old kill chain, you take the MITRE report that dissects a kill chain and looks at the TTPs that the bad guys are using. And for initial access, well, there's lots of ways that they gain entry. There's a reconnaissance step up front, who am I going to attack, how am I going to go after them. There's another step... The first step is how do I gain initial entry, and by far, the one that they had the most threat actors leveraging was passwords, you know, stolen credentials, etc. It's an arm's length one. You know, it was a bunch of the sophisticated guys. So, the opposite trend to these attacks aren't sophisticated like stealing passwords or bypassing MFA. On the other hand, the sophisticated actors will use them too because it's easy money.

Chase

Well, and we've also seen some of the more, I guess you'd call them combination types of attacks becoming really prevalent where even if I can't get you with a username and password and whatever else, there are people that now, because of the volume of information you buy on the underground, that are extorting humans to be able to get their access logins. And if you can do that, it would still be valuable to be able to look at it from a SOC perspective and go, "There is something weird occurring here." Because the bad guys aren't going to follow the same pattern of life as a normal human being. Like, you will find an anomaly and you should be able to react to it. The ransomware conversation is super interesting as well. Like, I'll save everyone in here a whole lot of money on ransomware defense. If you have a Windows machine, go to that little search thing and type in PowerShell. If it works and you can invoke PowerShell, turn it off and you just saved 90% on ransomware threats. Like, there you go, and send me the check. That's it, you know what I mean?

Patrick 

You'll take pennies [crosstalk]

Chase

Exactly. Yeah. I'll take one percentage point of that. 

Patrick 

In fact, that initial attack factor when we looked at ransomware, the DBIR also says that it was... When I talked to CISOs, their initial inclination is, oh, ransomware, they must've clicked a link that downloaded the ransomware or sent it to a nefarious website.

Chase

No, they invoked a native program.

Patrick 

Yeah. They invoked a native program or they logged in. Actually, the one that rose to the top was email with a phishing link that got you to give up access to one of the remote access tools, remote access Trojans or not even a Trojan, actually, a legit tool.

Chase

I mean, brand impersonation plays in here a lot too, especially with the man in the middle stuff. It is exceptionally easy to grab brands and just change one thing in the domain, and then you've got all their information. I mean, you can be Wells Fargo because a lowercase L looks a lot like a 1 in a URL. 

Patrick 

You know, one of the...again, when people think sophisticated, not sophisticated, there's literally toolkits out in GitHub, open repositories that are available that makes that, like, painting by numbers, doing, you know, phishing attacks.

Chase

If you're super lazy, you can just go hire someone to do it for you.

Patrick 

Exactly. 

Chase

I mean, I think the last exploit kit that I saw on one of the forums was you would pay 50 bucks for them to set it up, and they got 3% of every time you got a hit on a bank account. Like, it's a good retirement plan. It's better than my 401k.

Patrick 

Yeah. And you don't have to do the ransomware piece so that you let somebody else do that, which...

Chase

As long as you're willing to live in a non-extradition country, it's beautiful.

Patrick 

Yeah. All right. So we talk, you know, a lot about the, you know, higher trust in the end users and getting to that level. What about the device? You know, so the endpoint that we're logging in from.

Chase

Yeah, VPNs are...if you're running your business on 1993 or 1996 accounting software, you'd probably get fired. VPNs came to the market in 1993 and '96, so if you're using a VPN, you're using really old technology to solve a problem where you're literally piping someone from somewhere into the system and they get access to whatever they're supposed to have access to. So that continually introduces risk, and that is usually combined with a lack of policy engine, and good password management, and all those things. So, it continues to introduce these things, and it only empowers the adversary. Go on Shodan right now and look for VPN. You'll find a few million of them that are talking to the internet that are open that are vulnerable and do whatever you want with them. No, actually, don't do that, and don't say I did it, but you could.

Patrick 

Yeah. This would screw up your retirement plan if they follow that advice.

Chase

Yeah.

Patrick 

So, high trust in the user, establish. You're using other methods other than, you know, age-old technology to establish high trust in the endpoint.

Chase

Your device, I mean, your iPhone or your Android phone, I mean, that's a great way to validate, especially cryptographically, that you have the things there that you're supposed to have to be able to get to this and that you are who you say you are. You should be checking device health before you allow access to applications. And it's really simple. Duo did this quite a while ago and they've gotten a lot better, but, like, there's been a lot of innovation around it as far as is this machine regular, does it fail the policy requirements, is it patched. And if it's not patched, you don't get access to my network. Here's a thing. Go download the patch, and then I'll provide you access. And it's not going to make the user miserable. They're in plain English. They can figure it out. They can download all of the apps that people do. You can click the download link to patch your machine.

Patrick 

Got it. All right. So, let's... No pun intended, beyond high trust in the user and the device, over the...in Gartner circles and other places, we've heard a lot about continuous authentication, which tended to be, like, do stuff every time I authenticate. Does that fit the zero trust model? We have these long session tokens, and...

Chase

No, I mean, the most important thing in the realm of strategic victory is to make sure that they go away after it's over with. You don't want the repair guy showing up to your house and you say, "Hey, would you like to move in and drink my beer in my fridge? And, oh, by the way, you can stay here indefinitely." Like, you come, you fix my problem, and then you leave. So, having the ability to revoke session tokens to get them out of your network and to end the session when something has transacted is super valuable because then you get another opportunity to run through the protocol to make sure that they're supposed to be there.

Patrick 

Right. 

Chase

You don't want continual access. You don't want it just unfettered, get to my network, and do whatever you want for as long as you think you might need to be there.

Patrick 

You mentioned this earlier in the discussion. I just want to, you know, kind of call it out specifically. You mentioned kind of user experience, you know, kind of the context of passwords, but, you know, why so important? You know, we've got a bunch of security measures, but, you know, hey, can't we go old school and say, "Do it my way or the highway?"

Chase

You can and it will work well for you. I mean, the first thing that anybody does whenever a security control gets in the way of you is you go around it. If you've got it done correctly, if the security policy engine and the technologies are aligned correctly to enable the user, they don't know that security is actually taking place. They just do their job. I think it's very much like how the modern automobile works where a few years ago, you used to have to buy your Garmin separately. You had to turn it on, and most of us, while we were driving 80 miles an hour, we're plugging in where we were supposed to go and whatever else. Now you get in your car, you hit the button. If it's a Tesla, I guess you call Elon and he sends you where you're supposed to go.

Patrick 

Or not.

Chase

Yeah, but the rest of us, like, it's all there and you just operate safely to get to wherever you're supposed to go. You don't have to know how all that stuff works.

Patrick 

Got it. So, it was interesting. When I looked at kind of the makeup of the audience this year at IAM, and I've been going for lots and lots of years, I was kind of surprised. It was a rather large influx of kind of true cyber...you know, kind of cybersecurity titles and professionals. You know, they're kind of edging in on our...the identity, you know, that we like to call ourselves in the past. But, you know, so I'll let them turn off for a little while, but, you know, kind of talking to the identity folks. I mean, you've been on the zero trust bus here...literally, if you turn the clock back, I think in the keynote, they talk, you know, people went back 15, 20, 25 years being in the identity practice. And early on, it was about, you know, IT and getting people to their stuff, but it's kind of more important than that. What would be the message to, you know, our identity these days?

Chase

I mean, you can't have security without identity and access management. Like, that's as clear as I could possibly make it. And if you're not able to control what's going on and have the ability to do that at scale... And you can't do that with a spreadsheet, and you can't do that with Timmy the intern. You have to do it with technology. And most of us are going to use cloud and scale and all those things. That's how you enable modern cybersecurity. That's part of digital transformation. Even if you talk to your regular consumer side of this equation, just like for me, I check in every morning, I have Dashlane for my password manager for my personal side of it. This morning, I had 404 usernames and passwords that are managed by that. There's no way I could possibly keep up with it. So, technology makes it possible, and that is, to me, the most important part of this whole thing to begin with. On top of that, if you look at the DoD strategy, which we got published right before Thanksgiving, all of phase one is about identity and access. And there's a reason that they've allocated $1.75 billion to this whole thing because they know that if they can take care of that correctly, everything else after it becomes part of a paradigm.

Patrick 

So, you know, from somewhat red-headed stepchild, you guys became like the cool kids at the dance. You know, everybody wants to hang out with you now, which is... You know, there's not a CISO that I talk to that doesn't say that that is the most important thing now.

Chase

Well, it's important too that the seat at the table has been provided. Now, it's not to mess up dinner for everybody, you know what I mean? It's like you've got your seat at the table. Push it and talk about business context, talk about outcomes for users, growing opportunities. And, actually, if you do it correctly with the right policy engines, I think before he was asking how many people had 15 IAM or something solutions. You should consolidate that and get more out of one. You're probably never going to get towards the Sauron sort of one ring to rule them all cybersecurity deal, but you'll get towards a portfolio that is manageable. And there you save money, and that's a conversation CFOs like.

Patrick 

And if you do it in a risk context, which, you know, kind of Chase walked you through, I mean, that's the lingua franca of the CISO, right? I mean, if we want to get extra budget from the CISOs, you know, we've got to put it into that kind of context. And you'd be surprised at how many CISOs...they know. They know identity is really important. They know they can't have a strong program without it. They know authentication is important. They can't have a strong program without it. But if you ask them about their number one vulnerability, they don't go back to that data in the Verizon data breach report that we see every year and your 80% number. They kind of go, they start thinking about, you know, some zero-day [crosstalk]

Chase

It's not sexy. I mean, it's not...

Patrick 

I think it's kind of...I think these people are kind of sexy.

Chase

Well, the blocking and tackling stuff is not sexy, but that's what wins games. So, block and tackle real well, which is identity and access management, which is policy engine, which is authentication. That stuff, do all the sexy cool stuff later because if you get this right, that becomes even more doable.

Patrick 

You know, one of the...with some of the CISOs we've talked to, I mean, for the last decade, you know, if we're going to be honest, we spent a whole lot of the time with detection response. That's where the budget went to, not shockingly. Dwell times where an attacker gets in and kind of sits around for weeks, months, even years, it's like you've got a problem that you got to fix. Let's identify them and do something with them, but we forgot the ounce of prevention or ounce of protection part of it. So, I think, you know, people are really...and zero trust is all about that, really coming back, understanding that they are going to get in, no environment's secure, but also don't forget the protection side of it.

Chase

Well, and the thing about SIEM and those sides of it is it's like going to the doctor and he walks in and holds up your test results. He's like, "Man, you're really sick," and then he leaves. You're like, "Wait, where's my treatment plan?" And they go, "Oh, well, that's extra." Like, no, no, no. Like, if you're really sick, I want you to tell me how to treat it and fix the problems. And, usually, it's a fundamental basic issue. If you've got high cholesterol, change your diet. Like, if you're smoking cigarettes, put the cigarettes away. So, it's those types of things that make a lot of difference.

Patrick 

Well, we've got a couple of minutes, you know, left I wanted to reserve. If anybody's got any questions, you can just shout them. I don't know, there may be a floater mic, but kind of any questions for Chase in the audience? Hard questions only.

Chase

Don't ask me where I got my coat because my daughter made me put this on.

Patrick 

Yeah. Chase has got, you know, observation, great jacket and great boot game. You know, I've got some catching up to do. Go ahead in the back. 
 
[Question inaudible]

Chase

I mean, it's better than not. I think FIDO, and Auth0, and some of those folks are doing interesting work. It's a good way to begin the process, and there is an evolution going on there. So, I think, honestly, where you're going to get to is going to be this combination of self-sovereign identity, policy engines, and biometrics that are going to basically change the way that we make sure that the authentication protocols are handled. But, you know, I would say that what you're doing makes a lot of sense, and that's a great place to begin pushing that initiative.

Patrick 

You know, I think, you know, the way we think about it is FIDO2 is a really good start. And it, you know, allows you...along with other factors like if you can use local biometrics or a local PIN code, FIDO2, good solutions in FIDO2. Store a private key in a TPM, that hardware enclave that's, you know, separate on the computer. So then you can do a cryptographic, you know, transaction to make sure it's actually Patrick or Chase. Combine that with a biometric, and you've got two really strong factors there. But it doesn't mean...you can implement that in a not phishing-resistant way. You can implement that in a...well, you can, you know, implement that and still not have the device trust, and implement that and still not have the policy engine, you know, to bring in the other signals of continuous auth. So, we think, you know, we're...in fact, we had Chase and I get to do a thing last week where we did this launch of the zero trust authentication, and we did a leadership series on that. It was kind of cool because the FIDO team came and presented at that. And we'll be with them out at RSA too, so, you know, we're kind of all in on that. It makes sense, but... You know, and I don't even want to say it's not good enough. It's a great start. I mean, they've done a lot in the industry, you know, to get us off of passwords into something much more secure. Take one more question.

Chase 

Thirty seconds. She's like holding up a crook. She's like, "Get off the stage."

Patrick 

Yeah, we're going to get the hook. So, all right, well, just kind of a quick reminder. We've got that floor session tomorrow, Tuesday, if you want to come see that. We're in booth 509. We'd love to prove to you, you know, the wares that we have and talk to you. Otherwise, thank you. Have a great rest of your day.
