Thanks to Steve Moore, V.P. and Chief Security Strategist at Exabeam for sharing his insights on the current and future state of security. Steve recently joined Exabeam, prior to he was the Staff Vice President of Cyber Security Analytics at Anthem, Inc. Earlier in his career, he worked in financial services. He brings a real-world client-side perspective to what’s going on in the space.
Q: What do you see as the most important elements of securing apps, infrastructure, and data?
A: It’s easy to get distracted by shiny objects. Focus on the fundamentals and the current problems the business is facing at this time, as opposed to those they are not. Most companies are not able to tell when a credential is mishandled or accessed by a bad actor. We need to ensure we are building systems that can be managed centrally, log user activity, and leverage a core authenticator. Based on the recent security study by Verizon in their DBIR, 81% of breaches are stolen credentials or passwords. When you tie everything back to a central identity, centrally log those events, and monitor them, you then at least have a fighting chance to detect if an application has been misused or accessed by an unauthorized party. This includes cloud, IoT, and APIs, which are often not considered.
Q: How is the cybersecurity landscape changing?
A: More money is being spent on both sides of the problem. Companies are spending more on defense, education, and training while the criminal actors keep getting massive returns from crypto ransomware. This is driving further innovation, especially in ransomware – adding new features that can steal passwords and further move laterally within the victim’s networks. Espionage is not slowing down either, as you can buy usernames and passwords for virtually any site, including remote access credentials on the darknet. Business email compromise (BEC) phishing is a multi-billion-dollar industry as hackers are able to social engineer and convince employees to wire money to their accounts without the employee knowing this request did not come from within their company – low tech, but high yield.
Q: What are some real-world problems you are helping clients solve (a.k.a., use cases you would like to highlight)?
A: Our mission is to be the next generation security intelligence platform that provides insights into analytics and can respond in a timely manner. We help our clients know which accounts were involved in an attack and what systems were affected.
As an example, during a holiday weekend, a large retailer noticed 1,600 point-of-sale (POS) systems being accessed by someone in H.R. We flagged the suspicious activity using behavioral analytics, not correlation rules, and raised the issue using a simple to understand risk score. With this information, the client was able to understand two things quickly: remote access was misconfigured and the machine had malware, which harvested network credentials. We were able to identify the infected behavior on the network, shut it down, and see all of the affected components in the system.
For another client, using our analytics platform, we uncovered previously unknown compromised systems from an earlier incident. It’s not uncommon to simply pull a machine off the network so it could be reimaged due to a virus alert and consider things done. We were able to show the complete scope of the incident, discovering additional compromised machines so they could be secured as well.
In a DevOps environment, we help clients build playbooks for common events like phishing investigations. This allows virtually anyone to reduce the mean-time-to-resolution to ensure the security of the network and apps within it. This also helps with the talent issue often found in IT and IT Security.
Q: What are the most common issues you see affecting security?
A: Credential theft and reuse, hence the need to tie back into the core authenticator and not allow for split identities, which represent the second set of credentials. It’s important to understand the risk of these compromised credentials; both internal domain accounts and for remote access. There have been disastrous breaches that involved little more than phishing a username and password. Most organizations do not have a way to tell if an adversary is using an internal account to travel around an environment. Yes, this is a staple of nearly all breaches.
Q: What’s the future for security from your point of view – where do the greatest opportunities lie?
A: There’s great opportunity in the machine learning and behavioral analytics space. It’s allowing for context-driven decisions to be made, providing a picture instead of a simple puzzle piece, such as a singular AV alert. Bigger picture, larger data lakes can be analyzed, made human by tying a name to events, assigning a risk and building a storybook timeline. This is absolutely changing the way security teams perform analysis, detection, and response.
From a human perspective, we need friendlier programs on both the dev/QA and SecOps sides. The problem of security must be tackled together, but security can’t be a roadblock or impediment to a timely release.
Q: What do developers need to keep in mind with regards to security?
A: Operationally, consider a separate development platform from the one you use for communications and accessing the internet. Think hygiene and containerization. Most organizations do not have Application Security or Code Review. Developers have a huge opportunity to expand their expertise and increase their value to current and future employers by embracing security and learning how to make their code more secure. Offer to write a standards document for secure coding if none exist. Lobby for direct access to code scanning tools for use while you write your code.
Q: What else do we need to consider with regards to security that I have not brought up?
A: For your readers in the development community, I think it important for every organization to have a Secure Code Center of Excellence with an active community that involves Application Security, developers, and really anyone in the organization interested in learning more about security. If no one will officially support it, then meet unofficially. We need to get better at building more secure systems and empowering others to learn security. We can achieve this with continuous engagement and a commitment to learning from each other. Use new mindsets to automate and orchestrate security. Get everyone involved in incident response with tabletop exercises for stolen credentials and website hacks.