by Mackenzie Fribance
This summer, a few of us from Intensity Analytics joined the Atomicorp team at the 2020 Virtual OSSEC Conference, where IT security professionals from around the globe came together in search of solutions and ideas to support their work. Over the past few months, companies have rushed through digital transformation in the midst of a global pandemic, experiencing many challenges along the way to keep their organizations’ technology stack operational, as the edge of their networks exploded into the homes of employees, many for the first time.
I was honored to lead a panel with two cybersecurity, compliance and security experts who shared their insight with OSSEC attendees. It is with gratitude that I thank Liban Jama, Partner/Principal of the Crisis Management, Compliance & Investigations practice at Ernst & Young, and Harish Siripurapu, former CISO and founder of Cyber Align, for joining us. Their discussion was thoughtful and I feel compelled to share some of the takeaways beyond the OSSEC virtual conference since so many organizations are in need of assistance prioritizing their work and thinking about how best to tackle the immense digital transformation challenges in the time of Covid-19.
Perhaps uncharacteristically for a discussion on technology, Harish immediately commented on the immense pressure this pandemic has caused — from a cultural perspective — for people and organizations:
“Companies have always had the question of ‘how much do we trust our employees?’ That's been a key question. And the situation that we are in is really putting that to the test. It's basically: ‘how much can we trust our employees with information when they are not in our offices?’ And, I think based on what has been going on for the last two months, it's been terrific. There has not been any significant insider-related cyberattack. Due to some of the points you made earlier about employees wanting to work from home, I think that is the future. Our experiences are validating that employees can be responsible with the information that is given to them no matter where they work. And, like I said, I do see a change in culture itself, not necessarily a cyber culture, but work culture, that in the future, companies are going to be more trusting of employees and in giving them information.” – Harish Siripurapu
Employees are asking companies to extend the type of access, functionality and support needed to do their jobs to remote locations as they transition to working from home. Employees must acknowledge that companies, to meet that expectation, are entering the homes of employees to some degree. We could have held another panel discussion with great debate about where the lines should be drawn in this dilemma, but underscoring Harish’s point – the results largely boil down to culture.
On the issue of culture, Liban also shared valuable insight from a regulatory perspective:
“We’re seeing a recognition on the part of the regulators that they are starting to look at the pandemic as a great accelerant for digital transformation. If entities weren't already thinking about how to go ahead and be transforming their operations in a digital format, they're doing that today because they're forced to do so. And that has also led to a discussion about, well, is there going to be a commensurate security transformation and, listening to Tom Ketcham’s discussion earlier and laying out sort of the expectations and availability of your products and services that I think are fantastic in this space, I think there's going to be a clearly increasing demand, because as you mentioned, Mackenzie, regulators are not alleviating the burden.
So, what's essentially happening from a security perspective? Let me take that as an example, particularly in the financial services sector, broker dealers, investment advisors, as part of their overall oversight. Yes, there is a tremendous focus on user access, identity controls. Are you testing? Are you monitoring simply because folks are working from home? That's not stopping. And as a result, a lot of our clients are taking a fresh look to make sure that their processes and procedures are actually up to date recognizing the new environment.
And that takes a need to take a step back and reorient one's approach to monitoring and testing and bringing in additional tools to meet those regulatory obligations – that are not going to let up and will evolve as this new normal continues to stay in place, which I think will be for quite some time.” – Liban Jama
At Intensity Analytics, we come at these challenges from an identity perspective. Identity (or compromised identity) is broadly recognized as a key factor in over 80% of data breaches. Most breaches are associated with weak or stolen credentials, and work from home elevates the risk associated with identity and access management. Harish spends a great deal of his time in his CISO work supporting initiatives to address this elevated risk. What he sees working today, he has concerns about for the future.
“Honestly, multifactor authentication works today, if I may put it that way, but I'm not confident it's going to be working or it's going to be effective in the future because cyberattacks are catching up with multifactor authentication, especially with mobile devices being vulnerable to cyberattacks. I think it's only a matter of time when you're going to see a significant cyberattack involving a multifactor authentication solution. So, with that said, today, you know, from a security consulting perspective, my recommendation is definitely to use multifactor authentication, but also layer that up with security awareness training. Train your employees, for example, not to download apps on mobile devices that you don't know about, and to protect your mobile device when you're traveling. So, it's just not MFA itself, it's MFA with additional end user training, that I recommend to my customers.” – Harish Siripurapu
I believe Harish touches on an absolutely critical element of security: the layering of solutions and strategies to mitigate risk.
“Clients are constantly looking to see if there's a way that we can achieve the authentication, be able to have a clear access history, have some insight into habit and behavior, but not falling off into the areas of concern with respect to regulatory footfalls and risk management associated with the collection of PII, particularly for our global organizations.” – Liban Jama
What Liban refers to above touches on the risks of using fixed biometric information for authentication or profiling, and it raised a few questions from conference attendees. Facial recognition, known for biases that can negatively impact people of color, has come under scrutiny, particularly for its use in law enforcement. Many more organizations are becoming inclined not to support technology solutions that may undermine their own constituents (their customers or employees). If those same technologies more broadly have a negative impact on the lives of their employees, should they be using them at all? Companies must understand that risk, how it impacts their culture and their relationship with employees, in addition to the regulatory attention it may attract.
On that front, Liban emphasizes that the costs of implementing compliance solutions under substantial regulatory oversight are often far higher than originally anticipated.
“One of the most burdensome elements of that in terms from the business perspective is to the dedication of resources and having the imposition of a third party come in and ensure that the enterprise is actually meeting its compliance obligations. So not only on the fine front, but also on the resources and time and commitment front, which obviously means funding and meeting those expectations and having the regulators place a monitorship because of that. We see that to be an increasing part of the resolution package going forward for companies that are not sufficiently resourcing and investing in compliance. And in this environment, given the pandemic, a lot of enterprises are looking at their limited resources, particularly in industries that are being significantly impacted.” – Liban Jama
Circling back to the fact that most data breaches occur due to weak or stolen credentials, coupled with the realization that multifactor authentication works well (at least for now), but complicated by a myriad of regulatory and compliance controls that affect identity and access management decisions, we conducted a poll of conference attendees to better understand how all of this was playing out in the field.
Among conference attendees, almost half of organizations have implemented multifactor authentication to some degree. Perhaps not all employees were covered, but at least the user groups identified as higher risk were covered in some organizations. Nonetheless, most companies have still not implemented MFA. To gain a better understanding, we explored the challenges and concerns with traditional MFA solutions. Here are the key results:
- MFA is too cumbersome for users – 46%
- MFA has too much reliance on device-based authentication – 27%
- MFA solutions are time consuming and disruptive to the login process – 19%
More positively, perspectives on MFA indicate that only 11% believe MFA solutions are too expensive, indicating a high value proposition for implementing MFA. And finally, behavioral solutions are hitting the mainstream: only a small number of respondents were uncertain about the efficacy of behavioral solutions, suggesting that 89% of IT professionals believe behavior is a form of MFA that deserves attention.
The fact that behavioral authentication solutions, like TickStream.KeyID, deserve your attention is not surprising. About half of IT professionals believe MFA is too cumbersome for users. Behavioral solutions create less friction – they make it easy for users. TickStream.KeyID, for example, relies only on keystroke analytics applied when a user types their password. This means you can have multifactor authentication without users being required to do anything new or different. They simply enter their password normally, just like they always have. As a result, there should be no surprise that 89% of people surveyed were interested in exploring behavior as an efficient and easy-to-use form of MFA.
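As an added illustration of how a keystroke-rhythm factor can ride on the password a user already types (example code written for this post, not TickStream.KeyID's or Intensity Analytics' own method): enrollment turns a few typings into a timing template, and each later login is scored against it. All key names, timings and thresholds are constructed.

```python
# Illustrative keystroke-dynamics check (added example; not TickStream.KeyID's
# or Intensity Analytics' code). All timings below are constructed, in milliseconds.
from statistics import mean, pstdev

def features(events):
    """events: list of (key, key_down_ms, key_up_ms) in typing order. Returns dwell
    times (how long each key is held) then flight times (release to next press)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_std=5.0):
    """Per-feature (mean, std) template; min_std floors the tolerance for very steady typists."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must contain the same number of keystrokes")
    return [(mean(col), max(pstdev(col), min_std)) for col in zip(*vectors)]

def score(template, attempt):
    """Mean absolute z-score against the template (lower = closer); None if key count differs."""
    vec = features(attempt)
    if len(vec) != len(template):
        return None
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(vec, template))

def verify(template, attempt, threshold=1.5):
    """Accept when the rhythm is within `threshold`; tuning it trades false rejects vs accepts."""
    s = score(template, attempt)
    return s is not None and s <= threshold

def typed(keys, dwells, flights):
    """Constructed helper: turn dwell/flight lists into (key, down, up) events."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

# Constructed enrollment: the same user typing the same password four times.
ENROLLMENT = [
    typed("pass", [90, 80, 100, 85], [120, 110, 130]),
    typed("pass", [95, 78, 104, 88], [125, 108, 134]),
    typed("pass", [88, 83, 97, 82], [118, 114, 127]),
    typed("pass", [92, 80, 101, 86], [122, 111, 131]),
]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = typed("pass", [91, 81, 99, 84], [121, 112, 129])   # same rhythm: accepted
IMPOSTOR = typed("pass", [140, 60, 150, 50], [250, 90, 300])  # right password, foreign rhythm
```

A real deployment would also store the template as protected data and retrain it as the user's typing drifts over time.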
Rushing headlong into digital transformation as a response to a global pandemic hasn’t been easy for many of us. OSSEC users have at their disposal a great tool to help maintain compliance and manage security risks. Our recent collaboration with the OSSEC community will result in a special opportunity for OSSEC users to integrate TickStream.KeyID with their stack to help make their digital transformation and remote work safe, secure, and compliant.
If you would like to learn more about TickStream behavior analytics or have us connect you to Harish Siripurapu from Cyber Align or Liban Jama from Ernst & Young, please contact us.