Defending Against What Criminals Know About You
Defense in Depth
Are we ready to shift left on identity? What more do we need to know about identities before they enter our environment?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Damon Fleury, chief product officer, SpyCloud.
A holistic view
Managing identities would be easier if they were centrally stored. But reality couldn’t be further from the truth. "We need more deterministic ways of verifying accounts and people across all identity stores. The average enterprise manages an employee's identity in 25 different places, meaning we have to think about identity security as a horizontal layer of controls that need to be applied holistically," said Bojan Simic of HYPR. Identity data does have its inherent limits. If we can supplement that with what we know about risk, we might get somewhere, argued Jay Dance of StubHub, saying, "We should look at data other than identity data: does the user visit websites that are high risk, use high-risk tools on their corporate devices, access high-value business data. If we can deterministically identify high-risk situations, we may then be able to use that score not to allow access to sensitive data."
Adding sophistication to identity
Many organizations use well-established but still rudimentary tools to detect anomalous behavior. Given the sophistication of threat actors, that’s increasingly not enough. "We must move beyond detecting impossible travel and logging in from new countries or devices. Instead, we must move toward detecting anomalous and possibly malicious journeys identities take through identity providers and the application and cloud layers," said Adam Koblentz of Reveal Security. Andrew Wilder of Community Veterinary Partners explained how to move away from static identity authentication, saying, "How can we tailor that access for 'just in time' and authenticated to prevent a bad actor from using that access? You could use that data to create profiles to feed User and Entity Behavior Analytics models to identify possibly compromised accounts and help create role-based access control models for new employees."
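The two ideas above, scoring non-identity risk signals and detecting anomalous journeys across the identity provider, application and cloud layers, can be combined into one access decision. The following is an added example written for this newsletter summary; it is not code from SpyCloud, HYPR, StubHub, Reveal Security or any other contributor. The baseline journeys, signal weights, event names and thresholds are all constructed for illustration, and a real deployment would learn the baseline from historical IdP, application and cloud logs.

```python
"""Score an identity's session by combining contextual risk signals with the
journey the identity takes across IdP, app and cloud layers, rather than
relying on impossible-travel or new-device checks alone.

Added example; all data, weights and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Ordered journeys observed for a role during a learning period (constructed).
BASELINE_JOURNEYS = {
    "finance-analyst": [
        ["idp:login", "app:erp", "app:erp:report-export"],
        ["idp:login", "app:erp", "app:ticketing"],
        ["idp:login", "app:ticketing"],
    ],
}

# Contextual signals of the kind discussed above, with assumed weights.
SIGNAL_WEIGHTS = {
    "visits_high_risk_sites": 20,
    "high_risk_tool_on_device": 30,
    "new_device": 15,
}


def build_transition_model(journeys):
    """Count each step -> next-step transition seen in the baseline journeys."""
    counts = defaultdict(lambda: defaultdict(int))
    for journey in journeys:
        for prev, nxt in zip(["start"] + journey, journey):
            counts[prev][nxt] += 1
    return counts


MODELS = {role: build_transition_model(j) for role, j in BASELINE_JOURNEYS.items()}


def journey_anomaly(model, journey):
    """Return the (prev, next) transitions in this journey never seen in the baseline."""
    unseen = []
    for prev, nxt in zip(["start"] + journey, journey):
        if model.get(prev, {}).get(nxt, 0) == 0:
            unseen.append((prev, nxt))
    return unseen


@dataclass
class Session:
    user: str
    role: str
    journey: list
    signals: dict = field(default_factory=dict)


def score_session(session, models=MODELS, unseen_step_weight=25):
    """Deterministic score: weighted context signals plus a penalty per unseen step."""
    score = sum(w for name, w in SIGNAL_WEIGHTS.items() if session.signals.get(name))
    unseen = journey_anomaly(models[session.role], session.journey)
    score += unseen_step_weight * len(unseen)
    return score, unseen


def allow_sensitive_access(session, models=MODELS, threshold=50):
    """Gate access to high-value data on the score; the caller decides what to log."""
    score, unseen = score_session(session, models)
    return {"allow": score < threshold, "score": score, "unseen_steps": unseen}


if __name__ == "__main__":
    # Constructed sessions: one routine, one whose journey leaves the baseline.
    routine = Session("alice", "finance-analyst",
                      ["idp:login", "app:erp", "app:erp:report-export"])
    odd = Session("alice", "finance-analyst",
                  ["idp:login", "app:erp", "cloud:console", "cloud:storage:bulk-download"],
                  {"new_device": True})
    for s in (routine, odd):
        print(s.user, allow_sensitive_access(s))
```

The score is deliberately deterministic, as the discussion asks for, so a denied request can be explained by listing the signals and unseen transitions that produced it rather than by an opaque model output.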
Your employees can help
Some organizations don’t want to get employees directly involved with securing identities. However, employees can be tangible assets rather than being the weakest link. "Giving employees self-service access to their own risk and usage data increases your employees’ security awareness. You can even gamify it. Once users know their standing privileges and the corresponding risk, you can also drive towards faster adoption of least privilege and 'just in time' in your organization," said Ashish Shah of Andromeda Security. While employees can be assets, don’t let the process add too much technical overhead. "From the user side, we need to make it easier for individuals to review their permissions and remove themselves from apps and systems to which they no longer need access," said David Alkema of Optiv.
Cracking the code
Identity-as-code is gaining recognition as a powerful way to shift left on identity. This formalizes identity issues into problems developers know how to address. “All identity and authorization policies should be expressed as code. You can proactively benefit from best practices and code reviews before hitting deployment. The actual mechanisms for authentication and authorization need to be orchestrated at runtime in a passwordless and ephemeral sense,” said Abhishek Singh, Qualys.
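As an added illustration of identity-as-code (not code from Qualys or any contributor to the episode), the block below expresses authorization grants as data checked into a repository, runs review checks on them before deployment, and evaluates them at runtime with expiring just-in-time grants. The policy shape, rule names and dates are assumptions made for the example.

```python
"""Authorization policy expressed as code, with pre-deployment review checks
and a runtime evaluator that honours expiring (just-in-time) grants.

Added example; the policy format and rule names are assumptions."""
from datetime import datetime, timezone

# Policy as data: each grant names a role, the resource and actions it allows,
# and an optional expiry used for just-in-time access (constructed example
# that deliberately contains two grants a reviewer should reject).
POLICY = {
    "version": 1,
    "grants": [
        {"role": "finance-analyst", "resource": "erp:reports", "actions": ["read", "export"]},
        {"role": "finance-analyst", "resource": "erp:*", "actions": ["*"]},  # over-broad
        {"role": "sre-oncall", "resource": "cloud:prod:*", "actions": ["admin"],
         "expires_at": "2024-11-01T14:00:00+00:00"},  # time-bounded JIT grant
        {"role": "sre-oncall", "resource": "cloud:prod:*", "actions": ["admin"]},  # standing admin
    ],
}

PRIVILEGED_ACTIONS = {"admin", "*"}


def review_policy(policy):
    """Lint checks meant to run in CI on every change. Returns (grant index, rule) findings."""
    findings = []
    for i, g in enumerate(policy["grants"]):
        if "*" in g["actions"] and g["resource"].endswith("*"):
            findings.append((i, "wildcard-actions-on-wildcard-resource"))
        if PRIVILEGED_ACTIONS & set(g["actions"]) and "expires_at" not in g:
            findings.append((i, "standing-privileged-grant"))
    return findings


def action_matches(granted, requested):
    return granted == "*" or granted == requested


def resource_matches(granted, requested):
    # A trailing '*' is a prefix match; anything else must match exactly.
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def is_allowed(policy, role, resource, action, now):
    """Runtime check: a grant applies only if it matches and has not expired."""
    for g in policy["grants"]:
        if g["role"] != role or not resource_matches(g["resource"], resource):
            continue
        if not any(action_matches(a, action) for a in g["actions"]):
            continue
        expires_at = g.get("expires_at")
        if expires_at and datetime.fromisoformat(expires_at) <= now:
            continue  # JIT grant has lapsed; fall through to other grants
        return True
    return False


if __name__ == "__main__":
    for index, rule in review_policy(POLICY):
        print(f"grant {index}: {rule}")
    before = datetime(2024, 11, 1, 13, tzinfo=timezone.utc)
    after = datetime(2024, 11, 1, 15, tzinfo=timezone.utc)
    jit_only = {"version": 1, "grants": [POLICY["grants"][2]]}
    print(is_allowed(jit_only, "sre-oncall", "cloud:prod:db", "admin", before))  # True
    print(is_allowed(jit_only, "sre-oncall", "cloud:prod:db", "admin", after))   # False
```

Running the review in the pull request pipeline is what makes the shift left real: the over-broad and standing-admin grants are rejected in code review, while the expiring grant passes and is enforced at runtime without a human remembering to revoke it.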
Thanks to our other unwitting contributor, Drew Simonis, CISO, Juniper Networks.
Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, SpyCloud
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Super Cyber Fridays!
Join us NEXT Friday [11-01-24], for "Hacking Your Cyber Brand"
Join us next Friday, November 1, 2024, for “Hacking Your Cyber Brand: An hour of critical thinking about building how people see your company in this industry.”
It all begins at 1 PM ET/10 AM PT on Friday, November 1, 2024, with guests Gianna Whitver, co-founder and CEO, Cybersecurity Marketing Society, and Andy Ellis, partner, YL Ventures. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dmitriy Sokolovskiy, senior vice president, information security, Semrush.
Thanks to our Cyber Security Headlines sponsor, SpyCloud
Leading Big with Small Efforts
“Everything is obvious, but I never thought of it that way,” said one reader of Andy Ellis’ book, “1% Leadership,” which is a collection of all the small things you should do as a leader, but many don’t do. Andy’s argument is successful leadership is a collection of small actions. In this video, Andy and I talk about his book, which I thoroughly enjoyed, and we talked about how to avoid excluding coworkers who “don’t want to talk about the game last night.” My other favorite tip of Andy’s is “Make the smallest and most defensible argument necessary to spur action.” Which means don’t try to keep making your argument. “As soon as you convince someone to do something, shut your mouth,” said Ellis.
Watch the video and please pick up Andy’s book. You can get it here on Amazon.
Cyber chatter from around the web...
Jump in on these conversations
"Tiny Persistent Threat Devices"
"What are your must haves for secure active directory environments?"
"What are the best inside jokes of cybersecurity?"
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[11-01-24] Hacking Your Cyber Brand
[11-08-24] Hacking MFA
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.