pio3 - Fotolia
The success rate of phishing attacks could be dramatically shrunk if end users and security spoke the same language.
Acronyms, specialised references and a technical view of the world sometimes prevent security experts from describing threats to users in a language they understand.
Chris Meidinger, technical director for EMEA for Beyond Identity, talked about the challenges with MicroScope.
Do you think it would help if everything in security was explained in terms the average person would instantly understand?
Chris Meidinger: The root of the problem in cyber security is that we expect every person on the planet to be an expert to actively defend themselves and their companies. We don’t expect everyone to understand glide slopes in order to land their own planes – we have pilots for that. Strangely though, we expect everyone to understand how to inspect links in their email and make an informed decision whether to click them, with potentially devastating consequences.
I don’t think it’s realistic to explain everything in security in a way the average person would instantly understand. It’s not realistic in astrophysics or any other complex field. It would really help if we moved to systems that are secure enough by design that the average person could use them safely without needing a PhD in hyperlinks.
Like air travel, the average person needs get in the plane and get off at their destination, rather than being forced to do airspeed calculations in flight, like we have seen from many existing security “solutions” in practice.
That’s what we’re doing at Beyond Identity – we have developed login methods that eliminate passwords, orders of magnitude more secure than typical solutions and effortless for regular people to use safely.
Can you explain zero-trust security and zero-trust authentication by likening it to any form of popular story?
Meidinger: What a fun question. What do all spy movies – from Austin Powers to James Bond – have in common? Disguise. Spies disguise themselves to evade detection by the adversary. From turncoats operating by Moscow Rules in a John le Carré story, to Jason Bourne evading the CIA, spies always blend in by adapting their appearance and movements to match the place they’re in and people they’re among.
It’s no different in cyber security – attackers attempt to imitate legitimate users to evade detection and expulsion from the network. Unlike counterintelligence operatives who must rely on their eyes and ears to catch spies, in the cyber domain we build technical systems that access requests from users and systems and grant or deny them. We keep with the fundamental “never trust; always verify” model of zero trust and apply it to authentication.
In the olden days of passwords and John le Carré spies, a single yes – whether a password check or a passport check – granted access to whole countries and networks. Today, however, we use more modern factors to decide whether a person is a spy in disguise or just a weirdly dressed citizen.
To start, we permanently tie identities and devices together using strong cryptography. It’s like stopping spies from changing their clothes and appearance and requiring them to wear orange hats – it gets a lot easier to just stop them at the front gate.
Then we validate the security posture of the device before granting it access, to ensure it’s neither compromised nor in a vulnerable, non-compliant state. The counterintelligence officers in our metaphor have to pull from science fiction for this one, but like in Minority Report, we’re looking into the mind of the device and establishing a PreCrime programme to detect devices poised to be abused for security violation. To do this, we also incorporate signals from other systems – for us, it’s EDR/XDR, and MDM – comparable to tapping national and international security databases to determine the risk posed by a given individual.
Lastly, we perform this continuously and enforce our decisions with concrete actions. If at any time a machine’s security posture should degrade, we detect a PreCrime risk and act. Unlike the Russian security service, we don’t send people to cold Lefortovo Prison, and we certainly don’t have dementors like in Harry Potter, but we do cap their access, kick them off systems and networks, and quarantine devices.
How do you make zero-trust authentication more exciting for the channel?
Meidinger: I’m not sure it could get much more exciting than the combination of Jason Bourne, Minority Report and Harry Potter in my previous answer, but if I absolutely had to make it more exciting for the channel, I’d want to talk about responsibility to our shared customers and preventing breaches.
Four of five breaches stem from password misuse. From the Verizon data breach investigation to the CrowdStrike global threat report, the numbers always hover around 80% of breaches that are traced back to passwords. Attackers have learned how to bypass first-generation multi-factor authentication (MFA) and we see them do it regularly. From Solarwinds to Uber, most breaches in the news involve bypassing phishable MFA systems.
To keep our customers safe, not from Dr Evil but from the real-life adversaries that want a share of their bank accounts, we need to move them to zero-trust authentication, which unites inherent technical defence against phishing and other account takeover attacks with device trust and validation to effectively prevent intrusions that can lead to breaches. We need to close the front door before we build Rube Goldberg machines.
How can you make the story more gripping for customers?
Meidinger: There are very few technologies that make you more secure while actually being delightful to use. Beyond Identity is one of them. Streamlining MFA (no more codes) and making it more secure (no more phish) at the same time sounds great, but is it necessary?
If you want to keep adversaries away from your data then yes, zero-trust authentication is swiftly becoming necessary. Companies that spend a lot of time and money on cyber security are regularly in the news for major breaches despite having had first-generation MFA in place. Uber and SolarWinds are the easiest examples, but there are literally hundreds more and the list is growing every day.
If security is important to you, it’s time to advance your programme past first-generation MFA, past simple passwords, past even basic phishing-resistant, to full zero-trust authentication.
And if, in so doing, you start getting high-fives in the hallway from your users who love not having to pull out phones and fobs, enter tokens, interpret pictograms, match numbers, or stand on their head while touching their nose to log in? All in a day’s work.
Can you sell the prospect of a career in security, without recourse to technical jargon?
Meidinger: If you want to be at the forefront of the modern cat-and-mouse game, where the stakes are in the millions, your adversary could be anywhere from London to Pyongyang, and your confidence and expertise could make the difference between business as usual and a cyber catastrophe.
If that sounds interesting, then don’t wait for someone to teach you – start learning on your own. Success in cyber security starts with intellectual curiosity and requires the mindset of a lifelong learner. Google “beginner CTF” and take a crack at one. See you on the other side.