[BRIGHT MUSIC] I'm Brian Chappell. I am the head of product here at One Identity. Well, today, I'd really like to talk to you about reducing the noise in your cybersecurity environment. I think most of us, when we're working in cybersecurity, tend to come into our offices every morning, facing what I can only describe as a tsunami of data.
There's input from every possible direction we could be imagining, whether that's from within our own environment, from our SOCs and our NOCs and any other -OCs we want to throw into the mix there, but also from outside, from media, from reports, from things like the CVE database, et cetera. There's a whole pile of information coming at us. And that can be overwhelming in many ways.
And what we need to be doing as much as we can is filtering through that data to get to the really important pieces that we need to actually take action for. Among those things, we'll be obviously looking for things like breaches and attacks that have actually happened.
But in most environments, that's incredibly hard to do because while we may have the great SIEMs, while we may have great logging environments, we may have great dashboards, we are trying to sieve out, from all of the information, the legitimate activities that people within our organizations are doing from the potentially damaging, from the malicious acts that often are coming from outside but can sometimes also be within the inside of our environment.
That leaves us with some significant challenges in how we address that. And many organizations run towards the shiny, the exciting, the latest goodness that's out there, where organizations are claiming to deliver some kind of silver bullet for you, that's actually going to help you solve all of your ills and woes and possibly make the coffee, too. And that is just simply not a reality. There is no silver bullet. There is no easy answer to this.
It's often about focusing on what's often not seen as the more exciting side of things. It's about getting the foundational pieces correct. Now, I had a scenario some years ago when I was in Dubai for a CISO conference. And that conference, I was staying in a hotel, very high floor, looking out across the desert. And so over a number of days, you get up, you open the curtain, you look out across the sand dunes. And you kind of go, well, that's the same desert there was yesterday.
But the reality of the situation is that every one of those dunes has moved slightly. It's, in fact, an entirely different desert every time you look out into that space. And in many ways, that's what the attack surface looks like. That's the external view we're putting out to the world, but it's also a good analogy for the attacks that are coming at us. We don't know where they're going to come from.
So if we go out and we build the most beautiful edifice in the sand, we're going to find the sand moves under it, and it falls over. And we get breached. What we need to do is we need to do a little like-- switching metaphors-- a little like an oil rig in the sea that has these deep piles that anchor it even in something that moves as vividly as the sea.
Or if you've ever been to London and seen the Shard on the banks of the Thames, that's sitting on a clay bed bank. And that has, I think it's something like 180-plus columns which are sunk down into the clay. But together, if you think, they're like a comb, and they anchor it. That thing does not move.
And that's just so appropriate when we're thinking about the foundations of cyber security. They may be dull, gray, concrete columns. But they anchor the edifice that we build on top. That's where we get our beauty. That's where we're building our organization.
And some of those things include vulnerability management, which is often an overlooked area, especially today. It's a little like antivirus. Everyone thinks it's commodity. And they get into these things. But I still have discussions with organizations who are focused on the severity of the vulnerability, so focused on the CVSS score, the common vulnerability scoring scheme value-- starts at 10, goes down to 0. The severity goes from critical down to informational.
But what we really want to focus on is the vulnerabilities that have known exploits in the world because that's where the scripts are. That's where the tools are. That's where the hacking as a service exists. So that is primarily where you're going to get breached. And there's a really old statistic that I've not managed to get a better one for since. And this was that-- I think it was around 2011-- Gartner said that 98% of successful attacks were the result of well-known and entirely preventable vulnerabilities.
Now, Verizon, in their great DBIR, kind of reflected this. And I think, 2016, it had dropped to something like 95% or maybe 94%. So not really doing a very good job in securing that side of our environment. So for me, that's one of the foundational areas we need to get our arms around, we need to have vulnerability sorted, because when somebody manages to get onto your infrastructure, it's usually through a vulnerability.
That could be technological, as we're talking about here. It could also be a human vulnerability like a phishing attack or something like that. But getting onto a machine is the first step. They're unlikely to land where they need to land. They'll want to move laterally across the network. And for that, they'll need privileges. And invariably, for that, they'll need some kind of vulnerability to gain them.
So you can see how it's a very foundational element. The attack chain tends to follow a very simple premise of vulnerability, privilege, and move laterally until you get to what you found exciting and then do one of three things. Well, you either move laterally one more time, you steal something, or you break something. It's a very simple premise. And it's invariably driven by money, if we're honest about it.
So vulnerability management is great. But once you're on the box, there are other things we need to think about. So I've gotten onto a laptop. And I'm going to be looking around to try and find some privilege. You've dealt with vulnerabilities. There's nothing I can do there. So I'll probably start looking for some configuration errors that you might have made.
So configuration management is a heavily overlooked area again. There are many good standards out there, CIS, DISA, and many others, who provide you with already pre-configured configurations-- that wasn't well structured-- but pre-configured configurations of how to secure your environments. So grab them and use them, adapt them for your needs. But make sure that your vulnerability scanner or some other device or system is checking to make sure those configurations don't change, because that kind of creep can leave you exposed.
So we've locked down the configuration-- another great foundational pillar of our cybersecurity. Patches-- patches often leave vulnerabilities. If we've got our vulnerability management, hopefully it's telling us to do our patching. Sometimes we don't keep up to date with them. So good patch management, another foundational piece.
So far, nothing is earth-shattering, and nothing is really exciting in many ways. But we are beginning to anchor our platform that we're going to work from. The users who are on these workstations, if I go back in time to the beginnings of my career, which is such a very long time ago-- not quite steam-powered computing, but not far off-- in those days, there were administrators, and there were users. And never the twain shall meet, until you needed to add a printer or install your first piece of software, in which case Windows went, hey, I want you to be an admin.
So in that regard, quickly, users got more privileges than they need. And in all honesty, today, I don't think we really have a standard or an unprivileged user anymore. Everyone has some degree of privilege. But we can use things like endpoint privilege-management tools to help us bring those users back to the bare minimum they need.
It's often referred to as the principle of least privilege. And that is, as was originally posited by a guy called Serome-- Jerome Saltzer-- nearly called him "Serome," that's good-- Jerome Saltzer in the Association for Computing Machinery meeting in, I think it was July of 1973. He said that each process or user should have the least privilege necessary for them to operate.
I kind of like to think of that in the least privilege to be productive because, obviously, securing your environment is about being productive. It's about delivering more from your company. It's about growing and having a safe environment to grow in. But I think that's a good way to look at it.
Another way to call it would be the principle of least risk. And for cybersecurity professionals, I think this is a good one because that's what your board talk about. They talk about risk each and every day-- the risk of doing something, the risk of not doing something. So the more we can relate these things to them, the better it is that they can understand and help them make decisions more quickly.
So endpoint privilege management can reduce that risk down to the absolute bare minimum it needs to be for that person to be fully productive in their role. They don't have to have any restraints in that. And in fact, in all honesty, you can often give them a little bit more capability than they had in the opposite scenario of trying to take, like, an administrator user and clamp it down. So you actually end up doing more damage in that route.
So when we begin to think of these things coming together and we add on-- say I'm an administrator. I need to access that server over there. Rather than me having the credentials to log in directly to that machine, I use my credentials to log in to a system which is generally a privileged access and session management system.
That then allows me to connect onto that target machine without me ever having the credentials myself. If I don't have them, somebody getting onto my system doesn't have them either. And by having a session that's initiated through the system, I can record everything that's going on. There's nothing that can be hidden. And we've now encompassed the infrastructure of our environment as being a safe access, as well.
So again, another pillar is being driven down into the sand, into the water, into the mud. It really doesn't matter what it is. But we are really securing our environment. So when we've got these things in place and then we have clear control over things like identity, we can then look onto identity, as well, because knowing what identities we have out there in our environment, and, more importantly, being able to identify when an identity appears that-- I'm going to go back because I looked into the camera there.
So sinking that pillar into the ground, that's another great one. Then we can move on to identity. And being able to create identities and manage those identities and the entitlements they have out in the environment, plus being able to quickly, clearly, and easily identify any identities created that we didn't create is vitally important. Those kinds of clarities that we're going through help us ensure that we're securing our environment.
And if we kind of go back across everything we've been talking about in this regard, you'll begin to see that what we've done at each point is we've taken away the implicit capabilities in the environment. And we've replaced them with very explicit privileges, or permissions.
When we think about that in terms of, say, the administrator in Windows, I can say-- unfortunately, I do remember Windows 2.0. So I've been with Windows for a long, long while. And even I can't tell you everything an administrator could potentially do on a system. I can tell you that group policy, which is often used to try and limit what an administrator can do, consists of somewhere in the region of 2,400 settings today. And those can be layered up in very interesting ways, which make it more and more complicated to do.
I often imagine it's similar to trying to put a cloud into a Perspex box just using your hands. Bits are going to get missed. Another way I look at it from time to time is an office building. Everyone can relate to that. But the floor plan I have for the office building is not up to date. There might be connecting doors. There might be back stairs, where somebody who knows the building a bit better than I do will find a route through that I hadn't secured.
So you're always fighting in that scenario. And when you think about how large a security model that actually becomes, it's immense. For some years, I worked with a large pharmaceutical. And they have around 110,000 people in their organization. And I can tell you there was a room full of something like 17 people just thinking about the security model.
It's not good if you can't get it in one head because when something bad happens, those 17 people have to have a conference to think about what they should do next. When we move to implicit privileges, we actually simplify the security model. It's no longer, what can't Brian do? It's, what can Brian do? And rather than, Brian can't do 2,375 out of the 2,400 things, Brian can do 25 things.
I unfortunately do remember Windows 2.0. I am that old. And even though I've been around Windows for that long, I couldn't tell you everything an administrator can do. There are around 2,500 settings in group policy, which is often used to try and restrict what an administrator can do. But those can be layered in all sorts of interesting ways. And it is a little bit like trying to gather up a cloud and put it into a box with just your hands. There's always going to be mist on the outside.
Or another example, using an office building as a good example, you want to close your windows and doors. I really just want to make sure that when you come through the front door, only the route you need to get to your desk and do your work is open for you. But my floor plan is not up to date. There are connecting doors. There are back stairs. There are ways for the smart person to get around the defenses that I might put in place.
And so when we think about what tends to happen then is you tend to have very explicit-- sorry, implicit models. And then we moved towards explicit models. So we're going from, you can do everything, I'm going to try and stop you, to, you can only do this handful of things. And that then enables you to have very tight control over what's happening. But at the same time, with products like endpoint privilege management, you are also enabling everyone to be fully productive in what they're doing.
So again, as these things begin to come together, everything we do as we step through those foundational elements is simplifying the security model. As we get to the end of it, we're no longer worried about what Brian can do with his account, because Brian can do nothing except the things we've explicitly said he can do.
So when we then look at the logs, I'm not really that worried about the things that he's allowed to do, because those are necessary for his role. There are none of the other pieces, which is where Brian was using a highly privileged account to do something he shouldn't, whether by intent or by accident. And the noise, the number of log entries, has gone down.
Now, when something happens, when we see a login to a server that doesn't have a corresponding access through our privileged access and session management solution, alarm bells ring. We send out the dogs. We stop it very quickly. And as we mentioned earlier, if an account gets created that shouldn't be there, we see it straight away.
They become very strong signals because the noise has just been quelled down. And we now have an environment that we can start to look to the more exciting things, the shinier technologies that will help us then find some of the more nuanced attacks within our environment. But we've kind of dealt with that 95%, 98% up front.
And in many ways for me, this is not a scenario of actually reducing the number of people we need in our teams. It's about enabling them to have the space to actually do what we hired them for in the first place, which is to look forward to the future attack, to ensure that we can move forwards in a safe way, because at the end of the day, company growth is dependent on having a secure environment in which to grow, whether that's financial, whether it's security-wise, or any other premise.
It's about making sure we feel confident to take those educated guesses, reasonable risks in stepping forwards because we know we have a stable platform on which we're walking. So that's, for me, why this idea of the foundational cybersecurity, why it's so fundamentally important to everything we do when we're thinking about a cybersecurity strategy and when we're thinking about how we can enable our company to be the one still stepping forwards while others might be suffering with a breach.
[UPBEAT MUSIC]
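The detection the talk describes (a server login with no corresponding privileged access and session management session), as an added example that is not part of the transcript or of any One Identity product. The log and session record fields, host names, addresses and times are constructed for the example, and the PASM proxy address is assumed to be the only sanctioned source for brokered logins.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Login:
    """One line from a server's auth log (fields constructed for the example)."""
    ts: datetime
    host: str
    user: str
    src_ip: str

@dataclass(frozen=True)
class PasmSession:
    """One brokered session recorded by the PASM solution (constructed)."""
    start: datetime
    end: datetime
    host: str
    user: str
    proxy_ip: str

def unbrokered_logins(logins, sessions, slack=timedelta(minutes=2)):
    """Return the logins with no corresponding PASM session.

    Brokered means: same host and user, login time inside the session window
    (`slack` allows for clock skew) and source address equal to the PASM proxy.
    """
    by_key = {}
    for s in sessions:
        by_key.setdefault((s.host, s.user), []).append(s)
    return [
        l for l in logins
        if not any(
            s.start - slack <= l.ts <= s.end + slack and l.src_ip == s.proxy_ip
            for s in by_key.get((l.host, l.user), [])
        )
    ]

# Constructed sample data: one brokered login, one outside the session window
# and one from an address that is not the PASM proxy.
T = datetime(2024, 1, 15, 9, 0)
SESSIONS = [PasmSession(T, T + timedelta(hours=1), "db01", "brian", "10.0.0.5")]
LOGINS = [
    Login(T + timedelta(minutes=5), "db01", "brian", "10.0.0.5"),
    Login(T + timedelta(hours=3), "db01", "brian", "10.0.0.5"),
    Login(T + timedelta(minutes=10), "db01", "brian", "192.168.1.20"),
]
if __name__ == "__main__":
    for l in unbrokered_logins(LOGINS, SESSIONS):
        print(f"ALERT: {l.user}@{l.host} from {l.src_ip} at {l.ts} has no PASM session")
```

Only the two logins that bypassed the brokered path come back, which is the "strong signal" left once sanctioned activity is filtered out.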