Organizations are becoming increasingly digital in their operations, products and services offerings, as well as with their business methods. This means they are introducing more technology into their environment. At the same time, they have shrunk their IT shops – in particular, their infosec teams – and have less visibility into their environment and operations. While they are trying to do more with fewer staff, they are also falling behind in terms of tracking potential security alerts and understanding how attackers enter their networks. Unfortunately, threats are more complex as criminals use a variety of paths such as web, email, mobile, cloud, and native Windows exploits to insert malware and steal a company’s data and funds.

In this post for RSA’s blog, I talk about how organizations have to become better at managing their digital risk through using more advanced security and information event management systems and adaptive authentication tools. Both of these use more continuous detection mechanisms to monitor network and user behaviors.

The world has changed significantly in the past two years, and so have the rules around assessing cyber security risk. A combination of greater digital business penetration, a wider array of risks, and bigger consequences of cyber threats have made the world of risk management both more complex and more important than ever. Sadly, word hasn’t yet gotten out that risk management is an essential part of today’s business operations. According to this PwC study cited by Silicon Republic, 40 percent of Irish companies are failing to do any risk assessments whatsoever.

If you want to get on board, read my article in CSOonline. I interview several people who show how things have changed and how IT can do these kinds of assessments properly.

In just a few years,a lot has happened in the Cloud Access Security Broker (CASB) market.

Most of the main-line security vendors have purchased CASB solutions: Oracle (Palerra), IBM (Gravitant), Microsoft (Adallom), Forcepoint (Skyfence), Proofpoint (FireLayers), Symantec (Skycure) and McAfee (Skyhigh Networks). The three independent vendors still standing include CipherCloud, Netskope, and Bitglass. The market has matured, although this is a matter of degree since even the longest-running vendors have only been selling products for a few years. It has also evolved to the point where many analysts feel CASB will be just as important in the near future just as firewalls once were back in the day when PCs were being bought by the truckloads. Gartner predicts that by 2020, more enterprises will use CASBs than not, which represents a big jump from the 10% that used them at the end of 2017.

Four things also helped the CASB cause: First was its quick learning curve by security personnel. Second was that they became more inclusive in terms of applications support. Third was the beginnings of a managed service provider business, and finally, multimode operation has become more prevalent. 

In this story for CSOonline, I talk about what are these products, why enterprises are motivated to purchase and deploy them,  what features you should look for that are appropriate for your network. what are your decision points in the purchase process, and links to many of the major CASB vendors.

There are conflicting reports over whether or not ransomware attacks are growing. Many organizations state (quite convincingly) that it’s the most popular malware form and that ransom-related attacks have been increasing at a rapid rate over the past year. However, other reports offer a more nuanced point of view.While the raw number of ransom-based attacks is increasing, the proportion of ransom-related attacks is dropping over the last part of 2017. Many businesses are not paying out the ransoms, motivating criminals to try other malware methods.

I compare the results and show how they differ in my latest blog post for IBM”s Security Intelligence blog.

Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of hacking back opens up a wide range of cyber defense tools to IT and security managers. Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

In this post for IBM’s Security Intelligence blog, I review some of the early hacking back efforts by both private and government entities and discuss some of the recent legislation.

It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve overall customer experience and help compliance regulations as well as simplify a patchwork of numerous legacy banking technologies.

Based on my experience with some of these products, RBA has matured and become more compelling, particularly when compared to static and more traditional multi-factor authentication (MFA) methods, especially as the typical enterprise attack surface has expanded and evolved. The expansion takes on several different dimensions:

• Endpoints are getting more diverse. Thanks to more capable mobile devices and more susceptible embedded internet of things (IoT) products, attackers have more leverage and entry points. Botnets of thousands of these devices are quite common, and entire malware campaigns (such as Mirai in 2016) are a major threat vector.
• More mobiles on enterprise networks means that users are mixing more personal and business activities on their phones and tablets. This erodes the boundaries between these two domains and makes it easier for attackers to leverage entry into the business network.
• Social networks make it easier for hackers to use social engineering tactics to figure out users’ logins. As a result, authentication challenges are getting more sophisticated, with attackers compromising one-time passwords and weak MFA methods with better tools and the acquired social engineering knowledge.
• Cloud computing has helped to leverage malware-as-a-service, and a number of malware construction kits and services are available for purchase that don’t require much in the way of skill beyond clicking on a few buttons.
• Malware is getting more sophisticated at hiding in plain sight, being able to disable protective methods and establish themselves deep within a typical enterprise network.
• Attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications, making them very hard to track if viewed as separate and independent events.
• Shadow IT operations continue to proliferate, making it harder for IT to police and protect endpoints. Adding to this difficulty is that the average enterprise network is getting more complex and harder to defend. One study shows that the average bank had 30 domain configuration issues, 42 SSL configuration issues, 87 IP reputation issues, and 81 threat indicators across their digital footprints. That is a lot of different touch points to monitor and maintain.
• Finally, ransomware is a growth business, with increasing number of attacks and pinpoint targeting on specific businesses and transactions.

Passwords are no longer secure

As the number of logins and password-protected services increases, it makes passwords more difficult to remember. That encourages more reuse or picking weaker ones that are easier to compromise. Users are experiencing more password fatigue, and they need better tools that can avoid passwords whenever possible without compromising security. All static passwords are now vulnerable, and RBA has become the best mechanism to introduce security and avoid further password reuse and fatigue.

These trends are forcing IT managers to more seriously use RBA methods and move from traditional binary login/logout practices to more nuanced user access. Authentication has to adjust to different circumstances. When a user is doing something particularly risky, such as a funds transfer or adding a new payee to their online banking account, they need more stringent authentication.

An enterprise needs to have more granular authentication tools, not just a simple yes or no process. Security blogger Brian Krebs says in a recent post, “Nobody has any business using these static identifiers for authentication because they are for sale on most Americans quite cheaply in the cybercrime underground. Most U.S. adults have had their static personal details on sale for years now.” RBA is needed to make sure that subtler yes/no decisions can be made for various authentication activities, and to be able to distinguish between the genuine user and a hacker try to force their way in.

The new generation of RBA solutions

RBA isn’t new. Various authentication vendors have been selling risk-based solutions that scored particular transactions on simple linear scales for years. What is new is a series of innovations that can make RBA more attractive and more secure. Here are a few of the RBA vendors:

• Easy Solutions DetectID
• Gemalto Assurance Hub
• HID Global Risk Management
• RSA Adaptive Authentication
• Transmit Security
• Vasco Identikey Risk Manager

The innovations found in these products include the following features, and IT buyers of RBA solutions should carefully examine how each of these are implemented before choosing one that fits their needs:

• Continuous authentications and account monitoring that provides automated risk profiles and assessments. RBA needs to understand a user’s typical behavior, life and account patterns. For example, some software knows that you always use a particular neighborhood ATM for cash withdrawals, so that when you go visit an ATM across the country, you are presented with authentication challenges or get conditional access until you prove your identity. Unlike the older linear risk scales, these continuous methods are adjusting risk dynamically, and cover a wider collection of circumstances.
• Real-time analysis. Helping this continuous assessment is being able to do so in near real-time. When someone is trying to use my credit card illegally (which actually happened to me last week), I should receive a notification from my bank within moments of the attempted transaction.
• Orchestration across various diverse applications and environments. The best orchestration technologies can examine a wide variety of inputs and combine everything together to make a decision about whether a user is acting appropriately or if fraud or account takeover is happening.
• Ability to work with various self-service portals. This allows users to reset passwords or deal with lost devices without having to call the enterprise help desk for support
• Behavioral biometrics. RBA should also keep track of how the user behaves with the authentication application itself, so that a user’s collection of devices becomes part of its sensor network to perform the actual risk assessment. The ways in which we walk, stand, sit, and interact with our applications and devices (choosing menus, typing and touch cadence) turns out to be quite predicable and all can be used as authentication mechanisms.
• Better integration of MFA methods. MFA is just one piece of the RBA puzzle. While it is an important one, it isn’t the only game in town. RBA tools need to determine when not to use MFA logins as much as when to use them. It used to be that we considered biometric methods as an additional MFA factor, akin to a better one-time password generator. However, biometrics and MFA are just additional inputs to the overall RBA decision process, and both need to be better integrated into an enterprise’s functional processes to handle the newer continuous risk-scoring methods.