
Hello and welcome, everybody, to the next session in track one. Here we are joined today to talk about identity security. Fei here is going to have a discussion with us and present some information, so if you can, give him a warm welcome with applause. Thank you.

Thank you very much. Good afternoon, everyone. My name is Fei. I want to start by saying thank you to the BSides Edmonton crew; thanks for having me, and thanks for some awesome swag as well. I think this is pretty snazzy, don't you think? I think it's pretty snazzy, so Christmas lights early for everyone. So today I want to talk about something that's not going to be too technical, so I'm not going to ask you to write code or anything like that, so don't worry, it's fine. I'm not going to display or demo any shiny new stuff like Kim and the earlier speakers did. Although, I think it's interesting that the BSides crew put together a bunch of identity-related talks back to back to back. I think that's pretty nice, because I think identity is the future of security. No, I don't think; I know it is.

And because we are in a post-secondary school right now, we're going to start with a pop quiz. So ask yourselves and answer the question: who was the biggest driver of digital transformation at your company? Was it the CEO, the CIO, the CTO, or COVID-19? Almost everyone agrees it was COVID. COVID was a big factor in making many companies decide to either go cloud, or change the way we do things, or all of that. And today, thanks to COVID, we've got smarter threat actors, and
now you can't use traditional castle-wall defenses. Your firewall is no longer your perimeter; now identity is the new perimeter.

So where are we now? First, there was a study in 2022 that found that about 62% of workers between 22 and 65 say they work remotely at least occasionally, maybe twice a week, hybrid. Except, of course, if you work for Amazon; then you have to go back to work in January, no remote. And of course that has actually led to many people being... I know lots of people who say, "If you want to give me a job offer and it's not remote, I'm not taking it." That's where we are right now. So there's an increased adoption of remote work from everywhere: your hotel lobby is your office, the airport lounge is your office, and Starbucks or Tim Hortons is also your office now, as long as you buy a coffee, and unlimited refills. So that's interesting as well. So there's been an increase in cyber threats that are targeting those human vulnerabilities, because we're everywhere now. So that's the question: how robust is your identity management?

So let's try and understand what that human factor is, because identity security really matters. Attackers usually target user credentials to bypass defenses, breach systems and all of that, so protecting the "who" in your security strategy is essential to prevent that unauthorized access and data theft. Also, in today's remote and hybrid environment, managing identity security has become increasingly complex. How many people have an IGA where you work? You see, there we go, one person. How many people have an IAM framework that they work with? Again, only very few people. So that's why it's so complex: not because they don't want to, but because it's just so hard to do, because you've got dispersed teams. So ensuring that only the right people have the right access at the right time is a constant challenge, and it requires robust solutions, continuous monitoring, and not many enterprises have that resource. And finally, you find out that people are often the weakest link in cyber security. They can also be your strongest link; they could be your strongest in terms of defense. So people could be falling for phishing attacks or practicing good cyber hygiene; they swing along the entire length of the spectrum, very good or very bad, and human behavior sort of plays a pivotal role in securing those systems. So if enterprises can build security-first cultures, it empowers their employees to become your first line of defense. So that's what we want to look at: how can you do that as an enterprise?

So today, because we know ESM is a nightmare for many enterprises, like I saw in this room right here, because
there's so many things to do, there's so many things you want to pull together, let's look at some of what those challenges are.

One of those challenges is unsecured remote networks, because remote working introduces new risks and new complications. Many employees rely on personal Wi-Fi connections that may lack strong security measures. Everyone loves free Wi-Fi, so airport, hotel lobby, Starbucks, Starbucks 2, the real Starbucks Wi-Fi, you know what I mean. So that leaves people vulnerable, and systems vulnerable to attack as well, and some of these employees actually have accounts that have elevated privileges. So if this account gets taken over, for example by an APT or a malicious actor, then you can have devastating consequences for them.

Also, we've got personal devices, because these days, yes, some companies provide devices, but many people do work with their personal devices. And because you don't have strict device management, sometimes you have people using BYOD or using COPE, because they use devices for both work and personal purposes. Sometimes it's not the same level of patching, or the antivirus is not up to date, or there's an increased risk of malware infections on those devices as well. And of course that means there's limited control over those endpoints, because IT teams would face difficulties ensuring that every laptop meets the standard we want, because we don't have access to every single laptop at every time. So it makes it a bit more challenging to monitor, update and protect those endpoints effectively, because you can't control the human identity that's at the end with that endpoint, particularly when you have privileged identities as well. And finally, there is just an increased threat landscape, because being remote opens up a lot more entry points for attackers to actually exploit, and that makes it harder to manage and secure company data. So addressing these challenges is critical to safeguarding the sensitive information that enterprises have and maintaining operational security, especially now that we're all remote, right?

And of course, again, there is a psychology of cyber security as well, because human behavior is sort of the biggest thing. We've got cognitive biases and everyday habits that can actually undermine even the strongest security measures, because someone receives a suspicious email, especially when the email is from a purported Nigerian prince offering you a lot of money, more than your RSP has saved in 10 years, just to send him an email. So, like, hey, why not? It's 5 million bucks; who doesn't want money, right? So those human tendencies create gaps that attackers are able to exploit. So if you're able to recognize these behaviors, then we can actually train against those behaviors. So that's the first thing. Of course, there's also
social engineering tactics, because attackers don't actually target systems, well, not directly anymore; they target the people. So phishing, pretexting, social engineering, like Kim mentioned in her previous talk just before, if you were in this room. They exploit human psychology to gain unauthorized access: craft an email, "he was at a conference," and someone says, "Hey, he's at a conference, so approve this, leave that." That's how those things work. And even a cleverly crafted email, a convincing phone call or video call, like she explained, can actually bypass even sophisticated technical defenses. And these days the malicious actors aren't just targeting individuals; they are targeting those who have been assigned privileged accounts, and if those accounts are taken over, then it gives them an opportunity to sort of roam free through your environment unchecked.

And finally, one of the strongest ways to actually mitigate social engineering and all of that is education. Continuous employee training is essential to help teams recognize and respond to those threats. Phishing simulations, awareness programs, education and all of that help your team actually spot those attacks before they succeed. How many of us have phishing training or that kind of awareness training where we work? Okay, that's a better ratio, so that's good; companies are beginning to wake up. If you don't, you should talk to your IT or your CISO or CIO, I don't know, whoever's in charge.

So another thing is that it's actually quite hard to build a culture of identity security, especially at the enterprise level, because there are so many challenges. First, there's the role of leadership, because leadership sets the tone for that security. If your leaders don't champion secure practices or lead by example and make security a priority across the organization, then it becomes a challenge. I was talking to someone earlier today, and it was like, yes, leadership wants everyone to be secure and use MFA, except them. So yes, MFA is for everyone except me, but that's where the biggest risks usually are. So it's not only MFA or security just by leadership in word but also in action; they've got to do that as well. Then also there's training and awareness programs. Regular training, regular sessions to help bring your employees, your workforce, up to speed are critical to ensuring your success, because if your team knows what to look for, knows those telltale signs, they're actually able to ensure that everyone from entry level all the way to C-suite levels is informed and vigilant. And then finally, another thing is that it's important to actually encourage accountability, because security is a shared responsibility. Enterprises should
empower teams to actually understand what their role is in protecting the organization and encourage proactive behavior. I've heard someone tell me, "Well, I thought something was fishy, or maybe I didn't do something quite well, but I didn't say anything about it because I would be scapegoated," and that's a problem with many enterprises. So do you encourage a culture where your employees can say, "Hey, I think something doesn't seem right, or I might have done something wrong; we need to look at that"? Does he get kudos, or does he get fired because of that? Do you actually encourage that? That's another thing that companies need to look at. So don't scapegoat people when incidents happen, because it has the unwanted effect of making people reluctant to disclose potential, probably serious, compromises when they happen.

So what possible solutions are then available to us? What possible solutions can we look at? Because there are things that, as an enterprise, you can actually do to help enhance your identity security posture, and if you do properly implement that, operative word "proper" implementation, if you properly implement that across the organization, it does help.

First, things like multi-factor authentication and single sign-on. It might seem pretty easy or pretty straightforward, who doesn't have MFA, but lots of people don't have MFA. How many people have MFA on their C account? Okay, how many people know that you can actually have MFA on your C account? Banking accounts: how many of you have MFA on your banking account? How many of you have MFA on your social media? There you go. And how many of us are on our social media every day? But you don't have MFA on social media. So that's easy. We'll see a couple of things later on about why it's so important, because MFA does ensure that even when a password is compromised, there's a second layer of verification required. It could be biometrics, it could be OTPs, it could be a hardware token, and that extra layer dramatically reduces the risk of account takeovers and data breaches. So if a user is going to have an account with elevated privileges, you should be thinking about MFA not just for the standard, regular account but also for that privileged account. And if you can, split those MFAs: don't use the same MFA platform to authenticate the regular account and the elevated account. So if you're using, say, an authenticator app for the standard account, try using a FIDO2-compliant token for the elevated account, or something different. That way you can actually separate the risk, so that a compromise of one of them doesn't compromise all the access that that user has. We also have single sign-on,
which does simplify the login process, because it allows users to access multiple applications with just one set of credentials. Some say it's a problem; I don't think it is, if it's properly implemented. Remember when I said "proper implementation"? Because, one, it streamlines the user experience. I like to say that security and user experience are opposite ends of a sliding scale, so you ask yourself: how secure do I want to be, or do I want my users to have the best experience? You want your security to help users do their work as seamlessly as possible, but make it as difficult as possible for whoever is a malicious actor trying to get in. So that's what you want to do. It helps a user actually get a better user experience if you're able to implement single sign-on. It reduces password fatigue, because how many of us do those things where they say you have to change your password for this platform every time? So it's Password1, then Password2, then Password3, then 4, then you get to 10, it becomes 11, or you add a dollar sign at the end. That's what happens, and so once they figure out your pattern, it's compromised. So it's difficult. So you actually want to encourage people: okay, if I can do single sign-on and I'm going to get a 27-character-long password with all the various variations and then use that, it's harder, and that makes it easier.

And of course, with privileged accounts, also manage that single sign-on experience securely: session recording, periodic re-authentication as well, setting session timeouts to make sure that you can actually limit and control potential damage. Possibly use a PIM or a PAM so that you can also carry out things like automatic password rotation, session recording like I mentioned, because together with MFA and single sign-on you can actually offer a perfect balance of strong security as well as a seamless user experience that enables organizations to protect their assets without adding unnecessary complexity or friction to everyday workflows. And that's quite important.

I'm going to just sort of digress and say a bit here, because someone has said, well, zero trust is the antithesis of single sign-on, and it isn't quite. Zero trust does help a lot with this, but zero trust doesn't work against single sign-on. Single sign-on says, yes, you allow one person to sign on with one credential. Zero trust says just because they've signed on with that credential doesn't mean, "Oh, he must be him, so he gets access to the keys of the kingdom." So you should be looking for different signs of account behavior, signs of compromise: where is he
authenticating from, what are the device characteristics? Use the principle of least privilege, so every time he tries to access a different resource, query again. Don't just assume because he provided the credential at first; you didn't give that to him. So continuous challenge should be provided as well, to help ensure that you're not implicitly trusting the user, because that's what zero trust is actually trying to do: make sure there's no implicit trust. So for example, bad zero trust with single sign-on is saying, because he's logged on to the VPN with his username and password, he has access to the entire corporate network. That's just stupid, so don't do that. Good SSO would be: he's logged on to the VPN, okay, what does he need to do? He's trying to access a different server in a different domain; challenge, and be sure that you have the right authentication challenge and the right response to give that access.

I'll tell you a story. Once someone was telling me about somebody who had a contract role for a company based in the US, and he would log in and do his work; it's quite all right. Now he subcontracted that contract to someone in India. Now, there's nothing wrong with subcontracting; that's not the point. But he was always based out of Portland, I think, and he was logging in at a particular time, and then somebody called him and said, "Hey, why were you logging into this system from a different IP address at 1:00 a.m. in the morning?" And it was like, "Well, it was this person," and that made him lose the contract. Because, hey, he could trust the person he was giving it to, but do you trust what endpoint the person is on? Do you trust what network the person is on? How do you know he has proper procedures to take care of his identity? How do you know that that person in India, who by the way is doing the job, isn't going to be an entry point for malware to actually get into your network? So all of that is very important. So that's what good SSO and zero trust do, because they didn't assume and say, "Hey, it's Chris logging in, only from India, but because it's Chris we let him go in." No, you actually want to verify also and say, should he be doing that? So a single source of truth for authentication, which is usually what an IdP tries to do, bring everything under one umbrella as a single source of truth, makes it easier to look for what we call indicators of compromise, and then it makes it easy for you to
actually manage security, improve security, because let's face it, making your users memorize several passwords isn't improving your security; it just makes them more frustrated, and then they try to bypass it, so they use Birthday1, Birthday2, Birthday3, and you know what we're talking about.

Also, you can actually implement an identity and access management policy, because that would be the foundation of your organization's security strategy. So deploy an IGA if you don't have one; that's going to be the gatekeeper for all your critical data and your systems, and by verifying those identities you're able to enforce access privileges for users, because the IAM is going to ensure that only authorized users are interacting with your sensitive information. So for example, if you have a GPO that restricts interactive login for service accounts, and you've also got IP restriction active, then it's easy to have a policy that says, hey, if there's an interactive login on this account, I want to detect that, especially if it's from an IP address that's not pre-approved on my ACL. So implement things like that, because that helps you. And that's not only protecting you from both internal and external threats, but it also reduces your attack surface, because it limits the opportunities for breaches to actually happen, reducing your attack surface significantly. And then of course it does provide a strong framework for maintaining trust and regulatory compliance, and that helps to secure the future of your enterprise. So these are some of the things that we should be doing around identity and access management, making it essential for future protection.

Of course, another interesting thing people have been talking about recently, which would also do well, is to use user and entity behavior analytics, or UEBA, or whatever you want to call it, whatever the acronym is, because that analyzes user and entity behavior. It uses a bit of machine learning and data analytics to detect and flag unusual patterns that could be indicators of attack. So for example, you're able to identify potential threats, which you can then detect when those anomalies show up, and you can respond to those suspicious activities using machine learning and data, so you can see those patterns that indicate there might be an attack or a compromise happening. Monitoring that behavior: by monitoring, you're able to establish a baseline, because without that monitoring you don't have a baseline. So where are you going to be working from? What's regular behavior or what's usual behavior? So you need to be able to establish that baseline by continuous monitoring, to say, okay, this is regular, so this looks different. And of course, once you're able to detect those unusual activities, that lets you know, hey, is this
a threat, or is there a risk here? And then you can investigate further. But if you aren't even looking for it, you don't know it's happening, so it's important to make sure that you're actually looking for those in the first place. And of course, because you're then looking for it and you can see when it happens, it actually enhances the visibility and your ability to respond when those things happen, because you can see it happening and you can actually follow up, if you have the tools in place to see it and if you have the resources to follow up. So that's a different conversation, but it's part of the things enterprises should be thinking about. And of course that helps you support compliance and security: are we doing this? Compliance, yes, a checkbox. But it also helps you to support risk management as well: are you reviewing all the risks you have? Are you able to actually put things in place to mitigate against those risks? It's by doing all of this that you're able to see all of that; it gives you a clearer picture of what it is that you're doing.

Now let's talk about some best practices that can actually help enterprises secure remote workforces. Not every enterprise can implement everything, but if you're able to, it does help. So first, I know people have said, yes, VPNs are old school, but they still help, so use a VPN to encrypt connections, because a VPN secures your data transmission, preventing attackers from intercepting sensitive information, usually if it's, again, operative word, properly implemented. Like we'll see later on, if there's improper implementation you can still bypass that. And of course, make sure you've got regular device updates where you can apply security patches. So if you've got EDR or XDR in place as well, that can help towards all of that. Make sure that you're keeping all devices up to date where you can, patch, manage all of that, because it helps you see what your environment looks like, know if there are any vulnerabilities in your environment, and you're able to actually deal with those promptly. Again, if you're not looking for it, you don't see it, so that's important; you have to be looking at that.

And of course, like I said earlier, security is a shared responsibility, so it's not just the job of the cyber security team or the IR team or the guys in the SOC; security is for everyone. So it's important to actually drill into the team that it's everyone's responsibility, from the C-suite all the way down to the new intern, because together everyone has a part to ensure that the enterprise stays secure. You only need one person to do something stupid and then you have a breach. So encourage employees to speak
up when they can, if they notice suspicious behavior that's anomalous, or they think they've made a mistake. Like I said, don't demonize anyone. It's not okay to demonize anyone, especially when it comes to cyber security; there was a talk earlier about mental health that sort of talked a bit about that. So it is so important. And again, like I said, use secure remote access solutions, so deploying a zero trust network architecture, using a solution to ensure that users can only access what they need, and monitoring those access points as well. And then finally, you want to strengthen your endpoint security, like I said earlier, using the appropriate tools, so EDR, XDR, whatever vendor works for you, that's fine, but make sure you have that in place. I'm not going to tell you to use a particular vendor over another; it's all totally up to your enterprise what you choose to use. And of course, like I said earlier, enforce multi-factor authentication at all levels, across all boundaries, where you can, because it does help. So adopting those best practices sort of helps strengthen defenses.

And of course, like we mentioned earlier, because not everyone in the company works in cyber security, you have to make sure that you're balancing security with the user experience. So ensure that robust security doesn't mean you're compromising productivity. Don't make it so difficult that your users are constantly trying to undermine your security, but make it so that they're able to actually work with you. So like I said earlier, single sign-on allows them to do that without remembering multiple passwords, to reduce password fatigue. Minimize friction by optimizing your authentication; streamline your security as well; use solutions that actually integrate seamlessly into your existing workflows. It's easier for people when, like the solution Kim showed us earlier, it's all within the same environment. It makes it easier to use than having to use this app, then go to that app, then that app, that app, then come back here; no one wants to do that. So where you can, integrate those solutions into your workflows without causing significant disruptions. Of course, you also want to optimize authentication, so combine security and convenience in ways that don't slow things down. So for example, where you can, use biometric authentication; it is quicker, I can just put my fingerprint on, or my retina scan, or whatever it is that works for you; or adaptive authentication, which I will talk a little bit about later, which is quite interesting, some of the new things we're seeing there. And of course, you want to actually have a user-centric design, so think about your users when you're developing your solutions. What do your users want to see? How is this going to help your users do their work better? Because security is there to enable the company and not make their life difficult, so that's what they want to do there, so think about that.

So having said all of this, like I said, it's hard to say that breach was a result of identity issues, or that breach was a result of not implementing zero trust, but with hindsight we can actually look at some cases in the past, and we know that if they had done things differently, it could have greatly mitigated the risk of a severe
breach. So what we're going to do is look at a few examples of why we know that if you have the right culture or implement the right strategies, you can mitigate that. Examples such as the Equifax breach of 2017: initially it was actually hacked via a consumer complaint web portal. So there was a vulnerability that was available on the system; it wasn't patched. It should have been patched, but it wasn't, for some reason, due to failures in Equifax's internal process. So attackers were able to actually move from that web portal to other servers, because systems weren't segmented from each other, and they were able to use the same identities across those systems. And they were able to actually find usernames and passwords stored in plain text, and once they found those, from that web portal they were able to cross into other systems and get into Equifax. So what happened? They pulled data out of the network in encrypted form, undetected, for about 76 days, almost three months, because Equifax had failed to renew a critical encryption certificate on one of their internal security tools. So then one day they went, "Oh, we haven't renewed this," so they renewed it, and when they did, they found out, "Wait, why is this user transferring 6 gig of data out?" Because they hadn't been looking for that before. So it's important to make sure you're looking for things. And of course, Equifax didn't actually publicize that breach until over a month after they discovered it. There were about 47 million affected customers, 143 million in the US, about 4 million in Canada and 600,000 in the UK. The US government has indicted four Chinese military individuals as a result of that, and they suspect it was actually the Chinese government that sponsored that, because that data hasn't been found anywhere on the dark web; maybe it's with China, we don't know. But with hindsight we know that if there had been a zero trust policy, if there was micro-segmentation, if there was stronger MFA in there, it could have probably reduced the risk or prevented that breach from escalating to the level it got to.

Another example we can actually think of is the Colonial Pipeline ransomware attack of 2021. Because it happened in '21, it was actually quite significant; it impacted fuel distribution in the Eastern United States. The ransomware group was called DarkSide, I believe. There was a weak password that they exploited to gain access to the IT systems, and then they deployed ransomware, encrypting all their data. And as a result of that, Colonial, because they got encrypted, actually
had to then shut down their operations for a while, and that led to fuel shortages in the entire Western US, and 17 US states actually declared an emergency because of that, including Virginia, North Carolina, South Carolina, Georgia and Florida. There was panic buying, there were so many crazy things that happened, and it affected critical infrastructure like hospitals and emergency services and aviation, because they all depended on this pipeline to bring some of the things they needed. So just by that, it affected the entire Western United States, Eastern United States. What happened? Colonial Pipeline actually paid a $4.4 million ransom in Bitcoin to the group. The FBI was able to recover about 92% of that, but that was after Bitcoin had dropped in value, so it only came to about 2.3 million when they recovered that from the hackers. And of course, like I said, if there had been micro-segmentation, if there had been zero trust and they had good, strong identity policies, it would probably have reduced the impact or scope of that breach when it happened.

And of course we remember last year, those people who tried to go to Vegas around this time last year and couldn't get in, because MGM had an attack. There was also the hack that happened to MGM, where it was an identity attack, but it was a more sophisticated method than just traditional phishing or credential stuffing, because they breached MGM Resorts' systems. They used a social engineering tactic to actually gain access by impersonating one of the IT help desk on social media, impersonating them and then calling the help desk and saying, "I can't get my password; can you reset my password and send it to this address?" And they got the information there, and of course they were able to leverage that person's access to elevated privileges, and they were able to use that to gain access inside the network. So once inside, they deployed ransomware, encrypted systems, caused significant disruption, including disabling online reservation systems, room keys, slot machines, websites, the app and all of that. And it's estimated that MGM lost about $100 million in revenue over the week or so that this happened. Of course, there was disruption in services that happened as well, and like I said, with hindsight, zero trust, strong MFA, micro-segmentation, least privilege access could have actually prevented it, or reduced the scope, because the initial vector of attack was social engineering; that was the primary method used to gain initial access. So if there were strong authentication processes in place, that would have actually prevented the ransomware attack from escalating to the level which it did at the end. So that was also important as well. So if you're in MGM, strengthen your
authentication processes and that can help so as techn is improving the attackers have also evolved like I was saying someone it's not very often do you find attackers trying to brute force their way in they're trying to find who is a legitimate user that can steal his credentials and then use that so what are the things we can actually do now so because there's some emerging Technologies because identity security has to evolve to meet these new challenges that we're facing so for example we have Biometrics so enhance verification with Biometrics um and then there's also this thing called behavioral Biometrics where you actually can when to certain attributes or behaviors of a user such as Mouse
movements or typing patterns as a layer of authentication now that's very interesting that's next level NSA stuff but you know it's going to trickle down eventually so that things we start to think about of course also there is the risk of AI or AI in identity and access management as well um because AI is going to drive realtime decision making so it's going to enable access control and all of that so it's important that you're actually looking at all of that to really help you better manage your identity for your Enterprise of course automation as well can actually help you streamline the management of all of that thereby reducing the manal intervention you need uh and also help you speed up
response times to threats if that's whated and then of course uh another new interesting part is there's blockchain for self- Sovereign identity where you can actually determine your identity and set that up uh individuals individuals will actually own their own and control their own digital identities so thereby reducing the Reliance on the central authority of course secure data sharing where you know blockchain can actually provide tamperproof secure methods for sharing identity credentials without exposing any sensitive information and um some of the challenges we also to happen as this technology as technology starts to evolve and improve is that we're going to actually see arise in deep fake identity fraud so criminals may like we heard from Kim and and earlier use
synthetic identities to impersonate or use those techniques to bypass traditional security methods and that is a significant threat that we have to think about um evolving tactics also the C criminals are beginning to use identity based attacks um and so it's important that enterprises are beginning to improve their def defenses to actually focus on how to deal with this sophisticated methods to compromise identities so because they have to be right all the time we just have they have to be we have you have to be right all the time they just have to be right once so it's important that enterprises have to you know continually stay ahead improve and adapt to these new challenges and of course there are
privacy concerns around innovating in identity security but also trying to stay within the law around privacy and that is going to be an ongoing challenge no matter what happens so the challenge companies have to think about constantly um and user expectations around data handling is going to also evolve there so these Trends and challenges are going to highlight the need for you know continuous innovation and vigilance and identity security to sort of continue to protect against current and future threats so after all of all has been said and done what are best practices and um recommendations that we recommend so for an Enterprise to build a resilient cyber security posture identity security has to be prioritized
you know a few key takeaways for example um develop a strong security culture because security begins with a mindset so if you can help your employees your Enterprise actually forer a Security First culture across all levels so not just your sock team or your security team but everyone sales marketing HR SE Suite it ensure that everyone knows that they have a role in protecting the organization and Leadership has to actually Champion cyber security initiatives because if your leaders don't Champion it and show that they committed to cyber security and identity Improvement it's going to show to the work for and going to do that as well so leadership has to set clear expectations across the entire organization and of
course Implement robust Security Solutions you know I am an IGA SSO MFA and what have you essential for protecting sensitive data and controlling access because a strong foundation in identity security actually significantly reduces the risks of Brees and of course start small don't think well we've got this Enterprise we're going to do everything all in one day R wasn't built in the day you don't go to secur Enterprise in a day that's that's a given so start small maybe MFA start with MFA say okay for example we're going to do MFA on our privilege accounts start there and then work outwards um MFA Still Remains one of the easiest well the the most effective and
simplest ways to secure access so stop by doing that you don't need to go out and spend a ton of money or buy a ton of products to do that Implement MFA especially for your highrisk users so c s you know users who have access to elevated uh elevated accounts eled privileges of secure accounts those who have the keys to your kingdom Implement MFA for those and then expand that into the entire organization and of course regularly update your am um your am policies as well so let the security evolve as let your let your security evolve as the land as the threat landscape evolves because if it doesn't you might find that you're actually
stuck in the past and you're fighting you're fighting a battle you've already lost so make sure that you're regularly updating that review that to ensure that it aligns with current threats current business needs and let um security evolve as that and of course like I said continue to educate your employees because your employees are your first line of defense so ongoing training ensures that they aware of fishing social engineering and other identity-based threats and then tailor that training to different levels of experience to ensure that you get the maximum level of Effectiveness so by focusing on on those practices you can actually enhance your security posture create a proactive security culture and Safeguard identities in this changing
landscape that we have if you want to do some further reading there's some material you can actually read out here so there's the N 80027 which talks about zero trust there's also a Forester report on zero trust as well um and there's something my par to another a plug for about micr segmentation um and then talking about s and seam and sassy and zero trust how they all come together um and there's also a case study about implementing zero trust in organization if you want to see that and then there's some information about the r Bridges I talked about Equifax gr Pipeline and MGM and with that I'm available on LinkedIn so someone says I make a lot of noise on
LinkedIn so you can find me on LinkedIn so if you want you can connect with me I also happen to run a cyber security Focus podcast that has a very interesting funny name it's the Cyber SEC migrant I'm a migrant and I work in cyber security so very very interesting a very boring name for the podcast so you can actually look at that and at this point I will take any questions if there are
Yes, please. You mentioned ZTNA? Yes, sorry, you mentioned ZTNA. ZTNA has to do more with authorization than authentication, because it's a device-level authentication which works through a PDP, and if that is done well, then even in that scenario it also depends on the organization how effective the controls deployed are to make sure ZTNA is ineffective. So I think that's a key thing for organizations to see, the maturity, before even going for ZTNA and any other technology. Thank you.

Yeah, completely agree. Like I said, I think the future is zero trust. Is every organization at that mature level to implement that? I don't think so, but like you said, yes, it starts with the authentication, but then you can actually build on that ZTNA to determine your authorization and the level of access that you give to them. But again, keyword being proper implementation, because if you implement it poorly, then it's pointless, right? So it's important. So let every enterprise think about, okay, what's most important to us as an enterprise, and then start from there. So like I said, I'm not going to say go buy this solution or that solution. Look at your enterprise and determine what works best for you. What do we need to secure the most? Who has access to that? Where are they accessing it from? What do we do? Okay, what policies do we need to put in place to ensure that these keys to the kingdom, these crown jewels we have, are well protected, and then work from there.
Hi, thank you for the presentation. My question is regarding MFA fatigue, and I'm curious what your thoughts are, and can zero trust assist in an MFA fatigue situation?

Yeah, MFA fatigue, yes, that can be a challenge, but I think with proper education you can let your enterprise and your employees know why it's important. I think the problem is sometimes people don't understand fully why there's so much, you know, like for example, I have to log into my standard account, I have to use a different MFA factor to verify, and then I'm going to my privileged account, a different one. Why are we doing that? So if there's a lot of understanding on why we are doing that and the importance of that, I think it helps to reduce the severity of that. So education is critical in that regard. I'm not going to recommend or say, hey, there are things you can do to make MFA easier. I think just by having MFA... think of it like this: someone is trying to go into a parking lot, a parkade, to steal cars. There are five nice Lexuses, because I love Lexus, parked in the garage, in the parkade. Four of them have a steering lock and a wheel lock; the fifth one doesn't. Which one do you think the attacker is going to steal, or try to steal first? The one without the lock, because it's just easier, because he can just smash the glass, connect the wires and drive off. With the other ones, he has to smash the glass, get a cutting tool, cut the locks, remove the locks, throw them out, then get the wires, jam it. It's just too much work. So MFA, yes, just let your employees know why they are doing that, and then it helps. It just sort of deters the attackers, because it's not about if, but when, so make it harder for them to actually get to that point eventually. That's what I think.

I wasn't going to ask my question until he asked the question about MFA fatigue, and so really my comment, it's more of a comment than a question, is, I loved your presentation by the way, and I've been doing security for the majority of my career, and so when we start talking about zero trust we're really talking about authorization and authentication of every transaction that occurs, and one of the things that I think these presentations miss is the use of certificates, the use of machine-level certificates and user-level certificates on machines. So how we resolve MFA fatigue is to be able to authenticate the machine itself, right? And so therefore, even if the user clicks the MFA and sends the token to the attacker, they can't validate the machine, so therefore the attacker can't get into the environment. So if anything, I would suggest that you put certificates and certificate management and certificate lifecycle management into your presentation, because it will then bolster the conversation of zero trust.

That's true. I didn't want to be too technical about zero trust and all of that, that's why I didn't say a lot about that, but you're totally right, that does help. Yes, if you can reduce the amount of human interaction you need to verify those transactions, it makes it easier for you to actually manage all of that, which is what certificate authentication does for you.
Yes, I saw another hand somewhere here, I think.

In your experience, what's the best security awareness training program that you've come across? What we do: we onboard our clients, we give them an hour presentation of different kinds of things that can go wrong, user-based, then we have the monthly phishing campaigns, which everybody's really tired of, but you need it. What, in your experience, is the best way to train the users that's actually useful?

That's a very interesting question, because I don't think there's a one-size-fits-all. I've also not been paid by any company to tell you this is what to do, so I'm reluctant to mention any specific names. We work with a very popular Canadian company, starts with a B, so you might know the company, and they have ongoing... I think the key is continuous, ongoing training. Security training can be a once-and-done, so you have to let it... design what works best for you, determine what works best for your enterprise. Oh, our users respond well to this, how can we design ongoing training around this that makes it easier for them to understand the challenges we face? So I think that's the important thing. I've been told to stop because I think we need to get ready for the, uh, but I'm still around today and tomorrow, so if anybody wants to stop and chat, please feel free to stop me, and thank you for listening to my thoughts this afternoon.
Right, a big thank you again to FEI, thank you so much. In 10 minutes there's going to be another talk in this room regarding the Internet of Things in a decentralized world and how security relates to that.