
But as I mentioned, John Murray, Security and Compliance Specialist at Microsoft. I try to approach these talks in a really vendor-agnostic way. I'm going to talk about concepts that are important, and it's not so much important what vendor you're using, as the concepts still apply. I like to throw that disclaimer out whenever I give talks like this.

So I think we're all certainly aware that times have changed. We're living in extremely interesting times now, and that really translates to the way that we manage security and identity and these types of things.

Back in the 90s, we would come to the office, we'd turn on this big beast under our desk, go make a cup of coffee and hope that it was up and running when we came back. And really, by 1995, most security concerns were around the network: securing that network, putting firewalls in place, having VPN tunnels, things like that. And everything that we cared about was really kept within those walls, kept within that firewall. And as we know, that's no longer the truth today, right? Times have changed. We've seen an evolution in the digital space: SaaS
applications being launched, public Wi-Fi that provides convenience but also provides additional security risk, mobile devices. A lot of organizations are allowing folks to use their own mobile devices; employees frequently have more than one device that they're working from. And even in the IoT space there have been a lot of introductions; there are now billions of connected devices in the world. And then in 2011, Office 365 launched, and a lot of companies have been moving to that, to SaaS services providing their critical work functionality and productivity suite. So whether it's Office 365 or G Suite or whoever you're using, most organizations are shifting from that everything-within-the-on-premises model to something that looks a little bit more like this, where we still have our corporate network, and that's still important. I'm absolutely not going to say that it's not important to have firewalls in place and things like that, but we need to worry a lot about everything outside of that, right? So we have SaaS applications and data being put in the cloud, and people accessing things from mobile devices. We have our business partners connecting and collaborating on different projects and resources within the organization. We have personal devices that people are able to do work from; people are getting their email literally in their pocket, which wasn't something that we used to be able to do. So things are a lot different, and we have to address the changing security landscape that comes along with that.

It's now gotten to the point where, even if you look at Gartner, who said this in a report they created called The Future of Network Security Is in the Cloud, in it they said that
the legacy data center as the center of the universe is an obsolete model, and has really been an inhibitor of success in growing the digital business. And so our assumptions of the way things used to be, with users being employees, and corporate-managed applications and on-premises apps, those have really changed. We're now seeing that we have employees, we have contractors, partners, even customers that are able to access some of the digital estate. Corporate-managed devices: that's no longer the standard. We have people bringing their own devices, or maybe doing work from a personal device at some point. We have on-premises applications, and now we have an explosion of cloud applications; almost every app that you ever ran on premises now has some equivalent available in the cloud. Corporate network and firewall: well, we know that there's a hugely expanding perimeter, that there are more devices and applications, and that your data is in more places than ever. And local packet tracking and logs, that was all pretty simple; now we have an overwhelming source of signal available, and a lot of cloud vendors are positioning that type of data and that telemetry to actually help their customers. So that's the good side.

But as I said, the world has changed. There are three studies that I've cited here: one is on IoT, another is on the state of the cloud, and finally bring-your-own-device usage in enterprise organizations. And you can just see some of the staggering numbers here, right? Seven billion internet-connected devices in the world. Sixty percent of organizations formally allowing bring your own device, or users doing work on personal devices. 5.2 mobile business applications on average used daily by employees, and
of course 94% of organizations using cloud technology in some form. And so this brings us to this new model of security that we need to consider, which is zero trust. That is really an approach to security where we operate as if every access attempt was coming from an untrusted network, right? So we can't rely on the fact that everybody on our network is a legitimate user. There are lots of attacks out there on VPNs and things like that, and it's no longer sort of the gold standard of security. Talking to some of the larger or slower-moving organizations in terms of security, they still want that VPN connection before you access certain applications or data, but really that's not enough to say that we have security, that we have a level of trust that's good enough to provide access to those applications and data.

And so zero trust really has these principles: we need to verify explicitly every access attempt; we need to provide least-privilege access (this of course is a pretty old, not dated but pretty old, and still true principle in terms of access); and we need to operate with the assume-breach mentality, right? James Comey once went on 60 Minutes and, while he was talking specifically about the Chinese government, he said that there are two types of organizations in the world: those that have been breached and attacked, and those that don't know that they've been breached and attacked. So, interesting words there, and it's true. We're seeing all kinds of nation-state attacks out there; attackers have gotten far more advanced, and so we need to change the way that we operate in order to face that challenge head on.

A bit of history on zero trust. So
all the way back in 2004, the Jericho Forum was established to start talking about the idea of de-perimeterization. Then in 2009, Operation Aurora was one of the early and very, very public APT attacks, a nation-state, China-sponsored attack where the Elderwood Group, an APT, conducted a series of attacks on different private-sector companies who did business in security and defense. Those attackers were able to get access to those internal networks and then just move laterally, right? And they were undetected for quite a long time. In 2010, John Kindervag of Forrester Research, who is now the CTO of Palo Alto, coined the term "zero trust networks", and that sort of just evolved to just "zero trust" or "zero trust access". And in 2014, Google published the BeyondCorp research paper. I'm not sure if you've read that; it's very, very interesting, and I highly recommend reading it for anybody who works in security. So we saw one of the first papers on how a big company like Google is moving to the zero trust model.

And so why are we having this conversation? So we know that things have changed, and we know that we need to move to this model and this way of thinking, and there are a number of reasons for that. So security is complex, right? We have so many different devices and users and connections out there, like I mentioned. And again, a trusted-network security strategy is just not enough, right? Initial attacks used to really be focused on the network; they were simple and seemingly economical, and we accepted lower security within the network as long as we had that strong defense at the perimeter of the network. So attackers have really shifted the way that
they're doing things. They've shifted to identity attacks, things like phishing and credential theft. Security teams are often getting overwhelmed with the sheer amount of signal and alerts and things that are coming in, and the probing and these types of things that are happening on their network. And we're seeing that those assets, again as I mentioned, are increasingly leaving the network in the form of mobile devices and SaaS applications, and of course now definitely working from home.

And so if we look at the types of attacks that are out there, we've seen a 300% increase (this statistic was from 2017, but you can imagine that a lot of these are still very true today) specifically in identity-based attacks. And some interesting statistics from 2018 there as well: lots of password spray attacks, breach replay, people trying to use the same passwords that were previously compromised. Phishing is a huge one, and I see that across a lot of different industries; it's still something that folks are very often falling for. And really these are all aimed at harvesting and getting those credentials.

So this really puts us in a spot where we need to secure the identity. Verizon publishes their Data Breach Investigations Report every year; the 2018 report specifically cited that 81% of data breaches involve weak, default or stolen passwords. So pretty interesting statistics there. If you look at the reports from 2019 and 2020, there's a pretty consistent theme: they don't cite the exact same statistic, but you'll see that the majority of data breaches are stolen credentials, phishing, right, which are kind of one and the same; just the means that you go about stealing those credentials might be a little bit different. And so this brings us to trying to have the mindset that identity needs to be at the center of security. So with security in the cloud, you want to have a rich breadth and depth of data, you need to have powerful algorithms and end-to-end integration, and so the linchpin really becomes that identity, and protecting that identity.
And so if we look at what a zero trust architecture is now going to look like, we see things like protecting the identity. A big one is multi-factor authentication. There are so many organizations out there that are not currently leveraging any kind of multi-factor authentication, and as such they're doing themselves a huge disservice. We know that there are so many attacks that are based on the identity; we also know that multi-factor authentication is going to prevent 99.9 percent of those. Whenever we implement multi-factor authentication, there are several different ways of doing that, from the very, very secure, with something like a FIDO2 security key, where we have a private/public key pair, and we're authenticating with a biometric, and we have the device, and maybe we're providing a PIN at the same time. So we're providing those multiple factors of authentication to really verify the identity of the user, and that's a huge piece when we think about zero trust: verifying that identity.

The other thing we have to look at is the device. What device are they coming from? Are we going to allow a managed device or an unmanaged device to access our resources? And we have to evaluate that in accordance with policies, right? So in some cases we might have a policy for things like user risk. If we can evaluate the user risk, an example might be: we saw somebody log in from Toronto this morning, and then this afternoon they logged in from Beijing or St. Petersburg or somewhere very far away in the world where we would not expect them to move that way, and we're going to have to assign a bit of a risk score to that, right? So when we get that telemetry, we evaluate what's happened, and we give the identity a risk score that says, hey, maybe this authentication is a bit of a higher risk and we're going to need more assurances on who the user is when they're logging in.

Once we have access to that data, we have to continually monitor that, continually evaluate that, right? If something changes, if the user is going to change networks, for example, to a network, or an IP address rather, that might be part of a known bot network or something like that, it's going to change the level of assurance that we have and the level of trust we have with that authentication. So continuous evaluation is always going to be important, again tied back to that identity.

And then with your data specifically, whether you're accessing data in SaaS applications or on-premises applications or wherever it is, we really need to do a better job as security pros of making sure that our sensitive data is protected, right? We've heard all too often about unencrypted databases that contain customer information in data breaches, and things like this, and we have to make sure that we're doing a better job of protecting that data. It's really part of the broader zero trust
story.

Perfect, okay. So yeah, as I mentioned, I put together a number of resources here; they're very valuable, and there's a lot of good reading included in there. I do see that there's a lot of great engagement in the Discord chat, and so I will definitely be available there to answer questions and provide additional insight. This was a quick talk, and I realize we had some technical difficulties; I apologize for that. But if you do want to reach out or have a conversation about this further, or pick my brain or just have a virtual coffee, please feel free to connect with me on LinkedIn or Twitter, where I generally share a lot more about this type of stuff, and I'm happy to connect with any like-minded security pros that are out there. So thanks very much to Max and the BSides team; I appreciate being included as a presenter today. And again, I'll be over on the Discord answering all your questions.

Wonderful, thank you very much. Sorry for the technical difficulty; we're very happy to have you present this stuff. There was one question that came in quickly: is there a source for any sort of numbers for MFA-protected accounts being breached versus non-MFA?

I'm sure there is. Let me do a quick look at some of ours, because I know Microsoft actually has a lot of internal statistics, having one of the largest enterprise identity stores in the world in the form of our Azure Active Directory. We should have some of those statistics, so let me do some digging and I will post.

Sure, there'll be people hanging out in the Discord. So thank you very much, we really appreciate it, and we'll drop the feed now for intentional reasons.
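The user-risk and continuous-evaluation checks the talk describes (a Toronto sign-in in the morning followed by a Beijing sign-in the same afternoon, and a session whose IP later shows up on a known bot network), as an added example that is not part of the talk or of any Microsoft product: a small policy evaluator that scores a sign-in by the travel speed it implies, maps risk and device state to allow / require MFA / block, and re-evaluates an already-allowed session. The city coordinates, the bot-network list and the speed thresholds are constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime

# Constructed lookup table: city -> (latitude, longitude). A real evaluator would
# geolocate the sign-in IP instead of trusting a city name supplied by the client.
CITY_COORDS = {"Toronto": (43.65, -79.38), "Beijing": (39.90, 116.40), "Ottawa": (45.42, -75.70)}
# Constructed threat feed: IPs assumed to belong to a known bot network (TEST-NET-3 placeholder).
KNOWN_BOTNET_IPS = {"203.0.113.7"}
MAX_PLAUSIBLE_KMH = 1000.0  # assumed cut-off: faster than an airliner means impossible travel

@dataclass
class SignIn:
    user: str
    city: str
    ip: str
    at: datetime

def make_signin(user, city, ip, iso_ts):
    """Build a SignIn from an ISO-8601 timestamp such as '2020-10-03T09:00:00+00:00'."""
    return SignIn(user, city, ip, datetime.fromisoformat(iso_ts))

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def travel_risk(prev, cur):
    """Score the newer sign-in by the speed the user would have needed to reach it from the older one."""
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    km = haversine_km(CITY_COORDS[prev.city], CITY_COORDS[cur.city])
    if hours <= 0:                      # same instant (or out of order): only a location change is suspicious
        return "high" if km > 0 else "low"
    speed = km / hours
    if speed > MAX_PLAUSIBLE_KMH:       # Toronto in the morning, Beijing the same afternoon
        return "high"
    if speed > MAX_PLAUSIBLE_KMH / 2:   # fast enough to want more assurance, not impossible
        return "medium"
    return "low"

def decide(risk, device_managed):
    """Policy: high risk is blocked; medium risk or an unmanaged device needs MFA; otherwise allow."""
    if risk == "high":
        return "block"
    if risk == "medium" or not device_managed:
        return "require_mfa"
    return "allow"

def reevaluate(decision, current_ip):
    """Continuous evaluation: an allowed session loses its assurance when its IP joins the bot-network list."""
    if current_ip in KNOWN_BOTNET_IPS:
        return "require_mfa"            # a stricter policy could return "block" here
    return decision
```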