Why ‘Zero Trust’ is Driving an Identity Centric Security Strategy

Thank you.
Okay. So welcome everyone. And, and, and thank you. It's my first hybrid event presenting to hybrid event. So I hope both audience in person and online will enjoy the session. My name is yal MOS. I'm vice president of strategy and go to market for identity security at Cy a I've been in Cy a pretty much since it's inception helping customers around the world, secure the most critical assets. My time in Cy, it's been an incredible journey. Cyber's pioneered the pan market and continuously is recognized as the leader in that space in today's session, we'll be going over some background to why identity, where the human or machine identities have become the primary target for attackers. We talk about the rise of zero trust and why identity security approach is key. Okay, so let's get going.
We'll start with some of the key drivers leading cyber and the market towards insecurity. Most of you're familiar with all of these I'll I'll breeze through this quite quickly, but the first is, is digital transformation, which has been a major trend way before the pandemic. And, and since the beginning of, of, of the COVID crisis, this, this trend has accelerated, and there's been a dramatic adoption of cloud applications, infrastructure, and it's become an absolute must pretty much for every single business to the point that many businesses can't even operate their business, unless they've made this dramatic shift, allowing users to work from anywhere and engaging with customers with completely new technology, new platforms, companies are now facing new dynamic environments, increased demand for automation and are in constant motion to adopt new technologies, the number of identities and all the specific entitlements of these identities at all of these companies leveraging these new technologies is exploding. And within the threat landscape, if the right controls are not put in place, these can provide an attack path to an organization's most valuable assets.
In addition to this major increase in identities, that definition is privileged has changed in the on-prem world. It was very clear that the, the difference between what is defined a privilege user and what is defined a regular or considered standard user traditionally privileged access would refer to it users. This is not the case in the cloud and hybrid infrastructure and SA world. There's the dramatic rise in the number of users who can be a privileged access or required privileged access at certain moments of time. And these represent a potential pathway for an attacker to exploit as a minimum users across the organization were now expected to, to be able to work from anywhere they remain key targets for attackers and without those traditional network boundaries that were, that were in the past, we've been used to, to protect them. The, the identities themselves become the new perimeter. And lastly, in the last couple of the years, there's been a continuous major rise in frequency and sophistication of cyber attacks from solo winds to the attack on colonial pipeline and the daily ransomware reports that we hear every day on the news and in conversations. And I've heard from the previous session and some of the conversations as well, that it's already been discussed quite a lot in this event as well.
The expectation that this just continues on this trend and the sophistication and scale will continue to rise. So we'll go into this deeper in the next few minutes here, just a few examples that will go a bit deeper on examples of the innovation and, and audacity of some of these attacks. And if you look at some of these examples from SolarWinds to the zero day attacks zero day vulnerabilities with the Microsoft exchange from a few months ago, and generally, generally ransomware in the, the first appearance, they seem very, very different, but ultimately they share a similar goal from the attacker's point of view. So let's have a closer look.
So ransomware continues to terrorize us and, and many of the news making attacks these days are ransomware. And for the moment, this doesn't seem to slow down. Most likely a combination of low cost of running such attacks together with a very high success rate. These attacks are similar in structure as described here. And most likely this structure is, is familiar to you. You've seen you, you most likely you've seen other in this event and others. So we won't go too deep into this, but most ransomware attacks start with the initial compromise other user station through various mechanisms, such as phishing email, where our user simply clicks on a fake link that triggers and execute an initial ransomware code. Once the workstation connection is established, they move to phase two, which is propagation compromising. The endpoint is not the objective. It's just the beginning. The next step is to threat it, to spread across the organization by leveraging attack methods that expose credentials and escalate privileges. Without these steps, an attacker can't achieve their goals and ultimately cripple the organization by encrypting data and, and these days stealing that data as well.
If we look briefly at the solo winds attack, the attack has been, which has been discussed and dissected ever since its discovery earlier this year, but the attack is very known and categorized as one of the most sophisticated supply chain attacks that leverage a supplier from an organization, whether it's a service or product to infiltrate the organization. And what you see here is three stages of the attack has been structured by the us cyber security and infrastructure security agency. And the first stage, it's basically the attack on solo winds and the Orion code Orion is their product. If you have read up, up on this, the attackers basically managed to break in and access the code and discreetly plant their own code, which will be automatically pushed to the customers around the world. Stage two focused on first patiently learning about the organization's network with a big focus on not being detected.
And in many cases waited for weeks before taking any action and scan for any security tools. If, for example, the, the, the code landed on a certain device, which has a certain security tool. The code wouldn't act the attack wouldn't happen, and it won't. So in order to not raise suspicion, however, as you can see in stage three, once safe within the target organization network, the next step was to elevate privileges in order to fulfill their SBN campaign. Now, supply chain attacks with the pro with the products or third parties who have access to an organization is, is of course a major challenge. But the key takeaway here is that hijacking identities, escalating privileges is a CRI critical part of the pathway of, of the attack. No matter how it foothold was established, by the way, the reason why the Orion software was targeted is really made clear. When you look at this at this line and the type of access the Orion platform has, the purpose of the software is to monitor and manage systems and assets across the organization. And in order to do this, it does need a certain level of privileges and credentials to each one of these systems control over the Orion software essentially gives access to all of these other capability servers infrastructure as well.
The final example, which has also been front news front page news this year is the Microsoft exchange vulnerability specifically the four zero day vulnerabilities that impacted thousands of organizations around the world. The vulnerability itself is, is, is basically remotely exploitable and does not require any authentication of any kind. And it doesn't require any special knowledge of the target account. The attacker just needs to know the server running exchange and the account from which you want to exchange at the extract emails and information. This, this made it a massive issue across the world, and therefore the big push to patch these systems globally. However, despite emails being some of the main headlines and reaching around around this potential damage, it's actually key to understand, and it's kind of emphasized here, but it's key to understand that the attackers didn't stop there. You can see the terms, persistent system access and compromise trust and identity. According to cyber security experts. Once the foothold was established through the exchange vulnerabilities, attackers ran other operations like dumping credentials, adding user accounts to systems stealing copies of, of the active directory database and move laterally to other systems and environment.
So what you see on the screen right now is basically a, a very general it infrastructure cloud hybrid on on-prem. It doesn't really matter, but it's, it's split into three tiers of criticality, tier two, typically endpoints workstations, basically where the users and laptop set tier one represents the higher, more sensitive part of the infrastructure. For example, server infrastructure. When you run applications and databases, et cetera, tier zero represents the most critical areas of your environment and components that if they were compromised, it would pretty much be game over. And it'll be a massive level of, of, of, of crippling or damage or information stealing from the organization. And even attackers can take full control over critical areas of your organization. So that's tier zero in many cases, to move laterally in an organization and achieve these higher level of privileges. Attackers use methods that are actually very well known, zero day attacks like the vulnerabilities found in Microsoft zero day attacks are basically attacks that people haven't heard of vulnerabilities that haven't been used before.
They're expensive, and they're not really used in many of the attacks that come on the news. So it's many cases. It's, it's the basics. This is why targeting identities is so common. There's just so many of these targets and the exist everywhere inside the organization. There are many attack methods available to move deeper and achieve higher privileges and gain access to more critical assets and critical to. So if we refer back to the attacks that we just talked about, then if we refer back to the attacks that we just talked about, ransomware normally starts at the endpoint, the workstation through again, through some sort of fishing campaign or whatever that might be. And then it tries to work its way deeper gain, further privileges, unique and exceptional attacks that come on the news, such as leveraging SolarWind or the zero Dave vulnerabilities and Microsoft are special.
And they're special because they're, they put you in a unique starting point in the organization, usually in a, in a deeper, more exposed area inside the organization, a softer spot from a security point of view. And, and you can see here on the diagram, and this is kind of very generally drawn out, but it's, it's very conceptual, but the exchange zero day attacks compared to the ransomware would get you straight into tier one, the exchange servers, which are on that tier of, of the environment while solo winds arguably takes you even deeper and potentially even to a certain level of tier one, depending on the credentials and privilege access that the Orion system has. So whatever the entry point, whether it's ransomware, which, you know, the attackers are not very discriminative, they're not looking, they're not attacking specific organization to more sophisticated attacks that may be more targeted. The attacker still needs to continue whatever the entry point, whatever the breach point attacker still needs to expand out of that entry point. And the most consistent method is to continue to hydro credentials, steal identities, move laterally, and escape and, and, and escalate privileges.
So with this transition that we previously discussed towards more cloud based applications, infrastructure together is the major shift to allow users across all of the departments to work pretty much anywhere. It has eliminated the option to rely on some sort of perimeter that protects your networks. It becomes even more complex when you start looking at all the different types of identities from business users, bots, developers, remote users, et cetera, with everything that's going on and the speed of change, sorry, everything's going on in the speed of change. It's virtually impossible to predict for where the next attack would come from, but what's clear is next step looking to expand access and, and achieve a higher level of privileges. This is why today's experts recommend taking an assumed breached approach and focusing on the identity and how it can be leveraged by an attacker to move across the organization.
So ultimately this makes the identity, the fundamental control point for security to reduce breach opportunities for attackers and together with the assumed breach mentality and essential consideration when looking at existing applications. And of course, any new technology that you're introducing to your organization. And this finally is how it connects with, with zero trust. It's a very popular term these days, and, and you must have had heard a lot about it and probably in some form of relationship to identity as well. And we do have a lot of customers asking us about how cyber can help and implement zero trust type controls. So let let's go over it briefly. So zero trust is, is in a nutshell means that you can't just trust a user because they have preconfigured access to a system. You can see some of the basic key concepts here. First of all, you need to verify every identity, making sure that every user is who they claim to be with strong authentication and leveraging some form of an analytics to determine if there's any potential risk with a certain connection request, you need to validate their device.
What do we know about the device they're connecting from? Is it their normal PC? Is it secure? Is it hatched? Are they using a public computer? And what is the current security posture of that device? And after varying those two, verifying those two, we need to then intelligently limit privileges to ensure that the user only has rights to perform the task at hand while limiting any excessive rights implementing zero trust means moving away from situations where users typically had regular standing access to systems, whether or not they were actually using those privileges at the time.
Lastly, we must continuously monitor, adapt and, and, and, and analyze the risk, making sure that we are reassessing and adapting, the decisions that we are making depending on the change changing environment with every single connection and any further elevation request afterwards, zero trust is a very strong approach for addressing these challenges and organizations do need the solutions, technologies, and expertise to help them adopt it. And, and this leads to identity security, which focuses on how to secure individual identities throughout the cycle of, of accessing critical assets, whether on premise or, or in the cloud, this means authenticating the identity accurately and the device being used, authorizing author that the identity with the proper permissions has the right permissions just in time, just enough, basically the least privilege approach and providing access for that identity to, to those privilege assets in a structured and secure manner from monitoring the sessions to securing those sessions, to ensure that those sessions cannot be bypassed or hijacked or whatever that might happen throughout do all of this in a way that can be audited to ensure that the entire processes sound together with some form of analytics to as mentioned before in the authentication and other one, all of these layers require that level of authentication and analytics to analyze the current state and, and analyze any issues or threats throughout there.
Isn't anything specifically new with some of these concepts like authentication and authorization, but what is new, how these concepts work together to and implemented together to meet today's use cases while taking to account the current cyber security landscape identity means doing all these things consistently for each of our user types, across the entire entire it environment. And applying stronger layers of controls when users require elevated privileges.
So let's discuss some helpful tools that can get you started. The following tools from cyber are actually free and, and you can start using them time. The one on the left cyborg DNA will help you uncover privilege access and security weaknesses across your, your, your environment on-prem cloud hybrid. It will show you the magnitude of the exposure and provides guidance on how to focus the organization's defenses and prevent and minimize the chances of attacks and the chances of those attacks damaging the organization. So it literally maps it out and visually, and it can show you exactly what, where those paths are. The cyber cloud entitlements manager, focus on helping you assess and manage the thousands of permissions in your cloud environments, AWS Azure, Google cloud. And it helps you remove those excessive permissions that users might have across your cloud footprint and, and applying these privilege in order to reduce that risk in your cloud environment, just Google the terms on screen and, and you can try these out. And I'm sure I'm very certain that these will help you.
Lastly, I'll leave you with a couple of questions that can help get you started when, when implementing new technologies and considering how these are secure, do you take and assume breach approach? What would happen if an identity is hijacked? And then when looking at the flow of providing access to critical assets, do you have all the controls in place to reduce this risk and ensure accountability? And you can consider all the layers that we talked about before from the strong MFA to entitlement management privilege, access management secrets management for, for the, for the code and developers to, to manage those credentials, securing the session, ensuring that it's it's protected itself and not hijacked and, and actually auditing and recording what's going on throughout the session. So these are just examples of some of the controls they need to put in place, especially when looking at critical assets. And it's, it's, it's a great reference. Just think about it in that way.
Making sense of all these controls though, and even understanding where it can can start is, is, is a big challenge. It could be quite challenging for organizations of different size and types, and there isn't necessarily one size fits all. However, CyberArc does work with its customers to develop best practices and to share those best practices. We get asked this all the time and we do share it online as well. So if you're not familiar with the cyber blueprint, it's basically a best practice framework that provides very specific prescriptive guidance designed to reduce risk and protect your organization against attack. Ultimately, it will help you build your program priorities roadmap and, and help you identify quick wins and balance those priorities, the, the cybersecurity priorities with other corporate pressures and priorities as well. So I, I do strongly commend checking it out again, just Google cyber blueprint to find out more. That's it for today. I hope you enjoyed the session and, and that you found it informative and helpful, and yeah. Thank you.