Wednesday, June 9

Bell Labs, the Colonial Pipeline and Multi-Factor Authentication (MFA)

A simple technology invented by Bell Labs over 20 years ago (and widely used today) could have prevented the Colonial Pipeline attack.

In 1880, the French government awarded Alexander Graham Bell roughly the equivalent of $300K as a prize for inventing the telephone. He used the award to fund the research laboratory that became colloquially known as Bell Labs. If you’re not familiar with Bell Labs, you should be. In the 140+ years that followed, researchers at Bell Labs invented radio astronomy, transistors, lasers, solar cells, information theory, and UNIX, just to name a few of the many accomplishments. Among the many prestigious awards granted to Bell Labs researchers are nine Nobel prizes and twenty-two IEEE Medals of Honor.

In 1998, I joined AT&T Labs, which was a research group that the company retained when they spun out most of Bell Labs to Lucent Technologies in 1996. I was a Web Application developer; one of the least technical roles in the Labs. If I ever thought for a moment that I knew technology, I was quickly humbled when I built an app that tracked the Labs' actually important projects. The experience of working in the Labs stuck with me in the form of humility and curiosity. I accepted that I may never be the foremost expert in any given technology and I assumed the mindset of a forever student. Even today, I constantly question what I think I know because there are always holes in my knowledge or perspectives that I haven’t seen.

1998 was the same year that researchers at AT&T Labs were issued a patent (filed in 1995) for what became known in our industry as Multi-Factor Authentication (MFA). As a Product Manager at a tech firm, I don’t review patents for legal reasons. But I recently saw an excerpt of the abstract for the AT&T patent and there was one line that I found entertaining: “A preferred method of alerting the customer and receiving a confirmation to authorize the transaction back from the customer is illustratively afforded by conventional two-way pagers.” Not much has changed in 23 years. Pagers have been largely replaced by SMS but text messaging through the telecom provider’s network remains one of the most popular delivery mechanisms for MFA (despite some potential security flaws). 

I have no personal insight into AT&T’s motivations at the time, but I read Kevin Mitnick’s book a few years ago (Ghost in the Wires) and can’t help but wonder if AT&T was at the forefront of developing security technologies because they were such a target of hackers for so many years. I also reached out to Steve Greenspan, one of the inventors named in the patent to get his thoughts on the project. He noted:

"Two-way pagers had just come out (1994-1995), and our cybersecurity friends were debating whether quantum computing would undermine password-based security. The goal was to explore business applications for two-way pagers and to put humans in-the-loop for secure access."

Quantum computing is a a pretty interesting business driver for MFA, especially in the mid-1990's. The concern is even more relevant today as we inch closer to quantum compute becoming a practical reality. Today's authentication systems should store password data in non-reversible hashes (theoretically preventing the quantum threat), but it's clear that credentials are being stolen all the time (often via large databases that are just left unprotected) and MFA remains a top solution to mitigate the damage. Steve and team were clearly on the right track when they dreamed up out-of-band authentication and deserve some credit and recognition for the foresight.

You may be wondering how this relates to the pipeline attack that led to fuel shortages across the U.S. East Coast. Bloomberg reported that the Colonial Pipeline, which is the largest fuel pipeline in the country, was taken down by a single compromised password. That should never happen given the variety of tools available to limit and control access, starting with MFA – a relatively simple solution that would likely have prevented the attack. The entry point to the system was a Virtual Private Network (VPN) account. If you’re using a VPN and expose anything sensitive inside the VPN, you should implement strong authentication that includes at least two authentication factors (something you know, something you have, something you are). These are widely available technologies that are very effective against lost or stolen credentials.

Of course, authentication isn’t the end of the story. Today’s widely distributed and highly dynamic environments require multiple layers of security. We all know how popular email and phishing attacks have become. It only takes one person inside a network to open an email, click a link, or logon to a phishing site to give an adversary a foothold in the network. We have to assume that will happen and build layers of strong security between any one user and the potential targets.

To illustrate the point, here’s a quick example:

Grocery stores who sell small, high-value items have traditionally struggled with theft. (Ask me over a beer sometime about how I helped take down a recurring thief when I worked at a grocery store.) If the only answer was to authenticate users (check ID) on the way into the store, it wouldn't be enough. Once inside, someone can still pocket items and walk out without paying. If you walk into a grocery store today, you’ll see cameras in the healthcare aisle where small, expensive medications line the shelves. But that’s not enough either. Each item is also locked in an anti-theft device that’s removed at the register. And some items are found in a locked cabinet that requires employee assistance. Theft still happens, but each layer reduces the risk. Our IT environments are much more complicated in terms of the various pathways to theft and our responses to reduce risk typically require more than a few layers of security.

Sensitive data should only be stored in a secure area of the network with access controls and Least Privilege enforcement. Access should be limited to specific hosts or networks. Data should be encrypted (inside the file when possible - so if the file is stolen, the data is still unusable). There should be strong authentication to get into the network and monitoring of all activity. There should be alerts on unusual behavior and Data Loss Prevention (DLP) to evaluate the sensitivity of data moving across the network. The environment should be scanned regularly for vulnerabilities and misconfigurations. And on and on. Any one of these security mechanisms alone is not enough. This multi-layered approach to security is critical in developing a strong security posture that minimizes risk.

We could argue about where to start or which security controls are most important. But, it seems like a no-brainer to implement MFA for employees accessing corporate data and applications. Microsoft, who deals with 300 million fraudulent sign-in attempts daily concluded that “MFA can block over 99.9 percent of account compromise attacks.” That sounds about right. While targeted attacks have increased in prevalence, most attacks are not targeted at specific companies or individuals. Most start with automated scripting or broad-scale phishing attacks that span across potentially thousands of companies and/or millions of people at the same time. When a foothold is found (a script finds a vulnerability or an open port, a user enters credentials into the phishing site, etc.), the attack begins. Implementing a few simple security technologies like automated vulnerability scanning and MFA can prevent most attacks before they begin. Even if a sophisticated phishing attack succeeds despite MFA, the credentials will not be very useful beyond the initial session (which should be limited in scope by other controls).

No single technology will solve all cybersecurity problems. But, implementing MFA is low-cost, easy-to-implement, and highly effective. It may even make life easier for end-users. Password requirements can be loosened because there’s less risk associated with cracked passwords. And there are numerous implementations of passwordless authentication that, while they may not always meet the strict definition of MFA, provide similar (sometimes higher) levels of security as MFA without requiring a password. Combined with context-aware adaptive security (that verifies device, network, location, time-of-day, etc.), these passwordless authentication options may provide the right level of balance between security and user experience. At this point, this isn’t scare tactics or FUD. Attacks on National infrastructure or other high-profile targets can impact the lives of millions with a single execute command. MFA is an easy layer to add to improve security and it’s commonly included with authentication solutions, so there’s really no excuse. It’s time to get it done.

Monday, February 8

Comprehensive Identity-as-a-Service (IDaaS): Protect all your apps with cloud access management

Comprehensive Identity-as-a-Service (IDaaS): Protect all your apps with cloud access management

Over a decade ago, the need for quicker SaaS onboarding led to Siloed IAM for early IDaaS adopters. For many, IDaaS evolved to a Hybrid IAM approach. Today, Oracle’s IDaaS provides comprehensive coverage for enterprise apps. 

"IDaaS has matured quite a bit over the last several years and no longer relies as much on SAML or pre-built app templates. Today, Oracle Identity Cloud Service helps manage access to virtually any enterprise target. To accomplish that, we’ve introduced several technical approaches to bringing more applications into the IDaaS fold with less effort. These approaches, combined, provide the easiest path toward enabling the service to manage access for more systems and applications."

Read more on the Oracle Cloud Security Blog > Comprehensive Identity-as-a-Service (IDaaS): Protect all your apps with cloud access management.

Tuesday, December 22

Oracle Strengthens Interoperability and User Experience with General Availability of FIDO2 WebAuthn Support for Cloud Identity

"Given the distributed nature of today’s technology environment, zero trust has become the standard for security. Every interaction must be authenticated and validated for every user accessing every system or application every time. To that end, interoperability is more important than ever.To that end, interoperability is more important than ever. FIDO2 Web Authentication (WebAuthn) is quickly emerging as an important interoperability standard that enables users to select and manage an authenticator of their own (security keys, or built-in platform authenticators, such as a mobile device) that works with their web browser of choice (Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, etc.) for secure access to any websites or applications that support the WebAuthn standard."

"Oracle is happy to announce the general availability of FIDO2 WebAuthn for our cloud identity service. This means that websites and applications that are protected by Oracle can enable their audience of users to authenticate with FIDO2 authenticators for multi-factor authentication (MFA) as well as passwordless authentication. This simplifies the user experience and may reduce the number of authenticators that users need to access the variety of web applications they interact with on a regular basis. Ultimately, this gives users more choice, more control, and a frictionless user experience.

Read more on the Oracle Cloud Security Blog > Oracle Strengthens Interoperability and User Experience with General Availability of FIDO2 WebAuthn Support for Cloud Identity.

Tuesday, November 24

Modernization of Identity and Access Management

From the Oracle IAM blog:

"Oracle has been in the IAM business for more than 20 years and we’ve seen it all. We’ve addressed numerous IAM use-cases across the world’s largest, most complex organizations for their most critical systems and applications. We’ve travelled with our customers through various highs and lows. And we’ve experienced and helped drive significant technology and business transformations. But as we close out our second decade of IAM, I’m too distracted to be nostalgic. I’m distracted by our IAM team’s enthusiasm for the future and by the impact we’ll have on our customers’ businesses in the decade to come. Central to that is the focus to respect our customer's identity and access journey and meet them with solutions that fit their individual needs."


Monday, August 24

Addressing the Cloud Security Readiness Gap

Cloud security is about much more than security functionality. The top cloud providers all seem to have a capable suite of security features and most surveyed organizations report that they see all the top cloud platforms as generally secure. So, why do 92% of surveyed organizations still report a cloud security readiness gap? They’re not comfortable with the security implications of moving workloads to cloud even if they believe it’s a secure environment and even if the platform offers a robust set of security features. 

Two contributing factors to that gap include:

  • 78% reported that cloud requires different security than on-prem. With security skills at a shortage, the ability to quickly ramp up on a new architecture and a new set of security capabilities can certainly slow progress.
  • Only 8% of respondents claimed to fully understand the cloud security shared responsibilities model; they don’t even know what they’re responsible for; never mind how to implement the right policies and procedures, hire the right people, or find the right security technologies.

I recently posted about how Oracle is addressing the gap on the Oracle Cloud Security blog. There's a link in the post to a new whitepaper from Dao Research that evaluates the cloud security capabilities offered by Amazon AWS, Google Cloud Platform, Microsoft Azure, and Oracle Cloud Infrastructure.

Oracle took some criticism for arriving late to the game with our cloud infrastructure offering. But, several years of significant investments are paying off. Dao's research concludes that “Oracle has an edge over Amazon, Microsoft, and Google, as it provides a more centralized security configuration and posture management, as well as more automated enforcement of security practices at no additional cost. This allows OCI customers to enhance overall security without requiring additional manual effort, as is the case with AWS, Azure, and GCP.

A key take-away for me is that sometimes, the competitive edge in security in delivered through simplicity and ease of use. We've heard over and over for several years that complexity is the enemy of security. If we can remove human error, bake-in security by default, and automate security wherever possible, then the system will be more secure than if we're relying on human effort to properly configure and maintain the system and its security.

Click here to check out the post and the Dao Research whitepaper.

Monday, October 15

Improve Security by Thinking Beyond the Security Realm

It used to be that dairy farmers relied on whatever was growing in the area to feed their cattle. They filled the trough with vegetation grown right on the farm. They probably relied heavily on whatever grasses grew naturally and perhaps added some high-value grains like barley and corn. Today, with better technology and knowledge, dairy farmers work with nutritionists to develop a personalized concentrate of carbohydrates, proteins, fats, minerals, and vitamins that gets added to the natural feed. The result is much healthier cattle and more predictable growth.

We’re going through a similar enlightenment in the security space. To get the best results, we need to fill the trough that our Machine Learning will eat from with high-value data feeds from our existing security products (whatever happens to be growing in the area) but also (and more precisely for this discussion) from beyond what we typically consider security products to be.

In this post to the Oracle Security blog, I make the case that "we shouldn’t limit our security data to what has traditionally been in-scope for security discussions" and how understanding Application Topology (and feeding that knowledge into the security trough) can help reduce risk and improve security.

Click to read the full article: Improve Security by Thinking Beyond the Security Realm

Tuesday, September 18

Convergence is the Key to Future-Proofing Security

I published a new article today on the Oracle Security blog that looks at the benefits of convergence in the security space as the IT landscape grows more disparate and distributed.

Security professionals have too many overlapping products under management and it's challenging to get quick and complete answers across hybrid, distributed environments. It's challenging to fully automate detection and response. There is too much confusion about where to get answers, not enough talent to cover the skills requirement, and significant hesitation to put the right solutions in place because there's already been so much investment.

Here's are a couple of excerpts:
Here’s the good news: Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms. This approach eliminates the issues of product overlap because each component is designed to leverage the others. It reduces the burden related to maintaining skills because fewer skills are needed and the system is more autonomous. And, it promotes immediate and automated response as opposed to indecision. While there may not be a single platform to replace all 50 or 100 of your disparate security products today, platforms are emerging that can address core security functions while simplifying ownership and providing open integration points to seamlessly share security intelligence across functions.
 Forward-looking security platforms will leverage hybrid cloud architecture to address hybrid cloud environments. They’re autonomous systems that operate without relying on human maintenance, patching, and monitoring. They leverage risk intelligence from across the numerous available sources. And then they rationalize that data and use Machine Learning to generate better security intelligence and feed that improved intelligence back to the decision points. And they leverage built-in integration points and orchestration functionality to automate response when appropriate.
Click to read the full article: Convergence is the Key to Future-Proofing Security

Tuesday, January 30

New World, New Rules: Securing the Future State

I published an article today on the Oracle Cloud Security blog that takes a look at how approaches to information security must adapt to address the needs of the future state (of IT). For some organizations, it's really the current state. But, I like the term future state because it's inclusive of more than just cloud or hybrid cloud. It's the universe of Information Technology the way it will be in 5-10 years. It includes the changes in user behavior, infrastructure, IT buying, regulations, business evolution, consumerization, and many other factors that are all evolving simultaneously.

As we move toward that new world, our approach to security must adapt. Humans chasing down anomalies by searching through logs is an approach that will not scale and will not suffice. I included a reference in the article to a book called Afterlife. In it, the protagonist, FBI Agent Will Brody says "If you never change tactics, you lose the moment the enemy changes theirs." It's a fitting quote. Not only must we adapt to survive, we need to deploy IT on a platform that's designed for constant change, for massive scale, for deep analytics, and for autonomous security. New World, New Rules.

Here are a few excerpts:
Our environment is transforming rapidly. The assets we're protecting today look very different than they did just a few years ago. In addition to owned data centers, our workloads are being spread across multiple cloud platforms and services. Users are more mobile than ever. And we don’t have control over the networks, devices, or applications where our data is being accessed. It’s a vastly distributed environment where there’s no single, connected, and controlled network. Line-of-Business managers purchase compute power and SaaS applications with minimal initial investment and no oversight. And end-users access company data via consumer-oriented services from their personal devices. It's grown increasingly difficult to tell where company data resides, who is using it, and ultimately where new risks are emerging. This transformation is on-going and the threats we’re facing are morphing and evolving to take advantage of the inherent lack of visibility.
Here's the good news: The technologies that have exacerbated the problem can also be used to address it. On-premises SIEM solutions based on appliance technology may not have the reach required to address today's IT landscape. But, an integrated SIEM+UEBA designed from the ground up to run as a cloud service and to address the massively distributed hybrid cloud environment can leverage technologies like machine learning and threat intelligence to provide the visibility and intelligence that is so urgently needed.
Machine Learning (ML) mitigates the complexity of understanding what's actually happening and of sifting through massive amounts of activity that may otherwise appear to humans as normal. Modern attacks leverage distributed compute power and ML-based intelligence. So, countering those attacks requires a security solution with equal amounts of intelligence and compute power. As Larry Ellison recently said, "It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers."
Click to read the full article: New World, New Rules: Securing the Future State.