Duo Security Summit 2016: Breaking the Traditional Security Model
At Duo Security’s annual Security Summit held in San Francisco, we brought together some of the foremost security experts in the field from top tech companies to discuss where the infosec industry is headed, what works, and what doesn’t.
Breaking the Traditional Security Model
Michael Hanley of Duo Labs moderated a panel, Breaking the Traditional Security Model, with panelists Ryan Huber, Security Lead at Slack; Christopher Hymes, Director of Security at Riot Games; Mikhael Felker, Director of Information Security at The Honest Company; and Window Snyder, CSO at Fastly.
One aspect of breaking the traditional model is the fact that more and more people are using unmanaged devices, that is, laptops, tablets and mobile devices not managed by workplace IT. That means an unlimited number of apps and an unlimited amount of data are moving out of your workplace.
A lot of empirical research shows that 97% of Windows vulnerabilities wouldn’t be effective if the user didn’t have admin rights. Managing permissions is one way to deal with new security models, as the threat shifts to the user and the level of privileges an attacker would hold should they gain access to the user’s account.
Another way to deal with new security models is by getting visibility into your environment and building a baseline from logs of system and user activity. According to our panelists, most companies aren’t doing that basic level of investigation into their environment. Collecting endpoint logs will give you a head start when looking at infrastructure and security.
Securing access in a time of a disappearing perimeter is another challenge. Google’s BeyondCorp tool verifies logins and devices as users log into their applications over a web browser, encrypting traffic and securing your connections without the need for configuration (as with VPNs). This tool is helpful for granting employees remote access to work apps from their home or other locations outside the office. You can’t escape BYOD, but you can make it more manageable and safe for companies and employees.
Another important consideration for all security tools is that users will find a way to circumvent anything that slows them down, which makes a case for deploying security tools that are user-friendly and frictionless. The most effective security tool is one that both accurately addresses new security threats and that your users will actually use.
The best bet is prevention - making your environment less hospitable to the attacker to reduce opportunistic adversaries. To do that, organizations need to get the security basics down, including staying up-to-date, using two-factor authentication, and making it more difficult, costly and time-consuming for an attacker. Those basics can also reduce the chances of an attacker using stolen credentials to gain entry to your systems, such as through a phishing attack.
Balancing Act of Security and User Convenience
Duo’s VP of Customer Success, Lisa Paul, had a fireside chat with Andrew Blackman, CTO of the Children’s Hospital of Colorado (CHC). Hospitals inherently have a corporate model that makes security a challenge, as they have a large variety of different users and high turnover, making identity management an area of opportunity for attackers - plus, lately, there’s been an uptick in phishing in the healthcare industry.
Keeping patient data secure is difficult as there are medical devices like IV pumps on the network that now need to be managed and regulated by the FDA. It’s a challenge to integrate with electronic healthcare record (EHR) systems and ensure they’re secured.
The CHC was able to roll out Duo’s two-factor authentication solution to 10k people in five days. A chief quality and security officer said it really could not have been simpler. When it comes to phishing and other social engineering attacks that target user credentials and identity, user education can help a lot, but you still need a stopgap security solution like two-factor authentication.
In healthcare, there are many shared clinical workstations - at the CHC, there are thousands of computers issued on the floor that could be used by anyone. There are a lot of faculty members who primarily bring in their own equipment, making it challenging to ensure both managed and unmanaged devices are secure.
Hospitals are a big attack vector. But the health of patients doesn’t stop at the bedside - it includes the privacy and security of their data, as well. Securing access to protected health information (PHI) requires two-factor authentication to protect against phishing and malware, advanced endpoint protection to secure user identities, log analysis, and removing administrative access from PCs that don’t require it.
More from the Security Summit to come, including Security at Scale with Facebook, and information on our 2016 Women in Security award winners!