Duo Security Summit 2016: The Shift from Bolted-On to Built-in Security
At Duo Security’s annual Security Summit held in San Francisco, we brought together some of the foremost security experts in the field from top tech companies to discuss where the infosec industry is headed, what works, and what doesn’t.
Building Security for People
Dug Song, CEO of Duo Security, gave a keynote on the current state of the industry. I summarized the main points below:
The (infosec) status quo isn’t working - unfortunately, users’ devices aren’t safe. In addition to unsafe devices, credentials are still king for gaining access to systems with sensitive company data.
Unfortunately, we’re failing at the fundamentals in an age of access, as we increasingly see our data spanning not only infrastructure we own, but a lot that we don’t. We don’t know who’s accessing what, and how.
At Duo, we designed a model of Trusted Access - if you can verify the trust of users and devices before you grant them access, you can provide visibility to inform policies and controls and build security in a way that enables your organization.
In the past, we built security for networks and systems. But now, we have to build security for people.
How Secure Are OS and Browsers?
Panelists Justin Schuh of Google and Justine Bone of Secured Worldwide discussed different security solutions for devices, OS and platforms.
Bolted-On vs. Built-In Security
As the attack surface has increased in complexity, security solutions have moved away from bolted-on to built-in. Bolted-on security like antivirus and firewalls did a disservice to infosec by fostering the wrong mentality.
At the time, it was useful to slap something on top to fix your security problems and it was helpful simply because the situation was so bad.
Now, we’ve learned that we have to decompose the attack surface and think ahead - applying security after the fact isn’t helpful anymore. Identity and authentication solutions are standalone systems that make more sense, as endpoints are often the target for malicious software.
With the cloud, more trust is instilled in tech giants. But now identity itself is a huge target for attackers, as it is a prime way to gain access to data. People are now thinking about data, where it is, and how it’s stored.
Providing More Security Value
Where do we see the most security value? Anyone that brings transparency to the solution is the most trustworthy - identity providers that don’t explain their products are the worst.
When it comes to supporting Google’s Chrome browser, a large number of error reports come from security vendors for Chrome - it can be hard to harden the browser when security vendors drop products that open up giant holes in the browser. That’s an example of not providing security value - when vendors develop technology without knowing how well it works with other technology.
What’s Next for Security?
The panelists shared their recommendations for infosec success in the next 3-5 years:
- Influence change by demanding transparency from the large tech giants.
- Avoid bolt-on rocket ships - there has to be ownership of security in terms of owning the APIs of that system.
- At the Google Chrome offices, security engineers are integrated into the development of the products. Make security built-in, not a separate organization from engineering.
- Think about the data and assets you want to protect, including identity.
When it comes to specific security solutions:
- For Chrome, a password alert extension flags if you’re sharing passwords across sites or if you get phished.
- Biometrics and authentication alternatives to passwords show the shift toward protecting users’ identity.
How Does Trusted Access Work?
Duo’s VP of Product, Ash Devata, gave a live demo of Duo’s two-factor authentication solution.
To verify the trust of users and devices: When logging into their email, for example, users enter their username and password, then respond to Duo’s two-factor authentication prompt via a push notification on their iPhone.
If their browser is outdated, the authentication prompt will warn the user how long it has been out of date. Admins can also create a policy to block users from accessing their email if they haven’t updated in a certain number of days.
For administrator insight: Admins can log into Duo’s Admin Panel to view data on all of the devices connecting to your network, including managed and unmanaged ones.
This dashboard gives you a quick view of the distribution of devices that are updated or out of date. User and device reports now show trends - admins can see which devices have been updated in the last 30 days. We also show you when vendors release new versions and updates.
This data tells you which devices are jailbroken, rooted, encrypted and more - giving you information to take action and create a policy that blocks outdated devices.
Stay tuned for more takeaways from our other panels at this year’s Security Summit, including:
- Breaking the Traditional Security Model
- The Balancing Act of Security and User Convenience
- Security at Scale with Facebook