Our CTO Thomas Whang had the opportunity recently to talk with Michael Hudak about all things cybersecurity for his podcast, “Fortify Your Data” — from architecture to regulation to blockchain and passwordless. In addition to the recording, below are highlights of their conversation, which we’ve edited for length and clarity.
New Landscape, Bigger Gaps
In 2021, we’re looking at a very different cyber security landscape than a decade ago. Do you find security gaps at companies have grown larger or are just different?
I would say both. And the reason for that is because the cyber security industry has grown tremendously. If you’re familiar with a Momentum CYBERscape diagram, right now the latest number is over 3,500 vendors that are in the cyber security space. So the sheer number of vendors out there is daunting and overwhelming to anybody in the corporate world. On top of that, in a typical enterprise organization, you’re going to see anywhere between 75 to 200 different products trying to do their own thing in areas of cyber security support.
So you put all that together — how is anyone supposed to really get a full holistic view of what’s happening in their environment? The more products and vendors you have in the cybersecurity world, the higher the complexity goes. And what I tell all of our clients is, if complexity goes up, then gaps are absolutely going to exist, and the more gaps that are found or existing, the higher the risk that comes into play.
That’s why one aspect of our approach is to help clients simplify cyber security — reduce the number of tools and find what’s overlapping, identify what you specifically need so that we can “prune” unnecessary technologies and give you the visibility you need to the data you need to protect and the ability to respond appropriately. The result is a simpler, more mature architecture that delivers increased visibility and better detection and response.
Reduce Complexity Through Consolidation
Absolutely, and I think that you touch on a very important thing, because a lot of people think that more vendors add complexity in terms of how you have to do application maintenance and patching, but I think it’s also a user experience issue too. So when you guys are focusing on consolidating, how much of a factor is that user experience in terms of either merging applications — how do you go about doing that, can you walk me through that process?
Absolutely. Our first goal is to help clients gain more visibility without adding more tools. So as part of our Advisory Services, we’ll conduct a tool inventory and get a sense of what you’re using today, and through that process, determine the degree of overlap you have across all those different tools. Our second goal is determining how many of your tools can be integrated.
Typically, API integration is the first thing we’ll be looking at — what legacy tools are current that we can use to integrate as much of that data as possible and then, as you aggregate that data, the question becomes how to present it in a manner that’s meaningful. That will be some version of a SIEM, where all that data is aggregated. Then it becomes a matter of visualizing it in a manner that makes sense to the organization. And every organization is going to be different, but the formula and the process is the same.
The Collision of Cyber and Physical
I think one of the biggest struggles with cyber security is getting everyone on board with the policies and following procedure and you touched on manufacturing and their current lack of regulation. Although, CMMC regulations and the government contracts are changing that for a lot of United States manufacturers. But when you’re looking at some of these companies specific to manufacturing and you’re seeing IOT devices, what are you worried about the most? Because from my perspective, I’m worried more about the users than the devices, but devices are also a problem.
Yes, and the biggest concern that will become more of a topic in the space is the intersection — or, I call it, “the collision” of the cyber and physical worlds and how that impacts human lives. Gartner posted an article back in 2020 about the likelihood of regulation, where CEOs will be liable for a cyber event or act that causes harm or death to a human.
This is becoming more and more prominent because of IOT. Everything has an IP address now and anything that’s an IP address is reachable from the outside world in some way, shape or form. So if IOT is not secured properly, then we’re going to see more events that cause physical harm. We’ve already seen some of this in the news, and I think we will see more in the very near future.
Flipping Data Ownership with Blockchain
Well, it’s the same thing with Facebook, right? People knew what was going on with the algorithm, but they still succumbed to it, right? And they were working on the algorithm. It’s scary, it’s a huge concern. So how do we fix it? Obviously there’s no silver bullet, so that might be an unfair question, but what are some obvious things we can do now to protect people’s personal information?
I think there’s a few ways. One is, with the government’s support, we need regulation. Right now, a lot of regulation is far behind the technology. Laws are always playing catch-up and that, in and of itself, creates a gap between what happens today and when regulation has finally caught up.
And it’s during this gap where things can happen, and there’s the no man’s land of how to enforce or regulate it. I think regulation has to get as close as possible, but I don’t believe it will ever keep pace with the speed of technology — as long as we can minimize that gap as much as possible.
The other thing is in the realm of data ownership. I think we’re going to see a fundamental change in the way data is being stored. Right now, data everywhere in the world is somewhere centralized in either an organization or on a platform, and whether you know it or not, you’ve given up ownership of that data and are no longer the custodian for maintaining it. There’s so much opaqueness. It has only been because of recent regulatory pressure that platforms have had to disclose how they use and secure their users’ data.
In my perspective, the concept of data custodianship and data ownership has to be flipped; ownership has to stay with the user and anyone else — an organization or platform — must be granted that user’s permission to access their data.
Thinking down the line, this is where blockchain can potentially provide this level of ownership, and you’re already seeing some R&D projects being done this way today.
Sir Tim Berners-Lee, inventor of the world wide web, has a company called Solid, and he’s working on a project where one of the goals is to decentralize data and return ownership to users, whether it’s identity, personal data or whatever, without having to give up custodianship.
Bitcoin vs. The Fed
Do you think that’s a possible model with the way our government is currently set up?
It’s going against the grain, I think, from a technology perspective. How that impacts the government, we’ll have to wait and see. It’s what you see going on today with cryptocurrency, and the friction it’s causing with the government. Bitcoin as a decentralized monetary system goes against the grain of our current centrally planned system, led by the Federal Reserve, who controls the U.S. dollar — there’s contention between them.
Thinking forward, I think one of the things you’ll see is the concept of identity and how it can be used in blockchain form to mitigate the issues we have with phishing attacks, how this leads to stolen credentials and ultimately a security breach. [Editor’s note: Microsoft has launched its first version of ION on the Bitcoin mainnet, which has the potential to significantly mitigate the main threat vector of compromised credentials, from which most breaches originate.]
Bitcoin is such an interesting animal because it’s so different than what I thought blockchain was going to end up being and I still struggle with the use cases people have developed on the blockchain. I really think the best use cases are Bitcoin and gambling — that’s a trustless money exchange, makes a lot of sense to me.
Yes, that makes total sense.
When you start attaching IDs to it, it gets tricky, right? It’s just it’s so hard to actually implement that because at some point somebody has to have the data. And I guess it goes back to who you trust to be the consortium for that data.
Yes, and therein lies the conundrum: As you put it, someone needs to be the authoritative source, whether it’s an individual or entity of some sort. And as long as there’s transparency — and that’s where blockchain can deliver — there will be an authoritative source across the board. But blockchain is not the silver bullet and it’s not going to solve all our problems. As the concept of blockchain matures, we’ll start to see how it could impact technology in general and the cyber security space.
The Future Is Passwordless
Absolutely, so I want to shift gears a little bit because poking around your website, you’ve been a somewhat prolific writer. You touched on something that I was talking about very recently — going passwordless. Could you give me a little refresher on what you mean by that and why you think we are headed towards a passwordless future?
It is actually very simple. If you look at all the breaches today and statistics from the Verizon breach data report, you know that 80 percent of breaches are sourced from compromised credentials — so that’s problem number one. If we get rid of passwords, we could stop breaches. One example of that is enabling multi-factor authentication. As Microsoft and Google have pointed out, by enabling MFA, 99% of compromised credential attacks are mitigated.
That is fantastic, but it still leaves some exposure where MFA can be compromised. Depending on the type of MFA — whether it’s text messaging or a phone call — it could be bypassed. The next step then is to shrink that vulnerability, and that’s where passwordless comes in.
Microsoft is currently at a rate of about 150 million passwordless user logins per month and they themselves are pushing passwordless. We are saying the same thing because if we get rid of passwords, we could prevent the majority of breaches. If you do get phished and it’s asking for your username and password, you have no password to give — right?
Mobile Security Adoption
I wonder how you recruit this generation of people that are so technologically resistant to obviously better security, right? Going back to the Coinbase and Robinhood apps — anything that’s using Plaid, I think they’ve done a great job deploying multi-factor authentication, making the fingerprints really easy. I think we’re headed in the right direction, but there’s a lot of these legacy investment applications or banking applications that just need to pick it up, right?
I think there’s a lot more user education as a society to get people more well versed in the technology and really understanding what they are doing with their data so that they’re more security conscious and think twice before signing up for an app when it’s free or clicking on any link you get, because it’s a dangerous world out there on the internet.