In this episode of the podcast (#199), sponsored by LastPass, we’re joined by Barry McMahon, a Senior Global Product Marketing Manager at LogMeIn, to talk about data from that company that weighs the security impact of poor password policies and what a “passwordless” future might look like. In our first segment, we speak with Shareth Ben of Securonix about how massive layoffs that have resulted from the COVID pandemic put organizations at far greater risk of data theft.
The COVID Pandemic has done more than scramble our daily routines, school schedules and family vacations. It has also scrambled the security programs of organizations large and small, first by shifting work from corporate offices to thousands or tens of thousands of home offices, and then by transforming the workforce itself through layoffs and furloughs.
In this episode of the podcast, we did deep COVID’s lesser discussed legacy of enterprise insecurity.
Layoffs and Lost Data
We’ve read a lot about the cyber risks of Zoom (see our interview with Patrick Wardle) or remote offices. But one of the less-mentioned cyber risks engendered by COVID are the mass layoffs that have hit companies in sectors like retail, travel and hospitality, where business models have been upended by the pandemic. The Department of Labor said on Friday that employers eliminated 140,000 jobs in December alone. Since February 2020, employment in leisure and hospitality is down by some 3.9 million jobs, the Department estimates. If data compiled by our next guest is to be believed, many of those departing workers took company data and intellectual property out the door with them.
Shareth Ben is the executive director of field engineering at Securonix. That company has assembled a report on insider threats that found that most employees take some data with them. Some of that is inadvertent – but much of it is not.
While data loss detection has long been a “thing” in the technology industry, Ben notes that evolving technologies like machine learning and AI are making it easier to spot patterns of behavior that correlate with data theft- for example: spotting employees who are preparing to leave a company and take sensitive information with them. In this discussion, Shareth and I talk about the Securonix study on data theft, how common the problem is and how COVID and the layoffs stemming from the pandemic have exacerbated the insider data theft problem.
It’s Not The Passwords…But How We Use Them
Nobody likes passwords but getting rid of them is harder than it seems. Even in 2021, User names and passwords are part and parcel of establishing access to online services – cloud based or otherwise. But all those passwords pose major challenges for enterprise security. Data from LastPass suggest that the average organization IT department spends up to 5 person hours a week just to assist with password problems of users – almost a full day of work.
In our second segment, we’re joined by Barry McMahon a senior global product marketing manager at LastPass and LogMeIn. McMahon says that, despite talk of a “password less” future, traditional passwords aren’t going anywhere anytime soon. But that doesn’t mean that the current password regime of re-used passwords and sticky notes can’t be improved drastically – including by leveraging some of the advanced security features of smart phones and other consumer electronics. Passwords aren’t the problem, so much as how we’re using them, he said.
To start off, I ask Barry about some of the research LastPass has conducted on the password problem in enterprises. Barry McMahon a senior global product marketing manager at LastPass and LogMeIn.
[START OF RECORDING]
PAUL: This episode of The Security Ledger Podcast is sponsored by LastPass. For more than 47,000 business of all sizes, LastPass reduces friction for employees while increasing control and visibility for IT with an access solution that’s easy to manage and effortless to use. From single sign-on and password management to adaptive authentication, LastPass gives superior control to IT and frictionless access to users. Check it out at lastpass.com.
Hello. Welcome to The Security Ledger Podcast. I’m Paul Roberts, Editor in Chief at The Security Ledger. In this week’s episode of the podcast, number 199Ö
BARRY: Passwords are so ingrained in everything that we do right now because it’s this universal language of registration. It’s this universal language of validate who you claim to me. That doesn’t mean to say that enterprises have to stay on that route.
PAUL: The covid pandemic has done more than scramble our daily routines, school schedules, and family vacations; it has also scrambled the security programs of organizations large and small by shifting work from corporate offices to thousands or tens of thousands of home offices and by affecting huge changes to the workforce itself through layoffs and furloughs. In this episode of the podcast, we’re gonna dig deep into a couple ways that that disruption is playing out. In our second segment, we’re joined by Barry McMahon of LogMeIn and LastPass to talk about research that company has done on the password crisis facing organizations. Remote work, as well as the proliferation of web-based services have spread enterprise security resources dangerously thin.
But first, we’ve read a lot about the cyber risks of Zoom sessions or remote offices but one of the less-mentioned cyber risks engendered by covid-19 are mass layoffs of staff from companies and sectors like retail, travel, and hospitality whose businesses have been upended by the pandemic. Millions of Americans have lost their jobs since the onset of 2020 and if data compiled by our next guest is to be believed, many of those departing workers are taking company data and intellectual property with them out the door. Shareth Ben is the executive director of field engineering at the company Securonix. Ben notes that evolving technologies like machine learning and artificial intelligence are making it easier to spot patterns of behavior that correlate with data theft. In this discussion, Shareth and I talk about Securonix’s study on data theft and data loss, how common the problem is, and how covid and the layoffs stemming from the pandemic are exacerbating the insider data theft problem.
SHARETH: My name is Shareth Ben. I’m the executive director of field engineering at Securonix. Securonix is a next-gen SIM and a UEBA company. We’ve been doing this for the last ten years. We started as a UEBA company. Even before that, we were looking at identities and profiling identities and behavior and that started to evolve naturally into looking at other types of log sources such as e-mail, proxy, endpoints, infrastructure. So in a sense, a next-gen SIM is — has the standard traditional SIM capabilities plus the UEBA capabilities built into it, and also the SOAR capabilities for automation and so on. So, that’s our company in a nutshell.
PAUL: Shareth, welcome to Security Ledger Podcast.
SHARETH: Thank you. Happy to be here.
PAUL: We’re talking to you because we’re digging deep on the problem of insider threats and in particular the risk that employees pose in that period where they may have decided to move on to another job or are leaving or god forbid getting fired for some reason. Securonix came out with a report on insider threat behavior. This was data that you had aggregated from across your customer base and analyzed particularly around this issue. Could you kind of give us the high level on what that report found, some of the high-level takeaways from that report?
SHARETH: Yeah, so let me start by answering that question. What we’ve observed is that most often when an employee leaves a company, they end up taking some data with them, right? I think it is just human tendency to do so because the employee feels a sense of entitlement or ownership, especially if that particular artefact or document is something they worked on. This has always been a problem. With respect to [00:05:00] whether that particular action is benign or serious, it really depends on the impact. For example, let’s just say an employee ended up taking an Excel sheet with macros built into it so that they can be more efficient at the next job they go do.
Is that a big deal? Yes or no? That depends, right? But let’s just say you have a high-profile researcher who ends up taking with them the formula on how to make a leading drug to the next competitor and then uses that for accelerating their time to market. Now, is that a big deal? Obviously, I think it is. So, it’s not just a matter of what they take. It’s a matter of the impact that it actually has and who determines that is obviously the working group within each company — has to determine that. That’s the HR, legal, and all these parties would need to come together to have that kind of discussion.
PAUL: I think your report found something close to like 30% of the data exfiltration, data leak issues were in the pharmaceuticals industry, that it was very highly represented there. I guess that could just kinda reflect Securonix’s customer base but that would tend to suggest that some of this activity is not inadvertent or harmless, that there’s actually high-value IP that isÖ
SHARETH: That’s right. The reason why you’re seeing more cases from pharmaceutical companies and financial companies is only because you’re looking. So, this type of problem is prevalent across the board, right, but if you think about it, financial companies and pharmaceutical companies have a lot to lose in this regard. These companies have had established inside their programs for a long time now and they’ve also made short of a time, so you’re obviously gonna see more incidents in that regard.
PAUL: So, for companies — let’s say we’ve got — which I’m sure we do — folks who are managers or executives or board members who are in The Security Ledger Podcast listening audience and they want to really get their arms around what is this consolation of behaviors I need to be attuned to and worried about, and if I spot patterns that seem worrying, what do I do? So, let’s start with the first one. What are some of the behaviors that are red flags as far as Securonix has been able toÖ
SHARETH: Yeah, that’s — there are all kinds of behaviors that we see in the field but some of the ones that are notable and worth mentioning is that when an employee is about to leave, they exhibit a certain behavior which becomes very, very evident in their e-mail patterns as well as their web browsing patterns. So, what I mean by that is when an employee is about to leave, they’re either sending out resumes, they are actually doing some research on how to write a cover letter, or they’re also going to other job search sites and applying, and so on and so forth.
PAUL: Yeah. If not so, I guess.
SHARETH: I mean, it’s a free country. Everybody is allowed to do what they want to do. The problem arises is that when there’s a conjunction between that kind of behavior with some sort of a data snooping or data exfiltration behavior. That’s when it becomes a problem. What I would recommend is that — look for those basic behaviors which is the e-mail browsing — I’m sorry; the e-mail, external e-mail behavior as well as the web browsing behaviors. There are some specifics that maybe I may get into trouble if I get into the details, but those things I would watch out for. Another thing we also notice is that you’ll start seeing people downloading W2s and tax documents which are typically only available as long as they’re within the company network. So, there are these telltale signs that you can look for. Also look for any sort of data snooping and exfiltration behavior which then amplifies the risk and warrants an investigation.
PAUL: So, their behavior as an employee on the network really changes in that period where they’ve either — are looking for a job or even just have made the mental decision to start looking for a job.
SHARETH: That’s exactly right. In some cases, what happens is — the most straightforward way to do this, Paul, is obtain a list from HR with respect to the upcoming terminations. This can be voluntary and involuntary, and then put them on a watch list and then start looking for behaviors. But in the lack of which, you need to rely on tools to be able to do this.
PAUL: This is kinda what I think is interesting, which is there’s been a huge evolution or maturation in the tools. My sense is [00:10:00] more and more — you know, we’re seeing machine learning and so on be able to spot much more subtle patterns of behavior than hey, somebody just tried to send this protected document.
SHARETH: Yeah. Let me talk about that. So, you did use this word called noise and that’s very relevant here because if you think about it, what these tools have allowed companies to do is to ingest very, very large volumes of data, very chatty data like proxy logs that gives you the web browsing behavior or e-mail gateway logs that gives you any external e-mail activity and several other log types, right? I’m talking about gigabytes of data a day. What these tools allow you to do is even before the machine learning aspect kicks in, is to prepare the data for detecting nefarious behavior. So, these tools have allowed you to take those large volumes of data and then basically process it and only extract what’s relevant. That’s the data extraction stage, and then make that available for the analytics to run.
When it comes to the analytics, what vendors are forced to do today is to be very precise in how they approach this problem. You can’t just apply ML as this data science approach or this one-size fits all approach; you’re gonna — you’re just gonna end up with a lot of noise. So, what vendors like us are forced to do is to curate these use cases and know precisely what detection technique or algorithm to apply in order to derive a specific outcome. So, on one end of the funnel you’re pumping in very, very large volumes of data but after all the processing, you’re — the output is in a very manageable size because you also understand that we are the people — are the staffing problem, right? You don’t have all the staff in the world to look at this so you need to be very precise and very efficient in solving this problem.
PAUL: Indeed. The next question is once you’ve spotted some behavior that seems suggestive or worrying, I guess maybe the bigger, messier problem is what do you do with that and how do you build internal processes around managing that information and acting on it?
SHARETH: That’s a very interesting question and a very important one because I think this is where a lot of insider threat programs fail, because they assume just technology alone can solve this problem. I can tell you for sure this is just like anything else; a people process and technology problem. As a matter of fact, the process and the people aspects are equally if not more important in this regard. The reason why is that when it comes to insider threat behavior, it’s never a black or white situation. It’s always a shades of grey situation which — and what I mean by that is that you really need to have your policies and procedures ironed out very clearly with all the concerned parties. There needs to be consensus by and large — I’m not saying on everything — between HR, legal, the working groups, the lines of business, and so on and so forth so that when a particular nefarious behavior is surfaced, they know how to deal with that. I’ve seen insider threat programs fail because that type of a policy and procedure wasn’t ironed out in the first place. So, they don’t know what’s right from right and wrong from wrong.
PAUL: The companies that you see that are the most mature in this area, what types of things are they doing when they spot — let’s say, okay, here’s somebody who has been updating their LinkedIn profile on job sites, working on a cover letter, and also they’re suddenly grabbing reams of data from all over the place and uploading it to some Dropbox account in ways that are really different from the way that they usually behave; what are the most mature companies doing in that type of situation?
SHARETH: Yeah, before I answer that question, I want to touch on a important topic of risk appetite which I’m sure you’ve — you come across, where every company needs to decide for themselves what their risk appetite is. For example, on one end of the spectrum you have companies who care about any small — any data that is branded that leaves the enterprise. On the other side, the risk tolerance is much higher and they’re willing to live with that. Why this is important is that when an event occurs, usually you’ll have — a L1 team are the first responders who look at it [00:15:00] and then analyze to see who this user is, what is their title, what is their profile, what did they take, where did it go to. Once they think there is something serious, then they will bump up that case to the next level. Then usually at that point someone senior or the program director gets involved and then they would involve the various working groups which is HR, legal, and so on, and then they will decide to see if they should pursue that or not.
In some cases, what I’ve seen is that if the employee’s already left the organization, they would issue a legal letter to that ex-employee stating that hey, employee, by the way, we noticed that you took data with you. This belongs to obviously the enterprise, so we’d recommend that you delete — not recommend; we ask that you delete the data and do not use it in any further places. I’ve seen that happen but if it’s a continuing population — just say that person hasn’t left the company, then they would obviously confront the employee saying this is what happened and they would ask for justification why. In a lot of cases, the — what we see is that the employee would say well, I did it because — for convenience or for ease of use, right? That may or may not sit very well with the decision-making parties and then — and further action is taken. In some severe cases, people are let go because of the type of data and so on. In some cases they get a warning and they keep track of how many warnings somebody gets. In some cases, there’s a three-strike rule where after three times, a warning, then they may end up taking some severe actions.
PAUL: You note in this report Securonix did that flight risk isn’t the only insider threat, right; employees leaving, taking data with them, that there are also risks posed by employees who are — have no intention of leaving the company but are abusing their access to the network in various ways. Can you talk about some of the other behaviors that you guys notice that are worrying or should be worrying for companies?
SHARETH: Sure. So, we at Securonix have aligned ourselves to the Carnegie Mellon CERT model and that model specifies that an insider threat program should have three legs to it; one is the detection and prevention of any sensitive data being leaked. Two is any privileged account misuse, and third is fraud, any action that results in direct monetary loss for a company. By the way, it’s estimated between 1% to 7% a year. When it comes to privilege misuse, as you can imagine, every large enterprise has endpoints, networks, servers, and so on, and you have privileged users who are operating within these environments. We’ve seen in some severe cases that when an employee or a contractor is disgruntled, they will end up disrupting service by doing certain nefarious behaviors. So, that’s a worst-case scenario. But what we continuously observe is that these privileged users are circumventing controls that are in place for whatever reason because it’s easier for them to get their job done, or they are misusing their privileges in some cases. Both these types of activities needs to be in check because one day if that person decides to go rogue, they do have the potential to cause severe damage to the company.
PAUL: Well, it wouldn’t be an interview these days if there wasn’t a covid question.
SHARETH: Of course.
PAUL: Of course. But actually, for this interview, it’s an entirely relevant one. I’m not stretching here at all, which is obviously covid — the covid pandemic has shaken up pretty much every company in the way that it works in a couple ways that I’m guessing probably you all are seeing in your data. One, of course, is the work from home, so the transition from people being in a physical office to working from home. I’m interested in how that either exacerbates or ameliorates data theft and data misuse as people are scrambling to set up an office remotely. The other, of course, is that there have been huge, huge, massive layoffs across industries and huge percentages of workforces just put on furlough or laid off and my guess is you’re seeing the signs of that in [00:20:00] employee behavior for a few people who have been laid off. I’m guessing we’re seeing a lot more data-grabbing as people head out the door.
SHARETH: Yeah. Your point’s absolutely valid. Let me answer your first question. The first thing we noticed as soon as the — this whole covid pandemic situation hit, it was a surge in VPN activity, obviously. No prizes for guessing that. Because of that, we started to see more data on remote login and also along with that came problems for security operations team because they had to loosen up certain controls so that they can enable their staff from — to work remotely. One particular example is printing, right? Before, printing was restricted but now they will allow people to print from home. But in some cases, what would happen is these print vendors allow you to do what is called as an AirPrint which means you can just send a file to a particular something at hp.com or any print vendor and then that’s an easy way for you to take data out. Maybe not maliciously with malicious intent, but that is an area that is a gap, right? So, we started to see these different behaviors emerge because of that.
Another example I would say is we have a specific use case to look for account sharing. The way that we do that is looking for landspeed violation where when we see concurrent logins from two separate, far away geolocations at the same time, that is an indication that somebody’s sharing credentials and could be to a critical application or it could — in worst case, it can also be a case of a credential compromise, right? Now that people are working from home, we shouldn’t be seeing that. It was a different case prior because people would travel, so they would come up with a business justification saying hey, I was in London yesterday and today I’m in the US, whatever. But now people are stuck to their homes and anytime we saw something like that, that it wasn’t a false positive; it was a true positive. So, we started to see different behaviors emerge with the whole covid situation, just to name a few. Obviously, when it’s a cyber siteÖ
PAUL: So, that indicator actually became higher fidelity in the context of work from home.
SHARETH: That’s precisely right, yeah.
PAUL: What about, again, the layoffs and just the huge shifts in the employee roles as companies have been forced to furlough or lay off large numbers of employees; that must put a huge strain on security teams to monitor all those people as they’re walking out the door.
SHARETH: Yeah, that — absolutely, Paul. That situation I think is still unfolding as we speak. It is a developing situation. I can tell you in one instance, some companies, instead of — obviously furloughing employees, but they’re also reducing pay or they’re giving them pay cuts and then they’re randomly selecting people to be on that list. All these small changes done by companies are amplified, right, because everybody’s generally a little more sensitive these days to things. So, there is some fear and that doesn’t necessarily mean that it’s gonna lead to something nefarious but I think what companies need to do is to elevate their monitoring capabilities and at least have visibility if not detecting any advanced issues. So, that’s something that we recommend and we’re gonna continue to see how that unfolds.
PAUL: Okay, so if folks are listening and they’re — maybe they’re not as on top of their employee behavior monitoring, insider threat monitoring as they should be, how can they get started here? Sounds like a monumental task.
SHARETH: It is a monumental task and, well, it can be depending on how much you’re willing to do and invest, just like anything else, anything worthwhile in life. What I can say for sure is the companies who have been investing in this over the period of time before this thing — pandemic hit are in a much better position today because they kinda have the one-on-one stuff already covered. It’s important for companies to at least gain visibility into what is happening within — inside the network and especially if you’re using the Cloud for any platform or infrastructure service; you need to have visibility to see where your data is moving. That’s number one, I would say. [00:25:00] So, investing in a SIM is important because that’s gonna — that’ll allow you to bring in all the disparate log sources into a centralized tool so you can gain that visibility. That’s the way to do it.
Before, everything was looked at in a piecemeal fashion but that doesn’t cut it given the pace in which we’re moving, the businesses are transforming, so you need to be able to centralize the logs and gain that visibility to basically monitor this type of behavior. I feel like the issue is that companies struggle to deal with this problem because they don’t know where to start. They think it’s — the nirvana state is too difficult to accomplish. But I can tell you one thing for sure is every successful insider threat program I’ve seen started small, started with some basic data, with some basic indications and slowly built that over time by gaining more visibility and gaining more evidence to go to their management and make the case to develop the program. So, I would say every company who’s thinking about doing this, there is a way to do it and starting with the basics is just the way to go.
PAUL: Ben of Securonix, thank you so much for coming on and speaking to us on Security Ledger Podcast.
SHARETH: Thank you for having me, Paul. My pleasure.
PAUL: Shareth Ben is the executive director of insider threat and cyber-threat analytics at the firm Securonix. Up next; nobody likes passwords but getting rid of them is harder than it seems. Even in 2021, usernames and passwords are part and parcel of establishing access to online services, Cloud-based or otherwise. But all those passwords pose major challenges for enterprise security. Data compiled by LastPass suggests that the average IT staffer is spending up to five hours a week just helping users with password problems, almost a full day of work. In our second segment we’re joined by Barry McMahon, a senior global product marketing manager at LastPass and LogMeIn. McMahon says that despite talk of a passwordless future, traditional passwords probably aren’t going anywhere anytime soon. But that doesn’t mean that the current password regime of reused passwords and sticky notes can’t be improved drastically, including by leveraging some of the advanced security features of smart phones and other consumer electronics that employees now carry with them. Passwords aren’t the problem, McMahon says, so much as how we’re using them. To start off, I ask Barry about some of the research LastPass has conducted on the password problem in enterprises.
BARRY: Yeah, my name’s Barry McMahon. I work at LogMeIn where my main focus in on our identity offering called LastPass. For those of you that don’t know LastPass, LastPass is a consumer product and a business product as well. Then we also have single sign-on, so SSO. We also have multi-factor authentication, MFA, which blends together with our password management capability and offers enterprises our identity suite.
PAUL: So, at the core of this is identity and authentication, and those are big topics these days. The core of that is of course the password which has been our go-to authentication technology for whatever it is, sixty years. Kind of maybe outlived its usefulness, or certainly a friction point for companies these days, both the number, the quantity of passwords, and of course their security. You’ve done some research on this, LastPass, the last couple years on password use. Talk a little bit about what you discovered.
BARRY: Let me just say something right at the very top of this; passwords are a pain, hands up. I’m not here to evangelize the use of passwords in any way shape or form.
PAUL: Yeah, no one — you’re not gonna get much argument on that.
BARRY: I’m not gonna get any argument on that but where I do get a bit of argument back is that I actually don’t — I don’t see the problem with the concept of passwords. The problem is how we use passwords. Passwords are supposed to be unique. They’re supposed to be something only we know and you’re only supposed to use them for one access at a time, if you like, or to get into a particular application. Problem is is that as humans we go oh, I know, I can think up a really strong password and I’ll be able to remember that password; nobody else will be able to get it and crack it and so therefore, I’ll just use it everywhere. That’s really the problem with passwords, right? It’s how we use passwords. What we were looking at was well, how do we get people from using passwords to a passwordless environment? That might kinda seem a little bit counterintuitive because we provide probably the best-known password manager on the planet, LastPass. But the reality is is thatÖ
PAUL: Yeah, yeah. What, you’re trying to put yourself out of business, Barry.
BARRY: Well, you’d kinda think that, wouldn’t you? But no, the reality is is that it’s about the user experience at the end of the day. We hear fantastic feedback all the time about how easy it [00:30:00] is to use our password manager, right? Well, one of the things we’re thinking of, well, if it’s that easy to use our password manager, why not make it even easier and reduce the number of passwords that people have to have? How do you go about that? Well, you know that passwords are a huge pain for IT but they’re also a huge pain for the end user which is something that IT and security professionals and end users actually really agree on, so we commissioned a report earlier in the year called Passwords to Passwordless and really, we’re looking at anything that is aligned to getting rid of the password, because it’s always such a hot topic.
You know, people have professed for the last number of years about having the next greatest thing that’s gonna kill the password off, and I’m still waiting on them to bring it to market. There hasn’t been anything there that’s gonna actually kill the password off as it exists today. So, what we need to do is we need to find out well, how can we reduce the number of passwords so that we reduce the friction and reduce the pain that IT and different people are having, and also not impact user experience? User experience is the main reason that people will just continue to use weak and repeat usable passwords as well. They just want to get their job done. They just want access to a certain application. Because security puts barriers in their way that potentially try to catch them out or make things more complex isn’t necessarily making it any easier.
If you ask somebody for a twelve-character password with capitals and underscores and everything else of it, how are they gonna remember that if they don’t have a password manager? Well, they’re gonna write it on the Post-it note, right? It’s just substituting one thing for the other. So, what we did was we partnered with a research company called Vance & Bohr. We reached out to over 750 IT and security professionals and they were from across a wide range of sectors, private and public, and across the US, UK, France, Germany, Australia, Singapore, and so on. This was kinda a follow-up if you like or a second element to research that we conducted in 2019 which was for one of our other publications which was called The Guide to Modern Identity, so there’s a couple of similarities we’ve drawn between the two.
PAUL: One of the things you discovered is that for IT folk working within organizations, managing passwords on behalf of their userbase is taking up a fairly astonishing amount of their work each week.
BARRY: Yeah. I couldn’t believe this, to be honest with you. In 2019, we found that organizations were spending about four hours, or IT people within an organization would spend about four hours on average per week managing access credentials and passwords. In 2020, that went up by an hour to five hours a week. For me, I kinda find that a little bit amazing, thatÖ
PAUL: It’s almost a whole day.
BARRY: Well, it’s a whole day — it’s almost a whole day a week, right? Think about the work that you’re not getting done. If the security vertical was awash with talent, you’d say hey, get somebody to spend five hours per week resetting passwords. Nobody has ever said that. The talent and skill shortages that are within the vertical at the moment — really, we should be eradicating that five hours a week and saying hey, this is five hours a week that we can use and add value elsewhere across the business, because we know that security professionals are walking out of one job, walking into another job ëcause there’s over 100% turn and opportunities and all this kinda stuff on market, so there’s no barrier to people in security when they want to go find another job. They get snapped up right away. Security people and IT people are no different than anyone else, right? You want to go where you’re gonna be adding value and you’re valued. It’s a pretty low-value task to be getting people to reset and churn out passwords and access credentials to people five hours a week. That’s a quick win right away for IT and it’s a quick win right away for the people within the business. You can automate these things very easily and to be frank, they’d probably do it a lot better than somebody that you’re allocating five hours a week to do that particular task.
PAUL: So, let’s kind of blow up this concept of passwordless a little bit because I think people hear it — I don’t mean blow it up like get rid of it; I mean blow it up like let’s — I guess unpack is probably what I really mean. Let’s unpack it a little bit ëcause I think people hear ëpasswordless’ and they probably think of Minority Report or something, you know, where you’re just gonna walk around and it’s gonna scan your biome and be like oh yes, it’s Paul, which I’m guessing at some point we will get there but we’re not there yet. When we’re talking about passwordless now, what are we talking about?
BARRY: Yeah, it’s funny ëcause when you hear about people removing passwords, it [00:35:00] kinda does feel a bit like the Minority Report. It seems like it’s so futuristic and that’s part of the problem with cyber-security. For me, there’s a big problem around the words ëcyber’ and ësecurity’. We should just tell people we want to make you safe online, right? Just tell them that. Let’s not use cyber-security. Use cyber-security; it’s a bit like when I was at school. When people talked to me about physics, I just zoned out. I knew it wasn’t a conversation I needed to be involved in. No relevance to me, so I zoned out, right? You tellÖ
PAUL: I just hope your physics teacher is not one of our listeners, Barry.
BARRY: It was nothing to do with the teacher.
PAUL: Right — an arrow aimed right at the heart.
BARRY: Well, listen; if — this was all on the student, right? This was all on the student.
BARRY: But you know what I mean, right? I talked to some of my friends about cyber-security and I can see their eyes glazing over as soon as they hear the word ëcyber’. It’s like, this is not a conversation I need to be involved in. It doesn’t pertain to me and therefore I am not a target in this case, which is totally the wrong thing to be doing. I think when we talk about passwordless, I think we need to start at well, let’s not just talk about passwordless. Let’s talk about — make it simple; let’s talk about — let’s remove as many passwords as we can or mask them or have a way of managing them. So, when I talk about passwords, passwordless, I should say, I talk about in the broadest sense of the word. Remove passwords; that’s kind of what I’m looking at and that’s my — that’s how I think about it. How do you remove passwords? Well, you can use solutions like SSO. If you can put the applications behind a single wall and access them through a single password, right, you can put twenty, thirty, forty, fifty, whatever amount of applications behind that single wall. You log in with a password and hey, presto, you have access to everything. That, for me, is part of the passwordless journey. The other part of the passwordless journey is for everything that can’t go SSO; either you’re not on the right tier where SSO is available or it could be a case thatÖ
PAUL: SSO is single sign-on, justÖ
BARRY: Single sign-on, sorry, yeah. Single sign-on. Or you may not be on the tier where single sign-on is available or you may have people who are working in your marketing department, your HR department, or in other departments who are accessing online applications on the internet, and so you’re not gonna put them through SSO. You can’t put them through SSO. So, what you need to do there is you need to say well, if you do need to go outside of this perimeter, why not just secure all the passwords that you’re using? Let’s make them complex, let’s make them unique, and let’s give you somewhere to store them and somewhere that will auto-fill them when you go to their web pages, therefore you’re taking the passwords out of there again. I should also then add it’s also important then to validate who’s getting access. That validation comes — I kinda think of it as the next layer up into your security piece where yes, you have SSO, yes, you have your password manager to manage your passwords and let you into a whole load of applications, but now you need to challenge that person who’s accessing to make sure that they are who they claim to be. That’s where you start seeing the MFA piece come into play.
PAUL: So, multi-factor, and that can take a number of different forms.
BARRY: That can take a number of different forms. This is where the whole complexity and futuristic piece around passwordless starts to come in because you can have — you can be challenged in a number of different ways. You can be challenged by a push notification; accept and approve this access, right? Or you can be, to the other end of the spectrum, you can be challenged by a biometric prompt, right? Validate that this claim is correct, and so maybe you might use your facial recognition depending on what mobile device you’re using or you might use your fingerprint or whatever else based on that. So, that’s kind of going, if you like, from one end of theÖ
PAUL: That’s where the Minority Report stuff comes in.
BARRY: That’s kinda where the Minority Report stuff comes in. The reality is is that when I explain to people that you do know that your MFA piece is pretty much just — it’s the same ways you’d unlock your phone if your phone’s capable of a biometric fingerprint or facial recognition. They go oh, really? You go yeah, that’s how easy it is.
PAUL: I mean, that’s what’s really interesting, is that consumer demand and these amazing new products called smart phones that have emerged in the last fifteen years have put in everybody’s hands a very capable and strong security device that they can use. Yeah, what’s really interesting is many organizations still, yet, are not leveraging that to improve their own access security and I think we’re seeing that and the evidence of that in the news stories now about the Russian hacks on US government agencies, high security agencies, many of which [00:40:00] have relied on the theft and reuse of credentials to move laterally and not only within the government networks but also out to federated networks; Cloud-based applications and so on.
BARRY: Yeah. The way I look at multi-factor authentication or a second level of authentication; 2FA, MFA, whichever you want to call it, right, validating that that person is who they claim to be when they put in a password or use certain credentials is such a simple thing to do in terms of present that challenge to them. If they accept it and they validate that they are who they claim to be, well, then they’re in. You have a significantly higher level of confidence that that is Barry McMahon who is entering the network. But we continuously see that in the Verizon’s data breach report that more than 80% of data breaches are aligned to poor password hygiene, et cetera, right?
Bad actors will get in if they really, really, really want to get in. They have a lot of resources and we’ve seen that in the recent press, right? They’re gonna get in. How do you slow them down? How do you make sure that they start setting off alarm bells when they get in there? If somebody can get into your network, isn’t it better that you have a way — and they can get access to credentials and stuff like that — isn’t it better that you also have MFA set up, that when they pretend to be me moving around your network that they get challenged for an MFA that they can’t meet and then I get a notification that I didn’t request and I report that to IT?
PAUL: Yeah, and I think your report — I mean, the top concerns that your respondents identified were password reuse, leaked passwords, and weak passwords, right? So, all three of those very solvable problems, ultimately.
BARRY: Hugely solvable problems, as long as the end user has the right tools at their disposal. You mentioned some of the frustrations that IT have with passwords and you also mentioned earlier about the — managing passwords now for five hours a week and resetting credentials five hours a week; IT — the funny thing about this is that the frustrations, while they’re different from IT to employees, they’re actually based on the exact same thing which is the password; IT frustrations around password reuse, password weakness, and then by association, the leaking of company data. Then employees are just as annoyed and frustrated with having to change passwords regularly, with remembering multiple passwords, and trying to remember long, complex passwords which, let’s be honest, without the right tools at their disposal, end up on the Post-it note under the keyboard or stuck on the screen, right?
PAUL: Sure. Let’s look into the crystal ball; where do we end up, Barry, five or ten years from now? Do we get to a place where we really aren’t dealing with alphanumeric passwords anymore or is it really just a matter of greater adoption of, as you’ve laid it out, a variety of technologies that each kind of lifts the bar a little bit?
BARRY: Paul, if I told you that and it came true, well then, you’d be a richer man than me ëcause you’d remember that I’d said it. So, what’s in the immediate future? Well, of the people we surveyed, right, 92% believe that passwordless authentication is in their organization’s future and I use future when I refer to comments, right? 85% say passwords are not going away completely and 85% believe there would be a combination of passwordless and password management in the future. So, that’s kinda like saying well, yeah, we’re gonna keep passwords and we’re gonna move to passwordless. It kind of is the truth; passwords are so ingrained in everything that we do right now because it’s such a common practice everywhere in the world. Nearly every website you go onto, if you want to register, what’s the two things they’re gonna ask you for? A username and a password. So, it’s this universal language of registration.
It’s this universal language of validate who you claim to be. That doesn’t mean to say that enterprises have to stay on that route, alright? So into the future, what are we seeing organizations setting themselves up for? How do you make sure that whoever’s accessing is doing it in the right manner? So, that’s managing the passwords. You then evolve to removing the passwords for all the same reasons that I said in the past. There will be passwordless in the future but there’s also gonna be some tech debt there that organizations are — will have deployed that just won’t be able to go passwordless in whatever shape or form that really takes. [MUSIC] Everybody was supposed to go to the Cloud by now, right? There’s organizations that just — [00:45:00] it doesn’t make sense for them to go to the Cloud based on previous investments, applications they have just won’t run on the Cloud, things just don’t perform the way they expect them to perform on the Cloud, et cetera, et cetera, et cetera.
So, looking down the line ten to fifteen years’ time, I think on one hand you’re gonna see a lot more passwords from the consumer side of things. From the enterprise side of things, I think you’re gonna see a lot less passwords but I think the passwords that you will see will be extremely valuable and will need to be protected really well. How are the enterprises gonna get there? There’s two ways they’re gonna get there; one is by focus on the end user and user experience, and two is by awareness and security surrounding it. You can’t throw stuff over the wall anymore and hope that people are gonna use it.
PAUL: Barry McMahon of LogMeIn and LastPass, thank you so much for coming on and speaking to us on The Security Ledger Podcast.
BARRY: A pleasure, Paul. Can’t wait ëtil we catch up again.
PAUL: Barry McMahon is a senior global product marketing manager at LastPass and LogMeIn. He was here talking to us about research LastPass has done on password use and organizations.
[END OF RECORDING]
Transcription by Leah Transcribes (www.leahtranscribes.com)
(*) Disclosure: This podcast was sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Editor’s note: an earlier version of this blog post misspelled Mr. Ben’s name. The article has been corrected. PFR 1/8/2021