Hello. This is Kevin Donahue with Protiviti. Welcome to a new edition of Powerful Insights and our series on cyber security awareness. Protiviti has a series of webinars on cyber security awareness that, along with these accompanying podcasts, are intended to highlight ways organizations can be proactive in addressing these critical security challenges. We explore how leaders can dynamically build cyber resilience while maximizing value. In this series, I’m happy to be talking to our cyber security leaders who are speaking on our webinars and are in the market working with organizations addressing these challenges. You can find more information and listen to our webinars on-demand at protiviti.com/security. With that, I’m happy to introduce my two guests today, Eli Hajjar and Ryan James. Eli is a Senior Manager with our Security and Privacy group. He’s based in Houston, while Ryan is a Manager with our Security and Privacy practice. Ryan is based in Washington, D.C. Eli, thanks for joining me.

I’m glad to be here.

Ryan, thanks for jumping on. Great to talk with you today.

My pleasure. I’m glad to be here.

Let me ask each of you kind of our kickoff question here. Eli, I’ll have you respond first. How would your parents describe what you do for a living?

You know, I may have to give them a call and ask this question directly but the way that I have tried to explain it to them is that Identity & Access Management is really about us helping our customers control who has access to their systems, so giving the right people the right access at the right time from the right location, and not the inverse, and then within privileged as a subset, the only thing I’ve tried to explain is that privileged access is just that really high-risk stuff, and so there’s more emphasis around controlling that.

That sounds good. Ryan, how about you?

Yes. I think it’s probably going to be a mix bag of things. My parents have followed me along my career and they probably say, “Oh, he does development. He does cyber security. He does IT.” Each one of those things is a mouthful if you’re in those specific industries, but yes, I mean that’s probably how they would describe it somewhere around cyber security and infrastructure support.

Thank you. Let’s dive into our topic here. Eli, you mentioned you’re focused on Identity & Access Management or Privileged Access Management. Why is this field so important?

The Privileged Access Management is really a huge subcomponent of the identity world because, frankly, it is what attackers care about. So, if you are some sort of malicious attacker, the way to exfiltrate data, cause a breach, et cetera, is getting access to privileged credentials. It is a field that all of the leading research firms like Gartner, call PAM, a top security project - there’s a bunch of these data breach investigations reports that call out upwards of three quarters of breaches involve the compromise of a privileged credential. So, frankly, it’s just top-of-mind for information security professionals, for auditors, for organizations, that’s regulatory and compliance requirements. And so really, what it boils down to is that’s what the bad guys want, and so we have to take steps to try to protect it against that.

That’s amazing, Eli. So you’re saying that of all the cyber security concerns out there, that most of these end up being a result of an identity and access management issue?

Yes. And then one way or another, a privileged access issue. It’s possible that somebody breaches an organization’s network by just getting an end user with a phishing campaign, for example. But for them to be able to get from that initial breach location to really what they want to do, they’re likely going to need to compromise a privileged credential that provides them access that is sufficiently high-risk to the organization, for them to go and either grab the data they need, or take down a key system or something, so that’s really what makes PAM, Privileged Access Management, so important.

Ryan, what do you see as some of the most common myths in this whole field?

One of the biggest myths that I come across time and time again, and this is always at some level, regardless of the scope of the project, is that there seems to be some confusion or some myths around what privileged access really is. I think when I’ve had discussions with customers in the past, it seems like their understanding of what privileged access or privileged account is really just limited to those traditional administrator accounts on servers or databases. That just isn’t the case, especially nowadays. Privileged access goes far beyond, in my opinion, than just those traditional infrastructure accounts you use to support, like a server or an application or a database. It’s really any account that has some level of risk that can be associated with the access that account is given. Typically, when I’m speaking to customers, I try to highlight that. You may have your original, traditional understanding of what privileged account is, but let’s revisit that conversation. Let’s put that aside for a second and let’s go take a look at what’s important to you as an organization. Where is the risk? Let’s have that conversation, and then let’s go back and look at what you originally thought were privileged accounts. How does that now change your thinking? Nine times out of 10 it changes their thinking about privileged access, which translates back to privileged account management in the scope of privileged accounts and their environment.

I think that’s a really good point. The common example is that today, it may not only be about operational risk or financial risk but also reputational risk for an organization. For example, I think now we start to see a lot more customers using a lot of those same PAM controls for accounts, like the organization’s social media. What kind of reputational risk would it pose to the organization if somebody were to compromise the official Twitter or LinkedIn or Facebook page of the company? So while maybe, like Ryan said, historically, the thought was, this is all about the infrastructure stuff that IT manages, really the scope is much broader. It needs to be risk-based, and can kind of cover the span of operational, financial, and reputational risk. And so, things like social media and other areas that may not as historically been considered privileged, are really getting more eyes on them today.

Yes. That makes complete sense. Eli, maybe it’s what you just described maybe it’s something else, but what do you see as the biggest challenge facing your clients right now?

I think it is related to that that prior discussion, but it’s really - what we see a lot is, how do I know what to go after, how do I know what to do next? A common pattern that we see with customers today is “we had an audit finding or we have a particular concern or issue around compliance, and so we decided we needed to do something around privileged access. And so, we bought a tool, we started to protect the credentials of some of those key infrastructure platforms, the stuff that IT or information security owns, and I was just sitting there. What do we do next?” A lot of what we try to help our customers with is helping to define that risk-based approach to PAM as a program and not just a standalone project. The idea there really is that – you know, frankly, PAM controls can be expensive. And so, across the board, we advocate that organizations take a pretty risk-based approach to figure out, okay, maybe it does start with the key IT infrastructure, but then when we need to get into the application landscape, how do we prioritize what applications to go after and try to protect, and as we identify the accounts that need protection, how do we know what controls we need to apply to various accounts based on risk, so that we don’t either over-control everything, meaning we probably spend a lot of money and we negatively impacted the user experience, but we also don’t under-control everything, meaning that we haven’t adequately reduced risk. And so, taking that risk-based approach to PAM really becomes key, and it’s something that I think we see a lot of customers still trying to get their heads around today.

And Ryan, Eli’s response to that is a good segue to my next question for you. Again, maybe it touches on some of those issues, but what’s the one question you’re asked most often by companies interested or wanting to know more about PAM, and of course, how do you answer it?

Yes, so really quite frankly, I’m mostly technical. The most common question really is, “How do we get started?” The short and dirty answer to that - I often tell customers is, “You need to get it handled in the scope of privileged access.” That would be the first part. So if they’re coming into this field brand new, what do we need to do to begin protecting privileged accounts, it’s we need to understand what is the scope of privileged accounts, and that kind of ties in, I think, pretty closely to what Eli was talking about, and what I was talking about earlier is understanding, “Okay. Well, where is our risk?” and “What are the accounts that are used to access that information that might have risk around regulation, sensitive information, branding, reputation?” That’s really the big question. Where do we get started, and my answer is almost always, “You got to get it handled in the scope of privileged access in your environment.”

I have a quick question for one or both of you. Where does the multifactor authentication come into play here? Is this a helpful tool when it comes to privileged access management or is it something completely separate?

I’ll take a stab, and then Ryan obviously can feel free and add on as well, but the concept of multifactor authentication comes into play a lot with PAM because these accounts that we’re looking to protect are the ones that pose the most elevated risk to an organization. At its core, what PAM solutions do is they protect the passwords or the secrets of privileged accounts. What that means is, rather than me knowing the password of such and such account, what I need to do to perform some administrative function, I have to go to this PAM solution and check out the credential, use it, and then check it back in. And when I check it back in, the PAM solution will actually handle rotating that password, and so that way, should it ever become compromised, it’s not going to be valid very long. Those PAM solutions can apply policies to rotate after each use, or every day, or whatever the case may be. Beyond that, what we’d like to see is that people put multifactor authentication in front of any privileged activity, including somebody going to the PAM solution to check out a credential, and so that way you’ll always know if I, Eli, need to go and grab the account to go do such and such admin task, I not only have a user name and password to log into that portal, but I’m also being prompted to use a second factor. That way, there’s an added element of security there before I’m able to even to get to any privileged account.

Yes, absolutely. I think the key part there is having an additional factor or additional challenge really when you’re trying to get access to a privileged credential. So we’re not talking about being challenged upfront when you’re logging into your workstation or your network, we’re talking about an additional challenge that’s going to be required to be completed in order to get access to a privileged account. That I think is super important when we’re talking about privileged account access, and multifactor is key in that role.

That’s a great point and great insight. Thank you. It’s been a pleasure speaking with both of you today. I want to mention that you out there can listen to our webinars on-demand on this topic and find other content from Protiviti related to these and other security issues at protiviti.com/security. One final question here, Eli, and Ryan you could chime in on this one too. With respect to privileged access management, and maybe some developments, what you see maybe coming over the next five, 10 years or more, what are you most curious about right now?

For me, it actually fairly aligns to what we talked about in our webinar a couple of weeks back. PAM solutions can provide a lot of really nice controls, a lot of really nice enhanced security around protecting these accounts, but in a lot of cases, the fact is, organizations are changing their posture, from a stance of, “We have to keep the bad guys out,” to a stance of, “They’re going to get in at some point, and so we need to be able to take better action when that happens. What that’s meaning in the PAM space is that some of the more reactive controls - for example, monitoring for something anomalous happening and then having a human look into it and make some determination on whether it was appropriate or not, escalating through some sort of incident response plan manually, in some cases that’s not really going to meet the needs anymore. There’s a lot of studies out there showing the average time to identify a breach is over a couple of months, two and a half or three months, while the time to be able to exfiltrate data from a breach is within a number of hours. So, what’s interesting to me, and what I think you’re going to see a lot more of is organizations deploying some of the automated response techniques where by defining the right use cases to look at as something anomalous happens, you have the technology in place to automatically take action without requiring human intervention. One of the examples we gave in the webinar is if somebody creates a new privileged account outside of the scope of the PAM solution, the PAM solution can then detect that and automatically vault that account and rotate its password so that whoever was doing that, even if it ends up being a justified action, we’ve now taken it into the management of the PAM tool, we’ve minimized that risk automatically, and the person can come back behind the scenes and go through the right checks and balances to get what they needed, but if it were in a various action you now in real time killed the ability for somebody to be able to do something with that new account. Those automated response and remediation techniques I think are ones that over the past couple of years some of the out-of-the-box technology capabilities were still catching up but I think that stuff is now here and ready so I think the next couple of years we’ll really start to show a lot more use of that automation, which I think is great.

Just to add to that really it is this concept moving toward a credentials environment so removing this dependency on this thing we call the password and really that’s kind of the root of what we’re talking about here. We’re talking about privileged account management. One of the core things we’re talking about is protecting and managing that password, and my big question is “What’s that next big hurdle to move us toward environments, move us to an operating model where infrastructure teams, administrators no longer need to have a user name and password in order to do their work?” We can shift that burden to technology rather than having a person being the sole responsibility for protecting and changing that password. We do see that happening. I do see that happening especially with the tools like CyberArk that we’ve mentioned before and other tools but what’s that next big leap because there’s still this huge dependency, this elephant in a room we’re calling the password, and it’s not really going to solve this problem until we get to a point we’re not so dependent on having a password in order to get into the system. We’re going to move away from that and shift that burden to something that can do that much better, and in addition to some of the automated remediation or automated steps to mitigate an ongoing attack that Eli was mentioning earlier.

There you have it. We can soon have a world without passwords, which I think would be great for all of us if that could actually happen. Hey, Eli and Ryan, thanks for joining me today. A great discussion and I appreciate your insights.

Thanks for having us.

My pleasure. Thank you.