Interview with Anthony Juliano
RevealSecurity caught up with Anthony Juliano, a veteran of IT operations and technology innovation, for a deep dive into an area of growing interest: insider risk. Currently CTO and General Partner at Landmark Ventures in New York City, Anthony meets regularly with leading CISOs, CIOs, CTOs, and CEOs in North America and Europe to learn from their experiences while bringing them a wealth of knowledge and expertise accumulated over years of immersion in IT operations and cybersecurity. He has helped major enterprises in banking, insurance, manufacturing, legal, and other industries establish and operate successful and innovative cybersecurity programs.
What is insider risk?
Anthony believes in a broad definition of insider risk. Going beyond the standard, “employees who do something outside the security controls and policies of employers,” he expands the definition to include “any threat from the inside, including outsiders who are now inside by any means.” That would include contractors, suppliers, customers, and even attackers who obtain and use credentials—whether legitimately, by coercion or by force — to gain access to the organization’s data, facilities, or processes.
Anthony noticed a trend toward dispersed and remote workforces even before COVID-19 struck and acknowledges that CISOs were concerned with the posed risk of insider threat as a result. While the pandemic certainly accelerated the process, organizations were already thinking about how to dissolve the perimeter and maintain security while embracing remote employees and third-party suppliers. Anthony piercingly asks, “We certainly do background checks, but how can you know for sure that you didn’t just hire a contractor or employee who poses a threat even as you hand him the keys to your kingdom—your trusted credentials?”
Not the same as Identity Access Management
The moment somebody is in the environment, Anthony declares, “They’re an insider.” It doesn’t matter how they got there. Identity is a critical security component, but it is not synonymous with insider threat; it is adjacent to it. For example, if a company is doing identity perfectly, i.e., protecting credentials, let’s say, with multi-factor authentication (MFA), that’s certainly impactful, but it’s not fail-safe. A smart hacker could threaten the organization via phishing using a person-in-the-middle technique to obtain a one-time password whereupon they become an insider who is as trusted as any employee.
Anthony, therefore, makes a distinction between identity and insider risk. “Identity is about establishing trust, while insider risk is what happens when the trust chain is broken. That trust chain might be someone to whom you have willingly given credentials or a trusted employee who has shared credentials or, worse, an impersonator who has stolen credentials.”
Because of the ease and speed at which information—including vital and sensitive data —is now distributed, insider risk is elevated to a top-agenda cybersecurity focus. The very people charged with cybersecurity often don’t know how to stay ahead of rapidly evolving threats. Anthony notes, “The checkbox approach of the past: endpoint security, check; network security, check; DLP, check; IAM, check; etc.—is no longer sufficient.” Insider risk needs its own high-priority program.
Isn’t UEBA supposed to do that?
There has been a heavy investment, especially by large organizations, in UEBA. To date, the results have been far from spectacular. Many security teams complain about multi-year investments in licenses, resources, and precious time – only to still deal with a crush of false positive alerts. In order not to waste time on wild-goose chases, they make a very heavy ongoing investment in fine-tuning UEBA to increase its accuracy – potentially even overtuning to create false negatives.
Anthony reminds us: “The definition of insanity is doing the same thing over again and expecting a different outcome. For a lot of organizations, UEBA is not delivering results and more investment isn’t going to change that.” However, there is a natural reticence to give up on a solution, that the security team has spent years fine-tuning. Therefore, UEBA may well continue to be a money pit for years to come.
But organizations need to quantify their UEBA investment beyond license costs to know the full TCO and opportunity cost that they’re exhausting – how much analyst time, the tradeoff cost of alerts fatigue, etc. Is this spend justified? Is it delivering effective outcomes? Is it missing important incidents?
Those are the questions every organization must ask about the contribution of UEBA to cybersecurity. But the assessment of the current UEBA program is not indicative of the investment that will be necessary in the future. Does it make sense to look at UEBA as a categorical item in the budget? How can you measure improvement? Should it be validated by an additional solution?
“The UEBA investment is not about a sunk cost. It’s a step in the process,” states the expert. “You made an investment in UEBA – and it yielded valuable training, muscle memory for identifying insider risk. You aren’t abandoning it if you don’t renew a license, but it might be time to take the next step to evolve insider risk programs.”
How does RevealSecurity fit in?
Anthony has worked extensively with big financial and insurance institutions. Because of the volume and criticality of the data they routinely handle, these companies are compelled to make profound investments in dealing with insider risk. They are able to invest in expensive data scientists and machine learning experts to continue to fine-tune their expensive UEBA, making it incrementally more effective over time. “But these large institutions are not sure if they are getting enough ‘bang for the buck’ from their UEBA,” declares Anthony. “For them, the heavy investment is absolutely financially justifiable – their customer data, transaction engines, financial backbone applications are their revenue engines and must be protected at all costs.” Their question is: Will UEBA provide adequate protection? And more importantly, is there a simpler, yet highly effective, solution without all the expense and overhead?
RevealSecurity’s unique User Journey Analytics (UJA) solution sits at the intersection of these two questions. The non-intrusive, low-overhead, rapid, and effective UJA solution quickly quantifies the effectiveness of UEBA-based insider risk programs. Anthony concludes, “Knowing that they can get the best of both worlds – the benefits of AI, but without having to hire a legion of data scientists to make sense of application logs – that’s the appropriate evolution of insider risk defenses and people should take heed.”
How would a CISO get started with RevealSecurity?
Knowing that RevealSecurity doesn’t require a lot of time and energy to validate investment in UEBA, CISOs can try it out quickly and without much hassle. “It’s really about seeing it in action,” Anthony reasons. “Any organization can get started easily. Choose an application that is important. It can be home-grown or SaaS like Office 365 or Salesforce, or your HR or ERP system – really whatever concerns you most. Pick the application, let RevealSecurity analyze the logs, make an informed decision on whether the value is there.”
Anthony concludes, “Because RevealSecurity scales so easily, you can then direct it to examine another application or even apply it across the entire application estate.”