Beyond Identity and Access Management: Stop Insider Threats

James Azar from @TheHackerNews is hosting Adam Koblentz, Field CTO of @revealsecurity, to discuss insider threats.
Defending against insider threats, whether they arise from malicious insiders or result from negligent users, remains a high priority for security professionals. The unfortunate reality? Many organizations are alarmingly unaware of how their applications are being used. Often, they do little to monitor trusted identities once authentication and access have been granted. No follow-ups, no check-ins — just blind trust. You can’t stop what you can’t see.
Proactive monitoring of user journeys both within and across applications is crucial for the early detection of misuse or abuse of trusted identities. This early detection is essential to mitigate threats and prevent consequences, such as data leakage and theft.
Dive deep into the world of advanced security tactics in this insightful webinar.
Transcript
00:01
What's happening, security pros? Welcome to another Hacker News webinar. James Azar here. I've got my good friend Adam Koblentz, right? Did I say it right, Adam? Did I say it? You got it, bud. You know, I'm trying with last names. It's very, very difficult, right? Because, you know, like, last names,
00:17
no one wants to destroy them. Welcome, everyone, to a Hacker News webinar series. Our friends from Reveal Security are joining us today, and I'm happy to say, for all of y'all: no PowerPoints. None. Isn't that amazing? Like, finally you get to hear an honest, fun conversation.
00:31
We're going to be talking about insider threats and application detection and response. We're going to give everyone just a few more seconds and minutes to get into the room. Adam, how's it going today? Are you ready to knock the socks off of our awesome audience? I hope everyone, more sock
00:47
holders, keeps them on. Yeah, I mean, it is December, right? People have got socks up for Christmas, if they celebrate Christmas, or, you know, Hanukkah, Kwanzaa, whatever your holiday of choice is. You know, you've got some sort of sock for it, right? Especially, maybe you've got
01:05
your onesie on, maybe, or an ugly sweater. If you have an ugly sweater on, please comment. We'd love to see it, right? We'd love to know that you're wearing an ugly sweater. I may tell you to go to my LinkedIn page and just drop a little picture there with your ugly sweater. Maybe we'll do a collage of ugly
01:26
sweaters during the webinars. But welcome, everyone, to another Hacker News webinar series. We're going to go ahead and get started, because we know your time is valuable, and so we want to make sure you don't hear us just randomly banter. My name's James Azar. I'm the CISO and
01:39
moderator for this webinar on behalf of the awesome team behind your favorite website, The Hacker News. We're very excited for today's webinar, but just a few housecleaning items before I introduce Adam officially and we kind of kick off our webinar today. One, we see your comments, we see your questions. Ask,
01:54
comment away. We love it, we thrive off of it during the webinar. As many of you know, I love seeing your comments. I often crack up laughing in the background and I have to mute myself, because you are a funny bunch. So with that being said, Adam Koblentz, he's the Field CTO over at
02:11
Reveal Security. Today we're talking about insider threat in application detection and response. Adam, welcome to The Hacker News webinar series. It's great to have you with us. Thanks, James. It's awesome to be here, and, you know, I've seen so many of your webinars in the past. I'm happy to be here today
02:28
and be here with you live. Yeah, I'm happy that you're here too, because we're talking about a topic that I'm really, really, really passionate about. I think a lot of people here know how much I, you know, application detection and response really is a big
02:42
deal, as well as insider threats. We obviously know there's malicious and non-malicious insider threats, right? We saw what happened at MGM. CrowdStrike talks about 80% of breaches involving credentials. These are unbelievable, unfathomable numbers. The idea of compromised credentials, that threat to
03:01
the business, again malicious, non-malicious, the limitations within specific systems of being able to contain the threats. And I don't know if it's part of the, you know, the lack of design or lack of really critical thinking of addressing these threats. But Adam, we're seeing so many recent
03:18
breaches that are really kind of highlighting the abuse of trusted identities as one of the main, if not the top, attack vector. What are you guys seeing, and how's this amplifying risk, both the insider and external threats, to the organization? It's a great question. You
03:39
think about the risks to an organization. Just personally, myself, I've gotten so many emails that my email was included in some breach. We all get these emails. We know that now we are targets. You know, how many password reset emails have I gotten from various, you
03:59
know, just non-business accounts, right? The abuse and misuse of trusted identities is such a key vector now, because the identity providers are no longer necessarily on site either. If you're thinking about, you know, in the MGM case you brought up, if I'm managing my identity through Okta, I
04:23
don't control the infrastructure around Okta. Now someone can come in, you know, using creds, cred stuffing, bypassing MFA, and I have no idea that it's not James. It's impossible to know right now. Yeah, I mean, you're bringing up the scenario of, and it's twofold,
04:45
right? Here's the risk. The risk here is twofold. You talked about Okta, right? Someone just dropped some balloons on me. They do gestures, I do this, yeah. That's awesome, I love that. I mean, you know, I did celebrate a birthday recently, but I wasn't sure we were going to do it on the webinar. Just
05:11
so random. But we, you are talking about, I think, something that's really, really important, right, which is, one, your identity is not controlled internally. You're relying on a third party. That third party is now a target to all external actors. We've seen it, right? Is,
05:30
you know, Okta's the market leader in identity management. There's no doubt that Okta has a great product that many of us use, and I'm an Okta customer, right? Like, but they're also a target, and they've got a supply chain, and they've got to manage their, they're blind to
05:45
their supply chain, like you and I are blind to them. We don't manage Okta. So I absolutely, you know, I absolutely agree, and it kind of takes us, you know, you see these breaches. You look at Okta, you look at ServiceNow, you look at all those, and it
06:00
really does become, you know, a big challenge. You know, thinking about that, you know, Adam, our audience is obviously here commenting a whole lot about this. I think this topic does relate to a whole lot of people. You know, what should we really be concerned with here? Is it
06:18
malicious insiders as super admins, or should we look at impersonations of privileged access, where, you know, one account leads to the elevation of another, to elevation of another account? That's a great question. I mean, I would say that, unfortunately, due to the fact that we're now talking about
06:42
how identities are using applications, as opposed to people in seats in a building, it's hard to know whether someone's a malicious insider or there's been an account takeover. And I think if you think about, you know, your experience as a CISO, you know, how many truly bad insiders did you
07:04
find versus your external attackers, right? It's probably 100 to one, a thousand to one. Yeah, I mean, malicious insiders, I don't want to say they're rare, right, because we don't always, the thing about a malicious insider is, you brought up something a few minutes ago that
07:26
nailed it on the head. You said, I'm constantly getting emails that tell me I have been part of this breach and that breach, right? So you and I are under the assumption that when someone's credentials are compromised, it's likely they fell for a phishing attack and didn't necessarily sell it,
07:43
unless all of a sudden they're in Venezuela or Bolivia, right? Then all of a sudden you go, what happened to the employee? No notice, and now they're in Venezuela. Okay, I think we know where this originated. Yeah, well, that's a good point. I mean, when we're really talking about
08:02
whether the internal or the external is really the bigger concern, one of the things we have to think about is we've already spent a lot of time as an industry trying to create prevention controls around these privileged insiders. You have things like PAM, for example, but we haven't really gotten
08:22
to the point where we have that for SaaS and other externally hosted cloud apps. So now something like Reveal Security comes in as more of a detection, mitigation, or compensating control in a lack of prevention, because now we can look at and see, is this actually
08:41
James, or did James, you know, fall for the DHL scam or something in his text message? And that's where we're starting to find the ability to differentiate between an insider and an account takeover. Yeah, I mean, PAM is so hard to implement. It's harder to manage, right? I
09:03
mean, people bring up PAM to me. PAM's almost a buzzword. As a CISO, it's something I want, but very few applications have a glove fit to PAM. Very few. It's a costly implementation, right? So from a budgeting perspective, you're weighing, what am I going to use PAM on? All right, am I going
09:24
to use it in AWS? Yeah, I'm probably going to use it there. But then all of a sudden the implementation goes sideways. PAM doesn't always work correctly. There are, you know, circumstances where PAM is slowing down development and pushing through specific things to production.
09:42
That's causing issues, and you've got to rethink the way you've implemented it. You've got to rethink that deployment. PAM is a theory and a product that still hasn't adjusted to the business. Oh, sure, absolutely. You know, PAM's great if you're only worrying
10:06
about admins on Linux or something, right? It's not, if you're doing it on-prem, right? Exactly. If you've got some sort of internal application on-prem where you can have that type of control and that type of telemetry, that's great. But when you're talking about third parties, right, PAM
10:26
becomes a bit more complex. And I think that's part of the reason why we see so much success around hijacking super admin accounts and admin accounts, because technically those accounts should never exist with a person. They should always be behind PAM with one-time passwords and limited
10:47
availability. Should be. I mean, the reality is that, you know, even before COVID we were already starting to shift to a more distributed workforce. You know, SaaS adoption was always increasing, which made, you know, more legacy controls like PAM less possible. Even back when I was in the
11:13
EDR space, almost a decade ago, we were starting to say that, you know, the endpoint's the perimeter now, right? And now maybe the identity is the perimeter, because now you're not even controlling the endpoints necessarily. Yeah, I mean, when you don't control the endpoint, right, and this
11:33
brings up a great question from our audience. Let's go in. I think this might be the earliest I've ever brought in an audience question, but I see a lot of comments and contribution here, so let's pick on Roger for this one. Why are we seeing more attacks related to
11:51
identities? You know, that's a great question, and I think a lot of it is tied to, again, the, I saw some stat, it was like the average company has over a hundred SaaS apps for every, you know, 100 employees or something, after a certain point. So like the average company that has, you
12:15
know, 10,000 employees, they have over a thousand SaaS apps, whether they know about them or not. So they have SaaS permissions issues, they're overprivileged, SaaS posture management, the whole space. And then on top of that, from my time back in a more threat actor focused space, MFA bypass used to
12:36
be something that only, like, nation states would do, and now it's trivial, where you don't have to be one of the top crime rings. You don't have to be an, you're not being tracked by Mandiant and CrowdStrike, to do MFA bypass. The right vishing or phishing, you know, call the right help desk
12:56
person, and all of a sudden people who previously would have been relegated to the lower levels of eCrime are now suddenly able to do these things, because we've expanded the perimeter of where our precious information and identity provisioning is actually being
13:15
handled. Yeah, I mean, you bring up something I think where we might need to drill a little bit more on it, because I think, you know, SaaS, as an example, is a huge factor, right? And most SaaS today is managed in one of three ways, I believe, right? Direct sign-in, SSO, or some sort of token,
13:42
right? But then most businesses today, critical operations and data isn't sitting anywhere but your SaaS application. If you're on Salesforce, guess what Salesforce is, folks? It's SaaS. What's in Salesforce? What's in your ERP system? Most ERP systems today are encouraging people to move to
14:02
SaaS, right? They're saying, hey, you don't need to install one of our servers in your office, just use our cloud product. It doesn't matter where your people are, right? So what kind of obstacles do you see, as Field CTO at Reveal, with customers that are trying to do secure SaaS adoption? Yeah,
14:22
that's, man, you know, we were talking with an insurance company where they're being pushed by their claim software provider to put everything in SaaS as well. That's my data, that's your data. That's not necessarily just their IP, it's our PII. I think that one of the biggest challenges,
14:43
especially on the SaaS side, is every different SaaS vendor has their own version of a shared responsibility model. They all have different knobs you can turn and different knobs they'll turn for you, on both access control, permissions, audit logs, detection capabilities. If you're using something
15:07
like Salesforce, one of their best practices is to turn on the audit logging, which they do charge you more for, and that implies that you're going to do something with it. I don't know what you would do with it, you know, without something like Reveal Security, because, you know, we're
15:26
cybersecurity experts. We're not experts in every different line of business. We don't know how to write known good, known bad from a process perspective. I don't know what salespeople do. Yeah, I mean, and I think, by the way, I think that's one of the disconnects that
15:41
cybersecurity has, right? Yeah, in general, is sometimes we're very, very disconnected from the business, and that leads to creating opportunities for our adversaries to gain access to environments that otherwise they wouldn't, right? And this will go back
16:00
to my example of PAM earlier. Not only is it hard to implement, but if you don't understand how privileged users need to have access to an environment, and what they can or can't do, what they can push or can't push, and can you restrict that, and if you restrict it, how well is it,
16:16
right? Can you restrict it to the point where you're actually mitigating risk, or are you adding an annoying step that does nothing but create smoke and mirrors around security? And if you do that, they're just not going to do it. But people will find a workaround. They always do, right? We have a term
16:33
for that. It used to be called shadow IT. Now we call it shadow process, right? Yeah, yeah, this term is trademarked. This term's trademarked, James, right? Shadow process, right? Yeah, but shadow process, Adam, is real, right? It's 100% real. So we actually have
16:54
an interesting question here from someone in the audience, and before we get to that question, though, I kind of want to really quick ask you an additional kind of follow-up to the SaaS question. Should SaaS providers be on the hook for having weak authentication and identity management
17:18
systems? I mean, they should. You know, the real issue is, if you go and you tell Okta, hey, you're responsible for this person getting in with these creds and being a super admin doing super admin things, I think they would rightfully say, look, they authenticated. Our job is to open and
17:43
close this gate. It's not to, so is Okta the right example? Let's talk about, for example, a SaaS, or Salesforce or HubSpot or any one of those, right? Could they be on the hook for potentially having weak authentication methods, for maybe not adopting a stricter approach to credential
18:05
management? I'd argue that the challenge is, I think that they could do more, but I think the real challenge is beyond the scope of any single application. Like, for example, if I, you know, authenticate using your credentials in Azure AD and then I use that token to then go
18:28
and do something in a tertiary application like Salesforce, Salesforce doesn't know that I'm impersonating you. Salesforce sees your token. You know, Azure AD doesn't know anything's necessarily wrong, because, you know, there's no rule saying, oh, James can only log in from
18:50
this time at this place. Given the distributed workforce now and COVID and everything else, you'd have to manage by exception, and it'd be an absolute mess. Some of our customers told us that before they started using Reveal Security they ended up with 40 if-else
19:04
conditions inside a bunch of their rules, because originally their rules were written when their workforce worked in the office, pre-COVID, and then suddenly all their rules were predicated upon no one being, you know, 9 to 5 in this location, that kind of thing. And suddenly it all
19:21
broke. And then I wouldn't even know what to ask a company like Salesforce, who has to know your processes in order to create what's a known good or a known bad. I mean, known bad, I think that everyone should be on the hook for, you know, having a prevention and
19:38
detection strategy and known bad for their applications. But the real challenge is there's nothing, there's no certain action that's wrong or bad in an application. If there was, they wouldn't have put it in. There has to be some legitimate use case for it, and I don't know how
19:55
they would necessarily know that it was being used legitimately. So a question from Anish is, what's the solution for this? What's the way to mitigate all the risks we've talked about in identities? So, you know, the real solution, I think, you know, 10-plus years
20:20
ago UEBA tried to solve this when it tried to identify behavioral baselines, but I think that we can all agree that over the last 10 years or so UEBA's, you know, categorically failed to make good on that promise. So what Reveal Security does is not look at individual
20:40
actions and then create a risk score based on individual actions. Reveal Security, we have a patent on a technology called user journey analytics. User journey analytics is really looking at what James does in applications and across applications, what did James's peers do
20:59
in those applications, and then really try to figure out what's typical in an environment and then alert on the anomalies. And because everything we're doing is post-authentication, you're only going to have a handful of options when you get, you know, an alert or an anomaly. It's going to be, oh, that
21:17
wasn't me, account takeover, James's creds were compromised. Okay, now we have an incident to go work. We know how to do that. We can go handle it. Oh, James was being lazy today and for convenience used a break-glass account he shouldn't be using. Shadow process, compliance
21:33
issues, that kind of thing. Or James got upset today, got a bad review, and decided that I'm just going to start selling company IP or something. And those are really it, because everything's authenticated, right? You're talking about post-authentication detection and response, AKA application
21:52
detection and response, something you and I have talked about as we were getting ready for this webinar, which I, you know, I see a lot of benefit to that, FYI. And I approach application detection and response, and everyone, I see some of the comments here, by the
22:13
way, from some of our audience: another acronym, right? Because we've got EDR and NDR and MDR and XDR, right? And then cloud security, cloud detection and response, right? And, you know, all of these, you know, I think we cybersecurity
22:33
professionals, like the government, love to come up with acronyms, of course, and multiple names for stuff. But application detection and response works at the application level rather than the network or endpoint level, and that's the key difference. Am I
22:50
kind of summarizing application detection and response correctly? Yeah, I mean, if you think about application detection and response, it's layer seven, layer eight, right? We're looking at the application layer itself, because when it comes to something like a SaaS application,
23:09
Salesforce, maybe you can do some of the NDR-type things based on the infrastructure components, but the reality is, as more and more of the applications have come out of the environment that the company owns, they're getting less and less visibility into the infrastructure, and less of it
23:27
matters. It's really the data and the actions taken inside of those applications. And it's also, you know, the idea that all of those other things are still rules-based. Either they create some single baseline, like, you know, how many emails you're going to send today, but, you know,
23:50
we're not looking at things like that. For example, we actually have a customer where we found a call center employee was selling his access, and the person, the crime group, actually, I don't know if he was selling it, he was leveraged in some capacity, and the crime group
24:05
basically told him, whenever you get a 2FA thing after you go home, forward it to us and we'll take it from there. You don't need to worry about anything. Thank you, right? And then, here's your money, or whatever it was. And we found the guy, because what they would do is they would
24:20
log in after he went home from the same geography. So it's not, you could use a rule for a geography or impossible travel type thing. They'd log in from the same geography, and then they would look at every email that he got that day and read them one by one, looking for customer financial information. The
24:36
reason that we were able to detect this is because no sane human being sits there and reads all of their email in one sitting sequentially like that, so it created an anomaly. No, they do not, right? But the challenge is, you know, when you look at these volumetric-type statistical
24:57
rules that all these other kinds of technologies have, it may trigger on, oh, James sent too many emails today, or whatever, and the question is, who's to say what's too many? You look at Salesforce. If I'm running, looking at a whole bunch of dashboards, is that recon, or is that a
25:15
sales professional managing a team that, it is the end of the quarter and has a bunch of dashboards open, auto-refresh?