Why connected cybersecurity?Connected cybersecurity provides a context-aware security profile for an identity and assets to determine if the requested access and behavior is legitimate or potentially malicious. It takes into consideration the trusted persistent history of an asset to determine if the user has ever engaged in access with the device versus potentially a new device, or attempted access by a threat actor. For the former, a user may be challenged with multi-factor authentication to secure the asset and user – and even be prompted with a security question to “remember me” and suppress future challenge and responses. This is key for connected cybersecurity. Enough information has been positively provided to trust that a user will access resources using a specific asset even when gaps exist in connectivity. If we add additional context-aware information from IP range, location, user behavior analysis, etc. we can determine if a trusted device should have access even if prior security models have been satisfied. This helps manages risk from device theft, asset hijacking and more. So, what if I want to go off the grid and consider a “Do Not Disturb” paradigm for a longer period of time? What are the risks?
Risks of “Do Not Disturb” for an extended period of timeTeam members go offline and invoke a do not disturb model all the time. Some team members are nine-to-fivers – others are connected 24/7/365. The 24/7/365 user behavior is expected of many professionals – and we all can relate to those who behave this way. However, some team members go off the grid for vacations, marriage, children, health, and a variety of other reasons. The duration they go offline is key to managing a connected state of cybersecurity as well. For example, if there will be periodic check-ins during their absence – that activity could potentially trip threat models. User behavior will be different per individual and career responsibility. How many executives are truly offline fulltime during a vacation? I think you see my point. They are always connected and there is a state of security for them even when their email out of office reply states they will not be responding to any correspondence until a certain date. The out of office automated email reply in itself changes the state of connected cybersecurity just by raising awareness that all access will potentially be remote versus in the office.
Understanding the risks of connected cybersecurityThe first step in understanding the risks are to distinguish between the user and asset. The number and type of assets accessing secure corporate resources should always be known, quantifiable, and managed. Devices that have not been used (like old phones) should be aged out and the number of potential browsers (computers) used for remote access limited by quantity, location, operating system, etc. The more devices, inconsistent or insecure locations, older operating systems, etc. will increase the risk. This can be managed by a good asset inventory solution and vulnerability management program. For the user, the more privileges they have remotely, lack of multi-factor authentication, poor entitlement management, and inconsistent access will also impact behavioral risk. This can be managed by a privileged access management (PAM) solution and identity and access management (IAM) process. The trick is managing both of these metrics on a single platform or location to influence future adaptive response. More on that in a moment. The next piece of the puzzle is procedural. How do you manage requests for extended leaves of absence, but accommodate potentially periodic and intermittent access? The best methodology is first raising awareness that the individual is going offline. That is something missing from the vast majority of organizations today. When an individual is slated for a temporary leave of absence, human resource requests should be tied to information technology and cybersecurity. On-premise devices should be disabled or at least require multi-factor authentication (MFA) for any attempted access (i.e. if the user shows up physically at work). Mobile devices should be restricted to only allow for pre-existing trusted devices and not accept any new access. The state of “do not disturb” takes on an entirely different level since there should be no (or minimal) access, and the connected state of cybersecurity should be static and not have any variations. This is typically handled by entitlements with IAM solutions for standard users and extended to PAM solutions for privileged access. Any new attempts or access during an employee’s absence could potentially be an indicator of compromise. This is much like access in the middle of the night contrary to my normal user behavior of sleeping – just for an extended period of time.
Putting connected cybersecurity togetherSo how do you pull all of this connected cybersecurity together? A comprehensive PAM platform and integration with IAM and other cybersecurity solutions from vulnerability management to asset inventory. If your privileged access solution is context-aware for location and vulnerabilities, your asset inventory helps control VPN and trusted devices, and your IAM methodology controls entitlements by role, device, and user – you are pretty close to a complete solution for knowing the state of cybersecurity for any connected device and user. Linking and integrating the process and solutions together, therefore, makes an effectively connected security model. This is true even if the device or user is dormant for any period of time. It allows changes in user behavior, changes in access, and changes in your trusted computing model. If you are looking for a privileged access management (PAM) or vulnerability management (VM) solution, BeyondTrust can help. We provide a single, unified interface for both that can share data and help you realize the benefits of integrated data and shared communications to define connected cybersecurity.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.