New Privileged Attack Vectors Book: Q&A with Author Morey Haber

In IT security time, 2017 seems a far-removed era, especially since the global onset of coronavirus. Yes, cloud migration was well-underway and organizations widely acknowledged the challenges of a dissolving perimeter, yet, most employees (usually) worked within that perimeter. And, the notion of a pandemic, social distancing mandates, and a wholesale shift to working from home was not in anyone’s mind, business plans, or crisis management plans.

For technical teams, DevOps was in force and being implemented almost everywhere, though development teams were still highly skeptical or dismissive of DevOps security best practices. And blockchain seemed to be almost all anyone ever wanted to talk about. So, where did that end up? Now, it is scarcely a niche technology, and rarely intrudes upon conversations.

That’s the bygone era during which the first edition of the Privileged Attack Vectors book, authored by BeyondTrust CTO & CISO, Morey J. Haber, was first published. Today, we are announcing the release of the 2^nd edition of the Privileged Attack Vectors book. This completely revised and expanded second edition reflects the significantly changing world of Privileged Access Management (PAM).

Below, is a summary of what is covered in the latest edition of the book, followed by an insightful Q&A on the book, cybersecurity and PAM trends, and more with the author himself!

The Privileged Attack Vectors book covers:

• Definitions, fundamentals, and concepts, of privileged access, including where privileges exist, and how privileged access is used - legitimately and illegitimately.
• The threat landscape of traditional, emerging, and evolving privileged attack vectors.
• How threat actors exploit privileges across the cyberattack chain and how privileged access management protects against and detects privilege-based attacks—both external and internal.
• Privileged access management use cases and proven deployment methodologies have been expanded to include modern threats including our new challenges with remote workers
• A 10-Step Approach to Universal Privilege Management.
• Evolving areas of PAM (such as applying practical machine learning to improve privileged security controls, defenses, and responses).
• Regulatory compliance initiatives, including new perspectives on CCPA and frameworks like Mitre Att&ck.

Q & A with Morey J. Haber, author, CTO & CISO, of BeyondTrust

1. What inspired you to write the first edition of Privileged Attack Vectors? Was that your first book?

While privileged access posed a security threat for decades, it’s only in the last 5-7 years that the privileged attack surface has exploded and become the most dangerous IT security threat. Yet, a knowledge gap existed with regards to understanding the scope of privileged threats and how to programmatically address that prodigious risk. I have been an avid technical writer for the last 20 years and, on average, write about 2,000 words per week for blogs, press inquiries, and articles. As my colleagues pointed out, I had already accumulated a “book’s worth” of content on the subject of privileged access. So, I pulled together an outline and asked my external press agency to help find a publisher. After a brief meeting at RSA, things went into motion and, within the year, my first complete manuscript was done. Fast-forward three years, and I have authored three cybersecurity books, plus the second edition of my first book. This work represents the only place to find all the crucial topics on privileged access management and how to actually implement a successful strategy to mitigate the threats. It represents years of work and explains the topics in an easy to read format much better than simpler, narrow focused publications.

2. What motivated you to release a 2^nd edition of the Privileged Attack Vectors book? How significant were the revisions?

It has been three years since I wrote the first book and, in terms of cybersecurity, that is an eternity. Concepts like machine learning, blockchain, cloud, and even the privileged attack vectors themselves, have changed drastically in the last three years. So, the book received a complete refresh, with 40% of the exiting content rewritten. The 2nd edition also includes more than 100 new pages of content on privileged security concepts, threats, and best practices. In addition, based on empirical work, the 12-step process to privileged access management outlined in the first edition has been refined into 10 steps based on technology obsolesce, market consolidation, and new solutions that can easily solve privileged problems in a holistic fashion. It truly is the text book standard for understanding the complete privileged access management landscape.

3. Who is the book for?

The book is geared for anyone with an interest in cybersecurity, specifically with regards to threats and defensive strategies around privileges/privileged access. It is a helpful resource for beginners to intermediate security professionals specializing in privileged access management and for executives learning about the risks to their organization. The book dispenses with heavy technical jargon and lays the problems, facts, and technology down in plain English that anyone can understand. Even seasoned security professionals and sales teams can benefit by gaining a better grasp of the scope of privileged attacks and PAM use cases to improve their own strategy.

4. What are the most noteworthy trend accelerations or changes you have witnessed since publishing the first edition of your Privileged Attack Vectors book? Have pain points shifted? Has PAM become a higher priority? Have certain PAM technologies become more in-demand than others? How so?

The biggest acceleration in privileged access management has been the alignment with identity governance solutions and the need for a holistic approach to solving privileged attack vector problems. The book approaches these problems using a Universal Privilege Management approach, unifying the key disciplines of PAM—password management, endpoint least privilege management, secure remote access technology, and more. This is very important, since the pain of privileged attacks is no longer just about sensitive data on a raised floor secured by credentials in a vault. Excessive administrative rights, remote connectivity using privileged accounts, and IT environment challenges, like the dissolving perimeter and rapid migration to the cloud, all created high-priority privilege risks that need to be addressed. A universal approach is needed to solve all these problems.

5. How much has the onset of coronavirus and social distancing impacted privileged access risks? What are the key security measures organizations should be doing to adapt?

COVID-19, and society’s reaction to it, has had a massive impact on privileged access management and privileged attack vectors. Employees working from home are using the same credentials they did when they were in the office. Many of those credentials and users were privileged. So, how do you secure their access and their credentials on insecure home networks? Addressing these issues absolutely requires a modern, universal privilege management approach. All remote access sessions are some form of privileged access, and if you treat them accordingly, with proper security controls, the threats can be managed—regardless of the data being accessed or rendered. This is just one of the many expanded use cases and chapters covered in the 2^nd edition.

6. What have been the biggest drivers of PAM over the last three years?

The biggest driver of PAM over the last three years has been the explosion of privileged accounts—both human and machine. Privileged accounts are now everywhere. They are no longer just used by administrators, or even just used by people. Everyone has privileges—from marketing to administrators to helpdesk staff, and even every device connected to the network. Applications have privileges. Machines have privileges. Every one of these has a risk and every privilege is a potential target. This is true for everything from wired network devices to wireless access, no matter how it is implemented. So, how do you manage all privileged access, remove unnecessary administrative rights, and secure every privileged account, session, and endpoint, everywhere, every time, from potential misuse? That is what modern PAM is designed to solve and has been the biggest driver in the last three years. Privileged threats are now truly everywhere.

7. In security, we’ve heard the refrain for at least a decade—organizations don’t want siloed products they want fully integrated solutions that communicate with each other. What are the main solutions with which PAM integrates? Does PAM have synergies with other technologies?

This is not a PAM-specific problem. It is about vendor consolidation. PAM, as a discipline, is a subset of the identity governance market. To truly manage identity governance, you need a variety of solutions from IAM, MFA, SSO, PAM, etc. While IAM and PAM are the biggest buckets in the space, they have different buyers, users, and skills needed for their implementation. And when you add technology standards like Radius, OAuth, SCIM, and SAML, all of the vendors can coexist in an environment and solve problems with best of breed solutions. This implies that you could have four or more vendors to manage your identity governance problems. It has created this “silo” problem, but it is tolerated across the industry because the tools do in fact work seamlessly together. What companies do not want, however, is different products in each silo. They do not want multiple vendors solving their PAM problems. There are no standards for PAM vendors to interoperate. API’s for each are different and there is no common vehicle for exchanging information to support privileged access and data exchange between PAM competitors. Therefore, to address the breadth of PAM use cases, integration needs to exist within a PAM vendor’s own portfolio. Of course, the breadth, comprehensiveness, and feature richness can vary substantially from one PAM vendor to another.

8. Are the high number of security incidents and breaches organizations incur a reflection of inadequate overall investment in cybersecurity technologies/resources or a misallocation of those resources (i.e. investing too much in certain technology areas and not investing enough in others)?

This is a difficult question to answer. I do not believe it is due to inadequate overall security investment, but rather due to spending that isn’t focused on the appropriate technologies that provide a good security ROI. Many solutions operate as islands and do not solve the “big” problems. If you consider that 88% of critical Microsoft vulnerabilities could be mitigated by removing administrative credentials, why wouldn’t a business focus on controlling admin rights to mitigate the risk of exploitation, malware, and ransomware? If 80% of attacks use privileged credentials, why wouldn’t you prioritize securing your privileged accounts? It is an educational journey for executives and security teams to assess and invest in technology and strategies that, ultimately, have the most substantive impact.

9. As a CTO/CISO, book author, blogger speaker, what do you read/do to stay on top of the PAM, IAM, and broader security space? Is it more challenging or easier than before?

I read prolifically. I have a staple set of web sites that I visit to stay on top of current trends and technology and, if something really piques my curiosity, I find a subject matter expert and read what they have published on the topic. The most important piece for me, however, is to keep an open mind. While I have been classified as an expert in my space, I often feel like a neophyte. That reflects the humbling nature of this business and the realities of cybersecurity. Analyzing and combining ideas from a diverse wealth of resources helps me to formulate the best responses. I try to make sure my mind is always open to something new, different, and, most importantly, challenging. If you become set in your ways, no matter what you read, you will never maintain that leadership mindset.

10. You have three books under your belt, are there plans for more?

Maybe. I have outlined a few science fiction books but have not had the time to complete them (maybe when I’m retired). As for cybersecurity books, I have two new outlines complete on topics outside of PAM. There is a need to educate professionals and businesses on critical topics related to the cyber security industry, and, if I find something that will help people solve real problems, I will probably pursue writing about it. But for the time being, three books in three years, plus one second edition, is enough. We will see if I can keep away from the keyboard… I probably will not be able to show restraint.

11. Is there anything else you would like to add that we haven’t covered here?

One of the hardest parts about writing these books was deciding on a dedication. Who should I thank, and who should my co-authors thank? I mentioned my children and thanked my wife for endless patience while I typed; even on vacations. The dedication for Privileged Attack Vectors 2^nd Edition was written before the COVID-19 outbreak and really means a lot to me now. I hope it translates to you as well. “Having a happy and healthy life is all the privileges anyone in the world should ever need.”

Get the Privileged Attack Vectors (2nd Edition) Book

You can order the new edition of Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations here. Morey is also hosting a webinar that will cover privileged attack vectors and some of the content from the book. You can register here.

Morey’s other two books, also published by Apress Media, are available as well:

Identity Attack Vectors (co-authored with Darran Rolls, CTO at SailPoint)

Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations

Together, the trilogy of Attack Vectors books provides a holistic understanding of enterprise security risk, and how to effectively manage it, across identities, assets, and privileges.