Episode 66

Cultivating Critical Infrastructure Resilience with George Eapen

EPISODE SUMMARY

With cyber threats like ransomware on the rise, George Eapen, Group Chief Information Officer at Petrofac, discusses strategies organizations can adopt to reduce risk and protect their critical infrastructure. Tactics like privileged access management, layered security controls, and employee coaching are imperative to keep enterprise environments secure.


George Eapen:
So I think we need to bring a lot of data science into cyber security to really understand, "What are we protecting?" Because most of the time we build the great wall around everything, with an aim to protect everything. Which in a traditional world is super expensive, right? And more time consuming. So the question which I asked when I started my journey was, "Okay, do we need all these things? Can we lean? Can we eliminate? Can we standardize?"

Joseph Carson:
Hello, everyone. Welcome back to another episode of 401 Access Denied. I'm the host of the episode today, Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea. And it's a pleasure to be back with you today, and I've got another great episode.
Today, I've got a special guest who's joined me. George Eapen has joined me for today's show. So George, do you want to give us a little introduction about yourself and what you do, and some of the fun facts that you like to get up to?

George Eapen:
Hey Joe, nice to meet you. I'm George Eapen, I'm the group CIO of Petrofac. So I oversee the IT, digital and cyber strategy of my company. And I'm a cyber security enthusiast. I spent the last 10 years in the field of cybersecurity before I took the CIO role. So it was a fun transition from CISO to CIO. And that's pretty much about myself.

Joseph Carson:
Any fun facts? Any hobbies or anything you'd like to get up to? What do you do in your spare time?

George Eapen:
So I have a 3-year-6-month-old son, so I don't have much free time to be honest. All the time I'm not working is with my son, with my family. This keeps me really busy.

Joseph Carson:
Absolutely. It's always important to make sure you get the balance, and family time is always important. It's sometimes hard in our industry as well, because the industry itself never stops. Whether it's the threats that never stop or it's something that we always have to... continuous learning. There's always something new, or some new trend or new technology that we have to stay up to date with. And for today's show what we really wanted to talk about was two major things. One was the importance of privileged access management, as well as where things stand today with remote working.
So I'd like to get started with, when did you realize in your role and organization how important it was to protect identities, and that privileged access was a top security priority? When did you start realizing that was something that you needed to be doing?

George Eapen:
So when I started my journey in my current organization, I realized what is critical to me. And I identified that I needed to avoid an enterprise-level cyber incident. It can be a ransomware, it can be an attack where my data is being wiped or being lost, or it can be anything which can cause disruption to my business continuity. So one of my key priorities when I started my role was to make sure there's no enterprise-wide cyber attack. Because there will always be a cyber risk. But what I really wanted to avoid was anything which can impact the business continuity. The second element which I was extremely focused on was to ensure that we are compliant with the regulations where we are operating.
So I started my journey with these two priorities. And I wanted to figure out how do I get to the details of programs I need to run or investments I need to make. But these were the two key objectives I was hoping to achieve. And very early in my journey in my current organization, I learned that if you want to avoid an enterprise-wide cyber incident, you have to protect your key services. Right? So it can be your domain controller, DNS, or any other services which are connected to the rest of your systems, right? And that's where I figured out that if you are going with the layered security control approach, one of the key controls that you definitely need to have is protecting your identities. And managing your privileged access users was actually a key control in this journey. And that's where I figured out that it's not a good-to-do investment, rather a must-do investment for me.

Joseph Carson:
Absolutely. And even myself, responding in my... Sometimes I wear multiple hats and primarily focus on security research. And sometimes I do get involved in things like incident response or penetration testing. And a lot of times, when I look back, pretty much most of the incidents I've worked on, whether it be data loss or ransomware cases, the attackers have targeted the privileged accounts in organizations because it's the one that gives them the greatest access. It allows them to hide their tracks and it also allows them to get the greatest reach in the environment if they do want to bring it to its knees, by deploying something like ransomware.
So absolutely, when I look at a lot of the attacks, one of the sensitive areas where organizations need to be resilient is around protecting privileged access for sure.
So when you look at those two top priorities, one being enterprise-wide security and the other the compliance side of it, when you did start your journey, what were the top threats that you were worried about? Was it business email compromise? Was it identities being stolen? What were the top threats that you were looking to mitigate by taking this approach?

George Eapen:
Look, I was actually playing it a bit more high level, right? So I was not worried about some of those threats because there will always be business email compromise. There will always be users' identities being compromised. There will always be job scams. So as a CISO, right, you need to really accept the fact that there is no perfect world where you can bring the cyber risk to absolute zero. Your role as a CISO is to minimize the cyber risk, right? And to make sure that you operate your business in a safe environment. Because I can actually increase my controls to a level where I can really try to aim for a zero cyber risk environment. But at that point in time maybe you are doing things which probably will not help you drive other priorities like digital transformation, right? So it may also have a significant impact on employee experience.
So coming back to your question, I was more interested in ensuring the business resiliency. Now, as a CISO, or historically, most CISOs always think about how to reduce the probability of a cyber attack. My thought was more about how, yes, I need to reduce the probability of an attack, but I also need to reduce the impact of an attack. So things like data backup, how good is your data backup? So to answer your question, Joe, my strategy was not... Yes, you will tell your developers to minimize all these attack vectors, but I am accepting the fact that in spite of their amazing job you will still have some issues. So it's more about how do you minimize the impact of those issues.

Joseph Carson:
Absolutely. And that's the right way to do it. Too often a lot of CISOs come from a very technology security background, and they see themselves as enforcers of security. And this is why we're seeing the importance of the BISO role, the business information security officer, which focuses on the business aspect of things and how to translate security into business initiatives. So you're absolutely right, that one of the main things here is our job, and I realized many years ago that my job is not to enforce security, my job is to listen and understand business risk. And if I can identify the business risk, then the goal is how do we use our cybersecurity skills and knowledge to reduce the risk by enabling more resiliency? How do we make sure that when there is a cyber attack, the services continue with as little disruption as possible.
So absolutely, I think this is where it's really important that many organizations take this risk approach. I learned in Estonia years ago, where they started evolving, and they look at everything from a service aspect: "What is the service delivering? What are we offering? What makes up that service? What are the critical components?" And to your point, backup and recovery is an important part of resiliency, and how do you make sure it is being tested? Is it resilient against all the different threats that are out there? And when something does happen, do you know that you can recover? So absolutely, you're spot on regarding the business side of things. It's really important to make that definition.

George Eapen:
Awesome.

Joseph Carson:
So one of the things I'd like to understand as well, when you started thinking about the different types of privileges and identities in your organization: today we're seeing a massive shift. A lot of the time, and especially during a lot of initiatives, we tend to highlight the user, the employee, the person side of things. But I'm seeing, especially in a lot of organizations, that the fastest growing area is what we sometimes hear referred to as machine identities; I tend to refer to them as non-human identities. And honestly, regardless, all identities are non-human because they're dissociated. It's a mapping side of things. But what other types of identities are you using in your organization, that you have to manage, that are not the human side of things? Where it's not somebody behind a keyboard entering a password, but it could be something like code, it could be a script, it could be an application, it could be infrastructure. What types of identities and privileges did you see that you needed to prioritize and focus on?

George Eapen:
Look, I think definitely you need to protect your core infrastructure. So identities which have access to your core infrastructure services. Identities which have access to your most critical data, right? Identities which have access to your core services, right? And identities which have access to your critical business applications. So to me, we started our journey by understanding ourselves better, right? For example, we always see a lot of applications in any ecosystem we go to, right? I'm not talking about my kind of organization, I'm bringing a broader perspective here. But the question here is how many of those applications are actively used, right? So I think we need to bring a lot of data science into cybersecurity to really understand, what are we protecting? Because most of the time we build the great wall around everything, with an aim to protect everything, which in a traditional world is super expensive and more time consuming.
So the question which I asked when I started my journey was, "Okay, do we need all these things? Can we lean? Can we eliminate? Can we standardize?" We did the same for our identities, right? But to really go after my identities' impact using key applications, I started with applications, right? Visibility of all our applications. Visibility to our cause that we serve. Asking the right set of questions. Why do we need it? So it took a basic, I would say cleanup. Cleanup is not the right word, rather challenging the status quo, and we got to a stage where now we understand, yeah, it is good, it is needed. The second part was how do we create identities? How do we off-board identities? Do we have all those processes, right? Now once we had all those things, then we again created a phased approach where we started onboarding our infrastructure identities. It can be a network administrator operating our firewall. It can be a domain admin who has access to our domain controller or our Active Directory.
And that part, which was one of the most critical phases of our journey, once it got completed, we moved to our application journey where we looked into our most critical applications. And we don't want to go after everything, but it was worth going after our ERP, right? So we looked into our DB administrators who can run DML commands, and we onboarded them. And if you ask me, did I onboard all identities? No, but I have a reasonable level of assurance that the identities which I should care about have been onboarded to a privileged access management tool. But going back again, it's not the tool. If you don't have the right culture, right hygiene, right processes, I don't think the tool will solve the problem, right? Because you will start creating identities which in one way or another may cause you problems.

Joseph Carson:
Yep. No, absolutely. I think it's really about making sure that you get all the right components together. I always say that when you're investing in something from a security strategy, you have to not just think about it from a tool perspective, but you also have to think about it as a process. How can it be used correctly? And then that also means if you want to make sure you've got process and a tool, then you actually also need to think about the training. How to make sure that people are aware how to use it correctly, to configure it. How to make sure the processes are followed. And not only in using it, but also making sure that when you implement and install it, it's configured correctly as well.
So you're absolutely right, that all of those things need to be equally invested in to make sure that you get the most value. And you're absolutely spot on; I've taken the same approach in the past. I remember being brought in to help an organization, they were looking at it from a data-loss prevention perspective, and it was very hard to do DLP because the data changed so often. And it was much easier to do it from an application perspective. If you knew the application then basically you just understood that these applications have access to all of this data. So therefore, you basically put the rules on the application side of things. And as long as you protect the access to the applications, it was a lot less, let's say, workload and less complexity when you focus from that perspective.
And you're absolutely right as well, that you don't need everything, you need to make sure that you look at it from that risk approach, that not all identities, not all privileges, not everything has the same amount of risk. So you're actually going through making sure, what risk do they carry? What do they pose if they're ever compromised or ever abused? What's the potential outcome of those? So then going from a risk perspective again. So you're absolutely-

George Eapen:
Just to add to that, it's not visibility sometimes. We probably will be in the position to get good visibility on all the potential identities used in an ecosystem, including human and non-human accounts. But the knowledge of what these identities are supposed to do, or what they are doing, that is not easy information. And in the historical world you deal with a lot of back-and-forth discussions with business to understand certain rules. Why do you need the service account? What is it doing, right? And you always get into that situation of getting into that unknown space. What impact, if I probably clean this up, will it break an operational thing? There's no easy answer, right? That's how it operates.

Joseph Carson:
Absolutely. I've seen in the past, looking at a service account and everyone's going, "Does anyone know the password to this account?" And I think the consultant who had configured the application maybe five or six years ago had already left and moved on to other companies. And everyone's going around, "If we disable this, what impact does it have? What does it break?" And everyone was really afraid of what this was going to break, because no one knew how it was associated or what it was dependent on. And ultimately, after doing a lot of mapping and understanding, if they had actually turned off or changed that service, their entire backup strategy would have failed because it was related to backing up and archiving emails and other services. It was such a critical service and no one actually knew what it did. But until they did a proper investigation, they didn't realize how critical that service was. And also that it needed to be the same credential, password, on all of those other systems. So even if they had disabled that, it would have brought a major service to the business down.
But again, they needed to go through the process of making sure, well, how can we make sure that the risk of that, that account should not have a static password for such a long time. So how were they going to make sure that they could bring all of that over to a process where the system managed it, rather than leaving it unmanaged. So it was a major risk as well.

George Eapen:
That's a great example, Joe. And it's a fantastic example. In my opinion, the visibility that you have a weak spot in that service account because of a static password, that's a victory. Because now you can probably have better monitoring of that account or compensating controls to still mitigate the risk, right? The real problem is what I call the sitting ducks, right? So not knowing these vulnerabilities is the problem, right? But once we have good visibility of your weak spots, you can actually plan compensating controls.

Joseph Carson:
Absolutely. It's going through and it's knowing. It's getting that knowledge and knowing the risk landscape out there.
So on your journey, when you started this and you went down the path and you realized privileged access and securing identities was an important part, and you looked at mapping it from the business resiliency side of things, what lessons did you learn along the way? If you were to go back and redo it again, what lessons or what would you change? Or what, for the audience, should they consider as they go down this path as well?

George Eapen:
So I think, in my opinion, I'm probably quite happy with my team and the journey we had in our organization. Where I actually got it clean [inaudible 00:18:52] where we actually implemented a lot of good controls. So if you ask me what I'd do differently, honestly, I probably would do the same things. But I think we need to have a very good view of how you are layering your security controls, right? Because today we have a lot of discussion on big, big themes, zero trust, this, that, right? And I've seen most of the partners or security vendors, they are put onto platforms. They can do more than one thing than they were historically doing, right?
I personally feel what we have done quite well in my organization was, before making any tech investment, we fixed the processes, we fixed the culture piece, we did the cleanup. What we also did was we looked into our historical investments. I saw that actually 80% of my... So if I split my investments into endpoint, EBAN, Cloud and network, I saw that 80% of my investment was going to endpoint. Historically, right? Before I started my journey. And then I saw that 80% of that investment was going to one single vendor. So technically, we put all eggs in one basket, right? And we were relying on one particular vendor to make sure that they'd be able to prevent any enterprise-level event.
I always believe in patient zero. So I believe that there will always be a new variant which maybe your partner will not be able to prevent. So what we did was actually layer our controls in a way that we made our investments in all the right places. And today, if you look at the life cycle of an attack, right? The way it starts is with phishing or an identity compromise. 97% of the threats or attacks today start with an identity compromise, right? And phishing is the most commonly used. So let's start with that, right? What can we do to reduce the probability of phishing? Better tools, email security and cybersecurity awareness. So on average, in any organization, when you do phishing simulations, normally you see 10% to 15% still click on the phishing link. And most of them are not repeat users, they're unique users.
So when you do it two times in the span of one quarter, you see the number is around 10% to 15%. But these are different sets of employees, right? So it's because maybe they had a bad day, they were weak in that moment, so it's quite human. Now with amazing investment in phishing, or in awareness, what we have done is reduced that to 3% to 5%, but it's still 3% to 5%, right? And I have talked to a lot of my peers about what their outcome is. And in spite of doing massive campaigns, they still have 3% to 5% of the population. Now, what it means to me is that is my entitlement, right? I can't make it zero, period.

Joseph Carson:
It's impossible to make it zero.

George Eapen:
That's right. So assume you have the identity of one of your users compromised. Now, that identity can be used to land in your ecosystem, right? Now once you land in your ecosystem, maybe it's a server, maybe it's your endpoint, that's where your EDR tools may play a role, right? In my case, we invested in two EDRs, right? Purely because-

Joseph Carson:
It's good to de-risk things as well. One might catch something and the other might not.

George Eapen:
Yes. And what we have done is actually, for the first one year we were looking at the alerts from both EDRs, right? And if one EDR was missing something, I'd send it to that team, what it caught and what it missed. So we were able to fine-tune things. Same for the other one. So we reached a level where we are quite happy that we tightened up our EDR systems quite well.
But when you talk about lateral movement, right? So eventually what will happen is, it's a lateral movement internally, and then it'll go to privilege escalation through Mimikatz. So what we have seen is actually, you can have a lot of controls to capture a lateral movement. So that means that that has not happened but the bad guy is in your system and is moving around, and you can still catch it, right? So there are different technologies which could do that; in our case we are India which is doing that.
Long story short, if all those controls failed, then finally, through privilege escalation they got access to your domain admin, right? Now this is where privileged access management, which is my final control, is what I believe will protect me. Because if I know all my key services, and if all my key services can be accessed through a PAM, I'm actually trying to protect my domain admin identity, because it's not a password, it's a real-time connection which is established, which gets over once that session is over. And we have Secret Server from Delinea which we are using, which has other identities.
So my point here is actually, Joe, I don't want any attacker to reach the final level, because I have 10 controls which I layered which can prevent them from reaching my final step. So I still feel if I did this again I would do a layered approach. I would try to make sure the investment is going in different directions rather than stacking it up at one level where you're completely vulnerable if that layer breaks. And make the right investment.
One thing which I have done, because historically a lot of the time we as security professionals, one of my observations is once we get into a contract we continue that, and we don't want to reduce our spending on cybersecurity because it's one of the topmost priorities for all of us. So the initial sale is difficult, but if I or anyone look into the contracts, and during COVID time when we were pushing for cost out, one idea was that we don't really skew the security because we don't want compromise. So what I'm trying to tell here is, there's a good chance that you may have a lot of legacy engagements, and technology was fast changing and rapidly changing. Maybe you have a much, much, much better technology out there. So you should be ready to change your incumbents. You should be ready to take a critical look and challenge your existing status quo, rather than continue running it. I know it was quite a long response but I hope-

Joseph Carson:
No, you're absolutely spot on, and I think you're just going through the different layers and de-risking things along the way to make sure that you, at least... First of all you want to make it as difficult for the attacker as possible, and all of those layers along the way will at least sometimes force the attackers to change their techniques, because it might stop them from either moving laterally or gaining access to other systems or elevating privileges. What you're doing is you're forcing them to use techniques which are typically more noisy, and as they're creating more noise it gives you a chance of detecting much earlier. So absolutely, defense in depth and a layered approach and assuming... You're absolutely right, when you talked about even getting the click rate down, the internet and the browsers were created to click on, and to try to get employees to not click on something is somewhat telling them not to do their job.
And we are never going to turn everybody into cybersecurity professionals, and that's not something we're going to be able to achieve. And I remember a conversation recently at a conference, and we were chatting about a particular talk that was on about cybersecurity awareness, and one thing I raised was that you're always going to have somebody who clicks on something, and it's about assuming that that will happen. What other defenses do you have in place to protect your organization? And that's what's critical, when you assume that that fence falls and the attackers are in your network and they have access to this, you have to start assuming, what if this fence falls? What do you have there to protect against the flood, to protect it from getting further, to protect it from getting to your critical services? And that's really important. I remember I've done some interesting phishing campaigns in the past, and in one I was given the challenge to try to get a hundred percent success rate, just to see how well you can craft a specific phish.
And there were two that I found were very successful. One, the phishing campaign was speeding tickets, using speeding tickets as a way to target employees, and you also got it to where it was 5:30 PM on a Friday and all the information was accurate. And you're playing on certain things: the attackers will always look for things like the fear of doing something wrong, they'll take advantage of the employees' trust, they never want to do things wrong, and a speeding ticket is doing something wrong. There's a financial component to it, there was a time component to it. So you're really playing on people's emotions.
Another great technique as well was in the early days, when email was basically putting the footer, "This email looks suspicious, please report it to your IT security team." And in that phishing campaign, the email itself was purposely made to look suspicious, but in the footer was actually the phish, the link to report it to your IT security team. That was actually the phishing part of the email.
So really looking to take advantage of people. And attackers are always looking to craft things which will take advantage of people's trust and what they're used to expecting, and it's getting to the point where a lot of those phishing attacks are getting so difficult, even I know as security professionals, it is getting very difficult for them to detect and be able to tell the difference between the authentic one and the malicious one. So you're absolutely right that it needs to be defense in depth and a layered approach for sure.

George Eapen:
And in some people's job you just need to make sure your basic hygiene is good. So I can give three or four examples. So multifactor authentication. I think it's an absolute must control. So to make sure you are including a second layer of security if your identity is compromised, so that no one can access any services. Using strong passwords, 15-plus character passwords. So in my organization we use passphrases, but we also make sure that the most commonly used passwords, the top 50 or 60 most commonly used passwords, cannot be used as a password, as simple as that, because we blacklisted those. Things like stale accounts: we run a campaign every three months to see if an account is not used for more than 90 days, and we disable it, right? We're okay to take those toys.
What else? For a password spraying attack or brute force, for example, if there were more than a certain number of unsuccessful attempts the account is locked. So my point here is, you probably do not need only technical or technology solutions. The need for better hygiene, the need for better-

Joseph Carson:
Absolutely.

George Eapen:
That is absolutely critical.

Joseph Carson:
And it's getting into, one of the things I really love is the book that some friends of mine wrote a few years ago, which is the AZs of Cybersecurity, which is also about how we need to evolve from just doing this point-in-time awareness training, which is a checkbox approach, to getting to the point where you're able to influence people's behaviors. And this is where you do continuous awareness, this is where you're trying to improve and get more people to practice security in a good way. And then ultimately if you keep doing that, if you do the awareness and can persuade behavior, you can also get to bringing an organization's culture to being a security culture, so that everybody will work together and everyone will look out for each other. And that's the part where people are then not afraid to speak out.
I remember going to a session recently, and there was actually the fear among employees of reporting incidents, because they were afraid of showing that they accidentally clicked on something. And it's important that we get to a culture where people are not afraid to speak out, people are not afraid to report incidents, they're not afraid to say when they see something suspicious, and that's really where we start getting to where the organization starts working together. So absolutely, moving through and getting into that culture DNA of an organization.
One of the things I'd like to ask you about: we've been hit, as have many organizations, by the pandemic in the past few years, and a lot of organizations have had to shift to working remotely a hundred percent. Some organizations have had all employees working remotely, which meant that a lot of them had to change the way they did remote access or VPNs or accessed critical infrastructure. And now of course in the last year we've seen restrictions moving away, more employees starting to come back into the office, but it's still not quite there. Some are still fully remote, some are still moving back to the office, some are still hybrid. What have you seen with this shift in work-life balance and working remotely and in the office? Are you seeing more employees move back into the office in your locations, or is it still somewhat a hybrid, flexible approach?

George Eapen:
It's a hybrid. We are flexible, but we also encourage people to come back to work because we feel the physical connection and the collaboration which comes with the physical connection is irreplaceable. Look, from a CIO point of view, it was a huge digitalization, digital transformation opportunity. Well, there were two things that happened. One, we opened up to everyone working from home, which challenged our traditional infrastructure, your VPN capacity, your network capacity. We needed to look into a lot of aspects of infrastructure to make sure we can support it. Before COVID I had 2,000 users probably accessing my VPN, because the majority of them were in the office and they don't want to use VPN, and post COVID it was 12,000, right? So am I ready for six times the bandwidth or network traffic? So that was a big infrastructure-related challenge.
Second was a lot of these key workloads, which were traditionally accessible only on prem, which were running on prem and which were only accessible in our network. Now we had to make them more accessible, we had to move them as Edge applications and make them accessible for people working from home.
And it also resulted in a lot of Cloud transformation, Cloud adoption. So a lot of our workloads we had to host in Cloud from on prem to make them really accessible, not only for our employees but to our third parties. So that was the second big aspect which put a lot of stress on us from a security point of view. So, looking right, this is where security has to play a balancing act. If through COVID we had increased the size and the length of the wall, we probably would have crippled the business, whereas security should really come up with the risk-minimizing actions and facilitate an environment where business can eventually operate.
So what we did in this case is actually start focusing more on moving from perimeter security to core security. Our focus is now related to our applications, our core. And more related to who is accessing, identity. Because today a lot of these things which are accessible on the Cloud or Edge, you don't need your company laptop, you can still access them from your personal laptop. So all the EDRs which we have deployed are of no use anymore. Now I have no control over the wifi security of someone's home. Is it weak, vulnerable-

Joseph Carson:
Is it secure? What credentials?

George Eapen:
There is no control. So what only I can control today is what is being accessed by these connections. So we have to make the right logic and right security controls to ensure that anything which is not a valid connection can be flagged, and second, identity. Make sure that those multifactorial identification and all those aspects are being cleared.
We also now rely a lot on VPN security for the folks using VPN, because again we hand off a lot of things to Cloud but we still have a significant amount of core applications. Not all on Edge; my Edge was historically 20%, core was 80, post COVID it's 60/40. But we still have our most critical applications as core, which use VPN access. Now we have a lot of controls around VPN security to make sure our third party traffic is monitored more or scrutinized more to make sure that we do. Now we also have a lot of engagement with our key third parties who have access to our data or to services to demonstrate to us they have good security practices there. We always tell that people are the weakest link, but I think your weakest link, so you are as weak as your weakest suppliers in your supply chain. As simple as that, right?

Joseph Carson:
Yeah. Yeah, I always try to reverse it. Always looking at people is, how do we empower them so they can become the strongest link? How do we give them the right resources and tools and knowledge so that they can be a stronger perimeter? Because you're absolutely right. When we think about, I remember somebody used a great metaphor when I was doing, it was a CISO round table event, and it was almost like they had one big massive highway that came into their office and that was the internet connection and they only needed to secure that, and post pandemic, it was almost like they had 20,000 different lanes that came into the office now and it was almost impossible for them to have security at every single one of those entry points. And we can't be expected to secure people's homes. That's something that, it's beyond organization security.
So you're absolutely right, as we move to things like, BYOD is real, but now I always refer to it as bring your own office. It's almost like employees are little Clouds, their homes are almost like micro Clouds that they will basically be accessing from and to, and to your point, you know, we start to need to think about getting down to the granular rules, but what can they access and what security controls do they need to satisfy? A lot of that comes down to the identity, as being able to verify and continuously verify identities.

George Eapen:
Makes sense.

Joseph Carson:
I'd like to talk about two trends there have been in the industry. So two of the trends, one has been around passwordless authentication, and I've kind of got to the point where when we talk about passwordless, I don't like to use the word passwordless by itself because it usually comes without context. I like to think of it more as a passwordless experience. That the password's moving into the background and not necessarily because... It gives that false impression that it's disappearing. And what it's really doing is, it's just changing the experience; there still is a secret that's being exchanged. What's your view on that passwordless experience in the future of authentication?

George Eapen:
I think in my opinion it'll be a good change. So we are still authenticating, right? So password is just a method of authentication. So we can actually use biometrics available today. The technology's out there, but we have not been able to popularize it. But I'm pretty sure that actually in future, one day we will be moving away from passwords to a different way of authentication and securing. Historically we had these physical tokens to authenticate. So I'm talking about maybe the last decade. So it's not something that's not there, right?

Joseph Carson:
Something

George Eapen:
There, right?

Joseph Carson:
Yeah, I think I had my hardware tokens 20 years ago.

George Eapen:
Exactly. But the point here is actually since I bring a CIO perspective as well as a CISO perspective, as a CISO you only think about securing your company and reducing the bills, minimizing the bills, eliminating the bills. But the truth here is actually security is existing because there's a business which is-

Joseph Carson:
Absolutely, absolutely.

George Eapen:
So employee experience has to be, we need to watch out for. I'm not sure passwordless would be a better employee experience or less employee ex... I'm not sure. And we also need to think about non user authentication. So how do you authenticate to your OT legacy systems? So I can see passwordless happening, how you access your laptop or your physical asset, that I can see happening. But when you are accessing an application or when you are accessing a service, I still think there will be a password or multifactorial authentication.

Joseph Carson:
Something changing in the background. That's the secret that's enabling that because you're absolutely right is that I think it's that consumer experience that people want to have in the enterprise. And I think with devices you're absolutely right, that will be the primary area, but you get into a lot of applications or services which will still be running for many years, that the authentication won't change and that service will remain. So therefore we just have to find ways to work with the new and the old and hopefully services and applications will help provide that experience to be much better. And I think my goal is ultimately to try and get where we're not having people choosing passwords and it's done for them and they just need to have a way of unlocking access to those credentials. Another big buzzword as well has been around zero trust and least privilege.
And I've got to the point where what you said was absolutely right is that security doesn't exist by itself, it's there to support the business. And everything you have to do is a balance between making sure that you are empowering the business to do what it needs to be doing in a secure way, but also a resilient way. And it's all about supporting the business to be able to succeed, and zero trust, least privilege, probably sometimes has that negative approach to security. It's the negative wording that, what do you mean, you're not trusting our people anymore? So I'd like to think of one thing I've got to the point of referring to it now is that if you're going down this zero trust, least privilege path, you also need to be thinking about zero friction security. It's about security that is not causing the employee to struggle to do their job. It should always be actually helping them do their job better.
So anything, your thoughts around when you hear zero trust there's been a lot of talk around, what's the first things that comes to mind when you think of zero trust?

George Eapen:
I see it as a framework which I believe most organizations have already implemented without claiming it as zero trust. So what we are talking about, authentication and authorization and least privilege, all these are, I will say, key criteria which will help you develop that zero trust framework. I love when you mentioned about do we have trust issues? Because I personally feel when you talk to a non-technical person or a non cyber person about zero trust, especially from business, it's giving a wrong impression. It's giving the impression that as cyber professionals we have trust issues, which is not the case, right?
Yeah, it's a buzzword. I believe it's a framework and I believe you can achieve it, not in one way but in many ways. But end of the day what you're talking about is actually, yeah, I'm just ensuring least privileges. I'm ensuring that I'm having the right authentication and authorization before we can do anything. To me that's zero trust.

Joseph Carson:
Absolutely. I will say that the best phrase I always hear and that comes to mind, it's a mindset in how you wish to operate your business. And there's many paths to zero trust as a strategy and as a framework, and you're always on the journey. You never complete it. So you always have to keep kind of progressing and keep improving towards it.
What's the next direction for you, what's the future kind of path for you? What's next on your mind or to take on or to tackle?

George Eapen:
So I think we are focusing a lot on Cloud, now focusing a lot on OT security, focusing a lot on third party security. Third party security I briefly mentioned earlier when I mentioned about remote working, but the truth here is if you are working with a vulnerable third party, you're making yourself vulnerable. So how do you ensure, we talked about perimeter security, no more relevant as remote working is happening. Think about it, as an organization, you work with a lot of third parties who may have access or may not have access to your systems, applications, to your services, and what control do you have on their security posture? So this is where we probably need to do a better job working with our business stakeholders. When you onboard a third party, you also need to go back and look at who are your high risk third parties and how do you minimize. So to me that's a big idea which we need to focus on.
So there are a lot of things which, trust me, we always have something to focus on. So there's no time for us to be relaxed in cybersecurity, but I don't believe in all those cliché statements like what keeps me up in the night. I don't. Because I think that's truly cliché, because end of the day, one of the things that we do badly in cyber, we freak people out, we make it look so scary.

Joseph Carson:
It's a scary, it's scary. The industry of scares-

George Eapen:
And I think cybersecurity, we are like traffic police. So the traffic signals are not slowing you down to be honest. Traffic signals ensure you reach your end destination safely and securely and most probably faster. And if there's no traffic rules, I'm pretty sure that you'll have traffic accidents which will slow you down further. So to me as cybersecurity professionals, we need to know what you're protecting, what's your core processes? You need to make sure you have a layered control to reduce the probability of an attack, but you also need to invest in your backups and your strategy. So in case if something happens, you can reduce the impact of that attack and you need to enjoy your work.

Joseph Carson:
Absolutely, absolutely. I think what you reminded me of is that sometimes, though, with the traffic police, sometimes the security team's doing a lot of roadworks at the same time. And sometimes with the roadworks there's a lot of detours to go through in order to get to your final destination. But let's hope that that experience... And absolutely you're right. And the goal is always making sure that the person gets to the final destination and in a time that makes them successful in how they're measured, and help them do their job and help the experience be better. I think one of the most important things is to make sure that we remember that the key metric in all the things we do is user experience, that we make people want to use security and that it's enjoyable and it helps them be successful.

George Eapen:
I agree.

Joseph Carson:
So any final words of wisdom that you would like to share with the audience? Anything that, for the audience listening in?

George Eapen:
Yeah, I think first of all, thanks for the opportunity, Joe. I know it's a very popular podcast. You got a big fan base.

Joseph Carson:
Thank you.

George Eapen:
Okay, so for people listening to me, look, I think cybersecurity is an exciting area. I do meet a lot of young professionals, I do a lot of mentoring and also in many forums I interact. I think there's a lot of interest for young professionals to come and join the cybersecurity profession, but I would like to give some advice to them using this podcast. So what I like to tell them is that cybersecurity is not as sexy as we always see in movies, like being a hacker. I know Joe, you are a hacker, but this is an ethical hacker, right? But my opinion is when you look at enterprise cybersecurity, there are different aspects of it: there is policy making, which we call GRC, there are elements of [inaudible 00:48:53]. There are things like, as I mentioned, identity, third party.
So one thing I like to share with the young professionals who may be listening to this podcast is actually, if you're looking for a career in cyber, be here for the long run. Patience and personality will take you a long way. You need to build a skill set in many areas to really get the full touch. It's a huge area, and please don't get stuck into only this account or... That's more exciting and sexy, but that is one of the other elements, which will also be equally good.

Joseph Carson:
Absolutely. I think those are very, very wise words of wisdom for the audience, that there's a lot of aspects. Sometimes what people see of my role is the cool, the ethical hacking, the pen testing, but what they don't see is a lot of the real research and the book me; I'm sitting here with tons of books next to me that I spend lots of time reading to keep my skills up to date.
And absolutely, while I also mentor quite a lot of people, I also have my mentors as well. I still have the people around me that I go to for advice. So I think it's really important for the audience getting into the industry that, definitely, there's a lot of things to learn and it's a continuous learning opportunity. But definitely get your community and get your network, get the people who can support you and help you along that journey for sure.
So George, it's been fantastic having you on the episode. Really fantastic, and I think this is really great for the audience to hear your story and your journey on some of the kind of thoughts and prioritization, especially as you've moved from a CISO role to a CIO role, and also some of that mindset of what you were thinking about. So it's been a pleasure having you on the show.
For the audience, again, tune in every two weeks. This is the 401 Access Denied podcast, really bringing you hot topics, trends, news, educational information to really help you on your journey. So hopefully this has been an educational episode. Again, George, many thanks. And for everyone out there, tune in, look forward to seeing you in the future and stay safe. Thank you.

George Eapen:
Thank you, Joe. It's a pleasure. Thank you again.