Fresh off the release of his book, Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations, BeyondTrust CTO, Morey Haber, was among the BeyondTrust execs who came down to Phuket for the inaugural BeyondTrust Partner Conference last week. It was definitely an honour and a privilege for us to be afforded the opportunity to meet and interview Haber, who’s also a guest blogger for our sister publication, CSA, to get his perspective on how cyber threats have evolved over the years and where privileged access management fits into the cyber security picture.
Haber stated that when he first started out over 20 years ago, “We were still trying to understand and establish the [security] perimeter. The concept of vulnerabilities and exploits really didn’t start until around 2000, when we started to understand the problems that software can have in terms of vulnerabilities and exploits. [The threat] has evolved from what a threat actor can do to be cool or cause problems to how they can actually make a difference by attacking a server or infecting a computer and translating it into money or potential gain. So I think the biggest change is not necessarily in the security solutions themselves because they’ve always evolved to be defensive. It’s really the motive of the threat actors that is changing the security landscape over the last many years.”
But why has privileged access management (PAM) become such a hot market in recent years? Antivirus and firewalls, according to Haber, were considered the lowest hanging fruit for many years. Recently, however, threat actors have begun to realise that passwords are not a hard target to go after either. “We suffer from a very human problem of not being able to remember complex passwords. We reuse passwords, we don’t necessarily change the default passwords, or we change them once and never change them again. So it’s the path of least resistance. Vulnerabilities and exploits are not going away, but passwords are where the bulk of new attacks are coming from. And if you look at the attack chain, you’ll find that once an attack starts, the threat actors always want privileges in some capacity. Why? Because that’s how they can get to the data on critical servers – it’s their way of installing malware, it’s their way to exfiltrate the data that you have. So it has become so hot because it’s now the lowest hanging fruit and no matter what, you need privileges.”
This new threat landscape has given companies like BeyondTrust a massive opportunity for growth, especially in regions such as Asia Pacific, and ASEAN in particular, due to what Haber’s team refers to as “white space” in the market for PAM solutions. “When we talk about white space, we’re talking about any client, actually, anywhere in the world. But it’s more important in this region than others because of the higher amount of commerce, volume, nation-states, and smaller nations compared to Australia, the US or even Great Britain. When you have smaller countries, with not as much growth capital, they’re still learning about the threat of privileges to their government, to their people, to their data systems, to their banks, and across the board.” Haber continued, “They realise that they’re just as much of a target as these big nations that have already developed policies. Therefore, what do they use [to protect themselves]? Then the white space becomes apparent because now, they’re just getting started in protecting their systems the same way.”
In securing data, Haber said there are three fundamental cyber security hygiene steps that make the most difference. The first is to eliminate admin rights (which is what BeyondTrust excel at). He mentioned that there are proven statistics that once admin rights are removed, malware and other forms of attacks can’t succeed. The second step is vulnerability management. If a machine is fully patched, the odds of an attack succeeding are much lower. Therefore, patching is key. And then the third step of basic cyber security hygiene is just making sure simple antivirus or simple security solutions are in place. Sounds simple enough, but surprisingly, many organisations in this region are still lacking in this area both in terms of enforcement and awareness.
Haber admitted that PAM doesn’t solve every security issue. However, it allows organisations to limit lateral movement – which also limits an attacker’s ability or an employee’s capacity, either intentionally or otherwise, to do something foolish – and fundamentally make themselves a little more secure. For CISOs, this is a big problem that they can solve.
He concluded with the following thought, “The global threat perspective is interesting because we all run the same operating systems no matter where we are in the world. Granted, some of it is localised. But a fundamental vulnerability in the operating system or application affects everyone. The benefit of the internet is we’re all connected. The downside of the internet is we’re all connected. Everybody can be hacked – it can be from any nation-state, rogue group or literally just someone trying to make a point – and that then places us all at risk.”