Sunday, May 26, 2024

Why Identity Security Should Be the Foundation of Modern Cybersecurity

Khushbu Raval
Khushbu is a Senior Correspondent and a content strategist with a special foray into DataTech and MarTech. She has been a keen researcher in the tech domain and is responsible for strategizing the social media scripts to optimize the collateral creation process.

Morey Haber, BeyondTrust’s Chief Security Advisor, offers expert perspectives on cybersecurity challenges, including identity security and privileged access management.

In an age of increasingly sophisticated and pervasive cyber threats, Morey Haber, Chief Security Advisor at BeyondTrust, stands as a beacon of insight and expertise in cybersecurity. With a wealth of experience and a keen understanding of the evolving threat landscape, Haber offers invaluable perspectives on the greatest challenges facing organizations today. 

From identity security to privileged access management (PAM), he delves into the intricacies of safeguarding digital assets and shares actionable recommendations for strengthening cybersecurity postures. Join us as we explore Haber’s insights, reflections on notable incidents, and vision for the future of cybersecurity, with BeyondTrust at the forefront of innovation and defense against emerging threats.

Excerpts from the interview:

Can you elaborate on the most pressing cybersecurity challenges organizations face today?

Arguably, the biggest challenge facing organizations right now has to do with managing identity security. The recent Microsoft and Okta breaches demonstrated that for a threat actor, “It is easier to log in versus hack in.” Both of these attack vectors, credential theft and vulnerability exploitation, demonstrate that regardless of on-premises security technology, log monitoring, and threat detection, attacks in the cloud against licensed service providers can devastate your organization.

Your internal security controls would not perceive these threats until it was too late, and monitoring SaaS solutions is a supply chain issue with no foundational resolution yet outside of basic log monitoring. In fact, for most cybersecurity customers, outside of Security Assessment Questionnaires (SAQ) and public-facing Security Scorecards, there is no way to measure the security posture of your cloud-based solutions continuously. 

The best any organization can do is invest in Identity Security and Identity Threat Detection and Response solutions to determine if an identity has been compromised in a SaaS vendor or Cloud Service Provider (CSP). If an identity is determined to be misbehaving or the incident is affecting the runtime of your organization, an identity-based attack using lateral movement could leave your organization exposed to data exfiltration, malware, and even ransomware. This is especially true for privileged accounts since if they are compromised, a ‘game over’ event could occur with a threat actor logging in versus hacking in and performing administrative functions within your environment without any potential repercussions. 

How will the cybersecurity landscape evolve regarding privileged access management (PAM)?

Privileged Access Management (PAM) has existed since the mid-1980s. It is hard to believe that a nearly 40-year-old cybersecurity discipline is still relevant and not widely adopted today despite being a cybersecurity best practice. However, the definition of PAM has changed during the last 40 years. It has evolved from the Principle of Least Privilege (PoLP) to Password Management, Session Management, Directory Bridging, and Endpoint Privilege Management (EPM). 

The obvious question is, who owns the definition of PAM, and where is it going? The answer is not simple. Cybersecurity vendors, analysts, and even governments contribute to evolving definitions of cybersecurity solutions. While they may conflict at times—for example, one group recognizes a feature set like remote access, and another assembly does not—one thing is for certain: the future of PAM lies with Identity Security and the protection of a business’s Identity Fabric. 

By definition, Identity Security is the risk management of all aspects of Identity and Access Management (IAM) including PAM, and governs all solutions and workflows for IAM throughout an organization. That is the organization’s Identity Fabric. Therefore, the future landscape for PAM is the privileged management for all identities used within an IAM infrastructure to connect disparate solutions (SSO, MFA, IGA, PAM, etc.) that create workflows for authentication and authorization within a business. Since identities are the latest attack vector leveraged by threat actors, attacking all the plumbing within IAM and securing their privileged access is crucial to mitigate the risks of an attack. The future of PAM will provide security and detect abnormal behavior when deploying and managing IAM solutions.

What are some prevalent misconceptions about cybersecurity that you come across in your work?

Some of the most prevalent misconceptions about cybersecurity are rooted in human traits. Social engineering, to date, is the most devastating attack vector that can destroy a business and shatter customer confidence. How does a human trait, leveraged for a social engineering attack, translate into electronic destruction? Consider these human traits as they relate to social engineering attacks:

  • Trust: The belief that the correspondence, of any type, is from a trustworthy source and clicking, responding, or opening the attachment will cause no harm.
  • Naivety: The belief that the contents, as crazy or simple as they may be, are real, even though common sense says otherwise.
  • Sincerity: The intent of the contents is in your best interest to respond to or open, based on your employment, family, livelihood, or other emotional connection.
  • Ignorance: The contents of the correspondence do not raise any concern, even if it originates from an unidentified phone number, email address, or text message.
  • Curiosity: The end-user has not identified the attack technique, and sheer curiosity allows them to execute the attack vector.
  • Arrogance: The end user believes that their defenses are sufficient and that engaging in a social engineering attack can have no repercussions for them or their business.

In my opinion, humans are the weakest link in cybersecurity. The traits listed above explain why many attacks occur and why end-user behavior is the biggest misconception. The business expects people to do the right thing, but ultimately, in cybersecurity, they do not.

What recommendations do you have for organizations aiming to strengthen their cybersecurity posture?

For organizations looking to strengthen their cybersecurity posture, I would recommend they focus on identities first and consider these six steps to improving their cybersecurity posture:

  1. Identity and Asset Inventory – Create a living, up-to-date database of all identities, accounts, systems, applications, and resources for modeling threats. This will help establish a basis for risk management and ownership for incident response.
  2. Identity Accountability – Mandate the proper implementation of critical IAM solutions, such as IGA, PAM, SSO, MFA, etc., to ensure all identities are managed and used appropriately. This will help develop your Identity Fabric and how you measure Identity Security risk.
  3. Remote Access – Outside of sitting in front of your computer, all web access and applications are done remotely. Therefore, all remote access pathways must be secured from identity attack vectors and credential theft.
  4. Least Privilege – All accounts, no matter who owns them, should have the fewest privileges to perform their tasks and follow guiding principles like zero trust. Never assign administrative privileges just to make something “work.”
  5. Integrate Directory Services – The more identity directory providers an organization has, the worse it is at managing identity-based threats. Platform and application directory services should be consolidated wherever possible, using solutions to fold dissimilar operating systems into a common directory service. 
  6. Identity Security – Although identity security is the last recommendation, it should be applied at every step of the first five recommendations. It was added last so that existing organizations could consider modeling their legacy environments with identity security, and new organizations could build it in from the start.

Is there a cybersecurity incident that stands out in your memory, and how was it addressed?

In my years as a cybersecurity professional, the Okta Support Breach from November 2023 stands out as an inflection point. As the CSO, a victim of this attack, and the organization that identified and notified Okta of the issue, I was truly blessed that BeyondTrust’s solutions identified the risk and allowed us to remediate the threat within only a few hours. No on-premise indicators of compromise, malware detected, or corporate-owned assets or data penetration. The attack itself was fully in the cloud, within a third-party SaaS solution, and highlights the need for Identity Security and the protection of the entire Identity Fabric. 

At BeyondTrust, we internally utilize all of the solutions we develop. I am very proud that our technology, Identity Security Insights, identified the attack and allowed us to respond promptly. Without the solution, we would have become victims, like hundreds of other Okta customers. 

Looking to the future, what do you envision for the cybersecurity landscape, and what role do you believe BeyondTrust will play in shaping it?

The future of cybersecurity is not written. It is an empirical response to threat actors’ creativity and motivation for financial gain or geopolitical advantage over adversaries. Rarely does a theoretical approach for a cyber-attack become a reality that concerns the entire industry. As the cybersecurity landscape changes, the move to the cloud allows vulnerabilities to be patched more rapidly for all tenants, software development becomes more resistant to vulnerabilities due to a mature CI/CD pipeline, and AI assists with threat detection.

I believe that identity security will become the most important topic of discussion in cyber defense in the next decade. BeyondTrust already plays a leading role in PAM and identity threat detection and response and will continue to lead the industry to ensure that identity theft, stolen credentials, and poor hygiene within an identity fabric do not become liabilities for organizations that result in a breach.
