Cyberthreats are increasing across all parts of the technology stack, and experts from Okta and Palo Alto Networks discuss tactics for continuous monitoring.
When it comes to protecting systems and data, two metrics stand alone at the top: the time it takes an organization to detect a problem and the time it takes to respond to that real or potential vulnerability.
Over the past 12 to 18 months, both of those metrics have become more important as hackers are moving faster at breaking into networks and exfiltrating data.
“What used to take weeks has now gone down to days because they’re using artificial intelligence and they’re using more sophisticated attacks, so that exfiltration is happening in a matter of hours,” said Jim Smid, DoD and Intelligence Community field chief technology officer for Palo Alto Networks.
“The window you have to the mean time to detect and the mean time to respond is shrinking. If you can’t catch what’s happening within that timeframe, then you have a whole different issue that you’re dealing with.”
He said recent data shows organizations are dealing with 1.7 million zero-day attacks a day.
Smid joined Christine Halvorsen, public sector chief technology officer at Okta, to discuss continuous identity monitoring on a panel during Federal News Network’s Cyber Leaders Exchange 2024.
To lower those mean times, agencies need to stitch together data from a variety of tools. This also means the tools must integrate to be able to share cyber threat signals.
Halvorsen said a key aspect of that integration is through identity and access management capabilities.
“What we’re seeing now coming out is the identity proofing on the front end before the authentication or the user even logs in,” said Halvorsen, who spent 22 years working for the FBI. “There’s a whole identity proofing movement going on right now, which is really proving who you are, and then you have the authorization piece and, once you’re authenticated, what should you have authorization to. What we’re really seeing in the authorization space is the move to more of an attribute-based authorization of things.”
She added that where public and private sector organizations really need to get to is the use of phishing-resistant, passwordless technologies. That is necessary to address social engineering attacks, which are increasingly more convincing and more successful than earlier iterations.
Halvorsen pointed to recent attacks that were effective like credential stuffing, spear phishing and social engineering of authentication capabilities, which hackers used in the MGM attack.
While identity and access management are foundational to cybersecurity, especially as agencies move to a zero trust architecture, threats are expanding across all parts of the technology stack.
“We realize that there’s threat signals that happen in each one of those [zero trust] stacks, and what we’re seeing is that those threat signals that are happening there have to be shared and consolidated together to take action,” Halvorsen said. “What we’re starting to see are the actors are actually operating in between the stacks right now, and that’s where the vulnerabilities are sitting. So working through shared signals is really where we see it going, especially with identity being the front door into the zero trust journey.”
Smid added that if the tools are integrated, they provide continuous authorization across the different zero trust pillars and can recommend that security experts take action when a user is doing something out of the ordinary.
Halvorsen added, “We’ve seen gaps in that continuous risk monitoring after that initial authentication. We’ve seen fragmented risk insights across the diverse security tools and systems, and then we have to balance the risk mitigation with the user experience to make sure that the user experience is what the user is expecting and it’s frictionless.”
She said if something happens at an endpoint that looks strange, organizations can take those shared threat signals and either initiate a universal logout or make the user reauthenticate into the system.
“There’s different things that you can do on the platform as it all comes into the identity threat protection. It gives you a lot of power there. Then we can automate some of that within our workflows,” she said.
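One way to turn shared threat signals into the post-authentication decisions described above (do nothing, force re-authentication, or universal logout) is sketched below. This is an added illustration, not code from Okta, Palo Alto Networks or the panel; the signal types, weights, thresholds and sample sessions are constructed assumptions.

```python
"""Continuous risk evaluation after initial authentication (hypothetical design).

Signals from endpoint, network and identity tools are consolidated per session,
scored, and mapped to an action. A universal logout for one session is escalated
to every session of the same user, which is what makes it "universal".
"""
from dataclasses import dataclass, field

# Constructed weights per signal type; not taken from any vendor product.
SIGNAL_WEIGHTS = {
    "endpoint.malware_detected": 80,
    "endpoint.posture_failed": 30,
    "network.impossible_travel": 50,
    "identity.new_device": 20,
    "identity.mfa_fatigue": 60,
}
UNKNOWN_SIGNAL_WEIGHT = 10   # unfamiliar signal types still raise risk a little
REAUTH_THRESHOLD = 40        # step-up: make the user authenticate again
LOGOUT_THRESHOLD = 80        # revoke all sessions and tokens for the user


@dataclass
class Session:
    user: str
    session_id: str
    signals: list = field(default_factory=list)  # dicts: {"type": ..., "source": ...}


def risk_score(session: Session) -> int:
    """Score distinct signal types, so two tools reporting the same thing count once."""
    seen = {s["type"] for s in session.signals}
    return sum(SIGNAL_WEIGHTS.get(t, UNKNOWN_SIGNAL_WEIGHT) for t in seen)


def decide(session: Session) -> str:
    score = risk_score(session)
    if score >= LOGOUT_THRESHOLD:
        return "universal_logout"
    if score >= REAUTH_THRESHOLD:
        return "reauthenticate"
    return "allow"


def evaluate_all(sessions: list) -> dict:
    """Per-session actions, with universal logout escalated to all of a user's sessions."""
    actions = {s.session_id: decide(s) for s in sessions}
    revoked_users = {s.user for s in sessions if actions[s.session_id] == "universal_logout"}
    for s in sessions:
        if s.user in revoked_users:
            actions[s.session_id] = "universal_logout"
    return actions


# Constructed sample: signals as they might arrive from an EDR, a firewall and an IdP.
SAMPLE_SESSIONS = [
    Session("alice", "s1", [{"type": "identity.new_device", "source": "idp"},
                            {"type": "network.impossible_travel", "source": "firewall"}]),
    Session("bob", "s2", [{"type": "endpoint.malware_detected", "source": "edr"}]),
    Session("bob", "s3", []),                       # clean session, same user as s2
    Session("carol", "s4", [{"type": "identity.new_device", "source": "idp"}]),
]
```

Running `evaluate_all(SAMPLE_SESSIONS)` steps alice up to re-authentication, logs bob out of both sessions, and leaves carol alone.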
Automation becomes even more important as agencies begin to take more advantage of artificial intelligence to help analyze the ever-growing volume of data the cyber tools collect.
Smid said these tools particularly can ensure an organization’s security operations center (SOC) analysts aren’t chasing “cyber noise.”
“Your people that are running your SOC are really the tip of the spear. They need to be focused on really important things that take real intelligence, not artificial intelligence. Let the AI and the automation take the things that are repetitive, redundant, simple, repeatable — and the tools really have a lot of that built into them,” he said.
“Today, we’re being very, very sophisticated. We’re being much more successful than we used to. At Palo Alto Networks, our SOC, we automate well over 90% of all of the alerts that come through, and that’s allowed us to really change the paradigm of what a SOC looks like. It lets your really talented people focus on things that are really critical and important.”
The other benefit of integrating tools and capabilities is the efficiency gains across the stack. For instance, Smid said, the Defense Department saw benefits when it implemented Palo Alto Networks tools.
“We’ve seen over 20 times improvement in the user experience. I can make anything secure, but you won’t be able to use it anymore and that’s such a critical piece because if you impact that user experience too significantly, your users start trying to find a way around your security tools, and that’s not what anybody wants,” he said.
“We’ve seen within some of our DoD deployments, around zero trust, and specifically zero trust network access, that they’ve said this works better than it did before. They say, ‘I turned it on, and not only am I more secure, but my user experience is so vastly better than it was. Don’t take this away from me.’ There’s no better thing than hearing that from customers that we didn’t break it when we secured it.”
Copyright © 2024 Federal News Network. All rights reserved.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.