The intersection of User And Behavior Analytics, and a zero-trust approach to remote environments
Dr. Christine Izuakor: Welcome to the Veriato Insider, a biweekly podcast covering some of the latest trends and things to know in cybersecurity. This podcast is sponsored by Veriato, a next-generation employee monitoring and insider threat detection software provider. To learn more about how Veriato can help protect your company, check out veriato.com. I'm Dr. Christine Izuakor, your host for today's segment, and today's topic is covering the intersection of UEBA, User Behavior Analytics, and zero trust in a remote environment. Zero trust of course is not a new concept. However, it's been gaining a lot more attention in the context of this new and constantly evolving world we are operating in today.
Dr. Christine Izuakor: We have a special guest with us to cover this topic. Dr. Aken is an established IT professional with 15-plus years of executive leadership and consulting experience across multiple industries, including everything from oil and gas and telecommunications to the Department of Defense, transportation, and much more. He earned a Ph.D. in business administration and management information systems and is a Certified Information Systems Security Professional. As a former CIO and also a former university professor, he brings a ton of thought leadership and tech expertise to the table, and in more recent years has focused more on zero trust, so he's such a great addition to this conversation. Thank you so much for joining us, Andrew, and welcome.
Dr. Andrew Aken: Well, thank you for that wonderful introduction. It has been great getting to know you in the short time that we've had, but I'm sure this is going to be as enjoyable for me as it won't be for anyone else.
Dr. Christine Izuakor: Well, I've already gotten so many laughs in. Definitely looking forward to this conversation. Maybe kick us off by sharing a little bit more about your background.
Dr. Andrew Aken: All right. Well, I started my career as a software engineer working for IBM after getting my Bachelor's and Master's in computer science. Then for my next several roles, my focus and expertise were actually on internationalization and globalization. I even became the director of automation for a translation management company, but then to take advantage of the rapid evolution of the internet and the worldwide web, I partnered with some others to found a successful internet service and facilities-based telephone company that primarily serviced enterprise customers. It was there that I got my baptism by fire into cybersecurity, and we've got some great stories when there's more time to go into that. Also, while I was running the telephone company, I was coerced into teaching a web application development course at my alma mater, which is, shout out to Southern Illinois University, who also paid for me to pursue my Ph.D. in business administration, specializing in management information systems, as you had already pointed out.
Dr. Andrew Aken: Then after getting my Ph.D., I exited from the telephone company, working as a professor for some different universities while doing cybersecurity, IT infrastructure, and application development consulting on the side. At one university, I actually utilized a web content data mart mining application that I had developed to identify what skills employers are looking for in order to improve the curriculum. That school eventually became a top 10 MIS school in the nation, so I'm proud of that. Then at the university I was at most recently, I led the development of the MIS components of our cybersecurity degree program in collaboration with the criminal justice and the computer science departments. Then last spring, I started my role as an advisory specialist master at Deloitte, where I was a leader in the development of Deloitte's point of view and marketing strategy for zero trust and led several client engagements, building roadmaps with them to implement the zero trust model as well as other [inaudible 00:04:39].
Dr. Christine Izuakor: Now, you've touched on this already towards the end, so maybe in layman's terms, can you explain this concept of zero trust and maybe how it's evolved?
Dr. Andrew Aken: Well, Forrester is generally credited with applying the name zero trust to this model of security, although it had been around in various forms for several years before that. According to Forrester, the zero trust model of information security is a conceptual and architectural model for how security teams should redesign networks into secure micro-perimeters, strengthen data security using obfuscation techniques, limit the risks associated with excessive user privileges and access, and dramatically improve security detection and response with analytics and automation. Hold it, I think your question was how would I describe zero trust in layman's terms?
Dr. Christine Izuakor: Right.
Dr. Andrew Aken: All right. If we look at the dominant security architecture paradigm for the last several decades, defense in depth, we know that it typically relies heavily upon a strong perimeter defense through firewalls and various other technologies and network segmentation, so that we can get our PCI, PII, PHI systems and data, or systems that hold that kind of data, as well as our workstations segmented from each other. Then we'd couple that with the agents on the systems and the gateways to prevent malware infections, data loss prevention, et cetera, along with identity and access management, logging, traffic analysis, intrusion detection, and prevention systems, but there are a couple of fundamental flaws in that defense-in-depth model.
Dr. Andrew Aken: Primarily, whenever a breach occurs and an attacker is able to gain unauthorized access to a system in one of those controlled network segments, they have almost free rein to move laterally within that segment to access other systems. Additionally, a lot of the security tools, policies, and procedures are really just loosely coupled without a single coherent strategy to bind them together and to orchestrate these cyber defenses in an organization, which can then leave significant gaps and overlapping and conflicting processes, which wastes time and money. Zero trust addresses the first flaw by taking on the mantra "never trust, always verify," which of course is related to a quote from Ronald Reagan, where "trust but verify" was his mantra.
Never trust and always verify
Dr. Andrew Aken: With zero trust, the real mantra is never trust and always verify. Basically, any communication between systems or requests for resources will be denied by default, even if those systems are in the same network segment. Only if the authorized user, vetted system, and context of the request are specifically allowed should those requests also be allowed to go through. This is going to prevent intruders and malware who have been able to gain access to a protected system from moving laterally within the environment and potentially gaining access to the crown jewels.
Dr. Andrew Aken: The second flaw is also addressed by developing or utilizing a zero-trust reference architecture, which has a comprehensive design incorporating all of the different elements that need to be secured as well as the processes and procedures to streamline the cybersecurity architecture. Now, there are multiple zero trust models available, but my view is going to be an adaptive function of the Forrester Zero Trust eXtended architecture, where we have pillars or domains of identity, which is also referred to as user or people; networks; endpoints, which can also be referred to as devices; workload; data; visibility and analytics; and automation and orchestration. That is what my view of zero trust is, as worded by Forrester and a lot of the other organizations.
How can UEBA make a difference in home work environments?
Dr. Christine Izuakor: Awesome. So well put. I mean, it sounds like, generally speaking, people have trust issues, devices have trust issues, and networks have trust issues. We all have trust issues. How does zero trust kind of overlap or relate to UEBA, and how can this make a difference in remote work environments especially? You've touched on some of this a little bit, but what are your thoughts there?
Dr. Andrew Aken: I mean, first we have to remember that zero trust isn't a binary state where you can say, "Yes, I have a zero-trust network," or, "No, I don't have a zero trust model employed." It's really more of a gradient or a maturity level. I've been, for example, working on a zero-trust maturity model where each one of the pillars that I was just talking about, the domains of the zero-trust framework, would be graded to determine the maturity of an organization along each one of those domains, and then combining them to come up with an overall zero trust maturity assessment along with a gap analysis and roadmap to help organizations achieve their desired level of zero trust.
User and entity behavior analytics or UEBA needs to be employed primarily as a part of the visibility and analytics domain
Dr. Andrew Aken: Now, to achieve the higher maturity levels within zero trust, user and entity behavior analytics, or UEBA, needs to be employed primarily as a part of the visibility and analytics domain, which is a part of the zero trust model, but then the identity and the endpoints [inaudible 00:10:46]. As part of the maturity assessment of where an organization is in implementing a zero trust architecture, we would use UEBA implementation as one of those things that will increase the maturity level of the organization across those domains. Certainly, UEBA is going to be a critical element in restricting unauthorized lateral movement between systems as well. Specifically within remote work environments, UEBA can be utilized in conjunction with SASE, secure access service edge technology.
Dr. Christine Izuakor: Yeah, that makes a lot of sense. I think the visibility element is so important right now, especially in this environment, and something that I think a lot of leaders are concerned with right now. For security and tech leaders, or anyone who's kind of thinking about adopting more zero trust strategies and integrating that more into their environments, what are some tips that you have or things they should be thinking about?
Dr. Andrew Aken: Again, because zero trust is not a binary state, it's not a destination, it's a journey, and it shouldn't be undertaken with the thought that we're going to implement zero trust as if we could do it by installing some tool or application. Any vendor that states that installing their tools or their tool suite is going to provide a zero trust network either isn't being honest or isn't being accurate. It is going to be a coordinated effort across multiple domains, which begins first with determining where you are, then where you want to be, and then making sure that the fundamentals or the foundation for cybersecurity are appropriately laid before starting down that long and winding road. Each step you take towards a zero trust implementation and improving the maturity level of the zero trust implementation in your organization is going to help make your organization more secure.
Dr. Christine Izuakor: I think that notion holds, that it's definitely a journey more than it is something that you can just flip a switch on and fix all of our problems, right? As much as we wish that were the case. As we wrap up, are there any final thoughts you want to add?
Dr. Andrew Aken: Well, I'd like to point out that a properly constructed zero trust architecture not only is going to provide much better protection from your adversaries, but it can also help an organization reduce overall cost by eliminating a lot of that duplication of effort from all of the different tools that an organization may have purchased or is considering purchasing, and it can also dramatically improve the user experience. We're frequently referred to, in the cybersecurity part of the organization, as the department of no, and certainly a lot of what we implement in the name of security can impede an organization's and the personnel's ability to perform certain tasks, but if done properly, we can actually streamline, particularly when it comes to the authentication mechanisms that an organization utilizes, by going with a passwordless technology under the guise of implementing it as a part of zero trust, or we can also make the development of applications much more streamlined while still maintaining a secure DevOps structure. It doesn't necessarily need to impede progress, but in many cases a properly implemented zero trust architecture can make an organization more streamlined, more secure, and more fun.
Dr. Christine Izuakor: Who doesn't love more fun? Andrew, thanks so much for joining us today. That concludes the Veriato Insider podcast for this week. Again, this has been brought to you by Veriato, an award-winning cybersecurity company recently recognized with the gold award for best insider threat solution of 2020. Their solutions are anchored around four core pillars of cybersecurity protection. Quite a few of them relate to this topic of zero trust and moving in that direction, and those are employee monitoring and web filtering, workplace investigations, insider threat detection, and ransomware support. To learn more about how Veriato can help protect your company, check out veriato.com. Thank you all for tuning in, and a special thank you to Andrew again for joining us today.
Dr. Andrew Aken: It was absolutely my pleasure.
Dr. Christine Izuakor: I'm Dr. Christine Izuakor, the CEO of Cyber Pop-up, and it's been our pleasure to share these insights with you. Until next time, stay safe and secure, Insiders.