Exploring Information Security

Exploring the Next Frontier of IAM: Shared Signals and Data Analytics


Summary:

Timothy De Block sits down with Matt Topper of UberEther to discuss the critical intersection of Identity and Access Management (IAM) and the current cyber threat landscape. They explore how adversaries have shifted their focus to compromising user accounts and non-human identities, making identity the "last threat of security". Matt Topper argues that most enterprise Zero Trust implementations are merely "VPN 2.0" and fail to integrate the holistic signals needed for true protection. The conversation dives into the rise of cybercrime as a full-fledged business, the challenges of social engineering, and the promising future of frameworks like Shared Signals to fight back.

Key Takeaways

The Identity Crisis in Cybersecurity
  • The Easiest Way In: With security tooling improving, attackers focus on compromising user accounts or stealing OAuth tokens and API keys to gain legitimate access and exfiltrate data.

  • Cybercrime as a Business: Cybercriminal groups now operate like legitimate businesses, with HR, marketing, and executives, selling initial access and internal recon capabilities to other groups for a cut of the final ransom.

  • The Insider Threat: Cybercriminals are increasingly paying disgruntled employees for their corporate credentials, sometimes offering a percentage of the final ransom (which can be millions of dollars) or just a few thousand dollars.

  • Social Engineering the Help Desk: Attackers easily bypass knowledge-based authentication (KBA) questions because personal data has been leaked, and they gain access by exploiting the help desk's desire to be helpful under pressure.

Zero Trust, Non-Human Identity, and the Path Forward
  • Zero Trust is Underwhelming: Matt Topper views most enterprise implementations of Zero Trust as overly network-centric "VPN 2.0" that fail to solve problems for multi-cloud or SaaS-based organizations. True Zero Trust is a holistic strategy that requires linking user, device, and machine-to-machine signals.

  • The Non-Human Identity Problem: Organizations must focus on mapping and securing non-human identities, which include API keys, service accounts, servers, mobile devices, and runners in CI/CD pipelines. These keys often have broad access and are running unchecked.

  • Shared Signals Framework (SSF): A promising solution developed by the OpenID Foundation, SSF allows large vendors (like Microsoft, Google, and Salesforce) to share risk and identity signals. This allows a company to automatically revoke a user's session in a third-party application if a compromise is detected by the identity provider.

  • User Behavior Analytics (UBA): Effective security requires UBA, such as tracking users' browsing habits and using data analytics to establish a baseline of normal behavior, moving toward the "Moneyball" approach seen in sports.
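
The Shared Signals revocation flow from the list above, as an added example that is not from the episode or from UberEther: a receiving application validates a Security Event Token (SET) carrying a CAEP session-revoked event and drops the affected user's sessions. The issuer and audience URLs, the in-memory session store and the HS256 shared key are assumptions for the demo; a production receiver verifies the asymmetric signature against keys published by the transmitter.

```python
import base64, hashlib, hmac, json

SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
TRANSMITTER = "https://idp.example.com"   # assumed transmitter (identity provider) issuer
RECEIVER = "https://app.example.net"      # assumed receiver (third-party app) audience
KEY = b"demo-shared-secret"               # stand-in for the transmitter's published signing keys

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_set(claims: dict, key: bytes = KEY) -> str:
    """Transmitter side: build a constructed sample SET (HS256 for the demo only)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def handle_set(token: str, sessions: dict, seen_jti: set, key: bytes = KEY) -> list:
    """Receiver side: verify, validate, then revoke. Returns the revoked session ids."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # reject 'none' or a swapped algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != TRANSMITTER or claims.get("aud") != RECEIVER:
        raise ValueError("wrong issuer or audience")
    if claims["jti"] in seen_jti:
        return []                               # replayed or redelivered event
    seen_jti.add(claims["jti"])
    if SESSION_REVOKED not in claims.get("events", {}):
        return []                               # other event types are ignored here
    subject = claims.get("sub_id", {})
    if subject.get("format") != "email":
        return []                               # only the email subject format is handled
    revoked = [sid for sid, user in sessions.items() if user == subject["email"]]
    for sid in revoked:
        del sessions[sid]
    return revoked

# Constructed sample: the identity provider reports a compromise for one user.
SAMPLE_SET = sign_set({
    "iss": TRANSMITTER, "aud": RECEIVER, "jti": "evt-0001", "iat": 1700000000,
    "sub_id": {"format": "email", "email": "alice@example.com"},
    "events": {SESSION_REVOKED: {"event_timestamp": 1700000000}},
})
```

The replay check on `jti` matters because delivery can repeat; revocation is idempotent here, but the same guard protects event types that are not.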

Data Quality and the IAM Challenge
  • Data Quality is Broken: Many problems in IAM stem from poor data quality in source systems like HR and Active Directory, where there is no standardization, legacy data remains, and roles are misaligned.

  • Selling Security to Marketing: To gain funding and traction for UBA and data analytics, security teams should pitch the problem to the marketing team by showing how it can track user behavior, prevent fraud (like "pizza hacks" from rewards program abuse), and save the company money in chargebacks.

Resources & Contact
  • UberEther: Matt Topper's company, which focuses on integrating identity access management tools to build secure systems right from day one.

  • Shared Signals Framework (SSF): A framework from the OpenID Foundation for sharing security and identity signals across vendors.

Support the Podcast:

Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.


Exploring Information Security, by Timothy De Block
