What happens when organizations don’t have identity management practices and systems in place, and what can be done to solve the problems that result?
In this episode, Plurilock™ CEO Ian L.Paterson talks with Iain Paterson about how identity is at the heart of many breaches, about the challenges of implementing current identity management approaches, and about the dangers of third-party risk.
|Host:||Ian L. Paterson|
Ready to listen in? Click play below.
Ian: Welcome to the Identity in Cybersecurity Podcast. I’m your host, Ian L. Paterson, and in this episode I’m speaking with Iain Paterson— that’s not a mistake, we share the same name. Iain is the managing director of Cycura, with 15 plus years experience in enterprise-wide IT, including sectors like finance and healthcare. In this episode, we discuss how identity is at the heart of many breaches, the vulnerabilities of outsourcing business functions to third parties, and what it’s like to be on the front lines of a breach. Let’s get to it!
Ian: All right, well, let’s get started. So, Iain, how did you get started in cybersecurity?
Iain: I started in cybersecurity about 17 years ago now. I was recruited into one of the major banks here in Canada. My career started out in VARs. So I was doing reseller integration type work and one of the banks approached me for a contract role. I joined an infrastructure team at the bank doing workarounds for Windows servers because that was my background and they needed somebody to bear the brunt of patch management. Which was really back in those times, (and is still a really more of a black art than a science.) And I foolishly put my hand up and said, “Yeah, I can do that. I know how to patch things.” You know, I’ve done it in certain organizations and then learned that doing it at scale properly with change management and stuff like that is much more difficult and complicated than doing it in a medium business type of environment.
Iain: So, that kinda got me started down the path of really thinking and researching a lot about what vulnerabilities are important: what’s important to get patched, how to prioritize vulnerability management in a large organization. And we scaled very rapidly! We were acquiring tons of Windows servers at the time, getting rid of old Solaris and mainframe stuff. So at one point, we were running one of the largest patch management infrastructures in North America. Then what happened was the security team that I was interfacing a lot within the bank, asked me if I would come over and do the inverse and run the vulnerability management program for their organization—so, understanding where there are vulnerabilities across the organization. And then as we started acquiring US banks in 2008, and that program exploded and became probably one of the biggest (in North America) vulnerability management programs as well.
Identity is a huge problem in the healthcare space, and we could probably talk for an hour about that.” —Iain
Iain: So, that was kind of what started me out, though it was eight years. After that moved into healthcare, I was the Information Security Officer for a hospital, in charge of building out an information security practice, and then I eventually also moved into managing the privacy practice. My privacy team was really streets ahead of me on that kind of stuff but I learned a lot about healthcare and healthcare-specific cyber needs and the unique challenges in that space. And also why a lot of legacy healthcare applications really struggle with stuff, including identity. Identity is a huge problem in the healthcare space, and we could probably talk for an hour about that if you want. Then after—I spent four and a half years in the hospital— I moved to a government agency that was a part of the Ministry of Health in Ontario, as the Director of Security Operations.
Iain: So the mandate there is a centralized health record for all 13 million people within the province of Ontario. I was the Director of Security Operations for that organization for a period of time. And looking after how we managed security around the sensitive infrastructure and databases that were within that environment, as well as how we interfaced with our partners like hospitals and clinics and EMR providers, around how we secure those transactions with those customers. So yeah, that’s kind of the roadmap.
Iain: So that’s my background in cyber. And then I’ve been doing the consulting thing now for, I’ve been running Cycura as Managing Director for four and a half years now, working on the client-side of things. It’s been an interesting journey and I’ve had a lot of exposure to a lot of different environments, industries here as well too. So, I’ve seen a lot of challenges. And if we think about identity, I have certainly seen impacts to organizations where there has been poor or no identity management in place and what some of those outcomes are. Because, part of practice that we have here is, obviously, incident response and incident handling. So I’ve had an opportunity to work with a lot of organizations going through breaches, events and, identity has been at the heart of a lot of those.
I have certainly seen impacts to organizations where there has been poor or no identity management in place and what some of those outcomes are.” —Iain
Ian: Yup. So given where you sit and you’re able to see the threats coming at multiple organizations, including the ones that you’ve been at, what are the threats that are keeping you up at night?
Iain: The ones that have the most immediate impact, well, you can’t discount ransomware. Because the impact is so pronounced and the ability for most organizations to recover is very—it’s variable. You know, some companies might get away okay or relatively okay. And for other companies it could be an existential threat to the organization, depending on if they can or can’t recover. So that’s probably the biggest and most pronounced one at the moment. Business email compromise is obviously a challenging one and could be largely averted with just some decent identity management practices in place, you know, like multi-factor authentication.
Iain: I think the other one that type that worries me a lot is just the dependence on third-party services. We take a lot of our business processes and we start to move them outside the organization because that’s not the core competency of the business—you know—so we outsource things like our HR function or our payroll function, and then we start to outsource other processes that may even tie into what we deliver to our customers and stuff like that. What we see is a lot of these services are maybe not very well bedded from a technical perspective. People are in a rush to turn around and say, “Yeah, I’m compliant with SOC2” or something like that. I think practically a lot of these organizations might be more vulnerable than we understand. And then we are giving them important business functions and handing over kind of the keys to what we’re doing day-to-day operationally to these organizations. And we are probably taking on more risks than we understand.
Ian: What does a best-in-class identity strategy look like today? And I think that you’re touching upon some interesting things, like it’s not just about the identity of the employees of my company, but it’s the identity of the contractors working for the third- parties who access the data at my company. Like what does that look like today?
Business email compromise is obviously a challenging one and could be largely averted with just some decent identity management practices in place, you know, like multi-factor authentication.” Iain
Iain: Yeah, it’s so much more complicated than it was when it was just, “here’s your active directory, here’s the users in it.” As soon as we started really thinking about cloud services and storing stuff outside of our organization and, federating ourselves with others and things like that, it got really complicated. Traditional identity and access management approaches are challenging to implement, even if you are just doing fundamental stuff like active directory. I think today you have to be really thinking about that diverse, array of different services that you as an organization are leveraging and you have to factor that in.
Iain: And to your point, if you are relying on third parties delivering services for you, you have to also get your arms around “how do I validate that those entities are authenticating with me, appropriately and that I trust them.” And if there’s a problem that I have the ability to go into revoke things effectively. All of those are serious concerns! During my time in healthcare, I became really aware of how reliant healthcare providers can be on third-party service providers for say, clinical applications to be part of the supply chain to be part of the technology and support for those services that are delivered.
Iain: So the company that makes the x-ray equipment hardware and the imaging system always has access into your environment, so they can go in and they can test patches and stuff like that. Or a company that takes care of their records management component of your EMR is going to have access to go and make updates in case fields and can change to comply with some sort of new regulatory thing. Those third parties, they can present a tremendous amount of risks to the organization if they’re not properly managed. So I think it’s a very complex thing to build out a full, identity and access management strategy and to execute on it. My concern is that it requires typically multiple technology components and controls to do it effectively these days. I don’t think you can do it all—it’s very hard to do all under one roof. I feel like you get into—I use this to manage my privileged accounts and my secrets, I use this for my cloud services so I have a CASB product, and then I use this to manage my active directory. And, all of that makes for a difficult situation!
Those third parties— they can present a tremendous amount of risks to the organization if they’re not properly managed.” —Iain
Ian: So describing potentially three different vendors or solutions just to manage identity and then not to mention the rest of the cybersecurity stack, generally requires a large staff. And I think one of the things that we’re finding, particularly with our customer base, is nobody’s able to hire enough people quickly enough to meet the demand of, of their organization. Given that your company is effectively the SWAT team, right? I mean, people call you when their own security teams can’t necessarily get the job done, so you have to recruit the absolute best of the best. What are you finding that’s working for recruiting talent and retaining talent in the very competitive cybersecurity job market that exists today?
Iain: For us in particular, it’s two things. It’s creating that culture that attracts the kind of people that we need and want as part of our team. So to your point, we bring on super-talented individuals who are really good at what we do—the kind of offensive security pen testing and red team work. That’s a very distinct personality type and skill set. And it’s really self-motivated—you know, “I like to break things.” CTF inspired hackers that want to go out there and learn, and poke and tinker. And so we organizationally have to make sure that is part of our DNA—anything from sponsoring grassroots stuff like DEFCON or our local DEFCON chapter and a SecTor, which is now BlackHat here in Toronto. And then also things like, Hack Student, stuff like that. We make sure that we live and breathe this and that the people who work for us feel that.
Iain: So that’s one strategy around attracting and retaining people. You know, the other thing that we’ve realized that you have to do is you can’t always compete on salaries because, especially in Toronto, but I’m sure you’re feeling that out in Vancouver too. As you see, a lot of the big players like Amazon, Google, and Facebook and others move into town, even the banks —they’re driving the salaries up for even junior roles because they want and need the talent too. So we’re finding that you are going to have to take a chance on people who identify as best and brightest, who are probably just coming out of school or finishing a program, bring them on board and train them up and give them an opportunity. And then encourage them to do a lot of learning on their own—get upskilled with your team. They get the advantage of working side-by-side, is you can grow them into that talent that you need. Because the reality is you can’t invent these people. You can’t just materialize them out of thin air! A lot of what I’m seeing coming out of some of the school programs is really geared at like SOC Analyst, it’s not geared towards what we need to bring somebody on to work on a project for a client. You can’t—you can’t trust that. So bringing in somebody more junior and then having them shadow somebody for several months before they’re allowed to even try something that’s client-facing. That’s been a strategy that we’ve implemented and it has worked okay for us as well.
They get the advantage of working side-by-side, is you can grow them into that talent that you need. Because the reality is you can’t invent these people. You can’t just materialize them out of thin air!” —Iain
Ian: So, given you’re somebody who’s been both on the offensive side, like you are now and also on the defensive side, both in healthcare and financial services, if you were thrown into a mid-sized financial institution as a CISO, what does that first 60, 90-day plan look like? What are the first things that you need to do when you’re coming fresh into an organization to take a handle and take stock of what’s taking place?
Iain: For me, it all starts with, “what do I have?” I find most organizations don’t have a good handle at all on their asset management as an organization—what their footprint is. Legacy stuff that people forgot about, but still an act of domain on the internet and still trusted by my root authority. Like —not good! Then also the shadow IP that’s been going on in the background because people have been working around the processes that either do or don’t exist. So understanding what I have and then taking a hard look at it and understanding the business operations meets vulnerability-side of it. So, what are the important things that the businesses needs as far as my, IT goes? How are they leveraging it? What do those critical processes look like? And then where are these things vulnerable, right? How are we doing from a perspective of things like patch management and those types of concerns?
Iain: I’m not gonna worry too much about compliance if I’m an SMB, because, I’m probably not selling into many markets, but you know its front of mind if I am doing a whole bunch of business in Europe these days, right? GDPR could be devastating to me, but, most small-medium enterprises aren’t up against compliance-type challenges immediately. Once I have a good understanding of that, okay, “where are my actual technical risks?” So if I have the knowhow inside, I want to understand how effective, and what technology and controls I have in place today. So I want to test these things to see if they will stand up effectively or if they are functioning effectively because if I’m am being attacked all the time, I want to know what’s working and what’s not. And then from there I can assess, “okay, what do I need to implement to build out a security program that meets the needs of the of the business for the next two to three years” because that’s really as far as I can forecast on the road.
Iain: So it’s really about understanding what you have, assess how it’s being used and what criticality it is. And then it’s a mixture of vulnerability assessment and actual really testing the effectiveness of those controls. It’s going to give me as the CISO a sense of where I should be worried about what’s going on inside the environment. There’s obviously a lot of different context you need to look at: their policy, business operations, what we consider important as an organization, what kind of customer we serve, what markets we were operating in, all of those things layer into it, but I think what I’ve just outlined fundamentally what are the places that you’re going to get hurt from a technical perspective, regardless of what industry you work in. That’s how I would approach it, at least.
So it’s really about understanding what you have, assess how it’s being used and what criticality it is.” —Iain
Ian: So, this is going to be a topical question because we’ve actually paused the interview so you could take a call in regards to a breach! But what is the highest stress cyber incident you’ve been involved with? And if you can’t necessarily talk about that one, maybe what would be one that you’ve heard of from folks in your network.
Iain: I can actually talk slightly about one, because there was like a public announcement that we were working it—a press release. I was brought into this organization at the height of the Ashley Madison Data Breach, here in Toronto. And I worked very closely with the board and the executives there on managing that breach, as well as the technical team. So I was in the middle of the storm there, during that incident. Any breach though, we as an organization have probably worked on closing in on a hundred different data breaches, over the last few years. And going back in my career, I’ve been involved in ones, in different organizations, in healthcare and any breach, is a stressful situation. You’re trying to get your arms around, the root cause of the problem. You’re trying to do a containment of the issue, you’re trying to understand, particularly today with, the privacy concerns around breaches. You’re trying to understand what the exposure of patient records if you’re in healthcare space or personally identifiable information in the consumer space, you’re trying to get your arms around all those things very quickly so that you can bring awareness up to the executives of the organization—all the way up to the board level.
Iain: And then also report to the appropriate authorities, if it’s the privacy commissioner’s office or if you’re dealing with bodies, overseas, you need to assemble that data quickly, but you also need to try and be very sure of what you’re reporting. You don’t want to be, too early and not have a full understanding of the breadth of the situation—it could be worse than you think it is or it might not be as bad as you think it is. You don’t want to over or under-report. So, those are some of the initial things that you run into.
There’s a lot of pride that goes into that when we’re all up against the big gorillas of the world. Building an organization that thrives on that honesty and helping customers get to the heart of what their problems are.” —Iain
Iain: And then when you’re actually in a breach handling, then running up against the challenges of people burning out. You have only a limited number of technical people who understand how these systems are all put together, and you can’t have them work 24 hours a day for the entirety of it. And then you have challenges if you’re on the consulting side—customers don’t understand how long these things actually take and what the costs are going to look like. You’re lucky to get back up and operational, from, let’s say, a ransomware attack in about seven business days if you’re lucky, but it could be more like nine to fourteen. A lot of organizations can’t afford that kind of downtime, so there’s pressure there, to help get these people up and running because they’re experiencing significant losses. At the same time, though, you also have to take care to try and preserve evidence and rebuild environments in a sane and safe fashion so that you don’t go and expose yourself to the same thing again, or allow an attacker back into an environment. So there’s a lot of considerations and every incident is quite high pressure—It just depends on the nature of it.
Ian: Given how much breadth you’ve had over your career, what’s the thing that you’re most proud of but never really have an excuse to talk about?
Iain: That’s a good one. Not becoming an alcoholic? Haha. No, I think the work I’ve done with this firm has been good. I’m quite proud of having put together a good team and built out a company that —I think what we try and aim to do is—really eliminate a lot of the noise for customers. When we talk to customers, we try and approach their problems head-on and we try and help them assess what they need and whether we can help, even. What I’ve tried to do is emulate the thing I always wanted when I was on the buyer side of this, when I was director at the government agency, or, at the hospital. I wanted to have meaningful conversations about the challenges that I was experiencing and how people could potentially help if they have a solution or a service that fits the needs that we have. Whereas, you know, I always find our industry is very much, “I have a hammer. You look like a nail.” you know, and there’s certain colored hammers and certain colored nails, and this one only drives this nail—that’s always frustrated me a lot.
Iain: If I’m proud of something, I’m proud that I’ve built up an organization that competes with a lot of heavyweights in Canada. I think that’s important too that we can have Canadian providers that can work for Canadian and international companies. You know, there’s a lot of pride that goes into that when we’re all up against the big gorillas of the world. Building an organization that thrives on that honesty and helping customers get to the heart of what their problems are.
Ian: Awesome. Where can people find you online?
Iain: We’re at www.cycura.com with a new website coming up in March, hopefully. But the existing one covers what we do pretty well. I’m on LinkedIn — happy to connect with anybody on there.
Ian: Ian, always a pleasure. We’ll see you at the next event.
Iain: Awesome. Thank you so much for your time.
Ian: Thanks. ■