Unveiling the Complexity of Non-Human Identities in Cybersecurity with Evandro Goncalves

The discussion with Evandro Goncalves centers on the critical topic of machine identities, which are non-human identities operating within IT environments. As organizations increasingly rely on automation, understanding and managing these identities has become paramount. Evandro elucidates the complexities and challenges associated with machine identities, highlighting the vast number of such identities in comparison to human counterparts and the potential risks they pose, including misconfigurations and privilege abuse. He emphasizes the importance of visibility and accountability in managing these identities, advocating for best practices such as implementing secure vaults and applying the principle of least privilege. This episode serves as a vital resource for those seeking to enhance their understanding of machine identities and bolster their organization’s security posture.

In this episode of the Security by Default podcast, Joseph Carson and Evandro Goncalves discuss the critical topic of machine identities, also known as non-human identities (NHI), exploring their definitions, challenges, and best practices for management. They delve into the complexities of managing non-human identities in cybersecurity, emphasizing the importance of visibility, risk management, and the principle of least privilege.

The conversation also highlights experiences from the NATO Locked Shields exercise, showcasing the real-world implications of identity security. Evandro shares insights on staying updated in the cybersecurity field and the importance of hands-on learning.

Takeaways

  • The podcast aims to make security accessible to everyone.
  • Machine identities are non-interactive identities used in IT environments.
  • Organizations may have up to 80 machine identities for every human identity.
  • Visibility and management of machine identities are significant challenges.
  • Over-privileged accounts are a common issue in organizations.
  • Applying the principle of least privilege is crucial for security.
  • Communication and coordination are vital during cybersecurity events.
  • Hands-on experience and laboratories are effective for learning new technologies.
  • Staying updated with threat reports is essential for cybersecurity professionals.
  • Networking through platforms like LinkedIn is beneficial for knowledge sharing.

Keywords

machine identities, cybersecurity, identity security, non-human identities, security management, best practices, NATO Locked Shields, visibility, risk management, zero trust

This episode is a detailed look at machine identities with Evandro Goncalves of Segura. The conversation works through what machine identities (often called non-human identities) are and the central role they play in modern IT environments. Evandro cites industry studies that put the ratio of machine identities to human identities at up to 80 to 1, a figure that underscores why organizations need a deliberate strategy for managing them. The speakers then turn to the risks specific to machine identities: these credentials are used in milliseconds and around the clock, so controls built for human logins, such as scheduled password rotation, can break the applications that depend on them. Visibility is the next theme; Evandro argues for discovery and monitoring that give an organization a complete picture of its machine identity landscape, starting with the CI/CD pipelines and cloud integrations through which most of these identities are created and used. He then describes the move from conventional password management to ephemeral accounts and just-in-time access, where a credential is provisioned when a workload requests it and expires after a short time to live, removing the window in which a rotated password can break a running operation. The conversation closes on the principle of least privilege and the need to reassess the access granted to service accounts, which are commonly over-privileged.

Evandro Goncalves's expertise and the practical tone of the discussion give listeners a clear basis for navigating machine identity management, and the episode makes a strong case for organizations to take proactive steps to protect these identities against current threats.

Takeaways:

  • Evandro Goncalves elaborated on the evolving landscape of machine identities, emphasizing their significance in modern IT environments.
  • The discussion highlighted that organizations may have up to 80 machine identities for each human identity, illustrating the complexity of identity management.
  • Goncalves stressed the importance of visibility and accountability in managing machine identities to mitigate security risks effectively.
  • One key takeaway was the necessity of adhering to the principle of least privilege to prevent over-privileged machine identities from becoming security liabilities.
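
The just-in-time, ephemeral-credential model described in the summary above, shown here as an added example (this is not code from the episode, from Segura, or from any product): a toy broker mints a short-lived credential bound to a single narrow role when a workload requests one, checks each use against that role's allowed actions (least privilege), refuses the credential once its time to live has passed, and writes every issuance and authorization to an audit log, which is the visibility the discussion calls for. The role names, action names and workload name are invented for the example; the clock is injectable so the expiry path can be exercised without sleeping.

```python
"""Toy just-in-time (JIT) credential broker for machine identities.

Added example, not code from the episode or from Segura. A workload asks for
access, the broker mints an ephemeral credential bound to one role and a
short time to live (TTL), every issuance and use is logged, and a credential
is refused once expired or when used outside its role. Role, action and
workload names below are invented for the example.
"""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical permission catalogue: role -> actions the role may perform.
# Least privilege: a credential is bound to exactly one role.
ROLES = {
    "billing-reader": frozenset({"orders:read", "invoices:read"}),
    "report-writer": frozenset({"reports:write"}),
}


@dataclass(frozen=True)
class Credential:
    credential_id: str
    workload: str
    role: str
    issued_at: float
    expires_at: float
    secret: str  # handed to the requesting workload once


class JitBroker:
    """Issues ephemeral credentials and authorizes individual actions."""

    def __init__(self, clock=time.time, max_ttl_seconds: int = 300) -> None:
        self._clock = clock  # injectable for deterministic tests
        self._max_ttl = max_ttl_seconds
        self._live: dict[str, Credential] = {}
        self.audit_log: list[dict] = []

    def request(self, workload: str, role: str, ttl_seconds: int) -> Credential:
        """Provision a credential for `workload`, scoped to `role`, valid for `ttl_seconds`."""
        if role not in ROLES:
            raise PermissionError(f"unknown role {role!r}")
        if not 0 < ttl_seconds <= self._max_ttl:
            raise ValueError(f"ttl_seconds must be in 1..{self._max_ttl}")
        now = self._clock()
        cred = Credential(secrets.token_hex(8), workload, role, now,
                          now + ttl_seconds, secrets.token_urlsafe(32))
        self._live[cred.credential_id] = cred
        self.audit_log.append({"event": "issue", "workload": workload, "role": role,
                               "credential_id": cred.credential_id, "ttl": ttl_seconds})
        return cred

    def authorize(self, credential_id: str, secret: str, action: str) -> bool:
        """True only for a live, unexpired credential whose role permits `action`."""
        now = self._clock()
        cred = self._live.get(credential_id)
        if cred is not None and now >= cred.expires_at:
            del self._live[credential_id]  # reap on first use after expiry
            cred = None
        allowed = (
            cred is not None
            and hmac.compare_digest(cred.secret, secret)  # constant-time compare
            and action in ROLES[cred.role]
        )
        self.audit_log.append({"event": "authorize", "credential_id": credential_id,
                               "action": action, "allowed": allowed})
        return allowed

    def live_credential_ids(self) -> set[str]:
        return set(self._live)


class FakeClock:
    """Controllable clock so the demo does not have to sleep through a TTL."""

    def __init__(self, start: float) -> None:
        self.now_value = start

    def now(self) -> float:
        return self.now_value

    def advance(self, seconds: float) -> None:
        self.now_value += seconds


def demo() -> dict[str, bool]:
    """Walk one workload through issue, in-role use, out-of-role use and expiry."""
    clock = FakeClock(1_000.0)
    broker = JitBroker(clock=clock.now, max_ttl_seconds=60)
    cred = broker.request("invoice-sync", "billing-reader", ttl_seconds=30)
    results = {
        "in_role_action": broker.authorize(cred.credential_id, cred.secret, "orders:read"),
        "out_of_role_action": broker.authorize(cred.credential_id, cred.secret, "reports:write"),
        "wrong_secret": broker.authorize(cred.credential_id, "not-the-secret", "orders:read"),
    }
    clock.advance(31)  # past the 30 s TTL
    results["after_expiry"] = broker.authorize(cred.credential_id, cred.secret, "orders:read")
    results["reaped"] = cred.credential_id not in broker.live_credential_ids()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two design points worth noting: the broker never rotates anything, so there is no moment at which a running application holds a password that has just been changed underneath it; the credential simply stops working at its TTL, and the caller requests a fresh one. And because the only way to obtain a credential is through `request`, the audit log is a complete record of which workload asked for which role and what each credential was then used for.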
Transcript

Speaker A:

Hi everyone.

Speaker A:

Welcome back to another episode of the Security By Default podcast.

Speaker A:

It’s really great to have you all here and I’m always excited about fun episodes, fun topics and interesting guests.

Speaker A:

So.

Speaker A:

And I’ve got definitely one for you today.

Speaker A:

So this podcast is all about really bringing knowledge to you.

Speaker A:

And it’s about the goal is to make sure that everyone has the opportunity of getting security.

Speaker A:

And that’s the theme of the podcast, Security by default.

Speaker A:

Not just by design, but everyone should get security.

Speaker A:

So welcome to the show.

Speaker A:

Today I’ve got an awesome guest.

Speaker A:

So, Evandro, welcome to the podcast.

Speaker A:

Do you want to give the audience a bit of background about yourself, who you are, what you do, where you’re from and also your origin, how you get into the industry?

Speaker B:

Absolutely, Joseph, thank you.

Speaker B:

Thank you for the invite as well.

Speaker B:

Thank you everyone that is listening to this podcast.

Speaker B:

Yes, today I work as a security expert at Segura, a LatAm-origin company focused on identity security.

Speaker B:

I started my career maybe 10 years ago, roughly 10 years ago, as a Sophos expert.

Speaker B:

So working with endpoints, this was my kind of entry level on the industry, working with antivirus.

Speaker B:

Then I jump into firewall security, network security on a distributor side, and there I have the contact with some other identity players, which got me very, very interested into the topic.

Speaker B:

You know, remote access protection, password management, things like that.

Speaker B:

So I received an offering to be here at Segura and then I decided, ok, time to move for a vendor experience, see how that goes.

Speaker B:

And then I straight jump into this world of identity protection as kind of a consultant, sales engineer, solutions architect, kind of.

Speaker B:

So that’s a little bit about my, I would say corporate background.

Speaker B:

In the meantime, aside from being kind of an identity expert, I’m a gamer.

Speaker B:

So if you’re watching this and seeing the whole retro.

Speaker A:

So what, what, what’s some of the games you’re playing today?

Speaker A:

What would be some of them?

Speaker B:

I’m more of a hybrid kind of, you know, I don’t have any particularities in terms of whether it’s a new game or an old game.

Speaker B:

Currently I play a lot of RPGs, so currently I’ve been playing the latest Monster Hunter series.

Speaker B:

Kind of been addicted for a couple, you know, I reach at the 100 hours mark already this team, so I think I’m playing a lot, but that’s kind of the type.

Speaker B:

Recently we had also Elden Ring, so those sorts of games, that’s, that’s more of my vibe things I’ve been playing recently.

Speaker B:

And that’s What I do to kind of decompress, you know, take out all these traps from the day to day activities aside from being a pet owner.

Speaker B:

So I have a couple of cats, a girl and a boy, just very, very young, seven months I think just got them into the house.

Speaker B:

And of course my, my girlfriend, my, my company here that do me a lot of things day to day.

Speaker B:

So that’s, that’s a little bit of myself.

Speaker B:

No kids so far yet, but maybe in the near future.

Speaker A:

That’s awesome.

Speaker A:

I myself I, I’m a big retro, retro gamer.

Speaker A:

So I, I always pull out, I’ve got a retro, which I pull out once in a while.

Speaker A:

Once, once I have a little bit of time.

Speaker A:

And also I use it to decompress as well if I need to take my mind off and you know, if I, if I’m, if I’ve got a blocker when I’m writing something or creating something, it’s a good way just to kind of have the mind almost reset and think about something completely different.

Speaker A:

So, so I usually pull out the retropod.

Speaker A:

But I’m an old school, I go to like things like Street Fighter.

Speaker B:

Yeah, I know.

Speaker A:

I, one of my kind of old school games.

Speaker B:

Yeah, I started my gamer career with a Super Famicom, a Super Nintendo, you know, Donkey Kong, Super Mario, all those games.

Speaker B:

Sometimes I pull up some, some, some, some of those old boxes and, and play a couple.

Speaker B:

Unfortunately they are too quick nowadays.

Speaker B:

You know, those old games finish them in four hours roughly.

Speaker B:

So they are kind of, you need to replay them a lot of times.

Speaker A:

Absolutely.

Speaker B:

But sometimes I also like.

Speaker A:

Yeah, fantastic.

Speaker A:

So, so for the audience, today’s theme.

Speaker A:

The reason why I brought Evandro on is myself and Evandro.

Speaker A:

Exciting times over the last two months, ever since I started with Segura as well.

Speaker A:

And one of the things I wanted to kind of get into in today’s topic, and let’s start the theme off is, is around machine identities, sometimes referred to as the non-human identities or non-interactive identities.

Speaker A:

So can you give us a little bit about, you know, what, you know, what is the kind of origins, help the audience understand a bit what is machine identities and what are they and where can they be found?

Speaker B:

Yes, it’s a little bit tricky to go over kind of machine identities because there is also kind of some, some, some different interpretations you’re going to see on the market.

Speaker B:

Right.

Speaker B:

Some may consider that all machine identities belong to things such as, you know, workloads, applications, machines with kind of service account, desktop computers, things like that.

Speaker B:

Some may go even above that looking to OT identities, things that you have running on OT environments and either other industries.

Speaker B:

But machine identity from my perspective at least is all types of identities on an IT environment, most especially that you use without human interaction.

Speaker B:

So things like app to app communication, an application connecting to something like a database or a service running in the background process that needs to consume local resources on a given workload and then it needs certain level of access.

Speaker B:

Am I data to do this access?

Speaker B:

So that would be a way to summarize from my perspective.

Speaker A:

Yeah, that was always my kind of my interpretation as well when I always thought of machine identities was non interactive.

Speaker A:

It’s from a human perspective.

Speaker A:

It’s something that I don’t log on and use and is directly associated to me it’s typically some automation that needs to work in the background, whether IT being infrastructure, data services, API integration, cloud integrations, all that, you know, kind of help just it’s the glue behind the scenes of IT that humans don’t necessarily need to be involved in.

Speaker A:

And what’s what you mean, what’s some of the.

Speaker A:

The kind of typical, let’s say what’s the risks and challenges?

Speaker A:

How do organizations tend to manage them today?

Speaker A:

Or what’s what’s the risks that are found and what some of the challenges around managing these types of credentials?

Speaker B:

Yes, so there is a lot of risks especially because when we take a look into the today’s market for machine identity in today’s threat landscape, there’s a couple of studies there from other security companies saying that for each human identity you have in your current organization, you might have up to 80 different machine identities.

Speaker B:

So one person can lead to 80 times the amount of credentials you could have.

Speaker B:

And the problem is it’s likely different from a human access that you do have more traditional concepts today kind of spread out, which is password management and things like that, changing passwords, managing passwords and also finding those passwords accounts to be managed.

Speaker B:

It’s quite difficult.

Speaker B:

You know, you always have the risk of executing something like a remote operation to manage on a normal sense and you could break a potential application because the time it takes for an application to access those credentials are immediately you have milliseconds.

Speaker B:

It’s not like a user that logs into those remote services every 30 minutes or even once a day even it’s no, it’s milliseconds and it’s happening pretty much every hour.

Speaker B:

So changing anything in terms of those accounts could lead to potential problems.

Speaker B:

And that’s where you know Security concerns comes in.

Speaker B:

You usually don’t have things like remote management or even just in time access.

Speaker B:

This is what I see as a common on different customers and different interactions I have with different specialists on the segment.

Speaker B:

This is one of the problems you don’t have, you know, smart ways or easy ways to kind of go into this management aspect.

Speaker B:

And another thing that is coming up is from kind of a developer perspective this is where machine IDs are most present in development environment is each individual today each developer pretty much have access to different technologies that going to assist them during development cycles and protecting those identities.

Speaker B:

So a very common thing that became inside companies is you have multiple vaults identity vaults for machine identity, the secrets manager as they call.

Speaker B:

And having this distributed aspect has been challenging because each tool the developer decides to use have different capabilities.

Speaker B:

And there is no kind of one single solution for companies to kind of implement and stream down to users so they can have full visibility on everything that is going on in their environment.

Speaker B:

So this might be the second risk that is raising.

Speaker A:

Absolutely.

Speaker A:

That’s one of the common things I hear a lot from organizations is lack of visibility of those machine identities and non human accounts.

Speaker A:

And also ownership as well is the direct because a human we have an ownership tied to us with our credentials that we use on a day to day basis.

Speaker A:

And we have different types of security controls that can be applied to them.

Speaker A:

Whether being federated identity, single sign on recording the session and then also managing and rotating that password on our behalf as well.

Speaker A:

A lot of the things become much more challenging when it gets to the machine identities is they may not be tied directly to a person.

Speaker A:

So how do you make sure that someone’s accountable in owning those credentials?

Speaker A:

You can’t easily apply MFA.

Speaker A:

One positive thing that I do find with machine identities is that with human interactive accounts you can, you know, you have to go with the passphrase approach.

Speaker A:

It’s something that the user needs to remember a lot of cases.

Speaker A:

But we are moving to much more of a kind of passkey type of passwordless kind of approach.

Speaker A:

But with machine identities you can have that password be as long as it possibly can.

Speaker A:

The system can take which is great.

Speaker A:

Which means is that and you can rotate it frequently because it’s not something that we as humans need to remember which is always that kind of pain of password fatigue.

Speaker A:

So that’s one thing I do find there’s positives and negatives within the managing of machine identities which is also kind of something to do.

Speaker A:

And then we also get into is when you Think about also the, you know, how they get configured.

Speaker A:

One of the things I find in most cases, one of the biggest risks is they get misconfigured all the time in order to, you know, one of the points you made is that if you do rotate the password, it might break things.

Speaker A:

And I was, you know, I spent a long time ago, I was at Symantec and we had products like Enterprise Vault and we had products like Backup Exec and netbackup, stuff like that.

Speaker A:

And it meant that you had passwords that needed to be in five to 10 different locations and they all needed to be the same password and they all needed to be, you know, in sync and working in tandem.

Speaker A:

And if you ever change one of those service accounts, it would break everything and, you know, people would be screaming and, you know, be problems and stuff like that.

Speaker A:

So it’s really important when you’re managing service accounts, important to understand also the dependency mapping is where you know, which is the relationships between these accounts if you do rotate them.

Speaker A:

What’s some of the kind of poor practices do you see with organizations managing them today?

Speaker A:

Are they managing, are they managing them at all or are they leaving them poorly configured like a human account?

Speaker A:

Sometimes they configure them as it is an interactive account, which means you can log on to check that the account actually does function.

Speaker A:

So what’s some of the common kind of poor practices you see being done in organizations?

Speaker B:

Yeah, so I think machine identities just now started to kind of getting attractiveness from different companies.

Speaker B:

One, one thing that has been going on, and this is quite an old conversation, at least what I heard of the hard coded.

Speaker B:

Right.

Speaker B:

This is I, I think was one of the first use cases you would imagine as a machine.

Speaker B:

Right.

Speaker B:

To have your traditional scripts that you have passwords embed in, within them and they are potentially a problem in terms of security rate.

Speaker B:

And companies deal with that because this is kind of an old topic right now.

Speaker B:

You know, eliminating taking things out of the scripts, but now adding smart capabilities, the same capabilities that a PAM solution in general would cover in terms of visibility capabilities for a human and also management for a machine identity.

Speaker B:

I’ve been seeing this being explored more recently.

Speaker B:

So some companies are adopting technologies such as secret vaults, right, to have some levels of protection.

Speaker B:

They are quite complex because of that, because, you know, needing to connect to a different environment, needing to rotate different types of assets.

Speaker B:

So this is one thing.

Speaker B:

And more recently, some companies are shifting to certificate manager management as part of identities.

Speaker B:

But I’m seeing from our perspective especially here at Segura, a lot of this movement happening on the enterprise level.

Speaker B:

So companies that already have a PAM program established, they aren’t managing properly the human identities.

Speaker B:

Now machine identity becomes a focus when you take a look into medium small business, they should be concerned about this.

Speaker B:

But this is still kind of things administrators are getting into the topic, gaining visibility in machine identities.

Speaker A:

Absolutely.

Speaker A:

It sounds like enterprises have a bit of an advantage in that regards because the enterprises have invested in managing identities and managing privilege access and those solutions have extended to the ability to managing machine identities and non human identities.

Speaker A:

If for an enterprise it’s a simple extension to an existing solution they’ve invested in.

Speaker A:

It sounds like the SMB side of organizations which still might be kind of doing password management features, you know, whether managing passwords.

Speaker A:

Those solutions do not expand to machine identities and non human identities.

Speaker A:

So they now have to look at how to either invest in a new solution or expand and move beyond a password manager to a much more enterprise PAM solution that helps them manage that.

Speaker A:

Is that something kind of you would.

Speaker A:

You would agree with?

Speaker B:

I would say yes.

Speaker B:

This is definitely something I agree.

Speaker B:

You know, from from small business perspective, the amount of I would say identities, it’s quite similar.

Speaker B:

You still have the same challenges there.

Speaker B:

So every small company or at least in general, it’s what I see have development teams or are moving assets to the cloud or at least and this is one very common use case I like to bring that that belongs to kind of machine identities and maybe few people are aware is that a simple integration between your communication apps, you’re using Slack internally or using teams or whatever solution and you have something like single sign on behind the scenes with say your Google account or even your Microsoft.

Speaker B:

That’s a very simple example of machine identities that happens on pretty much everywhere.

Speaker B:

So every company might have this type of integration from small to enterprise.

Speaker B:

And there is a machine identity behind the scenes.

Speaker B:

So there is something that tells Slack is a machine, is a sort of machine is a workload as we know and needs access to your Gmail account or to your Microsoft account.

Speaker B:

So there is an authorization process happening there.

Speaker B:

This is a very simple use case that goes from the smallest company to the smallest individual.

Speaker B:

Even companies that have one, two persons going all the way to the enterprise level where things get more complicated, you have more accounts, you have more things connected to each other.

Speaker B:

This definitely is a topic of concern.

Speaker B:

Now the thing that becomes a struggle on the I would say small and medium sized companies is of course capacity.

Speaker B:

Right.

Speaker B:

So dealing, having teams dedicated to such solutions because it’s not an easy task.

Speaker B:

Coming back to the topic of discovering those accounts, this by itself is challenging because one very interesting question I got from one of the Gartner specialists I had the opportunity to speak with is what is a machine identity?

Speaker B:

How can you identify them?

Speaker B:

What defines what is this boundary between a human identity and a machine identity?

Speaker B:

Because again, you have a lot of types of machine identities and you have a lot of resources talking to each other.

Speaker B:

Is it a Kubernetes service account?

Speaker B:

Is it a Slack integration?

Speaker B:

Is it an API token?

Speaker B:

Is it an OAuth token?

Speaker B:

So there’s a lot of types of things that could be considered machine identity with different formats.

Speaker B:

Not only your username, password anymore, you have again all those types.

Speaker B:

Certificates as a huge part of machine identity.

Speaker B:

Certificates are being used in mutual TLS on kind of microservices and they are machine identities as well.

Speaker B:

So when you think on a small company that might be using those services, they might be developing things on microservices and having all those machines identities spread across with not much capacity to manage them, this is definitely something that it’s going to become a problem if already it’s not so, if companies not noticing that those are problems already.

Speaker A:

Absolutely.

Speaker A:

I remember, I mean I’ve worked in some interesting projects over the years and I’ve been fortunate enough to be kind of seeing some of these real kind of life scenarios.

Speaker A:

You know, some of the ones that I’ve expanded on is in the maritime industry.

Speaker A:

I worked on a project a number of years ago where a shipping, you know, a massive cargo ship that has hundreds, maybe even thousands of containers sitting on that vessel.

Speaker A:

And each of those containers has basically an RFID and a sensor that’s, that’s basically sending a signal back to basically a central control on the vessel that’s telling it about moisture levels, location, temperature readings.

Speaker A:

Because it might have food process in it, it might have electronics in it, it might have vehicles in that container, it might have toxins that if that sensors, you know, measuring the toxins that could be flammable.

Speaker A:

So all of those things, if you think about each container having those tags, that is an identity.

Speaker A:

It is a machine identity that you know, there all of a sudden you have a cargo ship that now has thousands of identities sitting on the vessel, all reporting back, all basically telling location, telling information about the signals that that actually identity is generating.

Speaker A:

And then you have to think about, you know, managing that and then you get into even.

Speaker A:

I remember a friend of mine who does Pen testing was talking about one time where he basically drove past a farmer’s field that had hundreds of cows in the field.

Speaker A:

And each of those cows had basically tagged RFID signals, video signals, transmitting, all generating identities, all having identifiers so that the farmer knew kind of where that cow might be or when they’re coming through, basically for feeding and for cleaning and for maintenance and stuff like that, that they can actually he, you know, track every single cow as they went through, basically a reader.

Speaker A:

And so it’s really impressive with that, you know.

Speaker A:

And I always remember Felix’s image about machine identities.

Speaker A:

I remember his social image about the farm and the zoo, which always made it makes me laugh a bit.

Speaker A:

But in the reality, when we think about machine identities, you know, it does expand to many different things, whether it being a container on a cargo vessel or even a cow in a field.

Speaker A:

It’s impressive kind of how expanding and to your point, that really gives you a clear idea of a farm that might have to manage hundreds and if not thousands of identities of cattle or a cargo vessel.

Speaker A:

An organization who’s managing logistics and ships has to manage thousands and thousands of identities.

Speaker A:

It might only be 30 people, 30 people on that cargo ship, 30 humans, but they still have over a thousand identities to manage.

Speaker A:

And that just gives you the kind of acceleration and the visibility of how big this problem’s becoming.

Speaker A:

Evandro, one of the things I’d like to move into, some of the best practices about managing machine identities.

Speaker A:

So what kind of.

Speaker A:

Is there a lifecycle process?

Speaker A:

Is there a step by step process?

Speaker A:

I think one of the things we talked a little bit about, you know, discovery can you walk through.

Speaker A:

If you were to go in an organization and start managing machine identities, what would be your process?

Speaker A:

How, how would you go around in order to get the best practices?

Speaker B:

Yes, there is a couple of them.

Speaker B:

Now, the, the challenging with machine identities also comes because there is no standard ways of handling those identities, right.

Speaker B:

And mostly because each company took the smallest to the enterprise level, have their own internal process on how they develop things or what types of business they are running, such as maybe a farm company is running a scenario and they might now need different ways to leverage machine identity.

Speaker B:

So there is no, I would say one single rule that applies to everything.

Speaker B:

So the thing we do here especially is more of a consultancy side on.

Speaker B:

First thing is assessing, right.

Speaker B:

So you want to understand as much as possible what, what types of technology are you running that potentially have machine identities.

Speaker B:

And we gave a few examples, most commonly on development environment, most common IT scenarios, you have the CI/CD pipelines as they call.

Speaker B:

So it is a one single place of orchestration on most of the companies and within those types of services, services and solutions, even GitHub, GitLab, there’s Jenkins and others.

Speaker B:

You are connecting to a lot of different things behind the scenes and, and it’s all automations.

Speaker B:

So an automation scenario, it’s very prone to machine identities.

Speaker B:

So that’s one thing we take a look into when we’re talking to customers.

Speaker B:

Do you have any CI/CD pipelines?

Speaker B:

What are they connecting to?

Speaker B:

Are they deploying things on the cloud for you?

Speaker B:

So this is a often good starting place to see this is your core of connections, this is where everything pass through usually so gaining as much as visibility.

Speaker B:

And there’s some tools of course that can help you with such as reading things from your pipeline, you’re reading things from your cloud environment.

Speaker B:

Now moving to the legacy part, then you might need kind of a more, a little bit dedicated approach, delicated approach to kind of talk through your developers, talk through your different teams to understand how they are using identities, how they’re constructing.

Speaker B:

Because one thing that definitely is machine identity is a, I would say requires multiple teams and multiple knowledge to kind of of address this.

Speaker B:

It is usually an effort of multiple people inside of a company even to adopt some of those best practices.

Speaker B:

Then once you have visibility now you understood generally at least how machine identities are being used, then you can develop techniques which could be similar to a PAM solution.

Speaker B:

Right.

Speaker B:

First thing would be have a way to vault all those.

Speaker B:

There are still companies in

Speaker B:

One thing with topic.

Speaker B:

So once you have general idea at least of your critical assets, I would say the best practices would be try to move them at least to a secure vault where you have encryption technology and you have the option then later to start adding some automation techniques.

Speaker B:

And not to the sense of rotation, I usually don’t recommend password rotation on such scenarios.

Speaker B:

What we are seeing as a more common approach is you have ephemeral accounts because again if you’re rotating something on an environment, you might break this.

Speaker B:

So what we often suggest is you implement a process where when an application needs an account, it’s going to request one to be provisioned and then you have a time to leave.

Speaker B:

So you have a time span in between those interactions and every time the application needs to connect to something, you’re going to create an account.

Speaker B:

And this can happen in milliseconds there’s technology today that allows moving more just in time access.

Speaker B:

Yeah.

Speaker B:

So you would implement such techniques taking out the risks of if a password gets rotated in the middle of an operation, you break something.

Speaker B:

Now you don’t have this challenge anymore, generally talking, of course.

Speaker B:

And then now you’re gonna, once you implement this, you’re gonna see all those connections.

Speaker B:

So visibility is something that of course, if you have the right tools, it’s a given.

Speaker B:

So now that you have vaulted all those accounts, you know who is connecting to those vault vaults that you created and who is requesting credentials for what purposes.

Speaker B:

In general, now you have all the visibility that you need from kind of a authentication authorization source.

Speaker B:

So which applications you have on your environment, which types of scenarios.

Speaker B:

So you can then adjust those kind of business rules that you might have.

Speaker A:

Okay, and what about... you know, a lot of times, as we mentioned earlier, there are two things. There are misconfigurations, but also a lot of the service and privileged accounts. Those service accounts and machine identities typically are over-privileged. How important is it then to start applying things like the principle of least privilege, in order to make sure that they just have the right privileges to do the task or workload or action or automation?

Speaker B:

So that's very crucial. Once you have this map of the identities that you have and what they are being used for, now you're going to start reducing privileges. It's very important, because one thing I saw in most companies is that those credentials, especially those types of access, suffer from privilege abuse. Because when you're setting up some sort of integration, of course there is this problem: how much privilege do I need for this account in order to connect to a very specific service, or for an application to call an API? So what usually happens is you create full administrator accounts and give that to a developer, one, because the developer is going to test a lot of things, so it needs to be sure, but you don't have the time, I would say, to go through all the ins and outs of finding the right privilege for the right service. Especially in a cloud environment, you have thousands of privileges to select from. So the common practice today is: create an administrator account, give that to your developer, and your developer is going to use that to test things to make sure the application he's developing works correctly. And then instead of "okay, now that you've tested it out, we know the privileges, let's switch back to least privilege," sometimes what happens is you use that same account you created with full privileges in production. So this is something definitely to avoid. Moving now into this least privilege scenario, on cloud you have solutions such as CIEM solutions that can help you with that, and even Segura can help you with that as well: finding the right privileges so you can remove unnecessary access that a machine identity is usually going to have. It's very, very common to have over-privileges in such scenarios.

Speaker A:

Yeah, that's one of the things that, you know, I've seen. I've responded to a lot of incident responses over the years, and one of the common things is, you know, I do see the human identities being the initial access. That's where attackers are able to gain that initial foothold in organizations. But it's the machine identities and service accounts that allow the attackers to laterally move. And I've seen cases where, for example, a financial database backup job that was running as a scheduled task was taking a backup of the financial database running as a domain administrator account. So it was only a matter of time before an attacker was able to compromise that account, be able to extract a hash, then get the password in clear text using tools like Mimikatz, and then be able to laterally move. Once that happens, it's literally endgame for the organization. It's a matter of time before disaster strikes. So it's critical, to your point, how these types of identities are crucial to the business functioning and running, but also crucial to protect and manage, and to get accountability and visibility.

So just to summarize: go into a proper assessment to understand where machine identities might lie within your organization, what types of business services and applications and IT infrastructure are there. Then go through the process of getting them discovered, then vaulted and protected, then going through the process of automation to get them automated in the environment, then moving away from having persistent controls to temporary controls, applying auditing and reporting visibility, and ensuring you apply the principle of least privilege, which is a crucial step on a zero trust journey.

So I want to move into the next phase, where we first got to work very closely together, which was a recent event: NATO Locked Shields. We both participated as blue team members. Can you share with the audience a little bit about, you know, how much you knew beforehand, when you realized how big this was, and what some of the experiences were that you had through the event?

Speaker B:

Yeah, absolutely. And I could keep talking about Locked Shields for a year; unfortunately we do have, of course, a time interval. But Locked Shields, it was my first contact with it. I didn't know about such an event and what happens there. And I was missing that for, you know, again, 10 years I've been working in the industry, and just now I got invited. Thanks for that as well, Joseph; it really changed my life.

And the thing started quite strange for me, because the first request we received from Markus, our CEO, was: "Evandro, I need you to help Joseph. Joseph is coming to the company. We are working on a small project and he needs your help to set up the instance of our product in the environment. And that's the only thing I need from you." So that was pretty much Markus's wording, right? A very simple task, just setting up an infrastructure so Joseph can take over. So this is when we first talked, and you explained to me all the environment and the complexity behind this and more details about the exercise. You know, it being a full week that you have to defend a pretty much fully functional... yes, yeah, two full weeks: one of them just studying the environment, the second one actually doing the heavy lifting. So when we first talked, I thought to myself, okay, this is not just what Markus requested. It might be a little more complex. You know, it's not just about setting up the infrastructure needed to protect those identities in such an environment; we are actually going to need to be there in the operation.

It was quite a funny story. Even internally, some people still struggle to understand the complexity of that, mostly because we are still talking to people about this experience. Right. So the ones that didn't listen to the story still think, okay, it's just a setup that Evandro went and did, and Joseph did all the things; no one thought that I... you know, sleep deprivation and things like that.

Speaker A:

No, both of us, I think, yes. When we put into realization how big it is: it's thousands of people from all around the world participating in this. Over 40 countries set up and dedicate teams that sometimes work for and prepare for one year. I know teams that have actually already started preparing for next year, in training and simulations and preparations. And it was 18 blue teams defending a small country that has pretty much all the functions of a real country, from financial systems to air traffic control to air defense to energy grids and everything else. It's impressive, the scale of the environment that you have to protect.

Speaker B:

Absolutely.

Speaker A:

Which has got over 300-something systems, over a thousand credentials. And then during the live-fire event, you get over 8,000 cyber attacks over the space of two days. Yeah. So the realization, when that hits, it's a big requirement and a big kind of pressure.

Speaker B:

Absolutely.

Speaker A:

Yeah.

Speaker B:

Absolutely. And it was a very rewarding experience, you know, from the moment you have the opportunity to bring your tools and bring your solutions to this very complex environment. You know, usually I'm very proud of myself because I have some environments containing 10, 12, 15 machines. Now you have access to one that has 300 different types of assets. Wow, that's a huge playground. So now you have the opportunity, yeah, to test this on different technologies and...

Speaker A:

Critical systems and SCADA control systems. And then we had a team of over 200 people all needing access and all working together, designated and allocated to different kinds of roles and requirements throughout the environment.

Speaker B:

Yes, it was very fantastic because of this, and of course the experience in terms of... because again, I hope, you know, maybe one day we're going to have something like, okay, it's just deploying your applications and then just doing the work. Because it's not only about the tools you bring to the table. There is also, and I think even more importantly, strategizing on how you're going to do this. And identities, which was our topic, is again something that goes across all the teams. So we had different pods, as they call them, right, and everyone needs access, everyone needs to be on their machines, logged into their machines, to defend and remove malware and threats. So everyone needs access. It's something we need to think about for the 300 different servers. And we had more than a thousand identities there. So communication: how you're going to set this up, how your teams are going to access, not only the blue team, so how the blue team is going to fetch credentials and use those accounts to log in and prevent things, but also the user experience they promote. So you still need to implement identity security without disrupting user access. So you need a lot of communication. You need to talk with a lot of different people handling different tasks, different experts in the scenario, and not all of them are experts in identity. That's why we were there.

Speaker A:

You're absolutely right. One of the big things is the leadership side of things and, you know, the coordination. For me, I think one is we had a lot of lack of sleep, because, you know, the time zones didn't fare well for both of us. But I remember also, you know, for me, there were so many different channels that I needed to be part of, and listening to everyone going, "I need the credential to access this server," "this credential is no longer working," or "this system needs to be protected." And it was just all that coordination and, you know, communication that was going on behind the scenes. That also kind of added to the pressure, but it also added to the experience as well.

Speaker B:

Absolutely, yeah. Because one thing I would definitely prepare myself for next year, and this is one thing I didn't have the time to do, was actually creating a strategy for identities. Not only do you have the environment and a general idea of what's going to be there, but how are you going to talk to each one of those pods to define strategies? And you're definitely going to require different strategies, because there are not only your Windows and Linux services running. You have telco. You have other types of infrastructure, kind of OT environments, available for you, and they need a slightly different approach in terms of machine identities and non-machine identities, and also human access as well. So definitely what I would do is create strategies for those different environments before doing anything such as connecting and doing a password rotation. Right?

Speaker A:

Absolutely. One of the things, and that's because you've got so many attacks over that, you know, short period of time, I think you're absolutely right: thinking about a strategy just for different zones or different operating environments as well, because there's a lot. You know, Windows Active Directory, there was a cloud environment, there were Linux machines, there were SCADA controls. So having a strategy applies to doing the best for each of those types of, you know, complexities.

Speaker B:

Absolutely.

Speaker A:

So, one of the things: many thanks for your amazing help during this year's event. It was definitely a fun, fun, fun time. Next year I'm definitely going to make sure I'm on the right time zone, because that definitely makes a big difference. And I'm pretty sure for yourself as well; it'd be great if we were able to get you in the headquarters with the team as well, because that also means coordination is much easier and simpler.

One of the things I'd like to ask you is: how do you stay up to date? What are some of the places you go for knowledge and education? What are some of the things that, you know, you look to, to help you expand your knowledge?

Speaker B:

Yeah. So very recently I started digging into more of the threat scenario. I've been working for about 10 years just on the protection side, so I read a lot of, you know, techniques in terms of zero trust; there are awesome books there. But now, recently, I started taking a look into more of the threat perspective, so common threats and things. There are the data breach reports from Verizon; this is a very important resource. I read it every year, pretty much, and others that keep me up to date in terms of threats, and even, you know, newspapers on customer attacks that potentially happen. You know, not even customers, but the attacks on companies that happen every day. So reading and understanding those as much as possible; you have them available on LinkedIn. There are some very well-known threat newsletters as well.

But one thing I like to do a lot is, I'm a very hands-on type of person when it comes to learning things. So every time I see a new technology in general, I tend to do something like a laboratory. So we spoke about machine identities, and machine identities have very recent technology people are getting familiar with, such as SPIFFE and SPIRE, and how they're going to behave and change the landscape of machine identities.

Speaker A:

Right.

Speaker B:

So one thing I love to do is, every time I have the opportunity to explore a new tool or a new solution that is available out there, I want to jump in. So I want to create something like maybe a POC, a small test, even for 30 days. That's usually enough for me. So I like to take some time to create those environments, those laboratories, and learn a lot from them, and some books and maybe some YouTube videos as well to guide me through the setup process so I can at least remove that friction. But of course there are other main resources. So a couple of books; of course there are some courses I do behind the scenes, but mostly those threat reports and the news that we see daily.

Speaker A:

Okay, fantastic. Excellent, Evandro. It's been fantastic, and a pleasure and honor to have you on the show this time. And I look forward to doing more activities, more events with you in the near future. If the audience does want to connect with you or be in touch, what's the best way? If the audience does have questions later, how can they get in contact with you?

Speaker B:

Absolutely. So I'm on LinkedIn: again, Evandro Goncalves, Segura Security. You can follow me there, you can ping me, you can send me messages. There is my email as well. So I have my business email, which is a Goncalves, with C S, at Segura Security. People can get in touch. I'm going to give you some other kinds of resources; those are the ones I use most in my day-to-day activities, but there are some contact numbers as well for people if they want to get in touch more quickly. So definitely I'm going to share them with you, so maybe you can add them to the notes. I would say email would be the preferable one, and LinkedIn; you can follow me there. Definitely.

Speaker A:

Fantastic. Excellent. I'll make sure they get added to the show notes so the audience can easily reach out to you if they do have follow-up questions. So, many thanks for being on the show. So for everyone, this is the Security by Default podcast, bringing you different guests from around the world, different knowledge, different experience, to really provide you lessons on how to make the world a safer place for everyone. Stay safe, take care, and again, thank you and all the best.
