CSOs - are you prepared for the next security breach?
Duo Security is the easiest two-factor authentication service to deploy, manage, and use. Duo’s service can be set up in as little as 15 minutes, and used immediately by anyone with a phone. Over 1,000 organizations in over 80 countries rely upon Duo to prevent online account takeover and data theft. Backed by Google Ventures and True Ventures, Duo has been deployed by some of the most security-conscious organizations on the planet along with 3 of the top 5 social networks. Learn more and try it for free at www.duosecurity.com.
Rake Narang: Why is there an increase in security breaches these days? Who’s behind these targeted attacks? Are these attacks happening mostly to organizations based in USA?
Dug Song: Today’s breaches are really the result of three critical market forces at work:
Loss of endpoint and user control - BYOD is the most obvious example of a much larger phenomenon at work - the intersection of employees’ personal and professional digital lives. Between social networking, casual web browsing, and increasingly open electronic communication between employees and the outside world, employees now present the largest remotely-discoverable attack surface for any organization. Who wants to portscan a firewall or noisely probe for web app vulnerabilities when the blueprint for a successful phishing attack is only a LinkedIn search away?
The industrialization of cybercrime - The underground economy has grown from commercially-motivated identity theft rings targeting consumers, to politically or ideologically-motivated actors running massive account harvesting operations for persistent, infrastructure-level compromise. The tools for performing such attacks are now well-packaged and supported commercial software, not random exploit source code posted to mailing lists. You know that offensive security as a market opportunity has finally arrived when the bad guys have adopted the strategies and tactics of the good guys – and vice-versa!
De-perimeterization - Organizations now rely on a combination of infrastructure, applications, and work both inside and outside the building, requiring a careful calculus of dependency, compliance, and trust. Most organizations get this wrong, for reasons often beyond their control (lack of resources).
There are clearly macroeconomic issues driving computer intrusion as a tactic of economic conquest and ideological warfare; I’d defer to folks like Mandiant or Richard Stiennon to elaborate on those topics, though.
About Dug Song
Dug has a history of leading successful products and companies to solve pressing security problems. Dug spent 7 years as founding Chief Security Architect at Arbor Networks, protecting 80% of the world's Internet service providers, and growing to $120M+ annual revenue before its acquisition by Danaher.
Before Arbor, Dug built the first commercial network anomaly detection system (acquired by NFR / Check Point), and managed security for the world's largest production Kerberos environment (University of Michigan).
Dug's contributions to the security community include popular open source security, distributed filesystem, and operating system projects, and co-founding the USENIX Workshop On Offensive Technologies.
Rake Narang: What can we learn from the recent cyber attacks on the Facebook, New York Times, Twitter and even the US government? Where are the next big threats coming from?
Dug Song: While it’s easy to understand how such major organizations might be specifically targeted, today, every organization on the Internet is as much a target of chance, as a target of choice.
For example, when attackers breached NBC this month, they didn’t do so to post screwball articles about Martians landing on Earth (or the resurrection of dead celebrities), or to falsify financial reports to game the stock market. They set up drive-by malware to compromise NBC News readers, and harvest further account en masse – likely in the same manner as they originally found access to NBC. Even when sites are breached via web application attacks, the goal is often to extract the user database to recover emails and passwords to broaden the scope of an attack to other organizations. Users hold the keys to many kingdoms, it turns out.
The next big threats aren’t coming from anywhere in particular – they’re increasingly pervasive as attackers find ways to hack the public at large.
Rake Narang: Why are organizations unable to handle security breaches that come through numerous mobile devices including tablets and smartphone?
Dug Song: Mobile devices will eventually be a rich target for attackers, as they find further reach into the enterprise. But the adoption of such platforms is slowed by the security questions organizations rightfully have about them, which have as much to do about who is responsible for securing them, as how they might actually be secured.
Employee-owned devices are a poor fit for the current landscape of MDM (Mobile Device Management) and MAM (Mobile Application Management) vendors, as employees really don’t want their personal phone to be managed by their employer. In a BYOD model, an organization needs to apply stronger and more sophisticated mobile-aware access controls on their side, versus mobile application and device management on the user’s.
With a wide variety of consumer mobile platforms, and very diffferent security strategies employed by each, most organizations we talk to are simply waiting it out, buying their own devices to manage, or turning a blind eye to the problem. Platforms like Android, where no single entity has responsibility or control over the security of the device (neither the user, nor their employer, nor the carrier, handset manufacturer, or Google itself!) are quickly evolving, while companies like ours work to find ways to at least assess the security posture of such devices for compliance.
We believe the future of mobile security lies in a shared access configuration model of device inspection, security assessment, and compliance assertion across platforms – not total device control (particularly in BYOD environments), and not in any device monoculture.
Rake Narang: How can products and solutions from Duo Security enhance security?
Dug Song: As a company, we’ve focused on democratizing proven, but previously inaccessible security technologies for the mass market by making them easy and scalable.
Mandiant points out that 100% of breaches involve stolen credentials – there’s no better way to gain insider access, than to become the insider. And identity is the most critical organizational boundary to protect as traditional network, application, and endpoint controls are obliterated by cloud, SaaS, and BYOD models.
When your attacker is otherwise indistinguishable from an employee, two-factor authentication is the only hard security control you have left. It works, and prevents simple user password-stealing attacks from escalating into catastrophic breaches. For the last twenty years, two-factor authentication has been hampered by the cost and complexity of traditional solutions, and terrible user experience. We’ve worked hard to make two-factor authentication ridiculously simple to implement, manage, and use, and are proud to be innovators in a market which has stagnated for decades.
Over a decade ago, I worked with a group of friends to release OpenSSH, the de facto open-source standard for secure remote access to Unix-based systems and nearly all modern network devices. With Duo, we are proud to have an even larger impact in protecting the data for hundreds of millions of users worldwide across companies big and small.
Company: Duo Security 617 Detroit Street, Ann Arbor, MI 48104 U.S.A.
Founded in: 2009 CEO: Dug Song Public or Private: Private Head Office in Country: Ann Arbor, MI United States Products: Duo Security provides two-factor authentication as a service, built to prevent account takeover and data theft. Company's Goals: Democratize two-factor authentication for the mass market
JOIN NOW THE CYBER SECURITY WORLDWIDE COMMUNITY ON LINKEDIN