Attacking BeyondCorp with Daniel Cuthbert & Steve Manzuik V2 - Duo Tech Talk

Captions
Today's tech talk is one of our first tech talks with the London team, and the office is doing this for us; it's quite a big achievement after nearly three years operating in EMEA, so we're quite proud of that. In terms of the topic, we're going to be talking about what BeyondCorp is and what it means to attackers, this new landscape that's going to be created from this new technology around BeyondCorp. So I'm going to hand over to Daniel and to Steve; they can introduce themselves and get the show started.

All right, hey everyone, thanks for joining us, and hopefully everyone got their fill of food and drinks and all that stuff. My name is Steve Manzuik and I'm the director of security research at Duo Security.

My name's Daniel Cuthbert. I've got the world's longest title, and it includes "cyber", and that wasn't my choice, but I'm global head of cyber security research for Santander Group. So, do I speak Spanish? No, but we'll keep it in English anyway; it makes life easier.

All right, and what we're going to talk about today is BeyondCorp. So everyone's probably heard a little bit about it, or maybe you haven't, but we want to talk about first what it is, why companies are starting to consider this architecture, or this security strategy, I guess, is another way to put it. But then something we want to do that's a little bit different is we actually want to look at BeyondCorp more from a "what does it mean to attackers" perspective. So what attacks will BeyondCorp kill? If I'm your bad guy, or your bad guys attacking you, where is BeyondCorp going to stop us, but then where are the areas where we're going to switch? If history has taught us anything, as soon as we make something more secure or better, attackers will change tactics and find a new way around it. So we're going to walk through some of that stuff.

I think one of my roles at Santander is that I've got a small remit: I do security research for 133 million people and 200,000 employees, so Santander is vast, like most banks. And in 23 years, similar to Steve, I've been owning a lot of stuff, so I've now moved back into the defensive realm, because defence is harder. Anybody can hack today, and if you look at the sad state of affairs, it's too easy to own something; I'm going to go into some examples. What BeyondCorp gives you is the move away from making it really easy for an attacker. I know there's a few pen testers in the room. It was a joke: if you did an internal pen test or an external pen test, by hour one you've owned the AD, so the pen test stops, and that hasn't changed in a decade. It's embarrassingly easy to own internal networks, and people built up this moat and lots of protection, and what BeyondCorp does is say, well, actually, let's move away from that, let's wipe the slate clean, let's build something a lot more secure. And if you look at some of the numerous breaches that happen on a weekly basis now, the actual attack isn't sexy any more; it's not hard. I know we talk about advanced persistent threats and all the other threat intel names that people come out with, but the Equifax breach: lame, like it was pathetic, it really was, but it happened. Target breach: lame, pathetic. OPM breach, DNC hack, all these attacks, they aren't sexy; there's no 0-days being dropped. So that asks the question: how do you deal when a network has been owned? Let's say you're a large organization and you know that your network is no longer your network. How do you fix that? No firewall's going to stop that, no new thing's going to stop that. So that was kind of the whole idea behind BeyondCorp, and it works by moving the trust. As any pen tester will tell you, when you own an internal network, you're inherently trusted as a person on that network, and that's a really bad decision. And also BeyondCorp really does raise the bar of security, and I know it's a really clichéd thing to say, but as an ex-attacker, in building my BeyondCorp-type thing, I look at it going, this is going to make my life miserable if I try to own it. So it's genuinely a better way of doing stuff.

Yeah, so real quick: what is BeyondCorp? So the first thing we're going to say, and hopefully none of the salespeople in the room throw a chair at me for this, is that it's not a product you can buy. You can't go to Amazon, or go to your favourite vendor, and say "give me BeyondCorp", and they can't hand you a box. It's really a bunch of different components and processes where you're essentially, like Daniel said, moving where you make your trust decisions. You're also removing the single point of failure. So the thing we saw in common with all of the different attacks that Daniel talked about in the previous slide was that not only were they lame and mostly email-phishing-based attacks, all it took was that one successful piece of that attack to give the attacker the foothold, and once, as an attacker, you have the foothold, it's super easy to move laterally from system to system and look for the actual network gold. Attackers will always take the easiest way into an environment; it's lower risk, it's easier, less chance of getting caught. And BeyondCorp removes a lot of those easy ways, and moves where you're making the decision whether or not you allow something away from the firewalls and VPNs and the network itself.

So the idea behind BeyondCorp is that you have zero trust, as in, I'm naturally a paranoid person, I don't like any human being, so therefore if you want to access my stuff I want to know about you, your device, who you are, and should you have access. And it puts us at odds with traditional network security architecture. I don't know if there are any network architects in here, but if you sit in a network architecture meeting like I do on a weekly basis, you'll find that they build networks with a lot of trust. If you're on the VLAN, well, the web server should talk to the database server; you've got an entire microservices layer that, well, they've got to talk to other things. We assume trust, and as an ex-attacker I play to that benefit, because I want to abuse that trust relationship, just like a good phishing email. If I pretend to be my group chairwoman, all right, guaranteed if an ExCo member sends an email to anyone, they're going to click on the email. That's how phishing works, because you're not going to ignore the boss; it's an assumed trust model. BeyondCorp gets rid of that trust, and it's also a combination of technology and processes. So I'm not going to sugar-coat it: BeyondCorp is really hard, because you need to understand what you've got, who your people are, how they work, what the applications do, what the networks do, how they talk to each other, the protocols, the different layers. There's a lot you need to understand. It's not, as Steve said, a product you can plug in and go, we're good and golden, there's a hundred-thousand-pound box, you're good to go. And it also assumes that the network's hostile, and that's probably one of the biggest challenges you'll have, because when you present it to people you say, we think the network's owned. Much like one of my old clients: when we got to the company in the US,
a very large US customer admitted that that network was no longer owned by them; it was owned by the Chinese. So what they did was move around the network to try and bypass the Chinese. BeyondCorp assumes that you've already been owned; it just moves the trust along.

Yeah, and so one of the ways that BeyondCorp accomplishes that is it actually makes decisions on how much it trusts, air quotes, a user and a device. So it's no longer "hey, you had the right credentials so you could VPN, now you're on the network, so we're going to trust you". Now it's: you had the right credentials, you multi-factor authenticated, your device is patched, your device may have a certificate on it that you need to access certain resources. And so it starts to take all of these different factors and determine whether or not you trust that login, that authentication, or that accessing of the resource enough to allow it to happen. And what's interesting about this kind of architecture is that you really can do what I would call dynamic access. So I'll give you guys a quick example of how we do things here at Duo. When I want to get at my corporate email, my calendar, our chat server, things that are fairly low risk if they were compromised, I can do that from pretty much any device, as long as I multi-factor authenticate and as long as those devices are patched. If I want to access, say, Duo source code or something more sensitive, future project plans, things like that, well then the bar is actually a little bit higher, and not only do I have to multi-factor authenticate, I need a corporate-issued device that has the proper certificates and is also patched. And so as you can see, you're able to start building out scenarios where you would trust things and scenarios where you would not trust things. And what's interesting about that is that you can then do dynamic access control. So say, for example, that I am accessing something that I'm normally allowed to access from any machine, from anywhere. My machine, say, has, unfortunately, Flash installed on it. Again, as we see probably at least a few times a month, a new Flash zero-day pops up and there's active attacks. Well, administrators can actually say, "oh wow, this is bad enough, I'm going to click this button here and now block any machine that has Flash from authenticating to the critical things." And now it ends my session, I now have to re-authenticate, and it's actually going to tell me, "well hey, no, you have Flash, uninstall it, go use this device", whatever. So you can almost instantly allow or deny access depending on changing conditions. There's opportunity to do things like integrate threat intelligence as well, so as you start to see different conditions happen, and as the risk to your organization changes, you can actually change your access policies on the fly as well. And really, like I said before, what it's doing is removing that whole all-or-nothing thing. Just being on a network should no longer be enough to actually access resources. All the attacks we've seen over the years have proven that, because pretty much every single attack, that's the one thing in common: attacker gains the foothold, attacker pivots to the actual important stuff and then steals it.

It sounds like it's pretty much paradise, and to a degree it is, almost, but there's actually a lot more moving parts. The first thing is you've got your multi-factor auth, so it's no longer an RSA-style device; you've got a phone that, as Steve said, is going to be updated. If you're using Android, you can specify it's going to be a certain version, etc., etc. You've then got the key thing, device management, and if you look at any big organization, this is where a lot of them fail: what do you have on your network? The whole bring-your-own-device and everything else has muddied the waters, so in order for BeyondCorp to work you've got to say, right, I need to trust and know about this device. Google got around this by saying, right, actually we will only allow Google devices onto our network, and that's going to be a Google-issued device, and it uses a cert on the device to confirm it's a Google device, and only then do we start the process. That means trusted hardware. You can do it with BYOD, as Steve said, at Duo, but if you want your more paranoid stuff, say you've got, you know, you're a small bank and you use an antiquated system like SWIFT, built with bubble gum and old packets and everything else, right? You know for a fact that's shaky as hell, but it's a really important part of the global financial system, so you can say I will only allow people to connect to SWIFT if it's an anchored device that we know about and it's got all the policies. So what you're doing is making it a little harder for the attackers to own it. You've then also got granular access controls. So for example, with all VPN networks you could say, right, if you've got a VPN token you can connect into the VLAN, you've got access to everything. Well, in this case I only want SWIFT people to be able to connect to a SWIFT endpoint, the SAG, which is on this address, but they can only connect using this device, from this geolocation, during these office hours, using this patched version. See where I'm going from an attacking perspective? You've made my life really miserable, because I've now got to pretend to be somebody; I've got to go and physically kidnap them. We're in Mexico; I deal with that now. You've got to do these steps, because you can now say that person will only be able to connect to the endpoint, unlike traditional networks where they're on the network. And you've then got other things like certificate management, which, as we saw two weeks ago, a week ago, where a certain CA decided to push a lot of certificates. CMS, certificate management, is still very hard to do in organizations in 2018, and we still struggle with certificates. Then you've got this thing called the trust engine, and this is quite cool. I want to say, hey, I don't trust you at all except for these policies, for this process, so you can start to really understand what users are doing on networks. And at first what we had to do is look at, right, here's an application; you have to go back to the old network sniffing: what does it do, what does it look like on the wire, how does it talk out, should I trust this protocol, should I not trust this protocol. And then finally you've got policies, like Steve just said; the Flash thing is a perfect example. In reality, nobody should be using Flash, just kill it with fire, please, but people still do, so you can say you can only connect to this if your Flash is the latest version. So you've got a lot of granular control in a BeyondCorp-style setup that you don't have in a normal setup.

So we kind of talked about what it is and why we feel people need it, but what does that actually mean to attackers? So I sat down with the Labs team and talked with Daniel a bit, where we kind of did some very informal threat modelling on: all right, so with this architecture, what attacks are going to be completely stopped, or maybe the result of the attack is going to be useless if it's not stopped, but then what are the new areas? So the first piece is: what are the attacks that become not worth it for an attacker? Obviously password theft. If you have multi-factor authentication and everything, really your passwords are practically disposable. It almost doesn't matter if you fall for that phish and they get your credentials, because the user is still going to get tipped off when they get that multi-factor authentication
push. Network-based attacks: if the organization you're attacking is assuming they can't trust the network, well, that means getting on the network has zero value to me as your attacker. There's no point in me trying to maintain persistence or go after a router or something like that that's going to keep me on your network, because you don't care about the network either, so it's not like I'm going to be able to easily pivot to other machines on that network. Phishing is going to have to change big time. I mean, we're going to have to get to the level of finding new ways to attack the actual phone apps that people are using for multi-factor authentication, or if you have to be using SMS still for multi-factor authentication, we'll probably start to see a lot more attacks on that network as well. But again, you're still fairly limited even in that scenario, especially if you're going the ultimate paranoid route where you still need certificates and everything else on the machine. The big thing that's going to become very, very important is obviously cloud security: not only the security of the cloud provider themselves, but also how you're configuring and setting things up in the cloud. The nice advantage of a BeyondCorp architecture is that if you're an organization that is moving to the cloud, which today most are (five years ago I had a conversation probably every day about whether or not you should trust the cloud; today it happens maybe once every six months, so people in general are just starting to trust and move to the cloud a lot more), this helps you do that, because it helps remove a lot of those threats. But again, if you don't know what you're doing from a configuration and setup perspective with your cloud infrastructure, you definitely could get trapped there, and these are the things attackers are looking for. I mean, we already see attackers doing lots of probing and looking for ways to go after cloud services.

So I guess for me, one of the biggest benefits of BeyondCorp is that I really don't care about the low-skill skiddy idiots who use Empire today. Really, go away; you're like a mosquito in the middle of the night. I don't care about you, all right, because you're easy to annoy with deception technology. I'm more worried about the people that have a vested financial interest, so Kim Jong-un and his merry band of hackers, Mexican cartels, generally the ones that keep people up at night. So I want them to effectively burn through as much cash and time and effort when it comes to attacking me, because I'm annoying like that, and that's what BeyondCorp gives me. Because if you're going to try and attack anything I've got, I want you to (a) get frustrated, (b) get really angry, because there's nothing worse than a pissed-off pen tester or attacker, and (c) burn through time, because in doing that, right, you're going to have to start doing more advanced attacks. One, you're going to have to go down a shotgun approach, so you're not going to be able to say, well, I'm going to scan the internet and get really happy if I saw sqlmap, and go to YouTube to understand how to use sqlmap and own stuff that way. All right, two, you're going to have to physically kidnap something. Now here's an interesting thing: one of my threat models was the Sinaloa cartel. So you have a biometric device, and I grew up in Africa, and it seems the Mexicans are very good with this; if they want to gain access to somebody's thumbprint, they just take their finger, right? So it adds a whole new meaning to the term "red team". But if that's the level you're going to go to, great, take someone's finger off, but it still doesn't matter with BeyondCorp, because the finger's not really going to work much. And that asks the question: how do you start targeting these people? So for example, if we look at what Kim did with a lot of the SWIFT attacks, super lame attack, but it worked. They looked for people who on LinkedIn put "SWIFT administrator", which again is really bad. They then set up either a phishing email against them, or they owned a watering hole that they knew these SWIFT people would visit, and owned them that way. So it's not that hard to figure out in an organization who does that kind of stuff, but with BeyondCorp it's a lot harder, because it doesn't matter if you know that person is a SWIFT person; you've got to own the device. So you could possibly kidnap them or take the device, but I can guarantee, quick poll, how many of you have got keys, wallet, phone on you? What's the first thing you do when you can't find your phone for a couple of minutes? So if you're using your phone as your MFA device, you've got a very small window. So what BeyondCorp has brought for me, from an attacker's perspective, whereas before... sorry, Aurora. So BeyondCorp came about because Google got owned, and got owned really badly: Project Aurora, mid-to-late 2008, 2009. It seems the Chinese decided to own Google, and they did so, and it was only in 2010 that Google finally realised, hey, this network's not ours any more, and that's when they came up with BeyondCorp. Those attackers had a good year plus to rummage around the network. Now, as any good attacker will tell you, the more time you have, the stealthier you are; you don't have to be noisy. But with BeyondCorp you've got to move fast and move quickly, and in doing so you become very, very noisy. John termed it earlier: you've got to open up all the kitchen doors to find out what's going on. You're like that drunk at two o'clock in the morning trying to be quiet when your wife's upstairs. That's an attacker in BeyondCorp. All right, so you've got to make more speed, you're going to be noisy, and if you're in a good organization, the new buzzword is telemetry: you're going to see when somebody's doing this, because you can no longer do a brute-force attack, because it's noisy. If you start accessing stuff, you're going to start seeing all the stuff pop open on your network. So for me, BeyondCorp was great because it allows better telemetry, and it's also very hard to do lateral movement. So for example, if you own my web server or my Jira or my Slack or something else, you've owned it, well done, job done. You want to pivot to that box? Now you've got to do the whole thing again, and then it becomes expensive, and like I said, I want it to become really expensive for an attacker to own us. That's what BeyondCorp brings me at the moment: being noisy.

Yeah, and there are definitely still some areas where attackers will go after you. Yes, BeyondCorp solves a lot of the issues that we've definitely seen from past attacks. Like Daniel said, the fact that attackers sat on Google, Juniper, Cisco, it was something like eight or nine different tech companies that were all owned by this Project Aurora, and all of them, like you said, for a year plus; that is definitely going to change. But attackers are definitely going to adjust and go after some different things. So the big thing is the endpoints. If I need to get access to your device, well, what are the weak links on the device itself? Very unfortunate to say this as a security vendor, but your security products. It's been proven a million times; go look up a gentleman that works for Google Project Zero by the name of Tavis on Twitter and give his feed a read. He literally looks at an antivirus product and then a day later has 50 devastating bugs with it. It's been a bloodbath as he's gone through looking at these different security products. That's pretty bad to say, right, that security vendors are actually adding to the attack surface. Now, that said, the impact of owning your device is actually not as great as it is under your normal moat-and-castle-type
architecture, because of the way BeyondCorp works. You have the ability to have dynamic policies based on threats, and because you have to jump through all of the different hoops to own your target, getting persistence on this device matters way less, because the device may not be fully trusted. You're still not going to get a certificate unless you're actually able to get at private keys and things like that. So again, yes, there's issues here, but attackers might not want to care too much about that. But an area where we see today, even with traditional network architectures, that's been a real problem for a lot of organizations is how do you deal with API keys, authentication tokens, things like that. Anything that gets you around your multi-factor authentication is obviously going to be interesting to an attacker. And then application-based attacks: we're definitely going to see a lot more of those, especially when you have apps, and there was a public example of this. I believe it was the gentleman from Thinkst who talked about an editor that's very popular amongst developers. So if you know the tool is popular amongst developers, that means there's developers at giant companies, and maybe your target. Well, a lot of these support plugins, and you can go and download a plugin written by another developer that says, "hey, this really helped me do this, just add it to your plugin directory and it'll go ahead and work inside this tool." Well, that's also dangerous from a security perspective. One could write a malicious plugin; one could write a plugin that looks super helpful but behind the scenes is doing something malicious. And those are going to be the new ways to start going after people: by attacking the apps they use. And of course cloud apps are definitely a target, I mean they are today, but that's also a pretty tough target, because again, the whole point here is you've removed the script kiddies and the people that are just hitting the point-and-click tools; you've removed them from the discussion, because there's not one of these attacks that they're going to be able to pull off. If anyone's going to be attacking your cloud apps, the actual cloud companies themselves, successfully, I guarantee you they have funding and skill and all that kind of stuff behind them, and those are really the attackers you want to focus on. So the advantage of BeyondCorp is you get to rule out the attackers you don't care about, and you have to focus on the attackers that can actually do damage to your organization.

I think that's the thing. If you look at or ask any SOC person what consumes most of their time, it's these lame, low-level, mosquito-style noise attacks that they are worried about. So Equifax, Apache Struts: you can just assign the patch, and we know what happens from there. If you remove that case out of the whole equation, you've got the ability for your SOC or your NOC to concentrate on the stuff that's actually more worrying, and there's the benefit. Because I think in today's alert-on-everything world, if you speak to any SOC person, they look 900 years old and they have a serious narcotics problem, because life is miserable, because there's thousands of alerts coming in. So Steve and I had a lovely chat about this, and it was quite nice to go back to the ugly criminal world. We thought, like, how would we now own, as two old men, these new-style networks? APIs. So in banking you now have open APIs, or open banking, which is phenomenal, because let's API everything, which is great, but anything to do with authorization or auth issues, that could be really bad. And if you look at a lot of applications, especially in the API world, they have been built with full trust in mind. So for example, if you tear apart most mobile banking applications and you look at the underlying code, you'll see API names, API endpoints, that may or may not allow you to interact with that API endpoint, because it trusts the mobile app more; nobody's going to reverse engineer that. You can access that, so bugs in that category are going to be really bad. And the other thing is the cloud stuff. So we've seen now, we were talking, I think there's 40 or 50 different AWS bucket scanners on GitHub. That's the new thing that pen testers get into; they write yet another bucket scanner, and it's quite a sad sign of the times, because it obviously means that there's a lot of people putting stuff into the cloud they shouldn't do. So again, it goes back to the fact you need to understand what stuff you've got, how you use it, and how does it communicate. If you're dumping your secrets into the cloud and you're not hardening it, well, BeyondCorp's not going to help you, because you're not doing the basics. That goes to exposed resources, permissions, and there are sketchy providers. We talked about the CA example, but you need to get better at choosing who your providers are. If you're choosing a cheap CA cert, who gets angry and decides to publish or email 20,000 certs, life is going to be miserable for you no matter what. And then the last one we talked about was the cloud infrastructure. There's a lot of people who now offer clouds; I mean the three biggest ones would be effectively Google, AWS and Microsoft. So the CPU-style chipset flaw, yes, it's definitely a possibility, but as Steve said, if people are going down to that level, yeah, you've got to contend with Tavis and Project Zero for Google, most of Microsoft's product team for Azure, and Amazon's team. So there are hundreds of people looking at the cloud stuff, so you've got to get better than them; you've got to try and hone your attacks a lot harder. So you're generally probably dealing with really persistent people that are going to be pretty good at what they're doing. That world is probably the 1% of hacking. In general, for most people, you don't have to worry about the cloud infrastructure, now knowing that tomorrow there'll probably be some ugly hardware attack that comes out and I'll look like an idiot.

Yeah, and we actually thought about deleting this bullet point, because in most sane threat models you can probably ignore this, especially if you're using one of the, you know, talk to your cloud providers. I can definitely say from my experience in my consulting days, because I've worked with some of these top-tier cloud providers, that they've definitely thought about that. They've definitely thought about the scenario of someone sneaking into our data centre and actually touching hardware. They definitely have things in place, and it is a very unlikely scenario, but in some cases you might want to consider that, especially if you've picked Bob's Cloud Emporium as your provider, or one of the smaller providers. So some of the other attacks that we think people are going to start looking at is obviously identity providers. Part of the BeyondCorp architecture is working with identity providers, managing users properly, multi-factor authentication. Well, that makes all of those components also targets. So again, if you're attacking someone and you need to get past their multi-factor authentication, why wouldn't you try and attack their multi-factor vendor? Makes sense. If you've raised the bar to that level of attack, that's definitely in the realm of "yeah, why wouldn't we do that?" So the same advice would kind of go along with what we say about cloud providers: make sure that the vendors you're picking to be part of this BeyondCorp architecture are vendors that have thought about "hey, what happens when we become the target?", because we're going to be the pivot point. Because essentially that's what you've done: you've moved those pivot points over to other areas where
you do have to give some trust to your service providers. And of course the big one that we've talked about quite a bit is the whole CA thing. I don't know anyone that does this perfectly yet, or does it well. I know as a consultant this was always an area where, if we knew they had an internal CA, that became a primary target, and it was usually easy to get at things. We've seen some very interesting bugs in management tools where you're able to actually get it to just send you a certificate, things like parsing bugs. So, going back to the identity provider attacks, we saw a bunch of SAML bugs recently, a couple of weeks ago. Those bugs came down to the fact that you're just parsing XML, and for anyone that's done security for a long time, especially at the application layer of security, as soon as you hear those two words together in a sentence, you know there's going to be a security problem without even looking at it. Parsing XML is usually always bad; it doesn't matter who wrote it. And in both cases, so here you had issues to mess with your identity providers because of XML parsing issues, and down here, well, what about the software and hardware that's parsing those certificates? Same theory. We have seen historically bugs where a really long name in a certain field on a certificate causes something to fall over. They're kind of silly bugs, and in the past when we've seen them they've maybe only been important to, say, a pen tester that already has internal access. Well, now these bugs become important to your external attackers too, so that's definitely an area where things are going to shift. And the whole supply chain attacks, whether that's again going after the software that they know organizations use, or the extreme cases where we've seen in the news counterfeit routers and things like that being sent out. Now, on a network level, probably not as big of a deal any more, because you already don't trust the network, so who cares if somebody's replaced the chips on it and is sniffing all your traffic? But again, at the application and maybe computer hardware level and device level, you definitely want to care about supply chain type attacks. I mean, how many of you use RubyGems, Python, everything else? It's quite easy to do that kind of attack, but that just makes life a lot harder for you to defend.

Mmm, so there are a couple of things in my experience of moving towards BeyondCorp. My biggest experience was the whole administrative policy issues. The key thing I can recommend is there's got to be buy-in, and at first when you suggest something like this, there's going to be no firewalls, there will be no routers, there's going to be no VPN, and generally people cry when they have no VPN, because that means it's secure, right? When you say it's going to be on the internet and it'll be there, they're like, "where's the firewall?" You know, yeah, it's ufw, you know, good. So that's the key: you can have the buy-in. And the other thing is asset management. This is the killer. So for example, how do you handle the absolute abortion that is Android? All right, and I'm going to be blunt, it's an awful thing from a security perspective. Google had not acknowledged this a couple of years ago. Glenn and I found a lot of flaws in wireless; Apple were secretly fixing it, Google had a hard time; finally it was fixed in Android 8. How do you deal with that? It all comes down to what do you own, what are you willing to accept. As we said at the start, understanding what you have on the network and what users have is probably one of the biggest things, and if you look at any big organization, they will admit we don't generally know what people have or what's on the network. Then there's the policy thing, and I can't believe I'm now talking about policies, but a lot of policies that are easy and open are really hard. You have to understand and fine-grain it: say, right, I'm going to be really anal here, you can only connect to my BeyondCorp kit if X, Y, Z. That's the hard thing to get right at first. And you've then got patch management. Now, this is something that's confused me for 26 years now. Both Steve and I were talking about this earlier; we've been in a lot of clients where they'll have a policy for patch management that says high-critical will be fixed in 30 days, medium is in 180 days. All right, what, like what are you doing for half a year? That's when life becomes miserable, but we can do it in BeyondCorp. You can say, fine, do you know what, I'm going to push a lot of patch management onto the user: you will only connect into this network if your device is fully patched or a dot-one release behind. If it stops people doing their work, I can guarantee you they'll be a lot more forceful in making sure their own device is more secure. So you're kind of shifting a lot of the responsibility, and I think that's one of the key things with security that I've seen: old security was always deny, disable, no; modern security has to be, let's think about this, how can we get it to work, and it's a shared endeavour. So if you say to the user, you can use your own device, we need to make sure it's patched and up to date or you can't work, what are they going to do? They're invested in doing it, so they'll make sure their device is updated. And I am that freak who looks at people's phones on the Tube to see how many red dots are above the little gear icon, thinking, man, how outdated is their software? So, like I said, empower the user. And then finally, legacy. I was with Heather Adkins at Google, and she's a big proponent of BeyondCorp at Google, and it surprised me to know that Google's got a lot of legacy equipment, which at first I was like, what, like you're Google? Like, yeah, we've got legacy everywhere, mostly HR
finance etc there is the biggest problem like how do you deal with it and my small little bank so different there's legs here but we have everything from mainframes which those who don't remember massive computers that cost a fortune and all the way down to micro services a lot of the times that's very hard to do you're not gonna be able to put a mainframe in a beyond Corp style organization you still have to use it so there's a lot of play coming in here going right this is really gonna push your network architecture design what can work what can we migrate over what do we have to go that will never change we need to try and build something here because you can't have a secure mainframe and then the ugly one the one that I've got a lot of experience with is the hole PCI compliance world let me tell you a regulator coming in with a checkbook in a clipboard and a suit from primark going sorry I don't like regulators going alright so I need to see a firewall where's the if I was the firewall computer says no you have to go to more we don't have a firewall because we've got x y&z I think this is gonna be the next biggest thing for a beyond Corp style thing convincing the regulators and the PC on the compliance world we don't have that because we've got this we've not experienced it yet but I can see it coming in the next year especially with gdpr yeah in fact I emailed somebody on the PCI Council and asked them if they've been talking or thinking about beyond Corp and I haven't gotten a response yet but we'll see I mean that's exactly true right I mean the compliance strategy that people usually follow is let's segment our network down so we shrink the compliance scope down to be as small as possible well beyond Kurt's telling you to blow that out right so so under beyond Corp I could see the argument made that well no now your whole environment is in scope because right you don't have it segmented right so there's definitely gonna be some interesting changes that 
have to happen when it when it comes to compliance before we can see companies fully dive in right the way I do see companies today getting around this is they do do those mix environments right they keep the you know legacy you know stuff still in the traditional you know build your firewalls build your VPNs all of that you know all of that stuff but then all of the new things they're you know pushing out to the cloud and pushing you know starting to start using beyond but but the big key here though right is that you need to make sure those who control your funding for keeping things secure understand that they're still going to be a cost to those legacy environments just because you've switched half your environment over a little piece your environment over doesn't mean you take your eye off the ball here right or or things I'll get you know way way worse for you the other thing anyone that's ever done IT it men you know type work or any kind of user management type work exceptions right so especially coming from a MFA you know a traditional EMF a vendor you know we're duo gotta start we hear a lot like oh yeah well you know our executives didn't want to deal with you know hitting a button on their phone or you know whatever it was so we've added them to an exception rule and they don't have to two-factor sure okay maybe that's fine you know in you know your old-school thing I mean there's still at very high risk in my opinion but when you go to beyond Corp these will be your targets right the people that are the exceptions are the people that I'm going to attack because I know they're gonna be easier than the people who aren't part of the exceptions so the big things you need to understand as you're trying to build out you know your environment to to to look a little bit more like a beyond beyond core architecture is the big thing you understand is what connects to what right who's working with what where is your data going right one of those data flows look 
like that's very important because you obviously the one kind of one of the concepts in in beyond Corp is you push the authentication and the decision-making on whether or not someone should have access to that resource as close to that resource as possible so if you don't know where those resources are and what they're doing it's it's very difficult to do that again we talked about asset management a lot of companies struggle with that you know today and then of course you know micro services right so just like API is just like we see a lot of API is being designed assuming that they're on an internal network or assuming that they're in a trusted network which is gonna be horrible for those organizations when those api's end up on the internet right or you know traversing the internet same thing goes with micro services my experience with micro services has been authenticated authorization no we don't need that we're just this little service and someone else will build another service that we can you know use that for hey if no one gets around to it well then I guess we just don't do it and unfortunately no one's really gotten around to it yet right so there's definitely a lot of micro services out there that are built on that theory of Oh we'll just be running on a trusted network it's all fine and you know we already did you know talked a little bit about you know telemetry right beyond Corp works really well if you actually are able to detect and respond quickly right so you need to understand what the logs are where you're getting them from where they're going and then what they actually mean right and and and you can do things like make those risk decisions right so the logs can feed into one system and then you can feed that into your policy and you didn't say hey we see this type of thing on the logs here's the policy what we want to apply for that or we see this type of thing in the logs that might be an attack pull the fire alarm and you'll get the 
instant response people to to scramble and then we've definitely seen some issues with certificate authorities you know where you do things like have internal only resources and you're trying to have properly signed certs for those resources versus external resources because users are accessing things externally it's expecting to see an external IP in a certificate in some cases and causes issues right wild-card certs might be the fix there and then of course the last thing to is some applications just don't play nice with with that architecture of of beyond court because when you look at it behind the scenes what's happening when you're accessing a web app is that you're first being redirected to you know the proxy server then you get redirected to ascetic age and then you end up you know somewhere else where maybe you're you know determined how much the system trusts you and then you're going to the app well some applications just don't know what to do with that many you know redirects in the chain before you get to them this one's getting getting more and more rare I saw it I saw the application issue one probably three four years ago we experienced it a little bit of duo we decided this joke about it we called it the authentication loop where we had this app that wasn't playing nice and it would just keep getting stuck in that authentication piece but we do see a lot of those you know issues being you know being addressed over time especially at the major apps that we see a lot of organizations using except maybe meta most so one of the things that we've got internally is a slack line because I don't trust lack they're not very good at security so we moved to matter most in a bianco which works fine on the Windows and Mac using electron before the bug came out but on the mobile app it doesn't work because Steve said there's a weird or group where the app just go as well I want to connect to slack dot whatever calm but I'm going through five different boxes I'm 
just gonna fall over and it does that so a thing as more and more people start moving towards or beyond caught up thing the app developers gonna have to start thinking about this that there could be six endpoints to an authentication input so it again it goes down how does the app work what are we connecting to what are we looking at there's still a long way to go beyond core but generally I'm quite excited about it's probably the first time in nearly three decades of doing this that is this is a really exciting way of actually keeping attackers out with that we went you know a little bit fast but we do have time for questions if anyone has any we have a little portable microphone [Music]
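The access decision the talk keeps coming back to (known device with a valid cert, patch baseline of at most a dot-one release behind, MFA where exception-list users are flagged rather than waved through, and log telemetry feeding the policy), as an added example in Python that is not from the talk, from Duo or from Google's BeyondCorp code; the class names, the resource table and the rules are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed example of a BeyondCorp-style access-proxy policy check.
# All names, rules and the resource table below are assumptions.

@dataclass
class Device:
    device_id: str
    in_inventory: bool        # asset management: do we actually know this device?
    cert_valid: bool          # device certificate issued by the internal CA
    os_version: tuple         # (major, minor), e.g. (11, 6)

@dataclass
class User:
    username: str
    mfa_verified: bool
    mfa_exception: bool       # the "executives skip MFA" exception from the talk

@dataclass
class Request:
    user: User
    device: Device
    resource: str
    risk_signals: list = field(default_factory=list)  # derived from log telemetry

# Per-resource minimum OS version (assumed values); the decision lives next to the resource.
REQUIRED_OS = {"hr-app": (11, 6), "finance-app": (11, 6)}

def patch_level_ok(installed, required):
    """Fully patched or one minor (dot-one) release behind, same major version."""
    return installed[0] == required[0] and installed[1] >= required[1] - 1

def evaluate(req):
    """Return (decision, reasons); every reason is kept so the logs explain each denial."""
    reasons = []
    d, u = req.device, req.user
    if not d.in_inventory:
        reasons.append("unknown device")
    if not d.cert_valid:
        reasons.append("no valid device certificate")
    required = REQUIRED_OS.get(req.resource)
    if required is None:
        reasons.append("resource not registered")
    elif not patch_level_ok(d.os_version, required):
        reasons.append("device behind patch baseline")
    # An exception entry never bypasses MFA here; it is recorded, because excepted
    # users are the ones an attacker would pick first.
    if not u.mfa_verified:
        reasons.append("mfa not verified" + (" (user is on exception list)" if u.mfa_exception else ""))
    if "impossible-travel" in req.risk_signals:   # constructed telemetry signal name
        reasons.append("telemetry flagged session")
    return ("allow" if not reasons else "deny", reasons)
```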
Info
Channel: Duo Security
Keywords: infosec, hacking, techtalk
Id: WgSMaiCaBpw
Length: 43min 3sec (2583 seconds)
Published: Wed Jul 18 2018