Report from RSA - Today was Yesterday’s Worst Case Scenario
Lieberman, President & CEO
RSA 2014 was an exciting and exhausting
experience filled with new partnerships, new technology and a general
reset on what security means today (what works and what doesn’t).
In our presentation at RSA we argued that the maximum-age standards that
compliance regimes set for passwords and certificates are now irrelevant.
We now see password ages for privileged accounts limited to hours rather
than the conventional maximum of 30 to 90 days. Where certificate
lifetimes were once measured in years or decades, we now see lifetimes of
minutes to days. In both cases there is a realization that privileged
credentials and the components of encryption are being captured, and the
goal is to limit the value of
The assumption that a defense can be 100% effective has come to an end.
The new reality is that at least one system within any environment is
already compromised, and the job of IT Security is now to minimize
damage, and to discover and neutralize intruders after they have entered
the environment.
Target’s breach was also a common wakeup call for many at the
conference, confirming that even at the largest companies in the world
the basics, such as having a different random password on each device
and server, were not being done. The Target breach showed that many
breaches come not from a lack of technology but from a lack of
corporate competence. Concurrent with the disclosure of the fundamental
incompetence of IT security at Target, their CIO left in March 2014.
As a company we are pushing privileged identity management from a point
solution, used to remediate existing poor practices and implement a hard
control, into the realm of a privileged identity security platform. Our
latest versions are being deployed in a headless configuration (no
console or web GUI needed) and driven by PowerShell and Web Service
APIs. These APIs orchestrate the discovery, randomization and
time-limited release of credentials as a baked-in feature of the
lifetime of each machine (virtual and physical) and application. In
essence our product is becoming a platform for cloud providers, MSPs,
and government projects that are seeking to secure identities as part of
their offering stack.
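The workflow described above (randomize a privileged account's password, release it for a bounded window, then re-randomize) can be shown without any product. The following is an added illustration written for this newsletter, not the Lieberman product or its PowerShell/Web Service API. It assumes a single host with a local account, the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), an assumed ledger path under C:\ProgramData, and a default four-hour release window.

```powershell
# Added illustration (not the Lieberman product or its API): per-machine random
# local-admin passwords released for a bounded window, then re-randomized.
# Assumptions: a local account, a ledger file path and a 4-hour default window.
Set-StrictMode -Version Latest

function New-RandomPassword {
    param([int]$Length = 32)
    # Printable ASCII without space; rejection sampling avoids modulo bias.
    $alphabet = [char[]](33..126)
    $limit    = $alphabet.Length * [math]::Floor(256 / $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $out      = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $out.ToString()
}

function Reset-LocalAccountPassword {
    # Set a fresh random password and return it (the only copy outside the SAM).
    param([Parameter(Mandatory)][string]$Account)
    $plain = New-RandomPassword
    Set-LocalUser -Name $Account -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
    $plain
}

function Request-LocalCredential {
    # "Release": rotate first, so the caller never receives a password anyone
    # else has seen, then record when the window closes.
    param([Parameter(Mandatory)][string]$Account,
          [int]$Hours = 4,
          [string]$Ledger = 'C:\ProgramData\pim-ledger.csv')   # assumed path
    $password = Reset-LocalAccountPassword -Account $Account
    $expires  = (Get-Date).AddHours($Hours)
    [pscustomobject]@{ Account = $Account; Expires = $expires.ToString('o') } |
        Export-Csv -Path $Ledger -Append -NoTypeInformation
    [pscustomobject]@{ Account = $Account; Password = $password; Expires = $expires }
}

function Invoke-ExpiredCheckin {
    # Run from a scheduled task every few minutes: any release whose window has
    # passed is re-randomized, so a captured password stops working on schedule.
    param([string]$Ledger = 'C:\ProgramData\pim-ledger.csv')   # assumed path
    if (-not (Test-Path $Ledger)) { return }
    $now  = Get-Date
    $keep = foreach ($row in Import-Csv $Ledger) {
        if ([datetime]::Parse($row.Expires) -le $now) {
            [void](Reset-LocalAccountPassword -Account $row.Account)
        } else {
            $row
        }
    }
    if ($keep) { $keep | Export-Csv -Path $Ledger -NoTypeInformation }
    else       { Remove-Item $Ledger }
}

# Usage (run elevated; account name assumed):
#   $cred = Request-LocalCredential -Account 'Administrator' -Hours 2
#   Invoke-ExpiredCheckin    # invoked from the scheduled task
```

Two design points carry over to any real deployment: rotation happens at checkout, not only at check-in, so a second requester invalidates the first holder's password (a real platform serializes requests per account), and the ledger holds only the expiry, never the password, so the file itself is not worth stealing.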
We have also seen our product move from a compliance requirement to
being part of a cyber-warfare strategy to minimize the attack surface of
the entire environment. The product is used by both Red (offense) and
Blue (defense) cyber warriors, to find weaknesses or to minimize them
depending on which team is using the platform. The evolution from basic
compliance, to core security, and then to cyber-warfare/defense, and
what it means for product development, has been one of the most
interesting areas we have been working on.
The other evolution has been the requirement from many customers for a
hard SLA for security coverage in strict time windows, every day, with
no downtime or unscheduled outages. Certainly this is in line with the
move from point-in-time compliance to handling real threats that occur
every hour of every day (yes, hackers and nation states attack after the
auditor leaves).
RSA was quite a show, and with it we have all seen that the worst case
scenarios of the “future” are “today’s” reality. The notion that
compliance has any lasting value has been dropped as a valid concept,
and those CIOs who cling to it should be looking for another job. RSA
taught us that there are no perfect solutions, only mitigations that
minimize risk and damage and limit how long an intruder can move around
in your environment.
you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.
New in Identity Week
Featured commentary on our Identity Week blog this month includes:
- Cyber Espionage is Nothing New.
Cyber espionage has been prominent in the headlines recently, with the
Snowden affair in particular garnering much publicity. However, for
anyone who has been tracking the growth of malware over the years,
Snowden’s disclosure that security agencies use malware did not come as
- IT Security Training a Liability? One of the fundamental
problems with most businesses today is that they are not investing in
providing IT staff with basic information security training. Many
companies have compartmentalized in such a way that security and
operations don’t meet. And, in fact, quite a few organizations have
fostered an environment where IT actually views security as a hindrance
Events / Press /
Software has been named The Innovation Leaders
in Privilege Management by
analyst firm KuppingerCole - "Lieberman Software is ahead of the
hacked - get over it. CSO. Here's a sobering thought. Phil
Lieberman, the President of Lieberman Software, says, "Every day you
wake up, you know somebody is in your network. You just don’t know
where they are, what they're getting and what you can do to stop them".
The overwhelming theme of this year's RSA Conference has been that
border protection, while an important layer in our security, is not
enough. The distribution of end points, characterised today by
increased numbers of mobile devices but expanding rapidly as the
Internet of Things becomes a reality, and the distribution of critical
systems out of private data centres into shared service providers has
changed the nature of our information systems and infrastructure.
the Hash: Segment Your Environment to Contain Security Breaches.
Computer Technology Review. There was a time many moons ago
when, in an age of innocence, the term, “pass the hash” had an entirely
different meaning. For some of us old enough to remember, or still have
our wits about us, “pass the hash” was something you did at the back of
the school on a Friday night. But times move on, and suddenly it seems
that “pass the hash” is in vogue again.
Tech Tip of the Month
Get a Registry Values Report in Real-Time with User Manager Pro Suite
This report discovers the contents of registry keys on all selected
machines. Choose to report on a single value, or on all values in a key
and all of its sub-keys.
This report has a large number of uses. For example, use it to
determine what will run automatically at startup on each machine. If a
program or piece of malware creates a particular key or value, you can
test for its presence on all targeted systems. The registry report also
lets systems administrators check the versions of applications (which
store their version information in the registry) on every system on the
network, and sort by version. It can likewise detect the presence of
specific applications installed on individual workstations. In short,
the usefulness of this feature is limited only by the data stored in the
registry. Here's
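The same kind of report can be built with PowerShell remoting. The following is an added example for this tip, not User Manager Pro Suite code: it collects the values under a list of keys (by default the classic autorun locations, which covers the "what runs at startup" use above) from each machine, and the usage shows the two checks the tip describes: spotting an autorun value present on only one host, and sorting the fleet by a version value. The host names are assumed; the key paths and value names are standard Windows locations.

```powershell
# Added illustration (not User Manager Pro Suite): a registry-values report
# gathered from a list of machines over PowerShell remoting. The default keys
# are the usual autorun locations; the host names in the usage are assumed.
function Get-RegistryValueReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        ),
        [string]$ValueName = ''   # empty = report every value under each key
    )
    # (,$KeyPath) keeps the array as one argument instead of splatting it.
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$KeyPath), $ValueName -ScriptBlock {
        param([string[]]$Keys, [string]$Only)
        foreach ($k in $Keys) {
            if (-not (Test-Path -LiteralPath $k)) { continue }   # key absent on this host
            $item = Get-Item -LiteralPath $k
            foreach ($name in $item.GetValueNames()) {
                if ($Only -and $name -ne $Only) { continue }
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Key      = $k
                    Name     = $name
                    Type     = $item.GetValueKind($name)
                    Data     = $item.GetValue($name)
                }
            }
        }
    } | Select-Object Computer, Key, Name, Type, Data
}

# Usage (hosts assumed). An autorun entry present on exactly one machine is a
# good first place to look for something that should not be there:
$report = Get-RegistryValueReport -ComputerName 'ws01','ws02','ws03'
$report | Group-Object Name, Data | Where-Object Count -eq 1 |
    ForEach-Object { $_.Group } | Format-Table Computer, Name, Data -AutoSize

# Version check across the fleet, sorted by version (here the OS build number):
Get-RegistryValueReport -ComputerName 'ws01','ws02','ws03' `
    -KeyPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ValueName 'CurrentBuild' |
    Sort-Object { [int]$_.Data } | Format-Table Computer, Data -AutoSize
```

Hosts that are offline or have remoting disabled surface as Invoke-Command errors rather than silently dropping out of the report; compare the set of Computer values returned against the input list before trusting a "not present anywhere" result. The uniqueness check is only a triage heuristic: a legitimate one-off install shows up the same way, so it narrows where to look rather than proving anything.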