• United States



Security leaders need to sprint before getting forced to scramble

Apr 19, 20177 mins
Identity Management SolutionsIT Leadership

Udi Mokady shares insights on the changing nature of security threats and how a focused sprint now builds trust and sets the stage for future success

sprint track runners
Credit: Thinkstock

Security is a team sport.

Out of the shadows, our success increasingly depends on working with others. That places a premium on trust. Our colleagues need to trust us. And we need to trust them — even as they have increasingly more access in more areas.

Coupled with the changing nature of threats, we need to think about how we secure the proverbial keys to the IT kingdom.

I recently talked with Udi Mokady (LinkedIn), Chairman and CEO, CyberArk about what that means for security leaders in today’s pressure-filled environment. Udi co-founded CyberArk in 1999 and established the Privileged Account Security market. Today, CyberArk works with more than 3,075 global organizations, including more than 45% of the Fortune 100.

Udi and I talked about the reality of what happens after a breach… and how it forces people to scramble in conditions where they are not likely to do their best work. We talked about trust and understanding how threats are changing.

And why sprinting by our choice with the right prioritized steps makes it less likely we’ll have to scramble down the road. We started our conversation on the blurring lines between insiders and outsiders…

What do you mean that we now lack a distinction between insiders and outsiders?

The traditional understanding of insiders versus external attackers often focuses on distinguishing between individual attributes – such as where they’re located, what their motivations are, and who they’re working with or employed by.  But insiders aren’t just employees on a company’s payroll, they also include those individuals who have “insider access” such as a third-party advisors or consultants providing services to a company, and the sophisticated attackers who make it inside.

Research shows that every advanced cyber attack has a common denominator: the exploitation of privileged accounts. Today, determined attackers are as strong as our most sophisticated insiders, which has caused the lines to blur. To be successful, an attacker requires the privileged credentials of an insider. Technically, these attackers are no different than if you hired them and gave them privileged access – it’s impossible to tell the difference.

A great example is the U.S. Office of Personnel Management (OPM) breach. External attackers targeted a third-party contractor – who was provided with insider credentials. The attacker stole and exploited these privileged credentials to conduct the attack.

How can organizations rebuild trust in their IT infrastructure following a breach?

High profile breach cases like Yahoo reinforce the concept of how attackers are using cold war-inspired espionage tactics in modern cyber attacks. Privileged accounts become the ultimate espionage asset. They no longer need a person, just the representation of one — the human asset is now a digital asset. Cyber attackers are well aware of the power of privileged accounts. Once privileged credentials are captured, attackers can escalate privileges in order to move about the network, virtually undetected. With the right access, attackers can live on a network for weeks or months, basically hiding in plain sight while conducting reconnaissance on the network to find out where data is stored, how it’s transferred and the security processes working to protecting it. Once an attacker reaches the domain controller, it’s synonymous with taking over the passport authority. Following a breach, trust in the IT infrastructure is completely compromised, leaving organizations to wonder if the perpetrator is still entrenched in the network, and who has control of the business.

In this situation, an organization’s first call is typically to an incident response team to understand the source of the breach and assess damage. The second call is often focused on helping to restore trust in the IT infrastructure. Even though incident response is not our area of focus, CyberArk has been “the second call” following several high profile incidents. Restoring that trust often begins with identifying where all privileged accounts exist within the network, getting them under control, and rebuilding systems from the ground up so there is confidence the moment an asset is first brought back online.

With a 30-day sprint focused on protecting privileged credentials, where do security leaders need to focus?

The question of focus is a critical one. In my conversations with CISOs, with staffing constraints, talent shortages and unrelenting cyber threats, their job is incredibly difficult. Despite the many IT decisions that have been driven by audit and compliance requirements, it’s well known that compliant companies still get breached. Today, it’s imperative that security leaders think like an attacker. This means conducting Red Team exercises to simulate an attack, and focusing on protecting high value assets that are coveted by attackers, including privileged accounts, to limit business impact and damage.

In our recent CISO View report, we drew from the experiences of security professionals and technical experts who have been on the front lines of breach remediation efforts to offer a framework for protecting privileged credentials. Based on real-world experiences, this framework helps security teams prioritize their efforts and implement critical controls in a relatively short period of time. CISOs and other security leaders should prioritize identifying accounts quickly, giving precedence to the riskiest accounts, and being realistic about addressing the volume of accounts. Even if security leaders aren’t able to put all the controls in place in 30 days, there’s still value in adopting a new mindset that places emphasis on rapid risk reduction.  

A lot of people get nervous about sprints. What makes this sprint different?

One of our now-customers shared with us how they “sprinted” following a breach, suddenly finding themselves with all the C-level support they never had prior to the attack. We like to think of adopting a sprint mindset as making the choice to take a proactive approach to cyber security: “Sprint now, rather than scrambling later.”

How quickly can a new set of security controls be deployed across an enterprise? It depends on the organization’s sense of urgency. In the aftermath of a breach, the organization becomes internally aligned, decision-making speeds up, immediate results take priority over bureaucracy, and tremendous progress in security becomes possible in a short timeframe. We saw this happen in one organization where a small team of just eight members working with a security consultant in the aftermath of a breach was able to vault the administrator accounts for 20 domains and 6,500 servers in just four weeks.

Inevitably, all breach survivors wish that they had made that spurt of progress in time to have prevented the damage. Compared with implementing controls in a stressful post-breach environment, doing the work proactively is likely a much smoother process. We really try to break it down into an easy to implement framework that makes it simple for companies to establish some quick wins, then transition into a longer-term program with key milestones and measurable results.

In your experience, what is the key factor that drives success for a security leader?

In my experience, the most successful security leaders are the ones who assume breach and have invested in Red Team exercises and adversary simulation. By testing all forms of security controls, organizations can establish a baseline to continue to test and measure against. They can then layer on additional tactics like investing in cyber threat hunting to proactively look for an in-process attack, including signs of privileged account abuse, and deviation from the established baseline.

In one of our now-customers, a Red Team was hired to operate within their environment for two weeks, and provide the CSO with a report at the end of the engagement. However, after only a few hours, they were able to steal the credentials necessary to gain domain admin privileges. Those privileges allowed them to compromise the entire domain, and gain control of the network. Performing proactive security initiatives like this helps security leaders understand what’s needed to protect their organization in a variety of attack situations, and enables them to better test and benchmark security controls.


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience of success advancing security in variety of operational roles. He guides leaders and teams on the best next step of their journey.

More from this author