From the start, two-factor authentication, or 2FA, established itself as a simple, effective way to verify identities with more certainty.
The big hitch with 2FA, and what it evolved into – multi-factor authentication, or MFA – has always been balancing user convenience and security. That seminal tension still exists today even as the global cybersecurity community is moving to extend MFA as a key security component in much more complex digital systems spinning out of digital transformation.
One leading innovator in this space is Tel Aviv-based Silverfort. I’ve had a number of conversations with company co-founder and CEO Hed Kovetz over the past couple of years, and I had the chance to meet with him again at Black Hat 2019.
One thing I learned from Kovetz this time was that secure authentication seems destined to play a major role, going forward, in verifying not just human identities but also machine identities. In terms of baking in security at a fundamental level of future systems, that’s very significant. For a drill down on why that’s so, give a listen to our full discussion in the accompanying podcast. Here are the key takeaways:
A machine’s world
Machines are taking over. A machine, in this context, is any piece of hardware or software that can accept and execute instructions. This includes the beefy servers humming along in vast data centers and providing the infrastructure for cloud services.
And it also includes software: the modular “microservices” written by third-party developers; the software “containers” inside of which these microservices get mixed and matched; and the billions of APIs that enable two disparate machines to exchange data. In this realm, the identity of each and every machine must be verified, or chaos would rule.
Machine identities are verified by digital certificates that leverage the public key infrastructure (PKI), a framework for encrypting data and authenticating web entities. These identity certificates – and the cryptographic keys used to authenticate them – get issued by Certificate Authorities (CAs), vendors that diligently verify the authenticity of websites.
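To make the PKI mechanics concrete, here is a small Go program written for this page (it is an added example, not code from the article or from Silverfort). An in-memory CA issues a certificate that names one machine, and a relying party checks that the presented certificate chains to a root it trusts and actually names the machine it expects. The CA name, the DNS name and the single-root trust store are constructed for illustration; a production CA would keep its key in an HSM and issue through an intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer bundles a CA certificate with its private key. Both live in memory
// here purely for the example.
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root CA with a constructed name.
func NewCA(name string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, Key: key}, nil
}

// IssueMachineCert has the CA sign a leaf certificate whose SAN names one
// machine (for example a service's DNS name). Returns the DER encoding.
func IssueMachineCert(ca *Issuer, dnsName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// VerifyMachineCert is the relying party's check: parse the presented leaf,
// chain it to the trusted root, and confirm it names the expected machine.
func VerifyMachineCert(leafDER []byte, trustedRoot *x509.Certificate, expectedName string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	// Constructed names; errors are ignored only to keep the demo short.
	ca, _ := NewCA("Example Internal Root CA")
	other, _ := NewCA("Some Other CA")
	leaf, _ := IssueMachineCert(ca, "billing-api.internal.example")
	fmt.Println("trusted chain, right name:", VerifyMachineCert(leaf, ca.Cert, "billing-api.internal.example"))
	fmt.Println("trusted chain, wrong name:", VerifyMachineCert(leaf, ca.Cert, "other.internal.example"))
	fmt.Println("untrusted root:           ", VerifyMachineCert(leaf, other.Cert, "billing-api.internal.example"))
}
```

The three calls in main show the checks that matter in practice: a certificate is only as good as the root it chains to, and a valid chain still proves nothing unless the name in the certificate is the name of the machine you meant to talk to.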
Companies today are hell bent on deepening their reliance on cloud services. They’re doing this by increasingly relying on DevOps to speed up software development. This is translating into an explosion in the number of machines, which has opened up a new frontier of attack vectors – and threat actors already are on the move to take advantage.
“Networks are becoming more dynamic,” Kovetz observed. “In these cloud environments, all these resources and instances are being created on the fly. Organizations don’t actually know what’s out there, at any given moment. So how can they hope to secure it?”
Enter secure authentication, or more precisely, risk-based authentication.
When it comes to verifying the identity of both human and machine accounts, Silverfort takes an umbrella view. Using an approach it refers to as “adaptive” MFA, Silverfort leverages directory services to monitor all the authentication activity, including human and machine access requests, without needing agents, proxies or any integration with the protected system.
Each verification request, whether from a human or a machine, gets noted, assessed and logged. Over time the risk engine gets better and better at recognizing routine, i.e. legitimate, patterns. Established low-risk patterns are allowed to run unhindered. Any out-of-the-ordinary activity gets flagged. Based on the severity of the anomaly, a range of policies automatically get enforced. A second factor of authentication might be required, or access could be denied. In the case of machine-to-machine access, where there is no human to address the MFA requirement, the policy can be set to alert or block access in real time.
“For a human we can just send a message to the phone and request proof that it’s really them,” Kovetz told me. “But with a machine you have to be more creative. So we built a solution that actually learns the behavior of these accounts and identifies anomalies.”
Machines are nothing like humans. “Machines are super predictable; they do exactly the same thing every time,” Kovetz continued. “With machine accounts, it’s pretty easy to detect when someone is doing something different. They might have stolen the credentials and are trying to misuse the account or cause damage.”
Silverfort watches for any machine activity that’s the slightest bit out of whack. “We learn the behaviors and we look for deviations from normal behavior,” he said. “Then we intervene. We can prevent certain kinds of access or do step-up authentication, or forward an MFA request to someone from the organization to approve any kind of abnormal access. There are all kinds of policies we can enforce.”
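The risk-engine behaviour described in the two passages above (learn each account’s routine patterns, score deviations, then enforce a policy that differs for human and machine accounts because a machine cannot answer an MFA prompt) can be sketched in a few dozen lines. The Go program below is an added example written for this page; it is not Silverfort’s product, algorithm or API. The log-line format, the account and host names, the three features the baseline remembers (source host, target system, hour of day) and the severity thresholds in Decide are all assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AuthEvent is one authentication request as the directory service sees it.
type AuthEvent struct {
	Account string
	Machine bool   // true for a service/machine account, false for a person
	Source  string // host the request came from
	Target  string // system being accessed
	Hour    int    // hour of day, 0-23
}

// ParseEvent reads one constructed log line such as
// "account=svc-backup type=machine src=backup01 dst=fileserver hour=2".
func ParseEvent(line string) (AuthEvent, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) != 2 {
			return AuthEvent{}, fmt.Errorf("bad field %q", f)
		}
		kv[parts[0]] = parts[1]
	}
	h, err := strconv.Atoi(kv["hour"])
	if err != nil || h < 0 || h > 23 || kv["account"] == "" {
		return AuthEvent{}, fmt.Errorf("malformed line %q", line)
	}
	return AuthEvent{kv["account"], kv["type"] == "machine", kv["src"], kv["dst"], h}, nil
}

// features are the per-account behaviours the baseline remembers.
func features(e AuthEvent) []string {
	return []string{"src:" + e.Source, "dst:" + e.Target, "hour:" + strconv.Itoa(e.Hour)}
}

// Baseline maps an account to the set of features seen while learning.
type Baseline map[string]map[string]bool

// Learn builds the baseline from historical, assumed-legitimate events.
func Learn(history ...AuthEvent) Baseline {
	b := Baseline{}
	for _, e := range history {
		if b[e.Account] == nil {
			b[e.Account] = map[string]bool{}
		}
		for _, f := range features(e) {
			b[e.Account][f] = true
		}
	}
	return b
}

// Score counts the features this account has never shown before
// (0 = routine, 3 = everything is new); an unknown account scores 3.
func (b Baseline) Score(e AuthEvent) int {
	n := 0
	for _, f := range features(e) {
		if !b[e.Account][f] {
			n++
		}
	}
	return n
}

// Decide applies a hypothetical severity policy: a human gets step-up MFA
// (a block when nothing matches); a machine, which cannot answer an MFA
// prompt, gets an alert for a small deviation and a block for a larger one.
func (b Baseline) Decide(e AuthEvent) string {
	switch s := b.Score(e); {
	case s == 0:
		return "allow"
	case !e.Machine && s < 3:
		return "step-up-mfa"
	case e.Machine && s == 1:
		return "alert"
	default:
		return "block"
	}
}

func main() {
	// Constructed log lines: a learning period, then two new requests.
	// The learning lines are known to be well formed, so their errors are dropped.
	alice, _ := ParseEvent("account=alice type=human src=wks-alice dst=crm hour=9")
	svc, _ := ParseEvent("account=svc-backup type=machine src=backup01 dst=fileserver hour=2")
	b := Learn(alice, svc)
	for _, l := range []string{
		"account=alice type=human src=wks-alice dst=finance hour=9",
		"account=svc-backup type=machine src=laptop-x dst=dc01 hour=14",
	} {
		e, err := ParseEvent(l)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %s\n", l, b.Decide(e))
	}
}
```

Running it, the human account reaching a new target gets a step-up prompt, while the service account appearing from a new host, against a new target, at an unusual hour is blocked outright. The point the sketch makes is structural rather than statistical: a real engine would weight features and learn continuously, but the policy split (prompt the human, alert or block for the machine) is what lets the same baseline protect both kinds of account.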
It struck me, as we got toward the close of the interview, that Silverfort is contributing to a tectonic shift that’s gaining momentum in cybersecurity. The lion’s share of security budgets still gets spent on legacy technologies deployed on network gateways, servers and endpoints.
However, the leading-edge defenses increasingly are focusing on generalized north-to-south traffic – the packets moving to and fro between on-prem and in-the-cloud data centers – as well as on east-to-west traffic – the packets moving between systems inside the network perimeter.
There are two reasons this makes a lot of sense. First, it enables seamless protection for any type of system by removing the need to deploy software agents on each protected system or to do custom integration, both of which often become a barrier to deploying security solutions. And second, because it sees all the traffic, it gives a much more comprehensive picture of all user and machine activities. This provides all the data needed for machine learning algorithms to work best. And as a result, it can provide better protection.
“The key for doing better AI is having more data,” Kovetz told me. “If you only look at the gateway you won’t find enough data about user behaviors. But if you look at everything users are doing inside the network or inside the cloud, this is tens of times more data than you would see at the gateways. This is where normal users and hackers look really different.”
By more granularly parsing traffic at this level, Silverfort can make snap decisions about the lion’s share of network activity, and eliminate unnecessary second-factor authentication routines.
“Not only do we make security better, we actually make the user experience better because we only require multi-factor authentication if there is a reason to do so,” Kovetz said. “In most cases we know whether it is you or not, just based on the behavior.”
It’s good to see the good guys continuing to get incrementally smarter about curtailing threat actors. There’s a lot more coming. I’ll keep watch.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-silverfort-deploys-multi-factor-authentication-to-lock-down-machine-identities/