Avsnitt
-
Ever wondered how a NASDAQ listed company navigates the murky waters of cybersecurity? Join us on Identity Radicals with the CISO at Axon Enterprise,Jenner Holden, who pulls back the curtain on their operations and innovative security programs. One such program, which awards physical swords to employees, has successfully gamified the process of security awareness. Jenner also opens up about his involvement in the AZ Cyber Initiative, a program empowering high school students to kickstart their careers in cybersecurity.
Holden enlightens us on the importance of security reviews and access control processes – the unsung heroes in the fight against security threats. We unravel the complexities of automating provisioning and de-provisioning processes and shine a light on the hidden risks that linger even after an employee departs. Tune in as we delve into the art and science of detecting unusual activities and bolstering resilience to contain potential threats.
We also venture into the labyrinth of compliance frameworks such as Sarban's Oxley, SOC2, GDPR, and FedRAMP. We discuss the challenges of data sovereignty for international clients and the intricacies of securing service accounts. Jenner shares intriguing tales of unusual security threats including police impersonators trying to buy Axon gear. We conclude by emphasizing the crucial role that resilience plays in cybersecurity and the importance of promoting careers in this field.
Key Quotes
I tend to not over focus on how quickly it takes the security operations center or the incident responders to correct the incident, to fix the incident. I measure how quickly it takes them to detect and start working on it. But I don't want us to rush through the process of identifying what happened to who, when, just to get it closed and quote fixed, because I mean, it's not that infrequent that you hear about a breach that occurred where the company noticed something, they responded, but they didn't quite understand the breadth of the issue.There's always pockets of applications and access that need to be a little bit more manually done with eyes on the ball. But the bulk of it can be automated and we've done a good job getting to that point.Unfortunately, the target is maybe to just pass an audit, not to actually reduce risk to the company. Actually reducing risk probably takes a different approach that we're not yet doing but we're working towards.W hich I would describe as a little bit more real time. So if you could, if you imagine you could classify applications and or more privileged groups and access levels from highest risk to lowest risk. And use systems like Veza could definitely have a role here. And we hope to use it this way to identify through some of the workflow features, right, to identify when a change happens that involves these higher risk areas, the access review must happen right now, meaning not just the normal, they requested access and the access was approved.I would actually set a metric that our number of privileged users should actually be going down over time. Because we don't need people with deep individual access because we have built systems and automated things to the point where the deepest level operations can occur without anyone actually really needing access. If you have a lot of people with a lot of privileged access, that's actually an indicator of just general broken IT operations, probably, or process issues. It's showing me that there's other things in the business that aren't right. Therefore, we have to band-aid it by having people with deep access that can go manually fix things.We're working in other countries across Europe and the EU. And one concept that's important to our international customers is the idea of data sovereignty. So their government data, which is the data that we process on their behalf, the services that we're providing. Must stay within the boundaries that they define, the physical country boundaries, boundaries that they define. And then on top of that, the core identity characteristics of the people that are supporting them and working on that system and operating that system is also important to them from a sovereignty standpoint. So they care about where those people physically reside. Are they in my country? Are they in my continent? Are they on the other side of the world? Where are they when they're supporting the system that holds my government data? And what is their citizenship? Where might their loyalties lie? Right? Is [an] EU citizen okay, or do they have to be a citizen of Italy?Can they be a US citizen or not? These are interesting and complex issues that we navigate with our international customers as a U.S.-based company.Time Stamps
4:40-The Information Security Quest for Immortal Honor at Axon7:10-Staying prepared for the inevitability of identity attacks13:15-Understanding provisioning, keeping it effective, and impacts of automation18:50-Pivoting away from the “old school” of access reviews29:20-Unique challenges of service accounts at Axon31:40-The AZ Cyber Initiative programLinks
Follow Jenner on LinkedInCheck out all things AxonIdentity Radicals is sponsored by Veza, the Identity Security Company. Learn more about Veza by checking out:
Why Veza, Why Anything, Why NowVeza on YouTubeVeza.com
Or, schedule a demo with our identity security experts to learn how Veza's Access Control Platform can lead your organization to least privilege.
-
Join us this week as we engage in an enlightening conversation with David Tyburski, VP of Information Security and the CISO of Wynn Resorts. With over 15 years in the field, David offers his expertise on the significance of infrastructure and cybersecurity in today's increasingly digital world. Get ready to uncover the intriguing challenges he has faced, his strategies for data protection, and his outlook on the inevitability of breaches in security.
We explore the critical role of identity management and access control in cybersecurity. Listen in as we dissect the crucial aspects of identity management, and learn why pre-authorization and continuous monitoring are indispensable in warding off potential intruders. We take you through the necessity of automating security processes and how this can relieve an audit team's burden and let them concentrate on more pressing matters.
Finally, we take a step back and look at the broader picture - leadership in the advancement of the security field. Drawing on David’s experiences, he shares tips on networking, professional growth, and the importance of understanding the industry we’re in.
Key Quotes
-You need to know who has access to all of those systems, all of those applications, all of that data. There's a big problem of managing that access, especially as people come into a company, move through their positions, leave an organization, there's a problem of over-provisioning. People have more access than they really need.
-We've kind of flipped the attestation over in, as well so that we do both sides of it. And we do what's called a pre-authorization. So, based on our rollback model, we say these roles are approved to do these things in these applications. And if you don't have that authority assigned, At the beginning, you can't even request that access because we've already determined you shouldn't have it. So by, by looking at the attestation in reverse, we've been able to say, okay, now we can kind of build a framework around who should have access.
-You got to know the who, the what, the where, and [who] approves. You got to be able to authenticate it. And then you have to prove that you did the right things.
-It's just good hygiene and cleanup practices to say, the new roles don't need it, get rid of it, right? Let the people who are, who need to do that do it, but take it away from the people who don't. It's not even taking the malicious statement out of it, of somebody doing it intentionally, bad permission. It happens because of time and how people move around in the organization. And you have to realize you got to fix for that too.
- You need tooling like Veza to help you decide how does Audit find it, and then how do I find it faster than audit? And then how do I make sure that I retool my processes so that it never occurs to begin with?
-Security professionals, unlike hackers, tend to try to hold everything close to their chest and not share, but that's changing. I do think that's great that it's, I'm a big proponent of sharing, sharing processes, sharing techniques, sharing everything we can. At least sharing what you can.
Time Stamps
4:05-Regulations in the gaming industry
10:25-Radical ideas in identity problems/solutions
16:35-Adapting to new roles and access necessities
18:10-Working with your internal audit teams for maximum efficiency
29:15-Advice for future cybersecurity leaders
Links
Follow David on LinkedInCheck out all things Wynn ResortsIdentity Radicals is sponsored by Veza, the Identity Security Company. Learn more about Veza by checking out:
Why Veza, Why Anything, Why NowVeza on YouTubeVeza.com
Or, schedule a demo with our identity security experts to learn how Veza's Access Control Platform can lead your organization to least privilege.
-
Saknas det avsnitt?
-
This week, Identity Radicals brings you an insightful episode, with Rachel Wilson, head of Cyber Security at Morgan Stanley Wealth Management, delving into the critical aspects of cybersecurity and information protection. Rachel explores with host, Jason Garoutte, about the ever-growing concern of identity-based targeting, shedding light on the vulnerabilities that persist in our interconnected world.
Rachel characterizes how Multifactor Authentication (MFA) alone falls short of guaranteeing robust security. We dive into the critical scaling security measures practically while maintaining an optimum balance between risk management and compliance adherence.
They also provide invaluable insights into addressing security queries from the board of organizations. Moreover, the hosts highlight the transformative power of automation in fortifying cybersecurity defenses and discuss the ongoing challenge of recruiting and nurturing new talent in the field.
Key Quotes
-We've gotta be reconciled to the idea that our employees, and I tell this to people all the time, they are both our first line of defense and our greatest point of risk. This is why, you know, as you and I have discussed, the monitoring both internally and externally is crucial, and I think that people give short shrift.To that internal monitoring, recognizing that if you can identify an employee whose behavior is abnormal, either because they are doing something strange, or to your point, Jason, their identity has been co-opted in a way that indicates that you've got a problem. These kinds of detective controls are crucial in today's environment.
- Those of us who come from government. We're very used to living in a world where your internal network does not touch the external internet, where you're not bringing personal devices. You know, into a classified environment.Now, obviously that does not work in a private sector environment, and it certainly does not work with our new generation of employees who can't imagine a world in which I left my cell phone in my car all day
-The clients that I work with now, we're telling all of them, they have to assume that it's a when, not an if, right? And that the idea being that in a world where there is no perimeter anymore, where all of us are accessing sensitive data, proprietary data from personal devices on your local home network, your traveling, we've gotta be able to give our employees all of that functionality anywhere in the world on virtually any device, but we've gotta secure it as well.
-If I have someone who is accessing customer data that they really shouldn't be seeing to perform their job function, I've got a bad seed in my midst, right? And I've gotta address that quickly.I can't afford to have a bad apple
Time Stamps
:22-Intro2:58-Identity-based targeting7:10-MFA is not enough21:00-The practicality of scale in security26:10-The balance of risk and compliance29:00-Answering to the board on security questions37:15-How automation can change security41:55-The challenge of recruiting new talentLinks
Follow Rachel on LinkedInCheck out Morgan Stanley Wealth ManagementIdentity Radicals is sponsored by Veza, the Identity Security Company. Learn more about Veza by checking out:
Why Veza, Why Anything, Why NowVeza on YouTubeVeza.com
Or, schedule a demo with our identity security experts to learn how Veza's Access Control Platform can lead your organization to least privilege.
-
Welcome to "Identity Radicals: Conversations with cybersecurity experts,' the podcast that gives you exclusive access to the latest insights and strategies from the world’s top security professionals as they discuss how they’re defending against ever-evolving identity threats.
Hosted by industry experts and featuring exclusive interviews with security executives, we’ll cover the critical topics that every organization is facing as they secure their apps and systems, both in the cloud and on-prem.
When things go wrong with security, it’s the CISO who ends up in the hot seat. That’s why a proactive approach to Identity Security has never been more important - not only to protect your organization and customers, but your sanity too! “Identity Radicals" is your trusted source for practical advice, real-world examples, and actionable solutions. Whether you're a seasoned security professional or someone looking to enhance your understanding of identity security, this podcast is designed to propel you forward on your cybersecurity journey.
Join us for “Identity Radicals” – brought to you by Veza.