Identity security: it’s a battle being waged on three fronts – and a rallying point for global cybersecurity professionals attending CyberArk IMPACT23, the identity security event of the year, held this week in Boston.
While intelligent privilege controls remain the critical foundation for securing access across organizations, today’s challenges have grown more complex thanks to three driving forces:
1. New identities
2. New environments
3. New attack methods
With 84% of organizations experiencing an identity-related breach in the past year, the ability to build business resiliency depends on meeting these three challenges head-on. With this urgency top-of-mind, IMPACT speakers and panelists – including CyberArk customers and partners – explained how to meet those challenges, drawing from their firsthand experiences and diving into identity security trends.
From cutting-edge research on how generative AI can be used to create polymorphic malware to exciting announcements about how CyberArk is securing the most-used application of all – the browser – there were plenty of key insights and exciting real-world examples shared.
Now, with IMPACT just wrapped after a busy three days of energizing keynotes, panels and breakout sessions (plus all those nightly networking gatherings), the following are our initial reflections on some top highlights from the past few days.
Distributed workforces, third-party users and the surge of machine identities have led to identity sprawl like we’ve never seen before. Today’s security leaders must protect hundreds of thousands of identities – human and machine – on a daily basis, from external contractors developing applications to robotic process automation bots performing formerly manual tasks.
All of these identities are key contributors to organizations’ cloud and digital initiatives. The trouble is, they often have far more access to sensitive resources than they need. It’s not just the IT admins of the world who need our protection – it’s every identity that comes into contact with an enterprise’s data, infrastructure and environments.
As identities proliferate, our industry must evolve to meet the challenge. CyberArk experts discussed ways security teams can ensure least privilege for every form of identity by leveraging automation, machine learning and controls typically reserved for privileged users, such as enterprise-grade password protection, session protection and just-in-time capabilities.
CyberArk also revealed some significant new innovations from the CyberArk Identity Security Platform that are helping to lead the charge – including automation and artificial intelligence.
It’s not just the identities that are getting more complex to manage. As CyberArk CEO Matt Cohen said in his opening keynote, “No longer are we living in the walled garden of the on-prem data center.” In fact, in a recent CyberArk survey, respondents highlighted that they are already using three or more cloud service providers (CSPs).
Not only does the number of environments pose a challenge for security teams – but also the sheer intricacy. In the cloud breakout sessions, our experts highlighted that there are four layers to consider when it comes to cloud security:
- Securing high-risk access to third-party SaaS applications.
- Securing access for lift-and-shift workloads running in virtual machines (VMs).
- Securing access for workloads on cloud infrastructure (IaaS).
- Securing access, controls and experience for CSP services in the cloud.
Our speakers also brought up the balancing act security teams must maintain when it comes to enabling innovation in these new environments. Many of the IMPACT sessions emphasized that security must meet developers where they are, creating a seamless experience that enables the devs to do what they do best while still securing the environments they work in. That means moving beyond simple standing access into more dynamic and ephemeral access policies such as just-in-time access and Zero Standing Privileges.
New Attack Methods
During Tuesday’s keynote session, CyberArk Founder and Executive Chairman Udi Mokady reminded the audience that companies aren’t the only ones innovating. Today’s attackers employ a business innovation mindset and are constantly upping their game. Intermittent encryption and a new attack group’s weaponization of Discord to spread malware were just two examples of the combination of business and attack innovation our CyberArk Labs team is seeing today.
Software supply chain attacks also continue to be a hot topic of discussion. Multiple breakout sessions covered the importance of taking a holistic approach to securing CI/CD pipelines to combat new attacker innovations. Mokady also brought up the specter of what we’ve dubbed a “cascading software supply chain attack,” like what was seen in the 3CX attack, in which attackers gained a foothold in the popular VoIP desktop tool through a user who had been a victim of a software supply chain attack on the now-unmanaged trading platform X_Trader.
VP of Cyber Research and the head of CyberArk Research Labs, Lavi Lazarovitz showed attendees just how sophisticated attackers can get when using generative AI. After demonstrating a spooky deepfake of Mokady and how it could be used in a vishing attack – the voice version of phishing – Lazarovitz emphasized that the distance from creating these types of deepfakes to gaining access to sensitive information or credentials is short. He also touched on how biometric authentication could be hacked using generative AI, referencing chilling research from Tel Aviv University on creating a master key to unlock facial recognition protocols. Finally, he showcased how the CyberArk Labs team was able to use ChatGPT to generate code for a type of malware that attackers could use to harvest valuable credentials and sensitive information.
We also got a glimpse into how attackers innovate and think from the firsthand experiences of Marcus Hutchins, who shared his story of how he made the journey from developing malware as a young hacker to halting the 2017 WannaCry attack. He delivered it from the unique perspective of a former malware author now fighting on the side of cybersecurity defenders. One of his biggest cautions looking at the threat landscape today had to do with how credentials are now often harvested by malware but not immediately used. Instead, they’re sold on again and again, meaning that it could be years before they’re used to break into the target organization.
And that brings us to one of the biggest attack vectors of interest at IMPACT23: cookie or session hijacking. Using this method, attackers gain control of a user’s session and gather important information (like cookies) that can then be used to further penetrate the network. CircleCI and Linus Tech Tips are just two of the most recent breaches tied to session hijacking, but as our CyberArk Labs team has shown, cookies and session IDs can be stolen with ease and are highly valuable to attackers. Across the breakouts, IMPACT speakers illustrated the risks around current browser usage and how easily cookies can be stolen and used to gain access to critical systems. There is an obvious need for a secure browser that can protect cookies and data while still providing a seamless user experience.
As Mokady emphasized in his keynote, a foundational piece of CyberArk’s constitution is to “combat attacker innovation with innovation,” staying one step ahead of these cutting-edge attack methods. Throughout the breakout sessions and keynotes, our experts offered clear strategies on how to mitigate identity-based attacks with the help of CyberArk.
Though there were many new CyberArk capabilities revealed – which we touched on above – the marquee IMPACT23 announcement focused on the new CyberArk Secure Browser. Part of the CyberArk Identity Security Platform, the Chromium-based CyberArk Secure Browser supports enterprise Zero Trust initiatives with integrated security, centralized policy management and productivity tools while delivering a familiar user experience. By extending the CyberArk Identity Security Platform to the browser itself, CyberArk makes it easy for IT teams to tailor security, privacy and productivity controls on managed and unmanaged devices. CyberArk Secure Browser offers cookieless browsing to allow users to access and use web-based resources without exposing cookie files to attackers.
Thank you to all our customers and partners for being with us on this identity security journey, and welcome to those who have joined us this week at IMPACT23 as we continue to work together on all three fronts – because the future of security is identity.