PHISH-PROOF YOUR USERS Negate Stolen Credentials & Go Beyond 2FA June 13, 2018

PHISH-PROOF USERS WEBINAR - SecureAuth...• Cyber attacks are increasing despite increasing security investment • Cyber attackers are often taking path of least resistance and mis-using


Page 1:

PHISH-PROOF YOUR USERS: Negate Stolen Credentials & Go Beyond 2FA

June 13, 2018

Page 2:

Damon Tepe, Director, Product Marketing

[email protected]

WEBINAR HOUSEKEEPING

• All attendee audio lines are muted
• Submit questions via the Q&A panel at any time
• Questions will be answered during Q&A at the end of the presentation
• Slides and recording will be sent later this week
• Contact us at [email protected]

Page 3:

AGENDA

1 Humans are the weakest link

2 What’s the problem?

3 Why 2FA is not enough

4 Adaptive/No-Trust benefits

5 Scenarios/Use cases

6 Business impact (Savings)

7 Questions & Answers

Page 4:

Billions are spent on network and endpoint security...

...but breaches still happen and are on the rise: a 40% increase last year!

(Chart: spend on Network Security and Endpoint Security, $90 Billion, versus Identity Security, $6 Billion)

Page 5:

“In 2018, we will see increased sophistication in the threat landscape with threats being personalized to their target’s weak spots or metamorphosing to take account of defenses that have already been put in place”

—“Global Security Threats Outlook for 2018”, Information Security Forum (ISF) Managing Director, Steve Durbin

Page 6:

Humans are the Weakest Link

• Phishing attempts increased 65% last year [1]
• 76% reported being a phishing victim last year [2]
• 30% of phishing messages get opened by users [3]
• 12% of those users click on the malicious attachment or link [3]

ATTACKER GOAL - Come and go without detection & exfiltrate the prize without notice

1 - http://cofense.com/wp-content/uploads/2017/11/Enterprise-Phishing-Resiliency-and-Defense-Report-2017.pdf
2 - https://info.wombatsecurity.com/state-of-the-phish
3 - Verizon DBIR 2018 - https://www.verizonenterprise.com/verizon-insights-lab/dbir/

Pages 7-9:

Compromising Your Security

• Humans pick weak passwords
• Everyone re-uses their passwords
• Something to think about…
  - The 25 most-used (hackable) passwords of 2017: http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/
  - Keeper Security mobile survey: https://keepersecurity.com/assets/pdf/Keeper-Mobile-Survey-Infographic.pdf
  - Accounts exposed in major breaches:

    Breach                 Accounts exposed
    Yahoo                  3 Billion
    Adult Friend Finder    412 Million
    eBay                   145 Million
    Equifax                143 Million
    Total                  3.7 Billion

    For scale: population of the USA = 323.4 M, China = 1.4 B, India = 1.3 B

Page 10:

Why is this a problem?

• Cyber attackers are walking in your front door undetected - 81% of breaches involve use of stolen or weak credentials
• 40% of assets are protected by a password or less - 60% have taken at least a 2FA step
• Attackers go undetected for 99 days - although better than previous years, 3+ months is too much
• Cost of a US breach is now $7.3 Million - up from ~$4 million a couple of years ago
• Boardrooms & brand erosion

Pages 11-13:

SOLUTIONS

PASSWORDS
• More secure PWs
• Change PWs more
• Phishing education
• Single Sign-on

2FA/MFA
• Hard tokens - poor UX, expensive
• Phone-based - for everyone?
• Popular methods bypassed

CONTEXT & RISK
• More context - more clues
• Additional security layers
• Can be dynamic/evolving

Pages 14-18:

2FA IS NOT ENOUGH - HOW ATTACKERS BYPASS 2FA

Variety of techniques:

One Time Passcodes
• Phishing attack (MitM)
• Malware
• SMS/Call Intercept (SS7)
• Phone # Porting - youtu.be/lc7scxvKQOo

Push-to-Accept - youtube.com/watch?v=vcA6dLl5Sa4&feature=youtu.be&t=30m38s

Knowledge-based Q&A
• Street you grew up on?
• Name of first pet?
• 1st grade teacher’s name?
• Mother’s maiden name?
We over share on Social Media

HUMANS ARE THE WEAKEST LINK
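The first technique on the list, a real-time phishing relay against a one-time passcode, is worth seeing concretely. The Python below is an added example, not code from SecureAuth or from the webinar: it implements RFC 4226/6238 HOTP/TOTP verification for a toy server (drift window of one step either side, each code usable once) and a phishing proxy that forwards the victim's password and code to the real server within the code's validity window. The account name, password, shared secret and timestamp are constructed sample values.

```python
"""Real-time phishing relay against a TOTP second factor (added example).

The server, the phishing proxy and the sample account are constructed for
illustration; the OTP arithmetic follows RFC 4226 (HOTP) and RFC 6238 (TOTP).
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # TOTP time step
CLOCK_DRIFT = (-1, 0, 1)   # steps of clock skew a typical server tolerates


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float) -> str:
    """TOTP per RFC 6238: HOTP over the current 30-second time step."""
    return hotp(secret, int(unix_time // STEP_SECONDS))


class Server:
    """The real site: checks the password, then the TOTP with a drift window,
    and refuses to accept the same code twice."""

    def __init__(self, accounts: dict):
        self.accounts = accounts          # user -> (password, totp_secret)
        self.used = set()                 # (user, step) pairs already consumed

    def login(self, user: str, password: str, code: str, unix_time: float) -> str:
        stored = self.accounts.get(user)
        if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
            return "rejected"
        for drift in CLOCK_DRIFT:
            step = int(unix_time // STEP_SECONDS) + drift
            if hmac.compare_digest(hotp(stored[1], step), code):
                if (user, step) in self.used:
                    return "replay rejected"  # this code was already spent
                self.used.add((user, step))
                return "session granted"
        return "rejected"


class PhishingProxy:
    """Attacker-in-the-middle: a lookalike login page whose backend forwards
    whatever the victim types to the real server, immediately."""

    def __init__(self, real_server: Server):
        self.real_server = real_server
        self.captured = None

    def submit(self, user: str, password: str, code: str, unix_time: float) -> str:
        self.captured = (user, password, code)
        # The attacker's own client hits the real server; the session that
        # comes back belongs to the attacker, not to the victim.
        return self.real_server.login(user, password, code, unix_time)


def phishing_relay_scenario() -> tuple:
    """Victim types password + a fresh TOTP into the phishing page; the proxy
    relays it within seconds. Returns (attacker_result, victim_retry_result)."""
    secret = b"12345678901234567890"              # RFC 4226 test-vector secret
    server = Server({"alice": ("hunter2", secret)})
    proxy = PhishingProxy(server)
    now = 1_528_900_000.0                         # fixed sample timestamp

    victim_code = totp(secret, now)               # read off the victim's authenticator app
    attacker_result = proxy.submit("alice", "hunter2", victim_code, now + 5)

    # The victim, shown an error by the phishing page, retries the real site
    # with the same code a few seconds later and is refused as a replay.
    victim_retry = server.login("alice", "hunter2", victim_code, now + 8)
    return attacker_result, victim_retry


if __name__ == "__main__":
    print(phishing_relay_scenario())
```

The code is valid for whoever presents it first inside the window, and nothing in the OTP ties it to the page it was typed into, so single-use enforcement only decides who wins the race. The same applies to push-to-accept: the approval is not bound to the attacker's session. Two practical consequences follow: the mitigations on the next slides are about context (device, IP, geography, timing) rather than a stronger code, and a "replay rejected" on a user's own login, as in the scenario above, is a detection signal worth alerting on.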

Page 19:

TRUST NOTHING – CHECK EVERYTHING. THE MORE YOU KNOW – THE MORE PROTECTED

DEVICE
• Access device (PC)
• Authentication device (Phone)

ACCOUNT
• Attributes?
• Segregation of duties?
• Privileged/Sensitive?

LOCATION
• Known?
• Permitted?

BEHAVIOR
• Irregularities – Attempts? Times? Apps?

IP ADDRESS
• Known?
• Anonymous network?
• Multiple threat feeds

3RD PARTY
• 3rd Party Risk Score – SIEM? UEBA? IGA?

Page 20:

SECURITY IN LAYERS - Not a New Concept…

BUILDING SECURITY
• Fences
• Door locks
• Key cards/ID badge(s)
• Security guard(s)
• Cameras

POLICE PROTECTION (body armor)
• Many layers of woven or laminate fibers
• No one layer stops a bullet
• Some have metal or ceramic plates for added protection

IDENTITY PROTECTION
• Can’t rely on just a password
• Attackers can bypass 2FA
• IDs need more security ‘layers’
• The more we know, the better

Page 21:

More Checks = More Secure

Traditional Authentication: ATTACKER -> PASSWORD -> THE PRIZE

2-FACTOR AUTHENTICATION: ATTACKER -> Password -> 2-factor auth -> THE PRIZE

Adaptive Authentication: ATTACKER -> all of the following -> THE PRIZE
• Password
• Device Recognition
• Anonymous proxy
• Threat services
• Directory attributes
• Sensitive/privileged
• Segregation of duties
• Irregular Behavior
• 3rd party risk score
• 2-factor auth
• IP white/black list
• Geography
• Phone type
• Phone carrier
• Phone porting status

Page 22:

Adaptive Authentication Risk/Context Checks

• Device Recognition
• Geo-Location
• IP White/Black List
• Attributes & Profile Check
• Anonymous Proxy (e.g. Tor)
• IP Checked - Multiple Threat DBs
• Phone # Recently Ported
• Phone Type
• Phone # Carrier
• High Risk Account - Privileged
• High Risk Account - Sensitive
• High Risk Account - SoD
• Behavior Analysis - Machine Learning
• Geo-Velocity
• Bring Any 3rd Party Risk Score

Authentication Scenarios shown on the slide: Normal Day; Stolen Credentials; Created ID / Enrolled in MFA. Each check resolves to one of: Allow, MFA Step, PW-Reset, or Deny/Redirect.

• 617 Million Authentications - 90% did not have to take an MFA step
• Confidence to go passwordless
• Protected even if credentials are known and the attacker can get past MFA
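Slides 19, 21 and 22 list the signals an adaptive policy combines and the outcomes it can return. The Python below is an added example of such a policy, not SecureAuth's engine. It assumes the password and OTP stage has already passed (the "attacker can get past MFA" case above) and scores the request on device recognition, anonymous-proxy and threat-feed IPs, geo-velocity, phone porting status and account privilege, mapping the score to allow, an MFA step, or deny (PW-Reset is not modelled). The device store, Tor exit list, threat feed, ported-number list, last-login records and the three login contexts are all constructed sample data; a real deployment would source them from its own inventories and feeds.

```python
"""Adaptive-authentication risk/context evaluation (added example, not
SecureAuth's engine). All reference data below is constructed sample data."""
import ipaddress
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc
# Stand-ins for a device store, Tor exit list, threat feed, carrier port-out
# feed, directory attributes and the last good login per user.
KNOWN_DEVICES = {"bob": {"dev-7f3a"}, "alice": {"dev-c912"}}
TOR_EXIT_NODES = {ipaddress.ip_address("185.220.101.1")}
THREAT_FEED = [ipaddress.ip_network("45.155.205.0/24")]
RECENTLY_PORTED = {"+15550100"}
PRIVILEGED_ACCOUNTS = {"alice"}
BOSTON = (42.36, -71.06)
LAST_SEEN = {  # user -> (time, (lat, lon)) of the last successful login
    "bob": (datetime(2018, 6, 12, 9, 0, tzinfo=UTC), BOSTON),
    "alice": (datetime(2018, 6, 12, 9, 0, tzinfo=UTC), BOSTON),
}
IMPOSSIBLE_TRAVEL_KMH = 900.0   # faster than a commercial flight
MFA_THRESHOLD, DENY_THRESHOLD = 25, 70


@dataclass
class LoginContext:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    phone: str       # number an SMS/voice/push factor would go to
    when: datetime


@dataclass
class Decision:
    action: str      # "allow", "mfa" or "deny"
    score: int
    reasons: list = field(default_factory=list)


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def geo_velocity_kmh(ctx: LoginContext) -> float:
    """Speed implied by the move from the last good login to this one."""
    prev_when, prev_loc = LAST_SEEN[ctx.user]
    hours = (ctx.when - prev_when).total_seconds() / 3600.0
    distance = haversine_km(prev_loc, (ctx.lat, ctx.lon))
    if hours <= 0:                       # same second, or clock skew
        return math.inf if distance > 0 else 0.0
    return distance / hours


def evaluate(ctx: LoginContext) -> Decision:
    """Score the context checks and map the score to an outcome."""
    ip = ipaddress.ip_address(ctx.ip)
    # Hard stops: an anonymous network or a known-bad source is denied outright.
    if ip in TOR_EXIT_NODES:
        return Decision("deny", DENY_THRESHOLD, ["anonymous proxy (Tor exit node)"])
    if any(ip in net for net in THREAT_FEED):
        return Decision("deny", DENY_THRESHOLD, ["source IP on threat feed"])

    score, reasons = 0, []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 30
        reasons.append("unrecognised access device")
    velocity = geo_velocity_kmh(ctx)
    if velocity > IMPOSSIBLE_TRAVEL_KMH:
        score += 40
        reasons.append(f"geo-velocity {velocity:.0f} km/h since last login")
    if ctx.phone in RECENTLY_PORTED:
        score += 30                      # an SMS/voice factor to this number is untrustworthy
        reasons.append("authentication phone number recently ported")
    if ctx.user in PRIVILEGED_ACCOUNTS:
        score = max(score, MFA_THRESHOLD)  # privileged accounts never skip the MFA step
        reasons.append("privileged account")

    action = "deny" if score >= DENY_THRESHOLD else "mfa" if score >= MFA_THRESHOLD else "allow"
    return Decision(action, score, reasons)


# Constructed scenarios: the slide's "normal day" and "stolen credentials".
NORMAL_DAY = LoginContext("bob", "dev-7f3a", "203.0.113.10", *BOSTON, "+15550199",
                          datetime(2018, 6, 13, 9, 0, tzinfo=UTC))
# Bob's real password and OTP, but from an unknown device in Kyiv three hours
# after his Boston login: the credentials are right, the context is not.
STOLEN_CREDENTIALS = LoginContext("bob", "dev-0000", "198.51.100.23", 50.45, 30.52, "+15550199",
                                  datetime(2018, 6, 12, 12, 0, tzinfo=UTC))
PRIVILEGED_NORMAL_DAY = LoginContext("alice", "dev-c912", "203.0.113.10", *BOSTON, "+15550177",
                                     datetime(2018, 6, 13, 9, 0, tzinfo=UTC))
```

The weights and thresholds are arbitrary; the shape is what matters: hard stops for signals that are never legitimate (anonymous network, threat-listed source), additive scoring for signals that are merely unusual, and a floor for accounts whose compromise is expensive. One caveat the example only hints at: a recently ported phone number should also change which MFA method is offered, because an SMS or voice OTP sent to that number now reaches the attacker, so raising the score and then stepping up to SMS would defeat the point.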

Page 23:

Calculating Business Value - Removing Disruptions Has Benefits (5000 User Organization)

• Save 2 minutes/day (240 x 2mins = 8 hrs/yr)

• $24/hr x 8 hrs/yr = $192/yr

• $192/yr x 5000 employees

= $960,000 in saved labor costs/productivity gains

www2.secureauth.com/SSO_Calculator

Cost Savings Calculator

Page 24:

Calculating Business Value - Passwords Can Be Expensive (5000 User Organization)

• 7500 Password Reset Calls/year
• $20/call

= $150,000 spent annually on password resets

www2.secureauth.com/Password_Calculator

Cost Savings Calculator

Page 25:

What Have We Covered Today?

• Cyber attacks are increasing despite increasing security investment
• Cyber attackers are often taking the path of least resistance and mis-using valid credentials
• 2FA is not enough and attackers are increasingly figuring out ways past it
• Security in layers has proven effective
• Context around any given access attempt/authentication improves security without causing undue disruptions to users

PHISH-PROOF USERS

Page 26:

QUESTIONS & ANSWERS

Page 27:

© 2018 by SecureAuth. All rights reserved

THANK YOU