Who is Watching the Watchers - An Interview with Marton Illes of Balabit.


Interview with Marton Illes of Balabit:

Cyber Security Dispatch: Season 2, Episode 07

Show Notes:
On today’s episode of Cyber Security Dispatch, we welcome Marton Illes, Director of Privileged Access Management at Balabit. Marton is here to talk to us about his work and role in the company and also to shed some light on this area of cyber security. Most of us are familiar with the idea of privileges in varying forms, but Marton is here to explain exactly how they can work to an organization’s benefit and the services that Balabit provides. Our guest gives us his background in security and then lays out the ways in which privileges can work in company systems, as well as some of the pitfalls to avoid. We go on to discuss the idea of monitoring and how to monitor those in higher positions, the so-called super-users. Marton details certain pain points within this area and openly describes some of the shortcomings of the technology. From there we go on to discuss current security affairs such as GDPR and the impact of the cloud on his work.

Key Points From This Episode:

  • Marton’s background and the current climate of privileged access management.
  • Managing the changing roles of privileges within hierarchical organizations.
  • How the inevitable shift to the cloud is changing cyber security concerns.
  • Who watches the watchers? What is the freedom of a super-user?
  • Points of friction within and without organizations around admin roles.
  • The increasing space of AI and what that means for job creation.
  • The lack of development in cyber security skills due to increased AI roles.
  • Data regulation and balancing freedom with control.
  • Comparing Europe and the US and the influence of GDPR.
  • Who should be considering the option of security privileges?
  • And much more!

Links Mentioned in Today’s Episode:
Marton Illes on Linkedin — https://www.linkedin.com/in/martonilles/
Balabit — https://www.balabit.com/
EC2 — https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
S3 — https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonS3.html
Salesforce - https://www.salesforce.com/
GDPR — https://www.eugdpr.org/

Welcome folks to another edition of Cyber Security Dispatch. In today’s talk, we are going to be catching up with Marton Illes, Director of Privileged Access Management at Balabit. The episode is titled, Who is Watching the Watchers? Our focus is going to be on user privileges, the need for AI and ML tools to augment the SOC operator and not replace him or her, and the frictionless security that allows lines of business to see security as a value that ensures business continuity, rather than a roadblock they need to skirt around.


[0:00:40.5] Ashwin Krishnan: Welcome to the Cyber Security Dispatch. We have a very interesting guest today. Marton Illes, is that how you pronounce your last name?
[0:00:48.3] Marton Illes: Yup.
[0:00:49.3] AK: Okay, close enough.
[0:00:50.2] MI: Close enough, yeah.
[0:00:52.1] AK: So we are actually going to be talking about what his company really does, so we can break any suspense right now. But we are really going to talk about two things that have plagued the industry for a very long time. One is about the whole issue of privileges and what access privileges really mean and why it still continues to be such a contentious issue; that’s number one.
I think the second thing is really talking about the impact of not protecting a breach, and letting it wallow for a long period of time. Even that continues to be something - that we struggled with a decade ago - that still continues to plague us today. Again, I think we’ll have enough to talk about in the next 25 minutes. Before I do that, let me hand it over to Marton, to talk a little bit about himself and what he does.
[0:01:40.5] MI: All right, let me just give a brief introduction. My name is Marton Illes, so your pronunciation is pretty good. I’m from the company called Balabit. Basically, what we are doing, we are working with privileged user management or privileged access management, that’s where we are basically coming from.
Just back to your original question and first things first: why privileges do matter and why we still need to work with them. When you look at privileged users or privileged accesses - basically, the need to have privileges just to do your work - in an average environment in an average organization, users do require certain privileges in order to do their daily jobs. Without that it would be very difficult for them to work. Just take an example like a system administrator or database administrator; if you revoke the system administrator rights or if you don’t give them the tools to run certain privileged tasks or jobs, they won’t be able to work, and that’s why we need the privileges.
But also, it’s like a double-edged sword because we need to give them the privileges but also then the question comes, how do we control, how can we oversee what they are doing and how they are using those privileges?
To answer from another perspective, I think privileges will stay with us for a long, long, long time in order to make sure that people can work. The types of privileges are changing over time, so if you look back 10 or maybe 15 years, you’re talking about root privileges or administrative privileges. While the world is changing, it’s now much more fine grained but still - at the end of the day - it’s still privileges, so it means that someone can access data or modify data or access systems or modify system states, and these people still need to have those privileges in order to work.
[0:03:21.4] AK: Yes, so tell me a little bit about this, which is, like I mentioned earlier, everybody needs something to get their job done, right? One of the things that I frequently encountered is let’s say my boss decides to take a vacation or assigns me as system admin or something. For me to get my job done, I’m assigned some sort of privileges, which is over and above my normal day job just because the so called super user is absent – is it still true that there are no processes in place where once the super admin comes back or once I’ve got my job done, it automatically revokes those privileges back? Is that still something that plagues us today?
[0:04:00.0] MI: I think it’s changing and it totally depends on the organization themselves. They may treat the organization from a security perspective - all of this you see less and less. One holy super user or one [inaudible] user who can do everything. They are trying to break out this super user privilege.
Also, it’s much more about how you control which regular user can act as a super user in order to act on a certain task. So that is much more where discussions are today, like: how can I control, either from a time or an access perspective, what the users can do?
This is exactly what we are trying to help with. Give the tools - which is still, you know, security is always the question of usability versus security. In order to be efficient, we need to give the tools to the organization so that it can delegate this super user or privileged access right to a given user for a given task at a given time - so define when certain people have access to some sorts of systems.
[0:05:03.8] AK: Let’s extend this now to the cloud. We can’t have a conversation without the cloud.
[0:05:07.6] MI: Of course.
[0:05:10.7] AK: Has everything in the state now got to this stage, where it’s really based on the database admin or any other kind of infrastructure either. How does that account go in once it’s moved on? Is it the same set of folks, that a super user on-prem is the same super user on the cloud or are these so-called experts, the Google experts who mastered what EC2 or S3 is? Are those people now holding the keys to the kingdom and is the impact of what they can do less or more now that they have a cloud? How does that change the equation?
[0:05:45.6] MI: I would say, it doesn’t change and it changes as well. It very much depends on what type of cloud usage we are talking about. 
You talk about like infrastructure as a service, it’s basically just someone who has computers. We still have the root account and all the accounts need to have control for monitoring over.
We talk about much more like platform or software as a service type of cloud, then there is a slight change there. For example, right now, we even consider released access, someone who has access to a Twitter account - we can see a Twitter account can be very powerful - to take it back, or a Facebook account or any social media. Plus, if you look at like Salesforce, like another cloud service, someone who is the Salesforce administrator is in some way a privileged user. I would say like, there are different types of privileged users and certainly, we need different types of controls and also different types of monitoring capabilities too, to monitor that.
[0:06:39.5] AK: Okay, then, that leads to a really interesting question which is, you mentioned monitoring, right? Which means oversight of these users themselves. I mean, who actually does this monitoring of the super user? Are you looking at automation software, AI? It’s almost like saying, “I’m Superman,” and somebody has to make sure Superman is actually doing his or her job right.
[0:07:01.6] MI: Yeah, this is basically where Balabit is coming from. To look at the who watches the watchers problem, this is exactly what you’re asking about. I think it’s a multi-fold thing, like in one case, are we going to talk about that there are users who are actually running the IT operation and have super user privileges and there’s another set of users who are like the security team, and this is a segregation of duties.
Once it’s done properly, and once I have these control and monitoring capabilities, there should be no overlap. Then comes the monitoring part. In many cases, what we see is it makes a difference that you know that you are being monitored. People think twice about what they are doing, and then, for example, what we do at Balabit is we are applying machine learning technologies, because the problem at the end of the day is that, even if you are using monitoring, it’s too much data.
Even if you look at like the control part, like what entitlements users have, it’s too much data. AI or machine learning can help significantly from a perspective to understand what user privileges are there, what we call at Balabit: monitoring at rest. Or what users are doing, some monitoring like activities and combining all these together.
[0:08:14.6] AK: Interesting. If you were to kind of put this in perspective in an enterprise, do you see friction between organizations, lines of business, that need to get their job done? Is this kind of monitoring something that needs to come down from a security handled perspective, and compliance perspective as a, “Hey, you won’t be able to launch this new CRM (Customer relationship management) tool or this new marketing campaign unless you have this in place.”
Or, do you think the evolution of the maturity of the organizations is already getting to that level where lines of business - themselves - feel that they’ve had outages or they’ve had issues, where the user has stolen credentials. I mean, has the needle moved at all or is it still this kind of fist fight going on inside organizations?
[0:09:01.0] MI: It’s a rookie question I would say. I would say still, a line of business wants to do the business and our experience at Balabit shows that they don’t really care about security. Security is still like, not even a second-class citizen, probably the third or the fourth class citizen.
[0:09:14.7] AK: Hey, thanks for your honesty.
[0:09:16.5] MI: That’s just life. I think that’s why it’s very important that we need to make security as frictionless as possible. We don’t want a lot of business to care about security but still, you want to come up with a solution where they can benefit from the security. That’s why at Balabit, we believe that it’s very important to combine the control and the monitoring aspect.
Because basically, the control aspect is the one that - really I would say - freaks out the business people because it’s another control - I need someone to approve it or an additional approval. Don’t get me wrong, these are very important but you cannot add like a third, fourth or a fifth layer on top of that because people will just find a shadow IT solution.
[0:09:55.1] AK: Right, exactly.
[0:09:56.6] MI: What we are saying is that it should have the right balance of combining this control type of security with the monitoring type of security. Monitoring is much less invasive, so people are just doing their daily job and like all of a sudden, they just get authenticated.
Just by looking at their behavior, for example, which is a very attractive thing. We don’t really change the way how they do their job but still we get some of the benefits of what this type of security can provide.
[0:10:24.8] AK: It’s interesting you mentioned that because talking about benefits and being monitored, right? This morning when I was here, I get an email saying, “Hey, 36 Euros have been charged to your credit card. If you’re okay with it then you don’t need to do anything. If not, please call us on this number,” right?
So I called my wife, she had done the transaction so everything is okay. I like that kind of monitoring, right? This is actually giving me the ability to stay in control of how my credit card is being used. The question is: are Balabit and other kinds of companies getting to that point where the actual value of what monitoring will bring is being elevated to a point where you can say, “Okay, I get it. I know what the value is here.”
[0:11:08.0] MI: I think yes. There are many drivers for that. For example, obviously compliance being like a very serious driver - organizations need to be compliant. We see more and more organizations moving into the direction where they want security for the sake of security because they don’t want to make it to the headlines, for example.
It’s a very interesting example you brought up. This is something actually we also do at Balabit, what we call ‘Push to Confirm’. For example, we’re running our monitoring and we are running all the machine learning or AI based analytics. If we detect something suspicious based on certain behavioral aspects, then we can notify the user and check whether that unusual activity was really an intentional one or an unintentional one.
Now it’s very interesting – remember, it’s also like reminding the user that they are safe, they are being watched, but also it’s like a very fast feedback loop that the user can say “No” or “Yes.” Also, if you look at another problem, and I think that’s again still a topic of interest in 2018, organizations cannot find the talent to run their security operations center.
As much as you can automate, and instead of letting the security operations personnel pick up the phone, call the guy and ask like, “Was it really you or not?” This is something that could be automated. The point when the user gives the feedback, whether it’s positive or negative, we already took over some of the very repetitive job of the security personnel, who can spend the same amount of time and effort on something much more meaningful.
[0:12:37.2] AK: Yes, I’m going to ask you a slightly tougher question right now.
[0:12:40.9] MI: All right.
[0:12:42.0] AK: Heading down the path, because you mentioned something that has been kind of making headlines right now, which is really: is AI and ML actually going to take away jobs? In some sense, either obviously or subtly, is there assistance inside organizations where in common, exactly like you say, you position tools which traditionally people have been doing, however flawed, because people have a number of alerts coming in and being able to react to that.
Is there a sense that we’ve come to a point where there is — these realizations on the C-suite level that this is big. This mitigation cyber insurance is constantly doing nothing et cetera. The actual practitioners who have actually been doing stuff like this, how is that going to be solved? I mean, if you don’t solve the people problem, we can talk all day long and nothing happens.
[0:13:33.6] MI: That’s a very good question. I think it’s really, focus is the really important part. Now, machine learning or this type of automation can be done in very different ways. At Balabit, we believe that this type of automation and machine learning should not replace the human factor.
Rather, what we are trying to say is get all the job that could be done by a computer in an efficient way and let the computer do it, maybe it’s like the 80/20 rule. Let the computer handle the 80% of boring stuff. I mean, who wants to look at hours and hours of recording or who wants to look at gigabytes of data, it’s just not efficient.
Also, human beings could be biased when looking at data. What we are saying is take the data that could be easily processed by a computer and let the computer, whether it’s an AI or just simple machine learning doesn’t really matter, process that data. Understand, like we have for example at Balabit, like thousands or 10,000 hours of recordings of privileged users, you know, like running their daily job. It’s super boring to look at.
So we are utilizing the machine technologies to detect the unusual part and then we are signaling and giving a reason why those are unusual. That’s exactly the point to rely on a human being - we don’t try to be like 100% automated - but we say that if a security operations center guy has like 15 minutes to evaluate an alert, then he or she should spend that 15 minutes in the most efficient way.
Even if we can take off some of let’s say, just half of the other thing, then that person will have 30 minutes to evaluate something and we want to make sure that that 15 minutes or 30 minutes is spent in the most efficient way. 
So I think the last thing that people should be worried about is AI taking over their job. Of course there are certain jobs where AI could potentially take over, but what people very much advocate at Balabit is that you should train your person and there should be decisions that only humans can make, and it is not really efficient or not really accurate to make them by a computer or an algorithm.
[0:15:29.7] AK: Okay, which leads me to another interesting question, which is you mentioned a lack of talent, cyber security talent, right? So the machine is doing its number crunching, coming up with its recommendation. The impact of a human actually saying “Yes” or “No” is far greater, right? So you are still looking at the need for – but it has to be at a much higher level. A much more advanced level to begin to understand the impact of what they are doing. 
Which is, versus somebody – I mean if I am doing a system admin change and I’m doing a CLR change is one thing, but if all of that is automated to be taken over by computers and then it’s like, “Hey do I hit the new button or not?” It still requires a high degree of sophistication. 
[0:16:12.4] MI: Yes and no, I would say. So obviously there are certain decisions, that were made by humans and still will be made by humans, that require a certain talent or certain skills, there’s no question on that. But also what we need to be able to understand then, and that’s really again what, the way how we are trying to tackle this machine learning thing at Balabit, is that we are trying to help these people. Instead of them spending a lot of time to understanding a situation to make an educated decision, they are trying to provide all of the details that are required. 
So actually the important part of the human decision is to understand the fact and if they can help with the machine learning then still, we all need to do the boring job. So I would say it is in many cases just the opposite of what you are describing. 
[0:16:57.1] AK: Okay so it makes it more exciting.
[0:16:58.5] MI: Yeah actually because you don’t need to do the boring part.
[0:17:01.3] AK: Yeah. So let me come back to other things, which again, as an AI involved company you probably have to deal with this is, there is a lot of data that is being collected for you and others and that Facebook came out saying that they are not going to escape that. What sorts of protections have been put in place where everybody who wants to collect data has a sense of their own space?
So, from a data privacy standpoint, what is your stance, what do you think the industry needs to go out with right now where you have to balance the fact that hey, you’re only as effective as the data you collect, sure the data you collect belongs to somebody else and how much better are you to collect that? 
[0:17:39.5] MI: That is a very good question and, being a European company, we are coming from Europe and especially Germany, where there are some really strict rules and regulations around that. I think the important part here is again, to understand that the customers or the organizations that we often deal with, they are not – it is not customer data. It’s their privileged users, their own employees or their subcontractors or vendors actually working on their system and accessing their own customer data.
In order to protect the customer data, we are monitoring the privileged users, and these privileged users, I would say 99 or probably 100, I wouldn’t say 100%, there is no 100% in security, but in most of the cases they are aware that they are being monitored; so that is an important factor. More so in another aspect, we are basically trying to do two things here. One is that you want to make sure that people understand they are being monitored.
So they have a lot of features around them, notifying them when they are logging in the system that their session is being recorded and the other thing is that they provide different levels of encryption. So we are encrypting all that sensitive data and we have different cold call mechanisms to protect who can access those recordings. Just to give you an example, we have some German customers where the trade union is very strong. 
So they are saying that, “You have to understand you need to monitor privileged users but you don’t want their managers spying on them,” so what we are doing, we are using like a multi-factor authentication where it isn’t just one key for the encryption: one is held by the security team and the other is by the trade union. So in order to understand what a person was doing, both the trade union and the security personnel need the data.
So it is another form of protocol and it is very important to do that. It’s just the monitoring system needs to provide a right way of doing it. 
[0:19:21.5] AK: So let’s switch gears for a while. The one thing which you mentioned, which is being a German company sitting in the EU, from a customer sophistication standpoint how are you seeing where GDPR (General Data Protection Regulation) has taken the awareness of the new enterprise perspective versus the rest of the world? Are you seeing any difference in sophistication and maturity and understanding for what you bring to the table, depending on which geo customers are in?
[0:19:48.8] MI: So I think the interesting fact about GDPR is that it is not just about EU companies. It is basically about any company who deals with EU citizens, which is pretty much every global company, so I would say in that sense it is really not a big shock. We understand it is much more like companies are made aware that they should care about their customer data. For example, when the [inaudible] regulation actually came out it was like a big shock for the publicly traded companies, especially because there was very strict enforcement and CFOs were very much made aware there, so very similar things are happening with GDPR and it is not just happening at the EU or European level but it’s also happening on the global level.
[0:20:28.9] AK: Got it, okay so I think that we are almost out of time. Any last final thoughts to our audiences in terms of people who are looking for, “Okay does my organization have access privileges? Is that an issue for me?” What would you tell them? 
[0:20:42.7] MI: So it is basically what we are iterating over and over, that you need to care about access. Access rights and what entitlements users have - you won’t get away from that. So what we are trying to say at Balabit is that it should take like a two layered approach. Firstly, it was obviously controlling who has access to what. The second was monitoring and understanding, not just from the perspective that if someone is doing something out of the normal - that is a very important part - but also mapping to like what the person is entitled to do and what is happening in real life, to close that gap between policies and realities.
[0:21:20.6] AK: Yeah, so I think a very fascinating conversation and I can honestly say, I thought the same way. So thank you for your time Marton and I think this has been very illuminating. Hopefully the readers will enjoy this as much as I do. 
[0:21:30.6] MI: Thank you very much for accommodating me.