ISMG Editors: How a Teen's Hack of Uber Adds to MFA Crisis
Also: SD-WAN, SASE Trends and Big Gaps in Security Culture

Anna Delaney (annamadeline) • September 23, 2022

In the latest weekly update, ISMG editors discuss the industrywide implications of a teenager hacking into Uber's internal systems, key trends in the new Gartner SD-WAN Magic Quadrant report, and how ethics and security culture are center stage due to recent CISO revelations at Uber and Twitter.
The panelists - Anna Delaney, director of productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Michael Novinson, managing editor of business - discuss:
- What the hack of ride-hailing service Uber by a teenager in another high-profile multifactor authentication bypass attack means for the worldwide security industry, which heavily relies on MFA;
- How the conversation around single-vendor SASE versus multivendor SASE is evolving and whether Gartner's projection of 50% adoption of a single-vendor approach to applications, gateways and zero trust will come true;
- The recent security incidents and revelations at Uber and Twitter centering on former CISOs and the nagging questions they raise about ethics, security culture and the future of cybersecurity leadership.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 9 edition with cryptocurrency expert Ari Redbord and the Sept. 16 edition discussing the increasing use of intermittent or partial encryption by ransomware gangs.
Anna Delaney: Hello, and thank you for joining us for the weekly edition of ISMG's Editors' Panel. I'm Anna Delaney, and this week I'm joined by two of my esteemed colleagues to discuss and digest some of the most important and interesting cybersecurity stories of the moment: Mathew Schwartz, executive editor of DataBreachToday and Europe, and Michael Novinson, managing editor for ISMG business. Great to see you both.
Mathew Schwartz: Great to be here.
Michael Novinson: Thank you for having me.
Delaney: Matt, Uber is in the news again this week. As it emerges, a young hacker gained access to pretty much everything in Uber's internal systems, including customer data. What happened?
Schwartz: Yes, so it's yet another MFA bypass attack. We've been seeing so many of these recently. A lot of organizations have multifactor authentication (MFA) in place. When you try to log into a resource or access the corporate network, especially if you're remote, you'll get a window that opens up on your system that says, "Is this you? Do you want to log in?" Unfortunately for organizations, a lot of employees appear to be falling for these types of attacks, and remote hackers are able to spoof them into providing them with access. The latest victim is Uber. But we've been seeing this left, right and center. Okta was one of the big organizations that got hit. Mailchimp, another. And the MO, if you will, for a lot of these attacks is we have these apparent youngsters, oftentimes it seems, finding these bypass tactics. In the case of Uber, as you mentioned, this seems to be a teenager, based on information that's been doxed about the alleged attacker. This teenager looks like he was able to bypass or access Uber's Duo Security, its OneLogin, its Amazon Web Services and Google environments, as well as various tools, and also the bug bounty program that Uber participates in. There's a lot to take away here for any CISO. I think the big one that I'm going to highlight is hardware keys. Well, anything that's kind of FIDO compliant, the likes of YubiKey. What we've seen from the organizations that have been targeted but not fallen victim, and Cloudflare comes to mind, is that they're using hardware keys, because this means that unless you've got the key, you can't be given access to the network. In other cases, though, employees keep getting tricked. This isn't employees' fault. This is the fact that attackers have found a way to game the MFA system in order to trick the employees into giving them access, and they can get in remotely.
A lot of people think MFA will stop anything, but it's yet one more defense, and you need to have layered defenses that organizations can and should have in place. But we're seeing, as with Uber most recently, it's easy to bypass, or maybe not that easy. I shouldn't put it that way. But if you're a teenager with too much time on your hands, you've got the school holidays, we sometimes see a rise in attacks, I think because of that. They found a way to get past it. Like I say, the latest is Uber, and organizations should be studying this attack and figuring out if they could fall victim. If so, what can they do to help ensure that that doesn't happen?
Delaney: Pretty embarrassing if a teenager can hack into the system. Well, the hack - the social engineering, I suppose - how much sympathy do you have with Uber on this one? Because, as you say, MFA was implemented.
Schwartz: It's tricky. You do have sympathy, don't you? We've gotten data breaches here. Uber says it believes that the attacker involved, using the alias TeaPot, may have just hit Rockstar Games, for example, and stolen some information, videos, source code, about the latest or upcoming Grand Theft Auto video game. This is somebody who's very good at what they do. Doesn't matter if they're 18 years old, or whatever. They're good at getting in, they're good at stealing things. Uber is an obvious target. I guess Rockstar Games is as well. But the Lapsus$ hacking group that this attacker allegedly belongs to has hit not just Okta, but also Microsoft, Nvidia, Samsung, Ubisoft, and many more. A lot of people like to say they were hit by a sophisticated attacker. But a lot of times this comes down to bored teenagers. Do you want to call them sophisticated? We don't need to argue that point right now. I do have sympathy. I think this should be a learning experience. We've seen some big names get taken down by these MFA bypass attacks, Cisco being another one of them; reputable companies with excellent security departments. This is a workaround that some teenagers, and now everybody else, will have figured out how to exploit. Anybody who gets hit with it going forward, I'd say you probably should have been prepared. You maybe have a few more weeks' grace period. But you need to lock this down, and you need to do it right away.
Delaney: Why aren't more organizations implementing FIDO2?
Schwartz: Cost is one thing. There was an interesting series of blog posts by a Microsoft researcher talking to me about the importance of hardware keys, especially as a lesson to be learned from all of these recent breaches. There's another security researcher who commented, "So does Microsoft have that implemented for every one of its employees?" This was a former Microsoft employee. The insinuation there is no, even Microsoft doesn't have these keys. There's probably going to be some user resistance to having to haul around a key like this. There could be some challenges getting it in place for all of the various applications that you might want to use it with. It's another cost. Maybe you've got to convince senior management. But you're going to have a much easier time of doing that with this crisis that we've been having with the MFA bypass attacks.
Delaney: Do you think we'll see some change there, then?
Schwartz: I would hope we would see some change there definitely.
Delaney: Has Uber said anything in the aftermath of this case?
Schwartz: They've been providing some updates about what did or didn't happen. They've committed to doing better; basically, they're going to be rotating their keys more often. A lot of the things that you would expect: they disabled some of the affected or potentially affected tools. They are continuing to review their code base. They say they don't think the attacker changed any of their code. They have separation, which is good, between their development and production systems. They don't think the attacker was able to get access to production systems, or to access credit card information, user data, any of that sort of stuff. Uber had some good defenses that everybody should have in place. Their testing environment couldn't be used to push code into their production environment, things like that. That's all good. That helped arrest the full impact of this breach. Uber's also said it traced the attack to a third party, one of its contractors, which again, we see very often. If an attacker wants to get in, they're not afraid to hack an organization in order to then pivot into a business that it does business for. We saw that in this case as well. Everybody should be reviewing the kinds of access that their employees have and also that their contractors have, and make sure they've got the right defenses in place. Yes, Uber has shared further details, and I invite all CISOs to learn from their missteps.
Delaney: Rich insight as always, Matt, thank you. Michael, Gartner's four-year-old Magic Quadrant for WAN Edge Infrastructure report has a new name this year - the Magic Quadrant for SD-WAN. What else has changed or not?
Novinson: Interesting question, Anna. Thank you for asking. Gartner did rebrand; it was a recognition that SD-WAN is just the term that the market is using for WAN edge infrastructure technology. Not a huge, meaningful change in criteria with the rebranding, but they realized, especially as the conversation revolves around secure access service edge, or SASE, that SD-WAN has become the main term used to refer to the networking side of that. In terms of this year's SD-WAN Magic Quadrant, we're seeing three companies pulling away from the pack, that being Fortinet, VMware and Cisco. I believe they're three market cheerleaders that our group and others have found, so they are definitely having the best ability to execute and have a pretty robust and broad set of SD-WAN tooling as well. What's interesting this year is that we're starting to see a pretty big divide between single-vendor SASE and multi-vendor SASE. Gartner has been pushing pretty hard now for vendors to adopt a single-vendor SASE approach, which means that they would have organic SD-WAN capabilities as well as organic security service edge, or SSE, capabilities, SSE consisting of cloud access security broker, secure web gateway and zero trust network access. Gartner wants vendors who are serious about SASE to do it all themselves rather than relying on partnerships. In terms of where that's going so far, Gartner says that today less than 10% of customers are using a single vendor for SASE, but they expect that number to hit 50% by 2025. It's working its way from the bottom up. Small and midsize businesses, mid-market customers, are starting to do single-vendor SASE. Since they have less specific requirements, they like the cost savings, they like the ease of use that comes from getting all of their SASE technology in one place. Where there's been more resistance is in the enterprise, particularly the upper enterprise, where there sometimes are unique configuration requirements or demand for best-of-breed technology.
If you look at the two quadrants right now, Forrester earlier this year had put out the first-ever Wave looking at security service edge. If you looked at the top three performing companies in the Forrester Wave for SSE, that being Zscaler, Netskope and Skyhigh Security, there's no overlap with the top-performing SD-WAN companies according to Gartner, which are Cisco, Fortinet, VMware, as well as Palo Alto Networks, Versa Networks and HPE (Aruba). If you take one step back on the SSE side, at that second, strong performer level, you will see Cisco and Palo Alto Networks, strong performers in SSE and leaders in SD-WAN. But vice versa, in terms of the SSE leaders, none of them at the time the Forrester Wave came out had a play in SD-WAN. Since that point, Netskope has bought its way into SD-WAN with an acquisition of Infiot, which will allow them to offer folks single-vendor SASE, but they're still also committed to maintaining a multi-vendor SASE strategy as well. They have a very close partnership with HPE (Aruba) for SD-WAN, and they're committed to offering customers flexibility. Where we see the market breaking down here is that Fortinet, Palo Alto Networks and Cisco are all in on single-vendor SASE. The executive I was speaking to from Fortinet made it clear that they are not looking to offer any partnerships around SSE, since they see that it's direct competition to what Fortinet can do. On the multi-vendor SASE front, Versa Networks, Zscaler, Skyhigh Security and HPE (Aruba) are fully committed to a multi-vendor strategy. They feel SASE is a team sport, and you can't be good at everything. Then, kind of straddling the fence in the middle, you see Netskope, which has the single-vendor offering now but still seems to acknowledge that a lot of customers will opt for multi-vendor, and VMware, which both has partnerships but also has some cloud security capabilities as well.
Delaney: Are you surprised by any of this or how it's evolving? Will there be a time where we see a single-vendor SASE dominate?
Novinson: I'm a little surprised by the amount of pressure that Gartner is putting on in this front, that they have a clear point of view. I do think that does influence where the market goes. I think we've seen this consolidation story in security before. If you go back to the mid-2010s, there was a lot of dialogue around creating platform security, a place where customers could go to have all their security needs met in one place. You saw Symantec, prior to its Broadcom acquisition, and McAfee, prior to the split of its consumer and enterprise business, going after this platform approach. It never took off, and we do see, at least among more robust security organizations, that they want to have top-flight technology, and sure, maybe they don't want 70 or 80 vendors, but they're willing to work with 5, 10, 15. I guess I do wonder at the customer level, particularly for ones that are doing rigorous security testing, I understand that they don't want to work with a different vendor for CASB, and a different vendor for SWG, and a different vendor for zero trust network access. That's a lot of things to configure and implement and manage. But if you can have simply two vendors, one who does security service edge and a second one who does SD-WAN, it's not going to be that much of an inconvenience for them. It's not going to be that much of a deal breaker. Or is it important, in order to optimize performance and to optimize simplicity, to go to one? Gartner sees that moving there. I think it's a question of, ultimately, they're saying 50% by 2025. Ultimately, what percentage of customers end up on single-vendor SASE? How fast do we get there? From my personal opinion, I think there's a lot of folks who are comfortable working with separate vendors for SD-WAN and for SSE. And I think that may stay that way for a little while.
Schwartz: I was going to ask exactly what Anna did. A lot of organizations are wanting to get this technology now, if they don't already have it. You have Gartner saying, wouldn't it be nice if it was all available from the same vendor. A lot of these businesses are saying, look, we've already got it, or we've decided to go, like you say, with maybe two or three vendors, maybe hoping to get it down to two. It just seems to me like we'll be revisiting this in a few years. I would be surprised if Gartner's vision comes to pass. We've seen so many calls for a single vendor for this, a single vendor for that. Like you say, there's so often tradeoffs with a platform approach. Things change, things evolve. I don't know, I'm not holding my breath, maybe.
Novinson: I think it's important to remember that all the top players started in very different spaces. Fortinet and Palo Alto Networks started as firewall vendors, Cisco in routers and switching, VMware in virtualization, Zscaler in secure web gateway. Skyhigh Security, as well as Netskope, started as cloud access security brokers. Fundamentally, as a company, you're going to be strongest at wherever you started. I think it's hard to ask even the best-capitalized vendors - or the Palo Altos of the world - to be good at everything. The broader you get, how robust is the technology? And then also, if you're relying on acquisitions to do it, how well integrated is it? One interesting note I'll just make on the SD-WAN side is that, essentially, of the six vendors who are leaders, all but two of them built their SD-WAN portfolios through acquisition. Only Fortinet and Versa Networks did it all themselves. HPE bought Aruba. Palo Alto Networks bought CloudGenix. Cisco bought both Meraki and Viptela, and VMware has also made acquisitions to get into that market. As you rely more and more on M&A, are you sacrificing some in terms of quality, integration and ease of use?
Schwartz: Just to have the boilerplate that says we have all of this stuff now that we offer. Yeah, definitely.
Delaney: Michael, thanks so much for sharing the latest trends. That was great. Final question - reflecting on the news stories of the year so far, which one stands out as having an important impact on the industry and security leaders? Something that's leading to or has led to a shift in the space?
Schwartz: Difficult question. I am going to go back to what I spoke about before. When you see these big-name organizations like Okta, and then customers of Okta, getting their data exposed because they're using MFA but hackers have found a way to get around it, I would say this is definitely much more than nuisance territory. I don't know, it's definitely not a SolarWinds level of thing happening. But I do think it's enough of a clear and present danger that, for my money, this is one of the things that I will be acting on now. Because if you can't guard against attackers accessing your network remotely, then you're not just going to have these darn teenagers that are part of Lapsus$, you're probably going to have those darn teenagers that are part of a ransomware group, etc. I will get that locked down as soon as possible. Again, not as sexy maybe as a nation-state attack of the SolarWinds variety, but probably the SolarWinds hackers are investigating this for their own purposes as well. Justify it however you need, but I'd say for my money, this is a story that's screaming out to act now.
Delaney: Very convincing, Mathew. We agree, I think. We cannot speak for you, Michael. But yes, indeed.
Novinson: Absolutely. I think from my standpoint, in the world of business, the impact of the macroeconomic downturn on the cybersecurity industry is the biggest thing I've been tracking. Cybersecurity is a fast-growing space, but it can't defy the laws of gravity, whether it's rising inflation rates, the war between Russia and Ukraine, or supply chain issues that affect this industry as well. One of the most interesting trends I think it's been driving is what we call take-private deals, or private equity firms coming in and buying publicly traded companies. We've been seeing a lot of it since the stock market peaked in November of 2021. Most notably, we've had Thoma Bravo purchase SailPoint. They've agreed to buy Ping Identity. They've had conversations with Darktrace about making an acquisition, although that ultimately didn't come through. Turn/River Capital bought Tufin. Now we have, just this week, Vista Equity making an offer to buy the remaining shares of KnowBe4 and take the company private at a valuation of $4.2 billion. What does this mean for companies when they leave the public market? It usually means a little bit more pressure on efficiency, taking out some of those general and administrative costs. There's no public reporting requirements anymore. Sometimes that leads to job cuts, and then also there's a lot of pressure to try to grow that total addressable market, or TAM. I know a common part of that Thoma Bravo playbook is to encourage targeted acquisitions to allow their portfolio companies to enter new markets and increase the amount of cross-sell and upsell activity. It was the playbook they followed with both Sophos and Barracuda, which under Thoma has made a number of acquisitions. You can expect some streamlining, some cutting in non-core areas, but also some movement into some new areas with smaller acquisitions when companies go private.
Delaney: So much happening in this space simultaneously. But I was going to talk about Twitter versus Uber. We've seen these two fascinating yet contrasting stories involving former heads of security for both organizations. I guess both bring up an interesting question around cybersecurity leadership and ethics and decision-making. The industry is watching both cases closely to see how they will evolve. We were speaking to former CISO David Pollino on the Proof of Concept show recently, and he says both of these cases speak to security culture, the security culture of a company. A CISO on their own just can't keep a company secure. You need the support of the board and executives, and you need to align, or you need to make sure the incentives and behavior are aligned, to promote good security practices. So perhaps pivotal stories around the future of cybersecurity leadership.
Schwartz: Former Uber CISO Joe Sullivan's case could conclude this week or very soon. That's fascinating. I think we're getting glimpses of what the culture was like at Uber. That's been part of the testimony. There's going to be some lessons to be learned there for sure. Especially if you're a CISO, make sure you've got legal cover before you do anything. With Peiter Zatko's, aka Mudge's, testimony recently and his whistleblowing about Twitter, a very different story of someone who left and said, "We're not doing good enough. I'm concerned." Slightly different story. But CISOs are in the spotlight, as you mentioned, which is maybe a little unusual, but hopefully for the best.
Delaney: Two revered CISOs, they are very well respected.
Schwartz: Extremely, both of them.
Delaney: Lots happening. As always, thank you very much, Mathew and Michael. This has been brilliant.
Schwartz: Thanks for having me, Anna.
Novinson: Thank you for the time. It's been a great journey.
Delaney: Thank you very much for watching. Until next time.