New methods for addressing insider threats: A roundtable discussion

By John Dix, Network World | Security, insider threats

AMMON: I believe you have to separate authentication from authorization. This idea that you authenticate yourself via legacy mechanisms like VPN and then you're allowed to move about can no longer be tolerated. You should authenticate yourself and only then be provided the specific access you need. It makes it much easier to monitor. You get rid of a lot of the noise, particularly with privileged users. 

And once you're containing and controlling and monitoring that access, you have to move to a level of in-line enforcement rather than post analysis. So you want to be able to enforce your policy in a more proactive way, and I think you want to provide tools that are more efficient. I know we have moved away from using the log data as the primary format to a full recording of the session. So if it looks like someone has attempted a violation you can replay exactly what they were doing on the screen and that greatly reduces the task of trying to stitch together the pieces.

Are some organizations out in front on this, doing it properly using all the latest tools? 

AMMON: I was on a panel about a month ago, and one CSO gave a very thorough presentation about this issue and everything they were doing, and on the other side of the spectrum, the other CSO didn't have a clue there was even a focus in this area and technology available. So I think you've got real peaks and valleys.

RIFAI: I couldn't agree more with that. Some clients have their perimeter under control, their network under control, but they still have this deficiency in understanding what's happening to their sensitive information, while others are aware and making the appropriate investments and even driving a lot of the requirements. That's not the majority right now, but it is certainly moving in that direction.

AMMON: When we get a new customer, we typically see they have been attempting to cobble together a solution made up of existing security investments. And inevitably they learn that building and maintaining that is a very expensive endeavor. And it never really satisfies the auditor because it is so distributed and never really worked in the first place. There are many security investments doing exactly what they were supposed to, but they don't necessarily extend to some of these other use cases. So there is growing recognition that the existing approach is probably never going to quite get you there and you need something new.

OGREN: I've seen some companies doing this, John. Like in industries such as finance, where they need to be able to monitor user behavior and report on that. A lot of that is driven by a sea change in the technology -- someone comes in with a tablet or a phone and bypasses the firewall and everything else and the old perimeter model is simply long gone. 

Originally published on Network World.