Vlog: Pipelines, Executive Orders, and More with Mike Engle

1Kosmos CSO, Mike Engle, and CMO, Michael Cichon, discuss a variety of topics including ransomware and executive orders in their recent vlog.

Michael Cichon:
Hey Mike. Quite a day, huh?

Mike Engle:
Yeah, it was a good one. It’s been, jeez, about 24 hours since we had a major breach and an executive order passed, right?

Michael Cichon:
Exactly. Well, listen, I wanted to catch up with you before the sun went down, at least in California.

Mike Engle:
Yeah. No, it’s good to be here. We’re 24/7 in this work-from-home COVID world.

Michael Cichon:
So, in all seriousness, I want to get your take on the executive order, especially coming on the heels of this attack at Colonial. I mean, this has happened before. We’ve seen government attacked, we’ve seen major businesses attacked. We haven’t quite seen people filling up plastic bags of gasoline, but we have seen passwords being called out as the initial attack vector. And this has been called out by experts. So, why all the panic now?

Mike Engle:
Well, you’re right, there is something different about this one. It’s the size, the scale. It’s the impact to so many Americans, right? People didn’t take security seriously until 9/11. It takes typically a major incident for people to do the right thing sometimes and that’s what’s going on here. So, despite all the security professionals doing the best they can, they’re slammed, they’ve got new challenges with everybody being digitally remote connected. But the criminals are taking advantage of it, and it just takes one weakness in a system and that’s it, the bad guys will get in. So, companies are spending more time implementing systems than fighting attackers. They don’t have time to really catch their breath.

Michael Cichon:
So, I guess that might explain why you and me are here on LinkedIn?

Mike Engle:
Yeah exactly, exactly.

Michael Cichon:
Okay. So, what to do about it? I mean, what’s the takeaway here?

Mike Engle:
Well, the executive order is spot on, right? Better sharing, zero trust, better security controls. It says all the right things. And what’s different about this, I think, this time, is we have a very fresh incident in our minds. We’ve got people buying dozens of gas cans and, as you said, pouring gasoline into plastic bags, which just sounds horrific. I don’t know how that’s going to work when you go to put that back into your vehicle the next day. That’ll make for some interesting TikToks, right? But the executive order does touch on actually the right things.

Mike Engle:
And what’s really great about it is it has timelines, right? Reviews in 60 days, implementation deadlines in 80 days. So, it’s a step in the right direction. We’re working with a whole bunch of companies to implement these controls. We’ve been doing it for a few years but obviously things are a lot more aggressive now. So, while this has been focused on the government sector, I definitely expect this to have bleed-over into the commercial sector as well.

Michael Cichon:
Well, so can you talk about who you’re working with?

Mike Engle:
Yeah. A couple of our large Wall Street banks and telco partners, for example, either them directly or through their downstream partners, are looking to use now identity for log on, right? Usernames, passwords, 2FA. We called those hope-based authentication. You hope they have the right password. You hope they get their text message. You hope that somebody else hasn’t compromised it etc. So, what they’re doing is now using identity, right? A trusted credential to get into their systems without usernames and without passwords, right? So, a bank right down the street from us here in New Jersey are using it to get into their front door, with identity.

Michael Cichon:
So, is the takeaway that we have to have a cataclysmic problem to move on this type of thing?

Mike Engle:
No. Companies have been moving in that direction, but this is a catalyst that will really accelerate change, right? So, first the government. I understand there’s a lot of non-top-secret or lower-security systems that are still using name and password, just from dealing with our government partners. That’s going to change because those are typically a foot in the door. So, blocking all them off is going to happen now at a much accelerated pace. And in the commercial sector, our consumers are doing the right things.

Mike Engle:
They’ve been doing this for a long time. So, they’ve all had username, password, and typically a token or code. But that in itself is a huge productivity waste, right? Just dealing with passwords, having to change them every 90 days, protecting your code, what happens if you lose your code? So, we’ve been moved to mobile being your primary authenticator with biometrics built into the mobile, and you’re in in one step, one second, without even touching the keyboard. And so they’re looking at it not only from a security perspective, because it is more secure, you can’t intercept a biometric, but it’s really about the user experience and getting rid of the burden on the help desk.

Michael Cichon:
Got it. Got it. The executive order mentioned, I think, zero trust. Now, I’m not an expert on zero trust but this also sounds like maybe an area where government might be a little bit ahead of the private sector. Is that true, or can you talk about that a little bit?

Mike Engle:
Yeah. Well, definitely for top-secret systems, they’ve had requirements around credentials, credentialization, smart cards and things like that that are way ahead. There’s always that risk-reward, right? Imagine if you made your 20,000 employees have smart cards, multiple for different systems, smart card readers at home, biometric readers at home. Right? It would be a disaster. So, the government’s been ahead, but that’s also been incredibly expensive. It slows things down. It can take you weeks to get a credential replaced, or even just a credential in the first place. But now today, we’ve got really the equivalent of a smart card in our hands.

Mike Engle:
We’ve got a phone with a trusted platform module in it, right? That’s a fancy way of saying a super-safe place to keep the equivalent of a smart card certificate. So, we leverage that. It’s in everybody’s hands already. And we leverage real user biometrics. And we really have something that’s on par with what the government’s been doing. So, I see this as an accelerator to get that adoption to more and more companies very quickly, especially with the Russians knocking at our door.

Michael Cichon:
Yeah, no doubt, no doubt. All right, well listen, I appreciate you taking time, I know it’s late. Thanks for summing it up and I’ll reach out next time news like this breaks.

Mike Engle:
That sounds great. I’ll see you at the gas station.

Michael Cichon:
Thanks Mike.

Mike Engle:
All right, take care.

Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes serving as head of information security at Lehman Brothers and co-founding Bastille Networks.