Bob Burke, Chief Information Security Officer at Beyond Identity, challenges the effectiveness of traditional multi-factor authentication (MFA) against today's threats. He argues that legacy MFA, which relies on out-of-band authorization such as push notifications, one-time passwords (OTP/TOTP) or emailed login links, is no longer sufficient. With phishing-as-a-service kits available for a few hundred dollars, an attacker can stand up an attacker-in-the-middle proxy that relays the victim's password and second factor to the real site in real time, so these controls only raise the attacker's cost rather than remove the attack. Burke's conclusion is that organizations need phishing-resistant authentication, and that the chosen solution should also take device posture and trustworthiness into account.
Burke also critiques the current state of FIDO2 and passkeys, calling them a major step forward while highlighting their limitations: a browser-based FIDO flow with a roaming authenticator yields little device posture, and the push toward syncable passkeys, made for consumer convenience, leaves users unsure which browser holds which passkey and changes the risk profile. He suggests that small to mid-sized businesses (SMBs) should at minimum adopt a phishing-resistant solution, and ideally one that combines browser protection with device authentication and device posture. Furthermore, he raises concerns about the pricing models of many Software as a Service (SaaS) providers, which often place essential security features such as single sign-on behind higher-tier subscriptions or additional SKUs, effectively discouraging customers from adopting more secure practices.
The conversation shifts to the endpoint detection and response (EDR) market, where Burke notes that while EDR solutions are still necessary, they are evolving into more comprehensive offerings like extended detection and response (XDR). He points out that many of these solutions are priced for enterprise-level organizations, leaving SMBs and mid-market companies struggling to find affordable options. Burke encourages these organizations to seek out solutions that fit their budget while still providing essential security capabilities.
Finally, Burke shares insights from his experience with the FedRAMP certification process, emphasizing the importance of building internal security competency (so that even trusted partners can be held accountable) and integrating security into product design from the outset rather than maintaining a separate FedRAMP product. He advocates for a clear internal compliance program, recommending the NIST framework as the core, to guide organizations in their security efforts and ease reciprocity with ISO and SOC audits. As the cybersecurity landscape continues to evolve, Burke warns that the tempo and scope of attacks are increasing, driven by AI-supported automation, and urges organizations to reassess their security architectures to stay ahead of emerging threats.
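Burke's point that legacy MFA only "adjusts the cost-benefit analysis" of the attacker, while a FIDO-style credential removes the attacker-in-the-middle bypass entirely, can be shown in a few dozen lines. The following is a worked example added to this page; it is not code from the episode, from Beyond Identity, or from any real phishing kit. The TOTP half follows RFC 6238 (HOTP per RFC 4226). The "origin-bound credential" half is a deliberately simplified WebAuthn-style flow: a real authenticator signs with an asymmetric private key and the relying party verifies with the registered public key, whereas here a per-device HMAC key stands in for that signature (an assumption made to keep the example dependency-free). The origins, seed and device key are constructed values. The property demonstrated, origin binding, does not depend on the signature algorithm.

```python
"""Attacker-in-the-middle (AiTM) relay: a relayed TOTP is accepted, a relayed
origin-bound assertion is rejected.

Added example, not code from the page or from any vendor. HMAC stands in for
the asymmetric signature of a real WebAuthn authenticator (assumption).
"""
import base64
import hashlib
import hmac
import json
import os
import struct

# Constructed origins: the real login page and a lookalike phishing proxy.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"


# ---------- Legacy MFA: TOTP (RFC 6238 over HOTP, RFC 4226) ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check; accepts the current window plus `skew` windows either side."""
    window = at // step
    return any(hmac.compare_digest(code, hotp(secret, window + d))
               for d in range(-skew, skew + 1))


def aitm_relay_totp(seed: bytes, now: int) -> bool:
    """The victim types the current code into the phishing page; the proxy
    forwards it to the real site a few seconds later, inside the same window.
    Nothing in the code tells the server it arrived through a relay."""
    code_typed_on_phish = totp(seed, now)
    return verify_totp(seed, code_typed_on_phish, now + 5)


# ---------- Origin-bound credential (simplified WebAuthn-style) ----------
def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser, not the user, fills in `origin` with the site it is actually
    talking to, and the authenticator signs over it together with the challenge."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64u(challenge), "origin": origin},
        sort_keys=True,
    ).encode()
    return {"client_data": client_data,
            "signature": hmac.new(device_key, client_data, hashlib.sha256).digest()}


def rp_verify(device_key: bytes, assertion: dict, expected_challenge: bytes,
              rp_origin: str) -> bool:
    """Relying party: type and origin must match, challenge must match,
    signature must verify over the exact client data bytes."""
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get" or data.get("origin") != rp_origin:
        return False
    if data.get("challenge") != _b64u(expected_challenge):
        return False
    expected = hmac.new(device_key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legit_webauthn(device_key: bytes) -> bool:
    challenge = os.urandom(32)
    assertion = authenticator_sign(device_key, challenge, REAL_ORIGIN)
    return rp_verify(device_key, assertion, challenge, REAL_ORIGIN)


def aitm_relay_webauthn(device_key: bytes) -> bool:
    """The proxy relays the real challenge unchanged, but the victim's browser
    signs the phishing origin, so the real relying party rejects the assertion."""
    challenge = os.urandom(32)
    assertion = authenticator_sign(device_key, challenge, PHISH_ORIGIN)
    return rp_verify(device_key, assertion, challenge, REAL_ORIGIN)


if __name__ == "__main__":
    seed = b"constructed-totp-seed"
    key = b"constructed-device-key"
    print("relayed TOTP accepted:", aitm_relay_totp(seed, 1_700_000_000))
    print("legitimate origin-bound assertion accepted:", legit_webauthn(key))
    print("relayed origin-bound assertion accepted:", aitm_relay_webauthn(key))
```

The relay succeeds against TOTP because the server's check has no notion of where the user typed the code; a 30-second window (plus the usual one-step skew) is far longer than a proxy needs. Push approval and emailed links fail the same way, since the approval is likewise not tied to the page the user is looking at. The origin-bound flow fails for the attacker even though the challenge is relayed untouched, which is the practical meaning of "phishing-resistant" here. Note what the example does not show: a credential bound to an origin says nothing about whether the device holding it is trustworthy, which is the device-posture gap Burke raises in the interview.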
[00:00:02] We're diving into some bold rethinking of cybersecurity identity and why traditional MFA might be setting us up to fail. My guest is Bob Burke, Chief Information Security Officer at Beyond Identity. Bob isn't just another voice in the security echo chamber, he's outspoken about the flaws in legacy authentication, critical of what he calls compliance theater, and laser-focused on securing today's messy reality. We'll talk about phishing-resistant authentication, why endpoint detection may not be enough, and more.
[00:00:31] If you're an IT service provider looking for real talk, you're in the right place. Let's get into it on this bonus episode of the Business of Tech. Well, Bob, welcome to the show. Right, thank you. Now, I was excited to have you on because you're a bit of a contrarian sometimes in the security space and have a couple of positions that I'm really curious about. The first one I want to dive right in with is you've said that you think traditional multi-factor authentication is failing, particularly in BYOD, bring-your-own-device, environments.
[00:01:01] That's right. So unpack your statements there. Like, what's broken and why hasn't the industry course-corrected? Yeah, I think, and we've talked about this quite a bit on our blogs, anybody who's familiar with Beyond Identity. So the threat landscape three, four or five years ago was a strong push to address those access problems through deploying multi-factor authentication.
[00:01:26] And the first round of multi-factor authentication was really just an out-of-band authorization, fundamentally, whether that's a push notification, you log in and you get a push notification, or you get an OTP or TOTP. And then they moved on to magic emails. And that was fine four or five years ago because the friction to actually attack you was much higher, and in the cost-benefit analysis of a typical threat actor the cost was pretty high.
[00:01:52] But in the last few years, we've seen a radical change in kind of that threat landscape where almost all of the attacks now are as a service, whether it's malware as a service or phishing as a service. And so fundamentally, it's very easy now for anybody to attack any company with a few hundred dollars. They can stand up a phishing as a service platform. They can get the infrastructure. They can get the templates. Really, there's a low barrier to entry.
[00:02:19] And those fundamental solutions, now that the cost-benefit is where it is and there are turnkey solutions to bypass them, whether you stand up an attacker-in-the-middle, they're no longer sufficient. So what you really need, and NIST has been very strong about this, is truly a phishing-resistant MFA. It's not good enough. Legacy MFA does not mean it's not phishable. It means it's a little bit harder to phish.
[00:02:43] So today, if you think you have an MFA solution and it's not phishing-resistant, all you've done is adjusted the cost-benefit analysis of the attacker. All of those systems are easily bypassed. Now, FIDO2 and passkeys have been positioned as the future, but you're critical of it as a solution. Like, where do you think this falls short? Yeah, so huge step forward. Now, we came out a few years ago. We were one of the earliest phishing-resistant solutions on the market.
[00:03:11] And we're super supportive of FIDO, but it does have its limitations. First of all, you really don't get a lot of device posture with a FIDO solution. It's usually in browser with a roaming authenticator, whether that's a YubiKey or some other solution. And also, the push has also been for ease of use for the consumer to make those passkeys what they call syncable.
[00:03:36] And if anybody actually has multiple browsers on their desktop and go to multiple sites, they're getting confused all the time about whether I have a passkey, I don't have a passkey, is the passkey in this browser the same as that one? And fundamentally, that changes the risk in the security profile. When we come in for enterprise solutions, we do support the FIDO standard, and we think that's a good start.
[00:03:56] But what we add to that is device posture, and we make sure that the credential that you have, which is at this point required for an enterprise, is embedded in the device, and it's not movable. Now, what does an SMB or a mid-market organization do? How should they be approaching addressing the solution? Yeah, I think at a very minimum, they have to look for a phishing resistant solution.
[00:04:22] And if they're going to start with FIDO, that's fine, but that's generally going to be in the browser. But if they want an enterprise, easy-to-use solution, they really have to look for a phishing resistant solution that provides both browser protection and also device authentication and device posture. Because really what it's about is it's not necessarily just the initial access that's a problem. It's also what happens after that access. And what happens if the device itself is untrusted? It's not just the individual, but the device is untrusted.
[00:04:54] So there's a lot of conversation around the SSO tax, right? That many, particularly software as a solution, delivery solutions, put proper integration of single sign-on behind a much higher tier. And they make customers pay tier to have that. So, for example, and it's significantly more expensive than most products. You know, what's your position on the way SaaS should be approaching this?
[00:05:23] Because right now they're actively discouraging customers from being more secure. Oh, that's exactly right. No, that's exactly right. So if you look at some of the legacy solutions, and like I said, they're all great companies with great products and great teams. But they're struggling with this SKU sprawl based on a legacy solution. And so when you start looking at it, and this goes back to the core proposition of any solution that someone needs to buy, is it has to be secure by design from the ground up.
[00:05:51] You can't actually look at security as something you buy post the SSO. And that also applies to compliance. It really has to come and it has to be part of the original solution. And it needs to be cost affordable. You can't expect someone to buy an SSO and then through 15 different SKUs add in the appropriate level of security that you need. Certainly when it comes to maybe you can argue there may be a really sophisticated ITDR solution, IPSM or something.
[00:06:20] But when it comes to phishing-resistant authentication, that is your authentication layer, it's core to the business. And you should expect that from whatever the SKU is. That should just come right out of the box. Okay. That's a good strong position. And I'm definitely for it. Now, the other area in particular is, as I was preparing to put this together, you know, one of the things that there's a lot of movement in the managed services space is around both endpoint detection and response solutions and also managed endpoint detection and response.
[00:06:46] But you've made some comments that you argue that the EDR space is already becoming obsolete. Like, where do you see that portion of the market moving? Yeah, I think it's not – I don't think it's – that the core functionality of EDR is not obsolete. You need an endpoint detection solution. I think what's happening is the EDR space is starting to evolve and they're starting to layer on more capabilities.
[00:07:10] So when you go and just say EDR, they really mean an XDR, which is really a solution that not only does your device trust, but it's integrated into more sophisticated backend, which starts to look at the entire ecosystem. Like every point solution, they're starting to evolve into something much larger. So you do need strong endpoint detection. There's no way around that. But it's going to take the form of a larger solution. If you look at some of the larger players like CrowdStrike, that is kind of where they're trying to pull their customers.
[00:07:40] But interestingly, these solutions are not necessarily priced or delivered for what I would argue is the vast majority of the market. They are priced and positioned for enterprise organizations and unrealistic for most SMBs, even mid-market. And I would argue even into the upper mid-market of that. These are enterprise solutions.
[00:08:01] So how do you recommend organizations of that size and the providers that serve them address the current landscape? Yeah. No, they have to look at solutions that are going to provide the minimum capabilities that they need. And I think what that's – and it is a tough situation. But that's also opened up the market for a lot of other companies that are coming in to serve that SMB market. And I would argue that Beyond Identity, in a lot of ways, kind of has recognized that early on.
[00:08:31] And I've run into that. Personally, I've run into that. And I can totally appreciate where people are. When I was at a previous company, we literally were told by some of our vendors that we're too small for them. And they just moved on to the enterprise. So I think you really have to look strategically at your security architecture. And you have to look for solutions that are budgeted for what you have. And there are a lot of other companies in the market that are trying to address that. Interesting. Yeah. And I would – I mean, thematically, I'm very much in line with that.
[00:09:02] We'll be right back after this message. This episode is supported by Synchro. Synchro, the integrated remote monitoring and management and professional services automation platform, is designed for mid-sized and growing managed service providers. Its latest innovations include an AI-powered smart ticket management system with automatic ticket classifications, guided resolution steps using pre-approved scripts, and a natural language smart search function.
[00:09:29] These tools streamline ticket handling and improve response times. Discover more at synchromsp.com. And we're back. The other area that I'm really curious to get your take on is the positioning both of service providers and the end customers. One of my concerns and pushbacks on the cybersecurity sector in general has been the – look, I get criminals' motivation. They're in the business of making money, right?
[00:09:58] And let's not – all of this conversation is about pushing back against the illegal activity. But I get it. They're in the business of making money and generally reasonably successful at sucking money out of customers. But on the other side of this, we have a very active cybersecurity tool space. Yes. That is also in the business of extracting money from customers. And neither side makes any real guarantees other than we're in the risk space, right? Like you're just pressuring the people on the side.
[00:10:25] What is your thought on actual shared responsibility? Where if a tool vendor would have some liability for the delivery of preventative or be involved in some kind of a joint responsibility model, like where do you think the market should go to do best by the customer? No, that's a really – that's a really good question.
[00:10:50] And I'll go back to I think – so when you look at a vendor, a vendor has to be committed to making sure that the security guarantees that they are making are embedded in the product, right? So secure by design. And they have to have secure configurations. And when you deploy their solution, they have to be able to say categorically that these types of attacks are designed out and they're not possible.
[00:11:18] And in terms of liability, I'm not sure. That gets really complicated, right? Potentially. I mean I could make a parallel argument of – we talk about there's minimum safety standards in automobiles, for example, right? And of course we know that if a user doesn't use their seatbelt by driving around and something happens, look, liability – like the auto manufacturer is not responsible.
[00:11:45] But if the seatbelt fails, right, there is responsibility of the automaker. I can make an argument that there's been certainly circumstances where software solutions fail. CrowdStrike is a great example, right? Yeah. And we like it because it's not an incident-based one. It's literally just the software failed. The software failed. But they're making a pretty strong argument that they have no liability and responsibility for anybody's damages over their failure.
[00:12:13] And my concern here in the cybersecurity market is I'm on board that this is a risk management exercise. But at the same time, there is a responsibility, as you said, to deliver a certain level of quality. Yet the software vendors push back pretty hard by saying we have no liability. It's in our end-user license agreement. And that isn't really a shared model. And I'm looking to say like from experts like yourself, like what might a shared responsibility model look like?
[00:12:45] Again, that's a really, really difficult question. And from an SLA, I guess when a company argues, at least from my perspective, that embedded in their product, they have certain guarantees around whether it's phishing resistant or other security guarantees. They have to put that in the license agreement and they have to be held accountable. I think at the end of the day, and I could totally appreciate the smaller businesses feel like they don't have a lot of leverage, right? Because even companies large like us are pretty small.
[00:13:13] But I mean, some of the larger companies, really, it's very difficult to go up against someone like CrowdStrike, right? But at the end of the day, I think, and I think part of also what's going to, if the smaller businesses are involved in a lot of the vendor risk management consortiums, at some point, companies that have a bad reputation and haven't delivered the services to their customers, they're going to get down selected through their vendor risk management. And I think the small companies need to have a voice there.
[00:13:40] I'm starting to see that evolve pretty quickly where we had some of the early vendor risk management companies, like Security Scorecard and some of the other ones that are actually giving purchasers and procurement insight into the reliability of vendors. I think breaches and the feedback from companies needs to be part of that because at the end of the day, those companies need to meet their requirements. I'm with you. And I think thematically, we're very much in alignment here.
[00:14:09] And I think this is an important conversation to have. But the other thing that I really wanted to talk about with some of our time remaining was you've been involved in the FedRAMP journey. Yes. And I think that there are some real lessons learned that the managed services provider space can take away with that. Tell me a little bit about your FedRAMP journey and what those key lessons from investment there have been. So I'll start with the outcome. The outcome was very positive for us.
[00:14:38] And I can go into why it opens up markets, but that's really not the question. It was really a great journey because it forced us to reassess our own security competency. And so at the end of this journey, we had a much stronger insight into our own security posture, which was really good. And actually working with some of the larger vendors and the larger, how do I say, very sophisticated auditors really shined a light on kind of our own internal compliance program.
[00:15:04] Now, from a School of Hard Knocks journey perspective, it was very difficult. And one of the things that we learned early on is you really have to find, and it's hard in this space, and I can say, strong partners. Partners that actually you can trust. That was probably the hardest thing when we started. When you reach out to the FedRAMP space, you feel honestly, sometimes you feel like it's almost compliance extortion.
[00:15:32] Meaning, and again, this ties into your previous, when you're a small company, you feel like you don't have a lot of influence, and you're searching for that partner that's going to really tell you what you really need to do. And so when we first started, that was really difficult because we really couldn't put our head around the entire journey. What we learned very quickly is you have to build an internal level of competency to hold your vendors accountable, even the trusted ones.
[00:15:56] And if anybody wants to start that journey, having an internal, a strong internal security team, both from a, it's not just a security team, it's an integrated engineering and security team. At a company like Beyond Identity, security and product are tightly coupled, and also our SRE teams, our development teams, and our security teams are tightly coupled.
[00:16:18] And because we were tightly coupled, we were able to accelerate that journey with a partner because FedRAMP isn't just meet the compliance. It's a fundamental engineering journey. It isn't just, you know, bolt stuff on at the end. You literally have to change your product to achieve the FedRAMP certification. And I would think, and in particular, I want to make sure that I leave our listeners with some kind of tactical things that they can do in their business.
[00:16:44] I would think that that journey, plus your thoughts around, you know, a lot of cybersecurity as compliance theater, like are there particular actionable items that you think are really important for organizations as solution providers that are advising their customers? Where should they spend most of their time?
[00:17:04] So if you're asking what a company needs to do to start that journey, or at least be positioned for that journey, they have to actually, I would, if you're thinking about that, you really need to pick an internal compliance program. I would recommend NIST. That is at least something that you drive your entire organization to. If we hadn't started with the NIST compliance as our core framework, it would have been very difficult to get that reciprocity with an ISO or a SOC because you're really starting from zero.
[00:17:33] So I think having an internal compliance program that is very clear. The other thing too is when you start to look at your product offering, you really need to think of FedRAMP. You can't, it's not a separate product offering. It's your core commercial product offering running with more visibility and compliance controls. I have talked to so many companies that thought that there's a Fed, they have one product, they start with one product, but now they have a FedRAMP product and a commercial product. That never works.
[00:18:03] You really have to accept the fact that you're going to have one product and you need to look at the commonalities between what you need on the FedRAMP side and the commercial side and make sure they're common. So a perfect example is if you have to be FIPS compliant, right? With all your cryptography, don't create a FIPS compliant FedRAMP. You need to go look at your commercial side and then step that up and make that FIPS compliant so you can just move it over to the FedRAMP gov cloud or the FedRAMP controls.
[00:18:31] Well, my last little question here, you're thinking about future trends a little bit. What's the big particular identity security trend that you think is being most underestimated right now, but you won't be able to ignore by next year? Yeah. Well, so I think two things. One is what I said before. I think companies are really starting to come to the realization that their current MFA solutions just aren't where they need to be.
[00:18:53] And the other trend is, and I think people really need to get a hold of this very quickly, and this isn't just a pitch for AI, but the tempo and the scope of the attacks are escalating faster than the industry is dealing with them. And they have a lot of legacy things that they're trying to bring along into that new battle, that new space, that cyberspace, and they really need to take a look at their architecture.
[00:19:15] And that tempo and that scope with all that AI-supported attacks is, I mean, every three months I look and I'm just shocked at how much more is almost automated with AI. You've given us a place to start. Bob Burke is the chief information security officer at Beyond Identity, where he's redefining modern authentication. Known for his critical stance on legacy MFA and compliance theater, Bob recently led the company through an accredited FedRAMP certification
[00:19:41] and works hands-on with customers to identify threats in the BYOD and unmanaged device environment spaces. Bob, if people are interested in reaching out, learning more, and having a conversation, what's the best way to do so? So reach out to our website, beyondidentity.com, and also we'll be at Black Hat, and we welcome anybody. Bob, this has been great. Thanks for joining me today. Thank you very much, Dave.
[00:20:03] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSP radio, and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech.
[00:20:32] Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question, at mspradio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit mspradio.com slash engage.
[00:21:00] Once again, thanks for listening, and I will talk to you again on our next episode. Part of the MSP Radio Network.

