Among the many highlights of the 2023 Bitwarden Open Source Security Summit, the global conference for thought leaders, industry experts, and open source security enthusiasts, was the fireside chat with Alyssa Miller, CISO at Epiq Global.
Alyssa is a lifelong hacker and seasoned cybersecurity executive with over two decades of experience building and growing security programs. Some of the financial services and consulting firms she’s worked for include FIS, EY, and S&P Global. Alyssa is currently the CISO of Epiq Global, as well as an internationally renowned speaker, author, and cybersecurity researcher. Alyssa is an advocate for making security an enabler rather than an obstacle for efficient development pipelines. She is also involved in initiatives to build a more inclusive and collaborative security community.
Bitwarden: With over two decades of experience, how have you seen the cybersecurity landscape evolve over the years? What are the emerging trends or challenges you find the most intriguing or even concerning?
Alyssa Miller: The cybersecurity landscape has become so much more vast now than it ever was before. When I started my career, we were simply the information security team, and we were focused on, as the name would suggest, protecting information. That still is the focus, but, as we've seen, the online, connected, digital world just exploded, so now we have a much broader scope of things to worry about.
We've seen the cat and mouse game of defenders versus attackers as hackers get more refined in efforts and skill sets. That mirrors what we've seen with technology in general, which is that technology doesn't slow down. The introduction of new technologies means new security challenges. We have to stay on top of new technologies along with the ever-increasing sophistication of attackers. We’re also now at a point where we have a commoditized market, where attackers sell their services. That keeps me on my toes.
The other thing that does worry me is user apathy toward privacy and protecting personal data. People just assume it's all compromised. Certainly, when you look at the news, and you see all these big stories about breaches, it's easy to understand why people have that level of apathy toward trying to secure anything.
Bitwarden: Along the lines of keeping pace with new technology, one new technology is passkeys. How do you anticipate the role of passkeys evolving in the broader context of authentication methods? What advancements or trends do you foresee in this area of cybersecurity?
Alyssa Miller: I believe passkeys are one solution that could get us to the point of being truly passwordless, where you’re not authenticating someone off of a password.
Looking at the implementations of these, there's usually a PIN or something that's attached. If you use Windows Hello, and you've got a Titan or a YubiKey, you have to give it a passphrase or a PIN or something. One might argue that’s still a password, but it’s a little more of a universal identity. You have a credential that you're authenticating against this passkey, but it's all a single token or the single hardware piece that provides the access to it.
Now, what if I lose it? That's a realistic challenge. We've seen some other solutions like authenticator apps that have the same problem. But, I think it’s a lot easier with a passkey than it is trying to recover an identity from an authenticator app. We've seen Google move forward with the creation of their Titan keys and their overall authentication mechanisms. I think, as that grows, we'll start to see more of it, especially in more corporate spaces and in organizations that have a commitment to really strong authentication.
We have Microsoft, NIST, and others saying that it’s time to get away from the traditional form of passwords because we keep making them more complex. After a while, it just becomes impossible for people to remember their passwords. Passkeys get away from that challenge and the cost is low, which is why we can expect more of a shift.
Bitwarden: Earlier you talked about the apathy of users, especially in relation to their information already being out there. Another development that’s challenging in corporate environments is the rise of remote work in that it increases the attack surface. What recommendations do you have for organizations to secure their networks, data, and distributed work environments?
Alyssa Miller: I know most people don’t want to hear about user education, but fostering a more secure environment means the culture of security has to extend beyond your corporate walls. If you have people working in hybrid environments, or who are fully remote, you have to understand their network just became yours.
Every corporate environment I've worked in has different remote access solutions meant to build some level of barrier. We have VPNs, private access applications, and other proxies. But, at the end of the day, we have to understand that there are devices we own sitting on a network we do not control. No matter how many technological controls we put on that system, we cannot forget about the people in the process side of things. It’s got to be holistic.
You have to understand there are a lot of people in your organization who are not technical. I work in a legal services company with a lot of lawyers. Understanding security is not their day job. So, I have to make sure they have the ability to understand how some of their actions could impact the safety of their home networks.
It’s about more than just home networks and keeping laptops safe. Why not parlay that into how you’re protecting your family, because that becomes a strong motivator for your users to want to learn about security and make it feel less onerous. This could also help address some of that apathy as people think “Oh, I understand this a little more, and I have a little more control about how to defend myself.”
Bitwarden: That’s a good point; we’re all human. Whether it's for home or work, it's about creating secure habits across the board. What about zero-trust security? How do you see the role of zero-trust security models evolving in response to the distributed nature of work?
Alyssa Miller: Zero trust is a great theory, but it’s been absorbed by marketing teams as something that can be sold as a product. You can’t just say “my product is zero trust.” A lot of people have joked that zero trust is basically doing what we already should have always been doing. And that's true, to a large extent. I think we’re going to see more effort to adopt many of those principles. And I think that's how we have to look at zero trust.
Zero trust is not necessarily a thing that we implement. It’s a framework we can work within.
For each organization, what zero trust is going to look like and what’s going to be practical is going to be different. If I look at a fully laid out zero-trust model, there are elements that may not fit my risk posture with my organization. They may be very, very costly and reduce very little risk for us.
Implementation will evolve as people start to figure out what parts of the zero-trust model apply to their organization and how it fits within the overall risk picture. And, most importantly: what value is this going to bring to the business? How am I making it so that my business units can innovate better and work more efficiently? How can I leverage zero trust? We need to think in those terms, rather than, “Oh, I'm going to try to implement this whole framework.”
Is implementing some type of zero trust, remote access proxy, or private access what the business needs? Is that going to allow people to work from anywhere with any device and remain secure? For some businesses, that might be a really attractive option. For others, that may not be something that's valuable to them, especially if they're one of the organizations that have gone fully back to the office.
I think we're starting to have that realization now that zero trust is not a product. It's not all or nothing or something you turn on and off.
Bitwarden: That makes a lot of sense. Shifting gears a bit, since this is the Open Source Security Summit: open source has gained popularity in cybersecurity tools; what is your perspective? What do you think are some of the advantages and challenges to using open source packages in enterprise environments?
Alyssa Miller: The advantage of open source is that it’s open. People in research programs at universities can dig in and find vulnerabilities in open source software.
Open source gives us the ability to be more aware and do a much deeper inspection than we could do with a commercial, off-the-shelf product.
In the world of software development, open source packages are pretty much ubiquitous now. They enable efficient, quick development of software. There’s been tremendous improvement in how we enable reusability to create packages that implement, in some cases, really complex functionality.
The challenge is you don’t know who is writing the code. Not every open source package has a whole consortium or foundation behind it. It might be one or two people, and if you’re implementing that software into your corporate IP, you may not be able to get the support that you need right away. Then it becomes a question of: do we fix it ourselves? I would argue that you probably should, since that’s being part of the community and giving back.
But there are organizations who have reasons to be rigid. Licensing can be a challenge. With some of the open source licenses, if you integrate open source software, suddenly the license calls for open sourcing all of your stuff. That can be problematic for organizations that have software that is their competitive advantage.
It’s great that everybody can assess code, but at the same time, you have massive communities of people trying to attack packages they know are popular. Think about the Log4j vulnerability discovered a few years ago. Log4j is used in 90% of Java applications everywhere. It was a remote, exploitable vulnerability, and that's a problem.
As open source grows in popularity, there are a lot of observable vulnerabilities, and not everybody's reporting those when they find them. They’re holding on to them to use them when they're convenient. There’s also the complexity of finding those vulnerabilities. My classic example is Equifax in 2017. The company had a Struts vulnerability buried multiple levels deep in their dependencies. They found out about it, and they knew it was there, but they hadn't gotten to fixing it yet, because it was buried so deep. It was not a simple fix, but they still got breached, which is why we see tools like SCA, or why we see the U.S. government mandating things like SBOMs, and so forth.
Bitwarden: Can you tell the audience more about SCA and why it’s critical?
Alyssa Miller: SCA stands for Software Composition Analysis. It’s become another necessary piece of a secure software development life cycle, part of a DevOps pipeline. Let’s say I create an 80,000-line application. There are probably close to a million lines because I've incorporated a bunch of dependencies from the open source world. But each dependency has its own dependencies, and so on.
The SCA looks through these dependencies. It identifies the open source packages that are written as part of the code and analyzes where they are vulnerable. A good SCA package can help you figure out if your code is vulnerable. Is it just a vulnerability sitting somewhere that never gets called and is therefore never a problem? SCA is built to address these situations.
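The two situations Alyssa describes above, a vulnerable package buried several levels deep in the dependency tree (the Equifax/Struts example) and a vulnerable package whose affected function is never actually called, are what an SCA tool has to tell apart. The following is an added illustration, not code from Bitwarden, Alyssa Miller, or any SCA product: it walks a constructed lockfile-style dependency graph, matches every transitive package against a constructed advisory list, and then checks a constructed call graph to decide whether the vulnerable symbol is reachable from the application's entry point. All package names, versions, advisory IDs and symbols are made up for the example.

```python
"""Toy Software Composition Analysis (SCA) walk.

Added example: resolves transitive dependencies, matches them against an
advisory list, and checks whether the vulnerable API is reachable from the
application's code. Every package, version, advisory ID and symbol below is
constructed for illustration and refers to no real project or CVE.
"""
from collections import deque

# Constructed lockfile-style graph: package -> (resolved version, direct deps)
DEPENDENCY_GRAPH = {
    "app":          ("1.0.0",  ["web-frame", "report-gen"]),
    "web-frame":    ("2.3.1",  ["http-core", "template-lib"]),
    "report-gen":   ("0.9.4",  ["pdf-writer"]),
    "http-core":    ("4.1.0",  ["log-util"]),
    "template-lib": ("1.2.0",  []),
    "pdf-writer":   ("3.0.2",  ["image-codec"]),
    "image-codec":  ("1.4.6",  []),
    "log-util":     ("2.14.1", []),
}

# Constructed advisories: versions below `fixed_in` are affected; `symbol`
# names the vulnerable entry point inside the package.
ADVISORIES = [
    {"id": "DEMO-ADV-0001", "package": "log-util",
     "fixed_in": "2.15.0", "symbol": "log-util.lookup"},
    {"id": "DEMO-ADV-0002", "package": "image-codec",
     "fixed_in": "1.4.7", "symbol": "image-codec.decode_tiff"},
]

# Constructed call graph: symbol -> symbols it calls. Note that nothing ever
# calls image-codec.decode_tiff, so that advisory is present but unreachable.
CALL_GRAPH = {
    "app.main":         ["web-frame.handle", "report-gen.render"],
    "web-frame.handle": ["http-core.serve", "template-lib.render"],
    "http-core.serve":  ["log-util.info"],
    "log-util.info":    ["log-util.lookup"],
    "report-gen.render": ["pdf-writer.write"],
    "pdf-writer.write": [],
}


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def resolve_transitive(root, graph):
    """Breadth-first walk; returns {package: (version, depth, path)} with the
    shortest path from the root to each transitive dependency."""
    found = {}
    queue = deque([(root, 0, [root])])
    while queue:
        name, depth, path = queue.popleft()
        if name in found:
            continue
        version, deps = graph[name]
        found[name] = (version, depth, path)
        for dep in deps:
            queue.append((dep, depth + 1, path + [dep]))
    return found


def is_reachable(start, target, call_graph):
    """True if `target` is reachable from `start` by following call edges."""
    seen, queue = set(), deque([start])
    while queue:
        sym = queue.popleft()
        if sym == target:
            return True
        if sym in seen:
            continue
        seen.add(sym)
        queue.extend(call_graph.get(sym, []))
    return False


def analyze(root="app"):
    """Report every advisory that matches a transitive dependency, with how
    deep it sits and whether the vulnerable symbol is actually called."""
    deps = resolve_transitive(root, DEPENDENCY_GRAPH)
    findings = []
    for adv in ADVISORIES:
        pkg = adv["package"]
        if pkg not in deps:
            continue
        version, depth, path = deps[pkg]
        if parse_version(version) >= parse_version(adv["fixed_in"]):
            continue  # already on a fixed release
        findings.append({
            "id": adv["id"], "package": pkg, "version": version,
            "depth": depth, "path": " -> ".join(path),
            "reachable": is_reachable(f"{root}.main", adv["symbol"], CALL_GRAPH),
        })
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['id']}: {f['package']} {f['version']} at depth {f['depth']} "
              f"via {f['path']}; reachable={f['reachable']}")
```

Running it reports two findings: the log-util advisory sits three levels below the application and its vulnerable function is reachable through the logging path, so it needs fixing; the image-codec advisory is equally deep but its vulnerable decoder is never called, which is the "sitting somewhere that never gets called" case a good SCA tool can deprioritise. Real SCA products do the same two things against actual manifests, advisory databases and compiled call graphs, with far more care around version ranges and dynamic dispatch.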
Bitwarden: Building on your experience as a woman in cybersecurity, how can organizations create more inclusive environments and encourage individuals from diverse backgrounds to pursue careers in cybersecurity?
Alyssa Miller: My number one piece of advice here is to fix how you hire. We've got to fix how we write job descriptions, how we address the way we think about who it is we want to hire. When we sit down to write a job description, we typically think about who's on the team. We ask, “what do they do? How did I address this when it was my job?” Then write that into our job descriptions. That puts a lot of bias into our job descriptions.
What I try to do when I hire, and what I encourage others to do, is keep that job description pretty open. Look for people who bring something that surprises you, or something that makes you stand up and take note of something different. My favorite example is the barista I ended up hiring as a SOC analyst. Baristas have a lot of really cool, transferable skills from working in a coffee shop and having to absorb all that information. It’s coming in really fast and you have to break it down, turn it into tasks, and respond to it. If you put it in those terms, that’s a SOC analyst.
We need to recognize the value people bring that’s more than just five years of experience working with a SIEM tool or 15 years working in cloud technology. We need to get away from that hyper-focus and think more about what they are going to bring to the team.
What are they going to challenge about how my team operates to make the team better? Taking this approach allows diversity to happen naturally. Now people feel valued in the workspace and don't feel like they're an outsider.
Inclusion isn't just about people's feelings. It's about getting them to come in, feel comfortable contributing, feel like they belong there, because that's when they will do their best work for you. I want lots of different perspectives and ideas. If I've got a room full of people who look just like me, and think about things the same way I do, we're not going to get that diversity.
Bitwarden: I’d love to talk about AI. How do you see the intersection of AI and user authentication evolving? What steps can organizations take to ensure a balance of security and AI user friendliness?
Alyssa Miller: We have to get away from this idea that AI is going to start replacing people. That’s not the case. But we do have to get better at demonstrating what AI can help us with. We need to show what unique values human beings are going to bring to AI.
I just had a conversation with Microsoft a few days ago, about how we’ll soon be able to analyze user login patterns and some of the outliers and bad behaviors, or suspected behaviors, in user activity. From an authentication standpoint, I think it’s the first really big thing that we're going to see because we've been pushing toward this idea of user behavior analytics for a while.
I think we're actually farther away from that than a lot of people want to admit. As we look at what's going on in AI and some of the bias problems that we have, with things like facial recognition, for example, it turns out that biased humans aren't very good at writing unbiased AI systems. We’ve got a long way to go, but I also think we're going to continue to see progress accelerate tremendously and grow.
Bitwarden: When it comes to the increased use of AI, what do you see as different ways to prepare for that future?
Alyssa Miller: Again, there's a user education problem more than anything else. When large language models came out, there were organizations on both ends of the spectrum and somewhere in the middle. Some had their IP exposed via ChatGPT; on the other end, you had organizations that decided to block it all, which impedes innovation. And I don't think there's an organization in this entire world right now that isn't trying to look at how they can use generative AI to innovate in their product space. So, smart organizations are the ones that have decided to adopt it in a safe way.
The key is determining how to educate your users on the safe use of AI because it’s brand new. A lot of people don’t understand that what they feed into a ChatGPT could potentially be accessed at a later date and exposed intentionally or unintentionally. Then there’s the ongoing discussion about artwork that's AI-generated and written materials that are AI-generated. Who that ultimately belongs to at the end of the day is a big question that has created skepticism and hesitation among organizations.
Bitwarden: What do you see as the emerging trends and challenges at the intersection of open source and cybersecurity looking ahead into 2024 and beyond?
Alyssa Miller: From an open source perspective, I think we're going to continue to see organizations becoming more of an active part in the open source community. I expect to see companies feel like they can contribute back to the open source community safely and not put themselves at risk.
I think we're going to continue to see this push toward SBOMs. I'm starting to see some of the larger, more mature organizations add that to their security questionnaires when they're considering a vendor. I think what the government has defined so far might be a little more complex than what we'll probably see in everyday life. However, it will continue to grow because being able to understand what I have in my environment, and what’s going to be problematic, is valuable.
When the Log4j vulnerability was announced, I can’t even count how many people spent the first two weeks trying to figure out where they even had it in their environment. This was coupled with different vendors releasing free tools to help businesses try and find it. It was crazy. I think we learned our lesson from that and from some subsequent vulnerabilities, so I expect to see a lot of growth in technologies that figure out how to really get ahead of the curve and that make it easier to understand what is in our environments without inhibiting innovation.