Meet Kevin Bocek, who is responsible for security strategy and threat intelligence at Venafi. He brings more than 16 years of experience in IT security with leading security and privacy leaders, including RSA Security, Thales, PGP Corporation, IronKey, CipherCloud, NCipher, and Xcert. Most recently, Bocek led the investigation that identified Secretary Hillary Clinton’s email server did not use digital certificates and encryption for the first three months of term. In 2013, Bocek led Venafi’s investigation into how Edward Snowden used cryptographic keys and digital certificates to breach the NSA. 

Here, we talk to Bocek about a topic he is passionate about: machine identity management. 

Security: What is your background and responsibilities? 

Bocek: My expertise is in machine identities which is essentially the intersection of engineering, encryption, digital signatures and certificates. In the past 16 years, I’ve led numerous investigations, including the one that discovered Secretary Hillary Clinton’s email server did not use digital certificates and encryption for 3 months. I also led the investigation into the cryptographic keys and digital certificates used by Edward Snowden in the breach of the NSA.

I started out deploying authentication and encryption solutions for some of the world’s most demanding financial institutions, telcos and government agencies. One of my first, and favorite, projects was engineering cutting-edge Java, smart card–based encryption and PKI applications for the U.S. government.

In my role at Venafi, I am responsible for overall security strategy and lead our threat intelligence teams. I’m also heavily involved in leading Venafi’s threat research and investigations.

Security: What critical role do machine identities play in security?

Bocek: We are in a world of clouds and no firewalls, so identity is the new perimeter. Digital transformation has led to an explosion of connected devices, from POS systems to cloud-native software that enables remote work to AI algorithms and applications, and even IoT devices like Peloton bikes. Each of these is a type of ‘machine.’

Just like humans, every machine requires an identity to authenticate and communicate safely with other machines. Instead of username and password, machines   use cryptographic keys and digital certificates, as well as other authentication tokens to identify themselves and communicate.

Mismanaged machine identities can lead to critical outages. Just this summer, for example, California’s COVID-19 reporting system had a backlog of 300,000 lab test results, all due to an expired digital certificate. Microsoft also suffered from expired certificates last year, resulting in Microsoft Teams going down for nearly three hours.

Despite the explosion of machines, the security industry has focused the majority of identity and access management on human authentication. But how can our digital transformation efforts and economy stay safe and work without machine identity management?

Without machine identity management we’re in for trouble, and bad actors know this. Weak management of machine identities has played a key role in many of the biggest breaches over the years, such as Stuxnet, Equifax, Heartbleed and now, unfortunately, SolarWinds. Our research found that cyberattacks associated with machine identities grew by more than 400% between 2018 and 2019, and we anticipate that this trend will continue until businesses get serious when it comes to securing machine identities.

Security: Why is the SolarWinds hack an example of how critical machine identities are?

Bocek: Adversaries know exactly how powerful machine identities can be, but the software industry is failing repeatedly to see these identities as dangerous weapons that bad actors can abuse. Details about the breach are emerging daily, but we already know that attackers got into the SolarWinds software build process early and injected malicious code into a software update that authenticated as trusted through the power of a compromised X.509 certificate. This was just the first step threat actors took to abuse machine identities. We also know that part of their strategy was to forge SAML tokens and sign them with legitimate certificates in order to impersonate trusted, authorized users to get access to data and services that should have been protected. This is essentially an unlimited credential counterfeiting attack powered by machine identities.

Compromised machine identities were clearly an essential part of the kill chain in this attack on multiple levels. Cyber weapons move from the most sophisticated attackers down to common, off-the-street cybercriminals seeking a quick profit, so these attacks will only increase in the future.

The impact of a successful software supply chain attack can be devastating because there just is not much that software customers can do to protect themselves against attacks coming from a compromised vendor. Awareness of these risks is critical, but software development companies must hold themselves accountable. And these threats are not limited to commercial software, internal software tools are also vulnerable.

Security: What lessons can the security industry and security executives take from this hack?

Bocek: Now, every business is now essentially a software developer, whether they build web apps or operate microservices built on containers.

I am hopeful that the SolarWinds attack has finally opened the software industry’s eyes to the critical importance that machine identities play from the very start of software development to its continued implementation. The most important lesson to be learned here is that software, developers and cloud providers absolutely must reevaluate how they secure machine identities - this starts with “shifting left” and baking machine identity management and protection into the software development process. 

These efforts need to go beyond improving security efforts focused solely on reducing vulnerabilities in the code. Each of the identities throughout the build process needs to be managed properly; this includes visibility of all code-signing certificates, intelligence about how and where they are being used and automation to manage the certificates’ full lifecycle. Without each of these components, malicious actors will continue to successfully target the software development process because they know it is an easy way to slip into the network unseen.