Elevate Security

Solutions

Use Cases

Identity & User Risk Authentication
For Identity and Access Management (IAM) and Identity Governance and Administration (IGA) professionals, Elevate Security provides proactive protection against workforce cybersecurity risk by applying the unique risk each user represents as a conditional factor in the authentication and access governance review processes.

Security Awareness & Human Risk Management
For Security Awareness professionals, Elevate Security helps you engage employees to become your best defenders. By deeply understanding the behavior of each individual, Elevate helps you make better decisions for protecting your organization, and fostering a culture of security accountability.

Security Operations & Case Management
For Security Operations (SecOps) professionals, Elevate Security reduces operational burdens on the SOC resulting from high-risk user generated incidents. By injecting individual risk data into SecOps policies, tooling, and controls automation, you'll free up resources to fight real adversaries, strengthen workforce safeguards, and improve response efficiencies.

Products

Elevate Identity
Inject user risk intelligence into IAM and IGA systems and processes as a conditional factor for authenticating or revoking system access, and enhancing access governance workflows.

Elevate Engage
Actively deliver personalized feedback nudges, scorecards, and direct targeted training based on individual computing behaviors and current security risk.

Elevate Control
Inject user risk intelligence into security operations tooling and processes to accelerate incident triage and response, enable better help desk decision making, and automate controls for risky individuals.

Use Cases

Identity & User Risk Authentication
Security Awareness & Human Risk Management
Security Operations & Case Management

Products

Elevate Identity
Elevate Engage
Elevate Control

Resources

Partners

Partners

Technology Partners
Value-Add Partners

Company

Company

About Elevate Security
Why Elevate
You: Elevated
In the News
Press Releases

Careers
Awards & Recognition
Contact Us

About Elevate Security
Why Elevate
You: Elevated
In the News
Press Releases
Careers
Awards & Recognition
Contact Us

Support
Book a Demo

Search
User Risk

Three (Non-Obvious) Tips for Dealing with Social Engineering

Robert Fly

While information is unfolding in the most recent Uber breach (and now Rockstar, too), one thing we’re already seeing is:

  1. Startup vendors telling everyone how they would have prevented the breach
  2. “Security experts” giving obvious advice (“enable MFA!”, “use a password manager!”)

As Nathan Burke likes to say in one of my favorite quotes ever  — “stick your head out the window and you’ll hear the sound of a million PowerPoint decks being updated.” That sound is coming!

Full transparency, I’m a vendor, so I fall squarely in bucket #1, but I also spent about 20 years as a practitioner and executive dealing with these types of issues on the front lines dating back to when I was on the Microsoft Outlook team working to protect customers against the first email born viruses, like ILoveYou.

To start, Uber has a strong security program. I know many folks on the team and they are some of the best in the world. So sharing hot takes and elementary tips is a waste of breath. At this moment, we know it was a social engineering attack regarding MFA push notifications that gave the attacker access, but we haven’t seen all the details.

What I’d like to do is share a few tips on dealing with social engineering attacks for companies that have fairly mature practices in place and need to take them to the next level. Here we go!

Know Your Risky Users

Social engineering attacks start and end with taking advantage of a well-meaning employee just trying to do their job. Attackers know this and take advantage of it time and time again — they’ll go on LinkedIn, look up the person, their role, what they do, check out their social media profile, etc. There’s tons of information on the internet that allows them to hyper-target individuals with sophisticated attacks.

Because employees are so often the targets of attacks, organizations need a way to understand that risk at an individual level.

When you buy car insurance, the insurer doesn’t just evaluate the car — most signals they get are on the driver. Same thing is true for the employees of our organizations.

Every company needs to measure, historically, the risk of every employee. We can’t manage what we can’t measure and if 82% of breaches are due to human error, we better start measuring it.

Proactive Response

If we’ve measured the risk of all employees we can take the obvious next step of how we best protect them. Every functional security team I’ve ever worked with has the basics of control technologies in place — protecting their endpoints, networks, email, and web traffic. But, these technologies are often disconnected and reactive.

Even mature teams focus on playing the security equivalent of whack-a-mole in their security operations and incident response teams.

With social engineering attacks, we should be taking a much more proactive stance. How do we embed the intelligence we know about employee risk in our control technologies to make more intelligent, proactive decisions?

For example, why aren’t our Identity solutions smart enough to know whether a user consistently clicks on phishing links? Or that they just downloaded malware? Clearly, we can make better decisions if our systems are more interconnected.

Beyond Zero Trust Marketing

Because social engineering relies on actively targeting employees, we need systems that are both constantly fed and updated with new intelligence combined with validation of security postures upon identity and access decisions. Some would call this zero trust, but most implementations within enterprises that I see are slight upgrades to VPNs or identity systems that simply check the trustworthiness of a device posture at the point of entry into a network or application.

If you read NIST’s guidance, you’ll see they touch on a few key principles:

  1. Continuously Verify – verify access and trust for all resources
  2. Context Awareness – incorporate behavioral data, intelligence and context from other systems for stronger validation
  3. Automated Dynamic Response – access is determined by dynamic policy validation and enforcement based on risk and resource sensitivity

Social engineering often relies on single points of failure, but as an industry we need to continue moving towards a stronger, dynamic, more intelligent security control plane where trust is consistently verified and validated and it’s not just a new flavor of NAC tied into VPNs or identity systems.

Share This

Robert Fly

Led security and engineering teams at Salesforce and Microsoft. Picked up first hacker magazine at age 9.
IAM in the Age of Remote Work: Ensuring Security and Productivity

IAM in the Age of Remote Work: Ensuring Security and Productivity

Today, organizations need to adapt their Identity and Access Management (IAM) strategies to ensure their remote workforces are secure and productive. Above all else, today’s […]

Read More
Discover how data-driven interventions and intelligent risk management can transform security outcomes.

Rethinking Security: Shifting Focus to Employees

Last Friday, I shared on LinkedIn some amazing statistics we saw across our customers. That post just scratched the surface and deserves a deeper dive […]

Read More
Get our eBook helping IAM and security professionals dramatically improve their IAM processes to better secure their people and their organization.

Strengthening IAM in 2023: A Comprehensive Guide [eBook]

8% of users are causing 80% of security incidents. But most identity and access management (IAM) teams today can’t understand the cyber risk context of […]

Read More

Get Started Today

Quantify risk across the organization, and identify areas where increased safeguards and processes are needed to reduce your risk profile and protect your team.
Book a Demo
>