Interview: Morey Haber, VP of Technology at BeyondTrust
With more than 20 years of IT industry experience, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees solutions for both Vulnerability and Privileged Identity management. In 2004, Mr. Haber joined eEye as the Director of Security Engineering. There, he was responsible for Strategic Business Discussions and Vulnerability Management Architectures in Fortune 500 clients.
Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for their SWAT Team and management of new product beta cycles. He earned his Bachelors of Science in Electrical Engineering from the State University of New York at Stony Brook.
What should you learn next?
1. After joining BeyondTrust as part of the eEye Digital Security takeover, you were tasked with overseeing solutions for both vulnerability and privileged identity management. What exactly does this role entail?
There is a natural synergy between vulnerabilities and privileges that has been overlooked by the security community for years. For example, in 2014, nearly 80% of the security patches issued by Microsoft could be mitigated by reducing privileged access to a standard user. In my position at BeyondTrust, it was product management's (myself and team members) responsibility to find a methodology for linking these different disciplines and providing a meaningful way to secure users and assets. Vulnerability-Based Application Management (VBAM) is just one example (patented technology) available from BeyondTrust. It links the Retina vulnerability database, and least privileged access using PowerBroker for Windows to the decided on privileges given to an application (the actual security token per application) based on published vulnerabilities for any application. Therefore, in real-time, any application launched by an end user can be verified for vulnerabilities or acceptable risk, and then modified to have only standard user privileges, elevated to have administrative rights, or have a custom token with permissions anywhere in between. The results are then available in reports and heatmaps providing details about the risks to an environment based on regulatory requirements, permissions, and user activity. My role was to expand the products capabilities to not only be best of breed, but also solve a common problem that can drastically reduce the risk to any organization by linking the disciplines.
2. What sorts of trends do you see in the vulnerability and privileged identity management spaces, and how does your company's solutions help businesses in this regard?
Vulnerability management has entered a stage of commoditization while privileged account management is emerging as a re-energized solution to solve many problems associated with recent breaches. Many of the tools in the Privilege Account and Vulnerability Management space have been around for decades, and organizations are just realizing the importance and benefits for implementing them from password safe solutions to least privilege on UNIX, Linux, Windows, and even OS X. The problem with both markets is the same; communications. There are many tools that can detect a missing patch and many tools that can change a password. The problem is communicating the results to key individuals within an organization in a meaningful way without labor-intensive custom reports or PDF files and spreadsheets that are hundreds of pages long. This is where BeyondTrust excels in taking a commoditized market and mature solutions to the next level; reporting and analytics. BeyondInsight is the only solution that ships with a structured big data warehouse that can correlate vulnerability and privilege data into meaningful reports for auditors, executives, and engineers. In fact, there are over 270+ reports that ship out-of-the-box to solve real world business problems, a true ad-hoc report builder, and advanced analytics based on self-organizing map neural network technology that identify risks. Trends in the industry show a saturation of vendors in both of these mature spaces but BeyondTrust technology demonstrates how better communication via automation, reporting, and analytics can solve this problems than dedicated standalone solutions that have not evolved in years.
3. How do you convince clients of the need to invest their IT/IS dollars in the types of solutions that BeyondTrust provides – and is it a challenge getting them to know how important it is to invest as required?
Each BeyondTrust solution, when viewed as best of breed, has a different set of competitors with almost no overlap between them. This is most evident for something like least privilege. Each platform such as UNIX, Linux and Windows has a different set of competitive vendors. Why would an organization embrace multiple vendors, multiple technologies and licenses, and endless hours of training with different management consoles to solve each of these security problems? Then add additional tools like vulnerability management, active directory bridging, and password safe and you could end up with more than 6 different vendors; many of which only make one product. This discussion, while platform based, is an easy discussion with any organization to consolidate vendors, lower cost, increase efficiency with simplified training, and bring all the separate security tools together under one interface. It is not a challenge to convince them this is a better approach. The challenge is getting organizations to change from the status quo and embrace newer and better solutions that are thinking out of the box and adaptable to modern threats.
4. Why should businesses consider BeyondTrust over any of its rivals for the solutions they need to address IT security issues?
If a business is looking for a strategic partnership with a vendor and not a single best of breed "one off" technology to solve a security or operations problem, BeyondTrust is the best vendor to meet their needs. Many of BeyondTrust competitors only produce one product. Really, just one. This is true for vulnerability management and privileged account management. If there is ever a need to use more than one security product, correlate security data, and streamline processes, the technology we produce just makes sense. It is best of breed and fully integrated. Not just at the management console either, many products like PowerBroker for Windows and PowerBroker Password Safe have patent-pending integration at the product level, integrate in the management console, BeyondInsight, and have integrated reporting and sharing of data to view security information in ways none of our rivals can compete against.
5. With new vulnerabilities popping up on the radar all the time, how exactly does BeyondTrust keep up so that its solutions help businesses to meet the challenges?
This is an age-old process that has been around since the inception of Retina in 1999. It has adapted to new challenges like SCAP and continues to evolve with emerging standards like CVSS 3.0 (not yet ratified). The BeyondTrust Research team uses a variety of touch points from the United States Department of Defense, to vendor announcements, and even obscure hacker websites to identify new and changing vulnerabilities. These are adapted into product in the form of audits and updated with critical information in the form of public exploits, malware toolkits, and even patch supercedence when applicable. Regulatory standards such as NIST, HIPAA, and SOX are coded into each audit to make sure that even when a flaw is identified on a host (new audit releases come out multiple times per week), businesses can translate the findings from patch information to executives and auditors based on regulations. If vulnerability audits are not updated frequently, since the threats in the wild vary day by day, the information becomes stale very fast. The challenge is not keeping the information up to date, as BeyondTrust does that automatically for clients and has been doing so for years. The challenge is having organization assess assets frequently, using the latest audits, and providing timely and meaningful reports to teams for immediate action. This is something BeyondTrust excels at performing however many organizations still have challenges just adhering to these best practices for their own reasons; and there are many.
6. What sorts of IT security challenges do companies face today that they may not have had to deal with half a decade ago?
There are so many new challenges companies have to face today that the list of buzz words feels almost endless: virtualization, cloud, mobility, work from home, BYOD, etc. Some of these have been more hype than threat, while others are a real security concern. For example, BYOD. Gartner identified over 100 vendors in the space a year ago but many companies still have not chosen to implement a solution because the threat has been more hype than reality. Please do not get me wrong, there are plenty of mobile threats but none have been massive game changers to warrant an investment for many organizations. On the other hand the cloud is a real issue. When moving resources into an environment where you have less control represents a real risk of the unknown. Limitations on vulnerability assessment and privileged access governed by the providers' policy introduce unknown risks that require a firm and coherent security strategy. This concept eludes many organizations just because of the unknown and many technologies just are not adaptable to the space.
7. What's the most enjoyable aspect of your job, and what's the most difficult?
The most enjoyable aspect of my job is the "thrill of the kill" and the "success of a satisfied client." I sincerely enjoy the competitive landscape BeyondTrust engages clients within and when they select BeyondTrust as a partner, the energy of providing them a solution that successfully meets their needs and their resulting happiness in the security it provides. I guess you could call it the thrill of winning and succeeding with a fantastic solution which my team has developed and designed.
The most difficult aspect of the job is availability. Security changes so fast that being able to respond to everyone in a timely manner is difficult and even sometimes stressful. Whether it is a support issue, enhancement request, or a new threat, addressing the need in a timely fashion while writing blogs, whitepapers, demos, speaking, and visiting clients can be overwhelming for myself and the team. Being available to anyone and at any time to assist their needs is definitely the most difficult part of my job.
8. In any given day, what sorts of tasks might you perform in the capacity of a vice president of technology?
My position has me interacting with almost every department in the organization. On a day-to-day basis this could involve strategy sessions with executives, support assistance, high level or product presentations with sales, webinars with marketing, whitepapers and collateral creation and even completing questions like this for our press agency. The job varies daily but the main focus is on the success of the BeyondInsight platform and helping create the tools and messaging to make it successful through any channel necessary. This could be internal communications, clients, analysts, and press.
9. What sort of hard and soft skills should a VP of technology have to be successful at his or her job – and have the requirements changed at all over the last five years or so?
The primary requirement for VP of Technology (not to be confused with a VP of Information Technology; which commonly occurs) is communication skills followed by a broad range of product, market, and technology knowledge. My position requires strong communication skills and the ability to articulate the company strategy and messaging to anyone at any time. A VP of Technology must be able to think on their feet when given a technology or security question and have the knowledge to dive pretty deep on a broad set of topics or product questions. Success is measured in sales growth and the ability for all team members to understand the value the technology offers. You could almost think of the position as a "technology evangelist" role from the early 2000's with a forward-thinking methodology assisting the CTO with comprehensive information (in any form necessary) to make educated strategic and product decisions.
10. What advice would you give to someone in college or university who is interested in getting into the cyber security industry?
If you are an individual that does not like change and prefers the status quo, cybersecurity is definitely not for you. Cybersecurity changes daily, appears in the news weekly, and is best suited for individuals that are willing to constantly learn, read, and adapt to new technology and risks. Getting a certification like CISSP is not enough to succeed in this space. While you may receive a good salary due to the shortage of security professionals, I would recommend you pick a type of security discipline and become the best at that niche you can possibly be. People overgeneralize cybersecurity as a trade but forget that there is a need for pen testers, security professionals per platform, encryption, authentication, and even coding (not forgetting vulnerability management and privileged access). I often see paid pen testers just using tools to perform their assessments and many do not have the skills to perform an actual pen test by hand. This devalues the work they are performing and opens a void for actual pen testers that can really prove if your environment is secure or not. I would recommend being the best at what you like and then expanding outward. After years of experience, with multiple disciplines potentially mastered, your title in cybersecurity is more than just a certification exam.