
Cloud Control: Q&A with Tim Youngblood on Securing Non-Human Identities and Preparing for AI-Driven Cyber Threats

June 18, 2024

Hey Cloud Control family ✌️

I'm thrilled to bring you an in-depth conversation with Tim Youngblood, the CISO in Residence at Astrix Security. Tim’s experience is incredible – from steering security strategies at giants like T-Mobile and McDonald's to now focusing on the challenges of non-human identities at Astrix.

We talked about a lot of exciting topics. One thing that really stood out was Tim's approach to aligning security with business goals. He shared some fantastic insights on how startups can leverage frameworks like NIST CSF and OWASP to build a solid security foundation. Trust me, this is gold for anyone looking to enhance their cybersecurity game.

Tim also opened up about the intricacies of managing NHIs and the critical steps companies should take to stay ahead of threats. His practical advice on building a robust security posture is something you’ll definitely want to implement.

So settle in and enjoy this insightful chat with Tim Youngblood. I promise you, it's worth every minute.

Cheers,

Ian

Question 1 💭

Welcome to Cloud Control, Tim! To kick things off, could you tell us a bit about your current focus areas at - and outside of - Astrix Security and some of the key initiatives you're working on?

Answer 1 🎯

Appreciate this opportunity to connect with your subscribers. Well, I’m not one to twiddle my thumbs waiting for something to do. At Astrix I’m the CISO-in-Residence; my focus is on helping to mature an already amazing solution to combat the challenges of Non-Human Identities (NHI), working closely with the organization on product strategy. My focus is to ensure the Astrix security platform is built to address NHI risks while fitting enterprise security teams’ day-to-day practices and challenges. I also work as an NHI security evangelist with the marketing team to bring awareness of NHI security to the industry. Outside of Astrix I’m an active angel investor and participate in deal screens in my investment thesis areas of cyber, medical devices, cleantech, and media. I’m also active on several boards in private equity, healthcare, cyber, and media, among others. With my spare time I’m enrolled in a Professional Education program at MIT, working with some of the best researchers in the world on a product engineering, product design, and design thinking program that’s been a year-long commitment. So never a dull day.


Question 2 💭

You've led cybersecurity strategies at major brands like T-Mobile and McDonald's. What key principles have guided your approach to aligning security strategies with business objectives across these diverse organizations? How can startup founders bring these principles to their teams?

Answer 2 🎯

I have a master’s degree in entrepreneurship from the University of Texas at Austin. I also have been working with several international and domestic venture capital companies over the last fifteen years. I understand the challenges of the startup ecosystem very well. Having been the CSO/CISO for four major brands I’ve learned a lot about building strategy. Some of these lessons can certainly apply to startup founders.

Lesson one: there is strength in numbers; never attempt to do strategy in a black box on your own. Strategy is a team sport, and you need to include all your leaders in your planning and get feedback from partners, investors, and customers.

Lesson two: set stretchable goals. In order to create an amazing product you have to do things that others are not doing, which means setting goals that are not easy to obtain. If you obtain all your goals in the first year of your strategy then you weren’t ambitious enough. There is learning in failure.

Lesson three: connect the dots. Your strategy may be supporting a bigger strategy for a partner or customer. Have tangible outcomes in the strategy that show that support. Understand how your Objectives and Key Results (OKRs) make an impact on others. No strategy stands alone.


Question 3 💭

Throughout your career, you’ve overseen incident responses to various high-stakes situations. Can you share a particularly challenging incident and the key lessons learned from it?

Answer 3 🎯

Throughout my career I have been up close and personal to many tragic events. I was a consultant at Enron when it exploded before my very eyes. I participated in some diligence of MCI WorldCom as it went under. I had just started with a company and had to respond to the largest breach in telecom history. I can’t go into detail on any one event, yet I can point to some general principles in dealing with a crisis. The most important aspect in any crisis is communication. There has to be a communication plan for every level of your company: one that focuses on customers, one for partners/regulators, one for internal employees, and one for the executive team. In the middle of a major event the first thing to break down will be communication. You have to do some prep work with legal and compliance teams on how you will define containment of an event. In many cases operations may not be impacted, so customers won’t notice any changes in service, but that doesn’t mean you can state an event as contained. Ensure your incident response team has the support they need to do their jobs. That may be bringing in a third-party responder with more experience, assigning an incident commander to deal with politics, or establishing a war room as a central location for all operations teams so they’re not hunting for answers. The best thing any team can do is to continuously practice the plan. It is the only way to become competent at responding.


Question 4 💭

Privacy and cybersecurity are getting more intertwined, especially with all the new regulations popping up. How do you see these fields coming together, and what should companies be doing to stay compliant while keeping their security tight?

Answer 4 🎯

The saying goes there is no privacy without security, yet there can be security without privacy. There have been connections between these worlds since they evolved as formal disciplines in industry. Privacy controls support security outcomes on almost every level. Security is supported by privacy, which can bring rules and expectations of behavior to the table. In the last decade we’ve seen the connections with things like HIPAA, GLBA, GDPR, and state privacy laws. With many of these requirements for companies, security leaders are taking the bulk of responsibility. It is not uncommon for a CISO to also be the Privacy Officer. The connecting glue is the controls. Companies have to do a good job of understanding the necessary controls for their organization to meet the privacy rules and drive higher compliance with cybersecurity rules. At the center of most of these requirements is data. So CISOs should be putting a significant amount of their investment in data protection and protecting things that have access to that data. It is one of the hidden blind spots that I think Astrix does a great job of highlighting with its platform. Few security shops understand the machine-to-machine identities that are connecting to data. NHI issues related to data include service/process accounts, over-permissive API keys, and malicious OAuth apps. These have the potential to violate many privacy law expectations if not managed appropriately, so it’s an important aspect of a cyber program these days. We’ve seen the security issues with the recent attacks on the NY Times, Snowflake, Okta, and Microsoft.


Question 5 💭

Cybersecurity-as-a-Service (CSaaS) is becoming a go-to solution for many startups. How does this model benefit smaller, agile companies, and what aspects of CSaaS do you find most game-changing?

Answer 5 🎯

Look, XaaS is what fuels many startup companies. It is one of the killer features of cloud platforms to bring disparate services together to serve a company in ways it could never accomplish. CSaaS is particularly helpful for companies that can’t hire the expertise needed to secure their services. Being able to push XDR, IPS, next gen FW to a platform without having to own the infrastructure is game-changing for startups that would be slowed to a halt attempting to deploy these capabilities on their own. Speed is the name of the game, and being able to subscribe to what you need allows for startups to deliver to their customers a higher value and in some cases a lower cost. Of course, all of this has to be evaluated as things scale and the ROI can change rapidly at some transaction levels. Yet for a company getting started it is the only way to go if you don’t want to be in a hole from the very start.


Question 6 💭

You've managed cybersecurity across multiple global regions. Can you share an example where regional considerations significantly impacted your strategy and how you addressed those challenges?

Answer 6 🎯

I’ve been fortunate to see much of this world through my executive roles in the last twenty-five years. I’ve visited over thirty-two countries over this time. I’ve managed teams in every major region: EMEA, APJ, LATAM, and of course the U.S. When you manage a global organization you have to think globally. You no longer can just assume everyone will align to a U.S. way of thinking. I’ve had to deal with trying to get U.S.-based encryption solutions deployed in regions where there are specific laws limiting importing encryption technology. You need to be aware of those challenges and have solutions and alternatives that are flexible to local requirements. When you think of talent you need to have a good understanding of the university systems in countries to ensure you can have a healthy talent pool to address shifts in demand. Leaders also have to be aware of local customs and religious holidays so as not to offend team members, and be supportive of their lives outside the office. Being a global leader is a different kind of muscle than leaders that just have resources in the same city or time zone.


Question 7 💭

With cloud technologies being everywhere now, what are the top security concerns you see with cloud-focused startups, and how do you tackle them?

Answer 7 🎯

These days every startup is a cloud-based company. I honestly can’t think of a startup I’ve talked to in the last two years that didn’t start in the cloud. Of course there are significant benefits to leveraging resources on a cloud scale that would be tremendously difficult to build on your own. Some of the challenges come in the area of compatibility for some companies. Typically, companies will select one of the three big clouds (Azure, AWS, GCP) to be their footprint partner. Once that is done, most of the development work is focused on leveraging that cloud's resources. Eventually a startup will grow to connect with customers or partners that are on a different cloud, which will require an effort to port over capability or identify cost-effective ways of transferring data between clouds. Either way it is a resource-intensive effort for a startup to go through. It’s not dissimilar to the challenges you’ve seen in the mobile world, where app developers had to choose iOS or Android as a starting platform and figure out how to expand their footprint in the competing ecosystem. Startups should do thorough analysis of their potential customers and align as closely to their community as possible. At some point, when it’s time to expand the footprint, include this effort in the overall strategic plan. There are no quick fixes for this, as it will take different skill sets and investments to make the transition.


Question 8 💭

At Astrix Security, you're tackling the big issue of non-human identities. What are the critical components of a solid defense strategy for managing these identities, and how do you ensure continuous improvement in this area?

Answer 8 🎯

NHIs are the biggest blind spot in a cybersecurity program. It’s a blind spot that is becoming a favorite vehicle of threat actors as a point of entry and a method to move laterally through an environment. For every 1,000 human identities there are over 20,000 non-human identities (machine credentials). It doesn’t take much for that to break into the thousands or hundreds of thousands for a large-scale company. Think of that as having hundreds and thousands of opportunities for a threat actor to get into your environment, and you have to ensure that these non-human identities (NHIs) are always secure and protected from evolving threats in real time. How do you do that? Well, that’s why Astrix was created. The common threads that connect cloud and on-prem environments are APIs, service accounts, OAuth connections, and webhooks. To get control of this you have to do a thorough inventory of them all. This is the old challenge with asset management that has been with us since the expansion of computing. Not to mention the challenge with the growth in adopting third-party cloud services via SaaS platforms without involving operations. Without a good tool to do inventory, you’re stuck going through a manual process that will never be accurate or sustainable. Once you have that inventory you need to be able to account for the behavior of these accounts and notice when they could be potentially abused. There are some custom configurations with SIEM platforms that can be helpful, but because of the volume of change and the sprawl in areas like SaaS, PaaS, and IaaS it’s difficult to capture it all holistically. Then lastly you need real-time accountability with these types of accounts that are proactively configured. Having an alert fire off from a passive log is too late to prevent an incident. Astrix has been designed to address all these areas, which is why the company is seeing tremendous growth right now.
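The inventory-then-behavior approach Tim describes here, and the over-permissive API keys, service accounts and OAuth apps he names in Answer 4, are illustrated by the following added example. It is not Astrix's code or any vendor's product logic: a constructed NHI inventory is triaged against assumed policy thresholds (unused for 90 days, credential older than 180 days, wildcard or admin-level scopes, no accountable owner), and a few constructed activity events are checked against each identity's known-source baseline so that use from an unexpected source, or by an identity missing from the inventory, surfaces as an alert. All identity names, scopes, addresses, thresholds and events are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed reference date (the newsletter's date) so results are reproducible offline.
NOW = datetime(2024, 6, 18, tzinfo=timezone.utc)
# Assumed policy thresholds; tune these to your own standards.
STALE_AFTER = timedelta(days=90)      # unused this long -> candidate for removal
ROTATE_AFTER = timedelta(days=180)    # secret-bearing credentials older than this -> rotate
# Assumed markers of "broad" permission; real scope names vary by provider.
BROAD_SCOPES = {"*", "admin", "Directory.ReadWrite.All"}


@dataclass
class NHI:
    """One non-human identity: service account, API key, OAuth app, or webhook."""
    name: str
    kind: str                          # "service_account" | "api_key" | "oauth_app" | "webhook"
    owner: Optional[str]               # accountable team; None means orphaned
    created: datetime
    last_used: Optional[datetime]
    scopes: List[str]
    baseline_sources: List[str] = field(default_factory=list)  # IPs normally seen using it


def is_broad(scope: str) -> bool:
    """Wildcard or known admin-level scopes count as over-permissive."""
    return scope in BROAD_SCOPES or scope.endswith(":*")


def triage(nhi: NHI, now: datetime = NOW) -> List[str]:
    """Return the inventory findings for one identity (an empty list means clean)."""
    findings = []
    if nhi.owner is None:
        findings.append("orphaned: no accountable owner")
    if nhi.last_used is None or now - nhi.last_used > STALE_AFTER:
        findings.append(f"stale: unused for more than {STALE_AFTER.days} days")
    if nhi.kind in ("api_key", "service_account") and now - nhi.created > ROTATE_AFTER:
        findings.append(f"rotation overdue: credential older than {ROTATE_AFTER.days} days")
    broad = [s for s in nhi.scopes if is_broad(s)]
    if broad:
        findings.append("over-permissive: broad scopes " + ", ".join(broad))
    return findings


def triage_inventory(inventory: List[NHI], now: datetime = NOW) -> Dict[str, List[str]]:
    """Findings per identity name for the whole inventory."""
    return {nhi.name: triage(nhi, now) for nhi in inventory}


def build_index(inventory: List[NHI]) -> Dict[str, NHI]:
    return {nhi.name: nhi for nhi in inventory}


def anomalous_activity(index: Dict[str, NHI], events: List[dict]) -> List[str]:
    """Behavioral check: activity by an identity not in inventory, or from a source outside its baseline."""
    alerts = []
    for ev in events:
        nhi = index.get(ev["identity"])
        if nhi is None:
            alerts.append(f"{ev['ts']} unknown identity '{ev['identity']}' performed {ev['action']}")
        elif ev["source"] not in nhi.baseline_sources:
            alerts.append(f"{ev['ts']} '{ev['identity']}' used from unexpected source {ev['source']}")
    return alerts


# Constructed sample inventory (hypothetical names and values).
SAMPLE_INVENTORY = [
    NHI("svc-payments", "service_account", "payments-team",
        NOW - timedelta(days=400), NOW - timedelta(days=1), ["db:read", "db:write"], ["10.0.1.5"]),
    NHI("ci-deploy-key", "api_key", None,
        NOW - timedelta(days=300), NOW - timedelta(days=200), ["iam:*"], ["10.0.9.1"]),
    NHI("crm-sync-app", "oauth_app", "sales-ops",
        NOW - timedelta(days=10), NOW - timedelta(days=2), ["Directory.ReadWrite.All"], ["203.0.113.7"]),
    NHI("slack-alerts-hook", "webhook", "secops",
        NOW - timedelta(days=60), NOW - timedelta(days=3), ["chat:write"], ["198.51.100.4"]),
]

# Constructed sample activity events, as if normalized from cloud audit logs.
SAMPLE_EVENTS = [
    {"ts": "2024-06-17T09:00:00Z", "identity": "svc-payments", "source": "10.0.1.5", "action": "db:read"},
    {"ts": "2024-06-17T09:05:00Z", "identity": "svc-payments", "source": "198.51.100.77", "action": "db:read"},
    {"ts": "2024-06-17T09:10:00Z", "identity": "legacy-export-key", "source": "10.0.3.3", "action": "storage:list"},
]

if __name__ == "__main__":
    for name, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", findings or ["clean"])
    for alert in anomalous_activity(build_index(SAMPLE_INVENTORY), SAMPLE_EVENTS):
        print("ALERT", alert)
```

On the sample data the orphaned, long-unused, wildcard-scoped API key collects every finding, the OAuth app is flagged only for its directory-wide scope, and the webhook is clean; the activity check raises one alert for the service account acting from an address outside its baseline and one for an identity that never appeared in the inventory at all, which is the gap an inventory-first program is meant to close.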


Question 9 💭

You've seen a lot of companies, especially startups, struggle with cybersecurity maturity. What are the most common pitfalls you notice, and how do you help these organizations build a solid security posture?

Answer 9 🎯

Well, it starts with having a foundation of what good security looks like for your company. You can gather an understanding of that from the various frameworks that are available today. NIST CSF, CIS Controls, OWASP, and many others will give you a baseline of what good looks like. Once you’ve evaluated yourself, you can begin to understand what is most important to focus on and how you get to a level of posture management that is right for the company. Many companies try to skip the hard work and think they can buy a tool to solve all their problems, or put too much weight into a single vulnerability assessment. These singular efforts can be misleading. A good practitioner will assess the entire environment, internal to external, and determine what gaps they have in the framework they choose. Then they will do a thorough intrusion kill chain prevention assessment to determine threat actor gaps, which will lead them to the correct areas to prioritize their cybersecurity posture.


Question 10 💭

Looking ahead, what emerging trends or technologies do you think will shake up the cybersecurity world the most, especially for startups? And how is Astrix Security getting ready to integrate these advancements into its services?

Answer 10 🎯

Right now we are at the foot of a technology revolution, with generative A.I. (Gen A.I.) filtering into every aspect of our lives. Companies are still in the early stages of seeing how Gen A.I. will translate into competitive advantages for them, and the cybersecurity industry is determining how it can make sure companies do this securely. I speak to many companies that have an A.I.-type twist or story, but few have anything that I see as disruptive enough to be unique. It’s very much a me-too overtone with everyone’s messaging. I do expect that to change as the technology matures and the ability to get more personalized with the results evolves. I’m excited about what that means for the cybersecurity industry, as most of what you see in the threat intel or security operations space is about generating reports with minimal insights.

I expect to see maturity in driving real-time decision making to actually turn the table on what threat actors do so easily today. In the near future platforms will determine an employee account is compromised in real time and take defensive actions before an event escalates to an incident. Astrix is well on its way to leveraging A.I. and ML capability in the NHI space. What Astrix is already gathering on token authentication manipulation, MFA bypass on machine-to-machine connections, and secrets abuse will be fed into new models that will be the real-time protection mechanism of the connected fiber of companies. It’s a necessary transformation considering how A.I. will expand app-to-app, service-to-service, and machine-to-machine connectivity for enterprises.

Latest AWS and Azure Updates You Don’t Want to Miss

  1. Amazon Q Developer is now generally available
  2. Custom Model Import for Amazon Bedrock
  3. Amazon Titan Image Generator model in Amazon Bedrock now generally available
  4. Added support for Azure Monitor log search alert rules in Resource Health
  5. Log search alert rules using linked storage will require using a managed identity starting July 2024

Top Articles and Resources of the Week

Articles

  1. How Fortinet’s Lacework buy boosts cloud security, rivals Cisco, Palo Alto Networks
  2. Game on, hackers off: the evolution of cloud security in PlayStation gaming
  3. A CISO game plan for cloud security
  4. For AI national security, improve but don’t isolate cyber infrastructure
  5. ERP, AI, And The Evolving Cybersecurity Landscape

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.