
CISO Perspectives: Eric Richard, HubSpot


Our CEO, Matt Caulfield, recently sat down with Eric Richard, CISO at HubSpot. Eric spoke about his challenges, career path to becoming a CISO, why water balloons are like security, and advice for retaining security talent.

Matt: Tell me a bit about your background and journey to CISO.

Eric: I've taken a very non-traditional path to becoming a CISO. I'm a VP of Engineering and I have spent my entire career running engineering teams creating software products.

I joined HubSpot 9 years ago when there were about 500 employees, and for the first six years focused on leading the engineering and product teams.

In my past roles I've always had an interest in security, and even had some security functions report to me. But this is the first time I’ve taken on the CISO title.

Although it’s considered non-traditional, I actually think there’s a lot of benefits coming from an engineering background – especially at a software company. It’s really helped me with threat modeling: I’m in a position where I know where we keep the crown jewels and the data that attackers are after.

Matt: What are your biggest challenges today?

Eric: The biggest challenge today is around MFA. It’s extremely difficult and challenging to get to truly unphishable 2FA. I don't want to rely on passwords that are stealable. Instead, I want to have mandatory, phish-resistant MFA, ideally tied to something you own and something you are.

I want phish-resistant MFA across all the devices that people log in from. Right now, it's challenging to get that. The current solutions that are out there don’t offer this, especially in a way where the user experience for our users is good.

We're finding that we can get 95% coverage but that five percent is still dangerous to not have it. It's a dangerous world and we know that bad actors are out there conducting phishing attacks against us all of the time.

Matt: How has the world of remote work changed your job?

Eric: The world we’re protecting now is very different to that of three years ago. Back then, when most of our employees came into the office, enormous amounts of effort went into our firewall and protecting our office network.

The edge of our network is probably getting attacked, you know, a bazillion times every single day. And the sophistication of those attacks and the ability for those attacks to get through is pretty low. Obviously, when you have things like Log4J things get interesting pretty fast, but I can’t remember the last time one of those sorts of attacks actually turned into something substantial.

Now, 80 to 90% of our employees are not in the office on any given day. We have had to move all of those traditional protections to the endpoint.

Attackers have now shifted to attack the employees and their devices.

So the first thing that I'm super focused on is protecting employee accounts, which are absolutely being targeted regularly. And as we know, humans are the weak spot in any security system. I'm always going to have some people who are gonna be tricked, but we’re getting pretty good at securing this side of things.


If attackers can’t trick users into giving them credentials and getting through MFA, the next obvious step is to trick them into installing software. This is often on their mobile devices. So the next obvious theme is device protection.

Finally, it’s one thing preventing someone from getting in from the outside, but what if they're inside? And how do you handle that? I think that's a whole new challenge that is the next journey we’re trying to go on.

Security is like a water balloon. If you squeeze one side, it just pushes water to the other. We’re never gonna say we're perfect but are the walls around the castle high enough that it pushes attackers to the next vector. The path of least resistance.

Matt: Should IAM sit under IT or Security?

Eric: I can tell you that we have an incredibly tight relationship between our IT and security team as it comes to IAM. The line that we've drawn is that IT can own the operations of IAM. For policy decisions around IAM, security is heavily heavily influencing–if not deciding.

For example, one of the things that we've been spending a lot of time on over the last year is asking which of our applications users have access to and from which devices? That's a policy question and sits with security. IT then helps to go and execute on making those changes, and that sort of relationship is the right one.

Our security team has been incredibly involved in questions like what sorts of 2FA should we have? How do you want to make it so things aren't phishable?

You can't see organizational boundaries. It’s just two teams working together.

When employees are terminated, all their company accounts–including Salesforce–should be deprovisioned. Unfortunately, the reality is that there are often discrepancies between what is in the HR directory and identities in Salesforce.

Matt: How do you make cyber security a board-level issue?

Eric: When something makes the news, for better or for worse, it obviously draws attention from the Board. If you look at the 0ktapus attacks from last year, all of those hundreds of companies are very recognizable. This makes it very relatable and ensures cybersecurity is not a strange, esoteric and theoretical conversation. I can then show the executive team how our employees are being attacked by similar techniques and similar actors.

The new SEC rules that are going into place around cyber security will also have a very interesting effect. Boards will be much more interested in this than they might have been in the past. I’m fortunate that the Board here is already really interested in cybersecurity, so this extends that further. People asking harder questions, challenging and pushing is going to result in better cyber security over time.

Matt: How do you go about attracting and retaining security talent?

Eric: Retaining strong security talent is critical. I am by no means the strongest technical security practitioner in our team. By no means.

But I think this actually is why my background from engineering actually might be more applicable than a traditional CISO. Engineers love problems. They love puzzles. Almost everyone in my team is like that. They see the work as puzzles, interesting, and challenging. We have people in our security team who transfer from our product and engineering team and vice versa.

For me, the other most important thing I can do is make sure they know that what they’re doing is important. They have to believe this. Can they wrap their head around this really exciting and challenging problem that will have a meaningful difference to the company if they succeed?

In terms of attracting talent, I think it's probably very different depending on the stage of the company. For us, I tend to talk to people about how we are evolving our security program to meet the needs of a larger company. This is where HubSpot is at: we used to be a much smaller company and the security program that we had then might have been right for that size of the company, but now we're a much larger company.

So some folks are attracted by the idea of helping the company grow up and transform it from one piece to the other. They understand where you're at and they understand what things have to change to get there and what might be different from other types of companies. Fortunately, there’s a group of people who see those as exciting challenges.

Matt: What advice would you give to yourself when you were first starting out? Any good books or resources?

Eric: It really is making sure that I understand the fundamentals. A lot of it is also being able to articulate that to our Board and Executive Team with that in mind.

Years ago, I went through the CISSP certification process and I think that gives you just a broad general understanding of things. We’ve also leaned heavily into the Center for Internet Security CIS Controls.

I’d also encourage you to find really good stories about just what's going on. I'm a big fan of following Krebs on Security and everything that he publishes. There's always interesting stuff going on in there.

My favorites are Kevin Mitnick's book Ghost in the Wires, Katie Hafner’s CYBERPUNK, Cliff Stoll’s The Cuckoo's Egg, and Takedown.