Phil Lieberman is a teacher, a writer, an entrepreneur and last, but not least, a programmer. This unassuming gentleman is equally adept at providing technical explanations as he is at breaking things down into laymen’s terms.
He is also the founder and chief executive of a small, privately held software and security company that bears his own name. But Lieberman Software, with its 40 employees based in Los Angeles and Austin, Texas, claims among its clients some of America’s largest private and public sector organizations, including the Department of Homeland Security, the Department of Defense, in addition to a number of credit card issuers, numerous intelligence agencies...and the list goes on.
It’s a list that the company’s CEO is only too happy to relay.
Tell Me About Your Company
Phil Lieberman was kind enough to lay down, in figurative terms, on the Infosecurity couch and spill all the details. Lieberman Software started as a consulting company in 1978, and has since migrated into developing Windows and cross-platform security tools. The company’s background has been in finding solutions to problems brought to Lieberman by its customers.
Offerings include password management solutions sold internationally, such as password synchronization, self-service password resets, and mass management security tools. Before the turn of the 21st century, many of Lieberman Software’s customers came to the company looking for a solution to manage local administrator accounts on all of their machines.
Lieberman’s first security product debuted in 1998, and the company’s entree into the security field began in earnest.
Where is Lieberman Software Heading?
Since 2000, Phil Lieberman has observed an interesting phenomenon within the industry – one that has accelerated since the ramp up of virtualization. “We are starting to see a situation where companies have so many machines in their environment that they no longer know what they have – they don’t know what accounts they have, they don’t know how those accounts were being used.”
Complicating this trend are regulations that require companies to verify their accounts, change passwords regularly, and enforce segregation of duties over specific user accounts. It’s a problem Lieberman Software was seeking to address with its latest product being demoed on the Infosecurity Europe show floor last month in London.
“The ability to retrieve, or discover, all this undiscovered information” is the problem Phil Lieberman and his company are attacking now. “Its auto correlation that finds out not only what’s out there, but how it’s being used in real time.”
It’s an account management system that seeks to ease the lack of identity management in SIEM systems, Lieberman claims, and one that can help address the problems of long-term insider attacks, whether intentional or unintentional.
“The challenge we have is that, with SIEM systems, they were never built for identity management”, Lieberman says. “Identity management is not one of its core components.”
Then the company co-founder and CEO was asked bluntly: “What problems does Lieberman Software attempt to identify and solve?”
“Too many people having too much access to too many systems, for too long, for no reason”, he fires back.
“IT admins like to share information and never change passwords, so they put everything on a spreadsheet. They then share that spreadsheet and never change the passwords, and they like it that way.” The underlying tone in Lieberman’s voice is that this status quo creates a huge security risk.
“We solve that problem – we get rid of all knowledge in people’s heads, we get rid of all spreadsheets”, he adds. “So we take the problem of managing passwords from other privileged accounts and we make it easy.”
Security’s Cultural Divide
The topic of conversation then shifts to insider threats, and specifically whether or not the ‘insider’ is more dangerous than the external hacker. The discussion then takes a more philosophical tone, as Phil Lieberman outlines the difference between attitudes in Europe versus the US.
Lieberman believes solutions to insider threats tend to be more behavioral-based than rooted in technology, adding that many organizations do not have a true appreciation for what the term ‘insider threat’ really means.
“In Europe, since they have so much respect for the individual, they believe there is so much honor within the individual and there is no insider threat problem here”, which is a nod to the fact that he is one of two Americans sitting on either side of a table in London discussing the cultural differences between the two sides of the Atlantic.
Americans, on the other hand, tend to be a bit more skeptical of those around them, a point on which both Lieberman and myself agree.
“I try to explain that insider threat does not mean that a person is malicious”, Lieberman continues. “It simply means that the machine they are working on, if it gets compromised, can become a vector for attacking the rest of the system.”
But beyond the cultural differences, or notions of insider threats, Lieberman contends many organizations’ security strategies are flawed, and he has no problem providing a list of technologies he thinks are utterly useless in today’s environment. Among them: anti-virus, anti-malware, intrusion detection systems (IDS), and data loss prevention (DLP) technologies.
“Firewalls work”, he proclaims, but only until a machine within your network is compromised.
“We see companies that would rather pay fines than fix their security problems”, Lieberman laments. To these organizations, he believes, it is simply the cost of doing business. In order to fix these security problems, Lieberman continues, organizations must change their culture. “Fixing culture is hard”, he acknowledges, “but paying a fine is easy”.
After being candid with his responses throughout our time together, Lieberman gives a few final pieces of sage-like advice for organizational security in the face of today’s threats: “Understand that you are going to be compromised, and plan for it. Ask ‘what you are going to do to limit it?’ Compartmentalize information – don’t put everything in one giant database. Security and convenience are not compatible with each other. That does not mean that security has to be inconvenient, it just means you need to use your brain and assume bad things will happen.”