Being Better: Solving Today’s Infrastructure Security Challenges with Better’s CISO

Modern infrastructure security isn’t easy - you’re faced with constantly evolving threats, changes to compliance guidelines, and understanding how new technologies can help you keep up.

That’s why StrongDM’s CTO and co-founder, Justin McCarthy, sat down with Ali Khan, Chief Information Security Officer at Better, to discuss everything from artificial intelligence and machine learning’s role in a next-gen approach to alert fatigue, workstation hygiene, and security, to NYDFS amendments and their impact on InfoSec teams, and best practices for secrets management in a cloud-first world.

Artificial Intelligence & Machine Learning’s Role in Alert Fatigue

As with any business in the mortgage industry, Better is faced with the challenge of addressing constant attempts on their security. As you’d expect, with these attacks increasing exponentially year after year, and with that increase, there comes a fair share of alert fatigue. How do you know which attacks are real, if the red light is blinking all the time? That’s why Better is taking a hybrid approach at managing alert fatigue—internal resources supported by third-party vendors.

With a team of about twenty or so employees managing security, dealing with a constant influx of daily alerts from their millions of clients would quickly wear out any team. By leaning on third-party vendors, Better is able to more successfully automate their alert process. These vendors assess alerts before Better’s team reviews them.

This approach then enables Better to be selective on the types of automation they use to further help take some of the pressures of alert fatigue off the backs of their teams.

Having this kind of flexibility and by working with third-party providers, Better can focus its energy on developing the experience level of their security engineers and end-users. Given that the company cleared $20 billion in revenue last year, it’s imperative that professionals are on the ground, and able to step in and speak to end-users when things pop up.

“We want to subscribe to tooling that we believe is right for us as a company, not tooling that is mandated to us by a third party partner.” - Ali Khan, CISO at Better

Workstation Hygiene and Security

Ali and Justin went on to chat further about Better’s relationship with workstation hygiene and their network layer security as a remote work environment.

Key Takeaways:

• Endpoints represent a new challenge. With fewer and fewer employees in the office, it’s become increasingly difficult to manage endpoints. Since you can’t lock endpoints behind a firewall as you would in an on-prem environment, every endpoint is a risk. This led Better to shift gears and focus more on trying to eliminate the risks associated with endpoint security. Ali mentioned, “Endpoint protection and security are top of mind for us. We have tools [...] like StrongDM to help isolate and manage traffic and access to certain resources. That’s a big thing on our mind.”
• Different devices require different tools. Like endpoint security, device management in a remote cloud environment creates a host of challenges. Better’s main focus on this front has been working to maintain a clean and consistent process for device management across the board. With remote work as the new normal, there’s a whole new level of work required to keep their workstations as minimal as possible.
• Remote work calls for a new approach. Better’s largest onboarding group during COVID was about 500 people. With a group that size, you’re probably thinking, “How can someone reasonably manage all of that?” Well, Better has managed this by concentrating the effort of three separate hubs to distribute workstations and redeveloped their whole process around working from home.

Keeping your sights on the security of endpoints while making sure you’re practicing proper workstation and device management is paramount when working in a remote environment.

NYDFS Amendments and InfoSec Teams

Eventually, all financial instruments will flow through the New York Department of Financial Services at some point. As such, these instruments are directly affected by new amendments and changes to regulations. Since the recent release of new amendments, Better has recognized a shift in the way governmental bodies are paying attention to security. Ali said, “[Regulatory bodies] are becoming much more aggressive in enforcing [regulations] and making companies, in turn, reevaluate what real risk is [out] there.”

While previous NYDFS amendments were far more generalized in the way they tackled security regulations, recent DFS amendments now take a prescriptive approach, providing specific rules for password lengths and refined definitions of what true two-factor authentication really means. This new direction shows us that security is a real issue that can’t be ignored. Governments are right to begin taking a look at it in a much more serious way.

Secrets Management in a Cloud-First Environment

When it comes to secrets management, Better takes a streamlined approach. When chatting with Justin, Ali mentioned that Better only enforces password rotation for service accounts, not for users. Instead, they aim to keep passwords for as long as they can until they’re proven to be compromised. Keeping the consistency of secrets presents a challenge when moving from local or on-prem networks to remote or even cloud environments. By putting a heavier emphasis on the complexity of passwords and mandatory multi-factor authentication for users, Better more easily segments and manages their production of secrets.

📢 You may also like, StrongDM Works With Your Secrets Manager

Miss the webinar? It’s on-demand!

To check out the full webinar, it’s available on-demand.

If you’re looking to better manage your infrastructure in a remote environment, you can try a 14 day free trial of StrongDM today.