[Interview] Mushegh Hakhinian, Intralinks: "In information security, there is rarely a dull day"

Mushegh Hakhinian defcamp 2018

If there any company executives that don’t share this opinion, then they must’ve not watched the news in the past year. Or week. Or day.

You cannot engineer sustainable growth without a security-first mindset. Not in 2018 and beyond.

That is why some of those who learned this lesson early, made it their mission to provide other companies with the tools and processes they need to develop. Not only that, but they built it with security at heart.
Intralinks is one of those companies.
Established in 1996 (while some of us were in third grade, we won’t’ say who), Intralinks is a fintech that builds cloud-based solutions for complex, geographically distributed companies that you’d most likely love to work on securing. That’s why we’re excited to have them as one of our awesome partners for DefCamp 2018!
Because sharing is such an important staple of the infosec industry, we talked to Mushegh Hakhinian, Security Architect at Intralinks, to get more specifics about what it’s like to work on these tools and solutions.
With so many data breaches and new legislation trying to curb them, Information Rights Management popped up right at the beginning of the interview:

We provide business process automation services to facilitate information exchange for collaboration over high value/regulated data in and outside corporate firewalls.
It can be boiled down to allowing secure exchange of unstructured data but brings with it some good security hygiene benefits.

Because this is one of the most interesting infosec challenges that they’re helping companies deal with currently, Mushegh mentioned the key layer of transparency in building trust:

All operations over data are auditable, so customers can keep track of who had access to which files at any point in time and who actually has opened the files, how many times etc.
Using Intralinks IRM technology – data owners can maintain control over data even after sharing – sending over to people outside their own IT control. That data can be digitally shredded or “unshared” at any point in time.

Given that Intralinks serves 99% of Fortune 1000 users, you can imagine why this is a business priority.

Another focal point on that list: insider threats.

Mushegh called them “one of the most challenging issues to enumerate and address”. As I’m sure you know, the challenge is made more difficult by the widespread adoption of cloud computing.

In cloud computing, the insider risks of cloud providers become the customer’s risks to manage.

Even so, the team at Intralinks works to mitigate insider threats by executing on a strategy they’ve tested with their clients in a huge range of scenarios.

We have implemented a rich set of technical controls to address these risks:

  • Strict, auditable access controls
  • Encrypting customer data in transit both over public and our private networks
  • De-valuing data before storage by encrypting databases and individual files,
  • And giving customers control over encryption key management, to name a few.

Even after that – customers need a way to verify that cryptographic controls are properly implemented. For that reason, we not only hire third-party auditors to test our policies, procedures, and controls, but we also give our customers the right to audit, so they can use their own subject matter experts to assess our security.

A trust-based relationship is essential in cybersecurity, so transparency is a valuable way to build it. In fact, trust is a keyword for another key component in the work Mushegh and the rest of the Intralinks do. Especially when it comes to threat modeling.

Threat modeling is a pattern that allows engineering teams to understand trust boundaries between major components, anticipate all external threats and enumerate necessary controls to address known threats while enumerating what is an acceptable and unacceptable risk to the company.
Understanding the risk within the individual components of a complex system and how they relate allow teams to focus on the most beneficial security improvements first.

While doing such an in-depth review, the question infosec professionals are still presented with, even though not always articulated, is: how do you balance agility with robust security?

It is important to have a reasonable granularity of models, so agility is not affected. That comes with experience and training. Every scrum team has such individual, who is available to help with threat modeling and teach others to become effective at this task.
We treat threat modeling not as a one-time deal, but as a mechanism to document the continuous improvement of our understanding and way of addressing threats pertaining to different subsystems. The first model may take some time, but by allowing for early identification of security controls, it saves time and money down the line.

The Intralinks team sure has plenty of training and experience. Here’s a great statistic from their portfolio: since 2014, they’ve done 280+ customer-led security audits and penetration tests. If that doesn’t paint a high learning curve, I don’t know what does!
A crucial element for success during this process is: “listening to the customer and understanding their objectives […]”.
Mushegh mentioned that this ”is essential to providing services across diverse security requirements landscape at the high end of the spectrum.”
If you’d be interested in working with a team like Intralinks, here are some valuable tips Mushegh shared:

It is very important to know existing industry standards for basic security controls such as authentication, authorization and session management. Working knowledge of cryptography and different implementation technologies of it is a huge plus.

Speaking of hot topics, I couldn’t help to ask Mushegh about process automation. I was curious to better understand which risks it eliminates and which it adds to the monitoring list. Here’s what he replied:

Automation is essential in enforcing our Secure Development Lifecycle across all teams at a micro-service level.
There are security gates in the build pipeline that will fail builds if certain thresholds are not met. It eliminates a large number of coding and open source software licensing risks. It can address vulnerability management risks, as well as establish if tools that identify components with published vulnerabilities are used.

To wrap things up, Mushegh shared an exciting project he and his colleagues are working on:

In information security, there is rarely a dull day.
One current project I would single out is our attack modeling activities, where we use our internal knowledge of how the applications are engineered and deployed to build test cases with actual attacks.

If you enjoyed this interview, know there’s a lot more coming to you at DefCamp #9, so book your ticket for November 8 and 9!
This interview was made by Andra Zaharia. You can get in touch with her on LinkedIn or say hi on Twitter.
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..