Welcome everyone. Today's webinar is on mitigating identity-related breaches in the era of digital transformation. I'm John Tolbert from KuppingerCole, and joining me today is Steven Cox, vice president and chief security architect from SecureAuth. So before we begin, a little bit about us: KuppingerCole was founded in 2004. We're an independent analyst firm with offices around the globe. We offer vendor-neutral guidance, technical expertise, and thought leadership.
We support lots of different kinds of organizations: end-user organizations in many different industries, as well as system integrators and software vendors with their product roadmaps. We specialize in information and cybersecurity and identity management types of topics, with some GRC and anything around the digital transformation.
We have three major business areas. Research: we write research on all the major IAM, cybersecurity and information security topics. We're vendor neutral, so we can provide objective advice and stay up to date.
We also do events like this webinar, as well as conferences, and here we cover all the relevant and leading-edge topics. The conferences are really good networking opportunities where you can meet the experts. And then advisory. By advisory, we mean high-level consulting, not staff augmentation or doing implementations, but helping end-user organizations do RFP shortlisting or helping with the product roadmaps for vendors. A little bit more about the advisory: we offer some standard services, benchmarking and optimization, comparing where you are against the rest of the industry.
High-level project guidance, strategy support, helping you to develop your technology, security and IAM strategies, as well as detailed architecture and technology support.
And about our conferences: we have the big EIC, the European Identity and Cloud Conference, coming up in May in Munich.
We'll also have several other events later this year: Blockchain Enterprise Days and Digital Finance World in Frankfurt, Consumer Identity in Seattle in September and Amsterdam in October, the Cyber Next Summit in Washington, DC in October, and the Cybersecurity Leadership Summit and Cyber Access Summit in Berlin in November. So about the webinar itself: everybody's muted. You don't have to mute or unmute yourself; we'll take care of that. The webinar is recorded and the recording should be available tomorrow. And then we'll do Q&A.
At the end, you'll see a blank or a tab in the GoToWebinar control panel. You can enter questions in there at any time, and we'll take those at the end.
So I'll start off and talk about adaptive authentication and then go over the results from the Leadership Compass I published on adaptive authentication, I think back in about September or October of last year, so it's pretty fresh. And then Steven will take over and talk about risk analysis and adaptive authentication.
So looking at the need for adaptive authentication, probably one of the primary drivers for it is as a way to combat cybercrime. In 2015, the global cost was estimated at a staggering 3 trillion, and it's estimated to grow to 6 trillion by 2021, which, just to put it in perspective, is about the size of the GDP of Japan. Unauthorized access to accounts accounts for 11% of those breaches, and that increases annually. There are four major kinds of fraud
we want to look at today: compromised credentials, probably the easiest thing to think of there as a stolen password or guessed password; insider error or fraud,
that's probably one of the more traditional kinds of fraud you might think of; but also account takeover and new account fraud. On account takeover, the problem there is with phishing emails trying to get access to people's credentials, getting them to come to a fraudulent webpage and give up information so that the bad guys can grab hold of that and get money. But new account fraud is absolutely huge too.
Some of the IAM vendors have said in the recent past that, I think, it's one out of every 29 attempts to register a new account that is legitimate with a real user behind it. The others are bots or some sort of fraud. So the numbers are mind-boggling, how much malicious activity is taking place online or trying to take place.
So definition-wise, adaptive authentication: let's put policies around what kinds of authenticators should be used for what kinds of use cases. It also includes authorization.
Maybe you've authenticated, but maybe you want to do something like transfer a large sum of money to someone else. In a case like that, it often gets referred to as step-up authentication, but really it's an authorization event. The inclusion of threat and fraud intelligence in these risk decisions is very important: known patterns of fraudulent activity, or being able to block, let's say, known bad URLs or IP addresses, which change extremely frequently. We want to be able to do runtime or transaction-time risk analysis on every transaction.
It should also tie into identity governance and lifecycle management. If somebody's left the company, let's think in a B2E kind of use case, they should be deprovisioned and their access cut off. And then interoperability with other security services such as SIEM or security analytics: if you've got an authentication or IAM system, it really needs to be plumbed into your overall security infrastructure.
So adaptive authentication is also really about authenticator choices. On the top left, we've all seen passwords for decades. We're all tired of them.
We know that they're a huge risk. If you look at the Verizon Data Breach Investigations Report, it's always a significant percentage, 70 or 80% of breaches start that way.
But then there's knowledge-based authentication, or security questions. That's even worse, because a lot of the information behind the questions they typically ask is available online: where were you born, or mother's maiden name, things like that. Not really suitable for any form of authentication.
Then we see things like smart cards, biometrics, USB keys. Those are great for strong authentication, and they're pretty easy to deploy, let's say smart cards or USB keys for B2E, business-to-employee, kinds of use cases; a little less common of course with consumer-facing cases. And then there are social logins. And then there's a real strong emphasis these days on mobile, and here you see an example of SMS OTP or some sort of mobile application for authentication.
The trends we see are towards stronger authentication, again with an emphasis on mobile, sometimes social for B2C, business-to-consumer, use cases. Last year I did learn of one B2E case that allowed people to log in with their social network credentials, but that's very uncommon. And then risk-adaptive: taking those different factors into account at runtime and continuously.
So we'll look at those in a little more detail. On the mobile side, we're pretty familiar with SMS OTP; even though it's been deprecated by NIST, a lot of online services use that, and many banks still use it. Mobile push notifications:
I think of that as the authorization use case where you're trying to do a high-value transaction, and you get a pop-up to acknowledge it on your phone.
Many of the risk-adaptive authentication solution providers write SDKs that allow their customers to create secure mobile apps, and the most secure options here are those that allow the GlobalPlatform Trusted Execution Environment and secure elements for Android, or make use of the Secure Enclave for key storage on iOS. And for mobile biometrics, I think there are two major categories here: there are the device-native Touch ID and Face ID on Apple, Samsung fingerprint, and others like that, things that are directly integrated with the device itself.
It's very common now for some of the more sophisticated risk-adaptive authentication solutions to support those. There are also third-party mobile biometric makers like Daon, Nok Nok Labs, Sensory, and most of these are now using FIDO, Fast Identity Online. The mobile spec is UAF, and FIDO2 has also been out now, and there are about, I think, 50 or more products that are FIDO2 certified. That allows for some standardization on how the biometrics can be used and also enhances security and privacy with the pairwise key connections there.
So why is mobile important?
Well, we define strong authentication as two or more of something you have, something you know, and something you are. So mobile with, let's say, just entering a PIN covers something you have and something you know, and something you are and have is mobile plus biometric. Social logins: everyone's probably familiar with these, the different social network providers. On the good side, they're based on standards like OpenID Connect (OIDC), and they can be used for registration.
In some cases it allows you to select which attributes you want to pass. On consumer-facing examples, easy to use; not really used that much for B2E. Most vendors are reporting that the use of social logins has been down a bit, probably with all the news in the last year or so. Factors that can be evaluated:
These, I think, are some of the most important things that you would want to build into your policies for risk-adaptive authentication. Geolocation: where is the request originating from? Geo-velocity:
By that I mean you shouldn't be able to log in from Chile and then turn around an hour later and log in from China. That's kind of a basic thing, and it was surprising in doing the Leadership Compass research that not all the vendors have that capability baked in yet. Geofencing, time of day or week, device ID or fingerprint:
It could be a built-in device ID, or it could be a fingerprinting method that the risk-adaptive authentication solution has. Device health assessment: that could be making sure that your devices are patched. Are they running some sort of endpoint anti-malware?
And if so, is it up to date? Are the requests coming from known bad IPs or networks? User attributes, user history, behavioral analysis, increasingly important: trying to put the current request in the context of past behavior and see if it fits within the baseline. And then other things around the device, known compromised credential checks: think of that as checking Have I Been Pwned to see if the credential that's being presented is known to have been breached somewhere before. And then patterns of fraud activity.
I thought I'd show this as just a few different scenarios of how risk-adaptive authentication works. So let's just start at the top, and let's say this is a business-to-employee kind of use case. Somebody's logged in with their smart card. They want to look at the company financials. The policy associated with that resource says you need an authentication assurance level of 80 or more to get into it. When it's evaluated,
we see, well, the smart card's actually equal to 90, so there's no additional action required and they're allowed to look at it. But then let's say use case number two: maybe the employee's just logged in with username and password, but they're trying to work on employee PII, maybe they're in HR or something. And the risk policy says you've got to have a 50 or greater authentication assurance level.
Well, a user ID and password is really weak, only 10. So let's use the mobile app authenticator.
And if that passes, then they can get access to their HR data.
Or just one more: let's say you've logged in internally with a Kerberos ticket. You're trying to get access to some trade secret.
The policy says you've got to have an 85 or better assurance level; a Kerberos ticket may only be equal to 60. So it's going to ask you to use your USB key to get in to look at the trade secret information.
And again, these are just samples of what you can do with risk-based adaptive authentication. There's a lot of flexibility in most of these solutions, where you can define pretty granularly what level of authentication assurance is required, and then write policies as to what action will be required, what kind of step-up authentication or authorization might be required to allow the transaction to go forward. Continuous authentication is just applying these risk-adaptive techniques over time.
So maybe you start off and really want to verify that the correct user is behind the device in the beginning, but as time goes on, you can reduce friction for the user and just look at these different risk factors and not necessarily force another step-up or another authentication event, unless there are major environmental changes: maybe they change location, or maybe you're doing user behavioral analysis and you notice something kind of anomalous.
Then you might introduce friction and require some secondary authentication, but once the behavior returns to normal, then you sort of stay out of the user's way. And you just look at all these factors and make risk-based decisions as you go in an automated way.
So about the Leadership Compass itself, I thought I'd start off with a little discussion of the methodology and what we look at. So this one was again on adaptive authentication, on-premises solutions. We start off by identifying the criteria that we want to evaluate.
And then, also looking for the vendors, we write a big technical questionnaire with lots and lots of questions and send it out, inviting the vendors to participate. We get their answers back, objectively score them, talk to the vendor, and also interview active customers. Then we prepare those ratings and write the report.
There are nine major areas that we look at when we do Leadership Compasses. Security is the first one.
And by this I mean internal product or service security. This might include things like: can you require the system administrator to use multi-factor authentication to get in and administer the system? Does it support role-based administration or delegated administration? Are all the major data structures encrypted?
So we look at how secure the product itself is. Functionality is pretty self-explanatory: does it have all the functions that we would expect a product in this space to have? Usability: we look at both the end-user side of it as well as the administrative user side of it.
How hard is it to administer, as well as how hard is it to use? Integration pertains to how well it integrates with other products in its own suite. Interoperability is how well it works with other products in the space, products from other vendors. This is where standards support gets to be pretty important.
And then innovation: are the products taking customer requests and keeping up with the technology that's available?
And if so, how do they rate compared to all the other vendors in the space? The last three are around market position: to be a global market leader, you have to really sell in many different places around the world. It can't just be limited to very strong in the US and not so strong everywhere else.
It has to include all the other regions. And we also measure not only number of customers, but in some cases number of nodes or end users goes into the market position equation too. Financial is financial: how well is the company doing? Is it public or is it a startup?
Those kinds of things factor into that evaluation. And then by ecosystem, we mean how many channel partners, resellers, integrators, and what's the technical support, again around the world, not merely in one or two regions.
So we have four major graphics that come in the reports. Product leadership: this is a look at the overall functionality. How complete is it? Does it do everything we would expect a product in the space to do? Market leadership,
like I was saying, kind of covers the number and geographic distribution of customers, partners and the support ecosystem. Innovation: are they delivering new and useful features at customer request? And lastly, overall leadership, which is a conglomeration of all of those factors. And here are the results for the product leadership graphic from the most recent adaptive authentication Leadership Compass. And here we see a pretty good selection of vendors with a good distribution.
The space is pretty mature now and there's increasing competition. That's why you see quite a few companies in the top tier, but SecureAuth is out on top because they've got pretty much everything you can think of for adaptive authentication: they support a large number of authenticators, take into account many different forms of threat intelligence, and you can write pretty sophisticated risk-adaptive policies as well. Same thing with the innovation leadership; this is how it turned out a few months ago.
Again, a good distribution of companies. Many companies are right there pushing the technological edge, SecureAuth obviously one of them too.
And again, that's delivering a lot of good and useful features, supporting a lot of the newer kinds of authentication technologies that people are requesting, as well as being able to do pretty sophisticated policy authoring based on threat intelligence. And with that, I'm going to turn it over to Steven.
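As an added worked example (not part of the webinar, and not code from KuppingerCole or any vendor's product), here is a small Python policy engine that reproduces the three step-up scenarios John walked through (smart card = 90 against a financials policy of 80, password = 10 against an HR PII policy of 50, Kerberos = 60 against a trade-secret policy of 85) and layers on three of the risk factors from his list: geo-velocity, known-bad IPs and device recognition. The assurance values for the mobile app and USB key, the 1000 km/h "impossible travel" threshold, the extra assurance demanded for an unrecognized device, and all sample coordinates, IPs and device IDs are assumptions made for this example.

```python
"""Risk-adaptive access decision modelled on the talk's assurance-level scenarios."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Authentication assurance level per authenticator. Smart card = 90, Kerberos
# ticket = 60 and password = 10 are the values quoted in the talk; the mobile
# app and USB key values are assumptions made for this example.
ASSURANCE = {"password": 10, "kerberos": 60, "mobile_app": 70, "smart_card": 90, "usb_key": 95}

# Minimum assurance each resource demands, as in the talk's three scenarios.
RESOURCE_POLICY = {"company_financials": 80, "employee_pii": 50, "trade_secret": 85}

KNOWN_BAD_IPS = {"203.0.113.7"}   # constructed sample entry (documentation address range)
MAX_PLAUSIBLE_KMH = 1000.0        # assumption: anything faster counts as impossible travel
UNKNOWN_DEVICE_PENALTY = 10       # assumption: an unrecognized device raises the bar


@dataclass
class Request:
    user: str
    resource: str
    authenticator: str
    ip: str
    device_id: str
    lat: float
    lon: float
    at_epoch_s: float             # request time, seconds since the epoch


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_at_epoch_s: Optional[float] = None


@dataclass
class Decision:
    action: str                   # "allow", "step_up" or "deny"
    required: int                 # assurance demanded after risk adjustments
    have: int                     # assurance of the presented authenticator
    reasons: list
    step_up_options: list = field(default_factory=list)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def geo_velocity_kmh(history, req):
    """Speed implied by the last successful login and this request (0 with no history)."""
    if history.last_at_epoch_s is None:
        return 0.0
    km = haversine_km(history.last_lat, history.last_lon, req.lat, req.lon)
    hours = (req.at_epoch_s - history.last_at_epoch_s) / 3600.0
    if hours <= 0:
        return float("inf") if km > 0 else 0.0
    return km / hours


def evaluate(req, history):
    """Apply the resource policy plus risk factors; decide allow / step_up / deny."""
    have = ASSURANCE[req.authenticator]
    required = RESOURCE_POLICY[req.resource]
    reasons = []
    # Hard blocks first: threat intelligence and geo-velocity.
    if req.ip in KNOWN_BAD_IPS:
        return Decision("deny", required, have, ["source IP on known-bad list"])
    v = geo_velocity_kmh(history, req)
    if v > MAX_PLAUSIBLE_KMH:
        return Decision("deny", required, have, [f"impossible travel: {v:.0f} km/h since last login"])
    # Soft signal: an unknown device raises the assurance the policy demands.
    if req.device_id not in history.known_devices:
        required = min(required + UNKNOWN_DEVICE_PENALTY, 100)
        reasons.append(f"unknown device, required assurance raised to {required}")
    if have >= required:
        return Decision("allow", required, have, reasons)
    # Step-up: list every authenticator strong enough to satisfy the adjusted policy.
    options = sorted(a for a, lvl in ASSURANCE.items() if lvl >= required)
    if not options:
        return Decision("deny", required, have, reasons + ["no available authenticator meets the policy"])
    reasons.append(f"have {have}, need {required}")
    return Decision("step_up", required, have, reasons, options)


def record_success(history, req):
    """Update the user's baseline after a successful authentication."""
    history.known_devices.add(req.device_id)
    history.last_lat, history.last_lon, history.last_at_epoch_s = req.lat, req.lon, req.at_epoch_s


if __name__ == "__main__":
    h = UserHistory(known_devices={"laptop-1"})
    for res, auth in [("company_financials", "smart_card"), ("employee_pii", "password"), ("trade_secret", "kerberos")]:
        d = evaluate(Request("alice", res, auth, "198.51.100.10", "laptop-1", 47.6, -122.3, 0.0), h)
        print(res, auth, "->", d.action, d.reasons, d.step_up_options)
```

The ordering matters: hard signals such as a listed IP or an impossible-travel event end the evaluation with a deny before any assurance arithmetic, while soft signals such as an unrecognized device only raise the level the policy demands, which is what turns a normally sufficient authenticator into a step-up prompt rather than a block.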
Thanks very much, John.
Hi folks, I'm Steven Cox. I'm VP and chief security architect for SecureAuth. Thanks for spending some time. I wanted to share with you some thoughts on the future of identity security from my perspective.
So what's fascinating to me this year so far is that the industry and the media are really starting to talk about and take notice of the importance of identity security.
The beginning of the year has seen some really unprecedented media coverage on the effectiveness of two-factor authentication, discussing whether the technology is broken or ways it can be bypassed. Spoiler alert for you: it's not broken. It's just part of the solution. Some of the major industry reports, as John mentioned, such as the Verizon Data Breach Investigations Report, are giving crystal-clear and year-over-year evidence that identity is being increasingly attacked and exploited within organizations.
The consensus seems to be that 2FA technology is a step in the right direction, but by itself it's not enough to solve the epidemic of credential misuse. So these are all very encouraging events.
When you look at the security industry as a whole, and having spent a number of years in the identity security space, I'm very encouraged by the events of 2019 so far.
So let's take a deeper look at some of the industry statistics and the problems associated with them. John talked about how 80% of breaches involved stolen or weak credentials. And this really points to not all systems having 2FA or strong authentication and many groups still relying on the password. In a survey that SecureAuth did about a year ago, on average organizations had 60% coverage, meaning the other 40% was only password protected. So we're still playing a little game of catch-up here for a lot of reasons.
And here's a really harrowing statistic: four out of five adults reuse passwords. And we've all been guilty of doing this, or of tweaking passwords, where you reuse a password but with slight changes to it, sometimes tailored to the site. And attackers are on to this, by the way. Users also pick very poor passwords.
Lots of the funny top password lists are published every year.
Some of the most common passwords of 2018 included 123456, password, and qwerty, the default row of keys on your keyboard. An additional problem is that there are literally billions of stolen passwords available on the dark web, and actually now even on torrent sites on the surface web, so that a password a user used for their Yahoo account or to access your systems is really known and available to attackers. That also means that they can come back to haunt us in the future.
In another survey we did, we discovered that of participants believe that two-factor authentication would address recent data breach concerns and believe that this would protect them from unauthorized access. And this optimism is great, but we've learned that attackers can actually bypass 2FA in certain circumstances. Relying solely on it, like any other security technology in isolation, is just not good security policy.
The average US breach now costs around 8 million. This figure includes small businesses.
Both Target and Home Depot spent well over a hundred million on their breach aftermath. And despite these rising costs and the mounting evidence that identity is being attacked, we're still lagging behind in deploying modern access control, and organizations are telling us that they're concerned about the user experience during authentication. Authentication disruptions for passwords and two-factor authentication on every system are really annoying. They cause productivity loss, and they drive up admin and help desk costs.
But I'll talk about how looking at multiple risk factors around every access request can provide the confidence to remove authentication disruptions for users with very high trust.
So we're also in a period of unprecedented challenges in the identity security space and within our organizations. We're experiencing what we refer to as identity sprawl, and it happens faster than you think it does, as companies start expanding out to the cloud, moving their business processes to the cloud, building consumer portals.
This comes with a difficult balancing act of managing those associated identities within those services. And one of the challenges is that oftentimes we're looking at multiple solutions to get complete coverage.
Let's be honest, most of us are in hybrid situations where our infrastructure spans on-premise and cloud. Many 2FA products have limitations, and therefore some organizations have implemented different solutions to cover all of those use cases: the cloud-based, on-premise, or legacy applications. More modern approaches and vendors allow you to service all of the systems regardless of where they are within your environment. It's going to cut expenses, simplify administration, and reduce complexity by consolidating on a single product or vendor.
And customers are telling us that passwords are just no longer acceptable. They're no longer a secret. They provide little resistance to attackers.
So what lives beyond 2FA? Customers and prospects are engaging with us and asking us this. 2FA is a great start, but attackers are increasingly bypassing it, and better breach protection expands beyond just passwords.
So I really want to emphasize this challenge that we're facing around digital transformation.
It's not just a buzzword; it's something that we're very much experiencing in modern business. And if you don't believe me, look at the skyrocketing revenues of the major cloud service companies just over the past two years. We often remember that many modern organizations are, and will be for some time, hybrid organizations spanning on-premise and cloud, and identity becomes the glue that binds modern organizations together. And it becomes extremely important to your security programs.
So as our infrastructure and our business processes and our customer experiences evolve, the threats evolve too. One example of a threat our customers are facing and fighting right now is called a credential stuffing attack, and I'll cover more of that in a minute.
I know we always talk about how our attackers are evolving, but it's the truth. We're seeing their methodology become more sophisticated right before our eyes. We're in a period where attackers have access to extremely powerful tools in the open source community, combined with the ability to collect and weaponize social media platforms to use for even more effective phishing campaigns.
And we're also seeing, as you saw in the opening slide, that attackers are increasingly finding ways to attack 2FA itself. We've seen a number of different ways they can do this.
Of course, the old hat is phishing.
An attacker represents themselves as someone familiar or an authority figure; it could be like the help desk requesting credentials to verify the user. They might set up a fake website that looks exactly like a site familiar to the user. Then the attacker simply takes the inputs provided by the phished user and uses them on the real website or access point. And this tactic goes way back in time.
Even to the early hard token days, I remember stories of users of popular online services being exploited this way back in the early 2000s. It's starting to find footing again as more organizations are deploying 2FA. There's a concept called text or call interception, where attackers can get around 2FA by intercepting texts or calls.
This issue exists with the protocol used by phone carriers to communicate. The protocol is known as Signaling System Number 7, or SS7. It was developed back in 1975.
And it has a glitch that allows attackers to intercept cell signals, which they can use to monitor movements, listen to calls, or read and forward text messages or voice calls. There's also the malware issue. We're talking about malware on the phone here. Attackers get the malware on the phone typically by sending an email, or it could be via text. Their message looks like it comes from a well-known or frequented business of the user. The user is asked to click on a link for some important reason.
And then the malware downloads and installs. It can change settings, it can install certificates, and once on the device, they can do anything, including intercepting text messages. Phone fraud is one that goes by many different names:
phone number porting fraud, SIM swap, port-out scam, or SIM splitting. Regardless of the name, it represents a pretty big vulnerability to popular phone-based authentication methods.
It works by an attacker using social engineering, collecting data on the victim, and then calling the victim's mobile phone carrier and convincing them to move the phone's SIM card to a new phone under the attacker's control. And one of the last examples here is what we call notification fatigue. It happens when an attacker overwhelms a user with multiple authentication requests until they allow access.
This works well for push-to-accept type authentication methods, where users simply hit accept or approve if authenticating and deny when they don't want to authenticate. The problem arises when users want the notification to simply go away, and they hit accept to make it do so.
So I talked about credential stuffing.
This is definitely an attack trend we're seeing with our customers right now. Attackers will typically obtain a cache of credentials, either on the dark web or on a BitTorrent site, like I mentioned. They'll train their attack tools on a website or a set of websites, and they just keep trying credentials until a set of them work. And you'll see this a lot with consumer-style portals run by companies.
And we've had prospects engage with us purely on the fact that they're having massive issues with this type of attack right now. It results in accounts being breached, or even down to the level of account lockouts as they're continually accessed. It's a massive headache for organizations right now with real implications. And it relies on the penchant of users to share passwords, or in some cases email addresses, among multiple websites.
So attackers have even developed algorithms to tweak commonly used passwords,
like changing the "a" in a password to the "@" symbol, making the tools very effective. And another throwback to a long-existing attack is the distributed denial of service attack. These credential stuffing attacks are often highly distributed. An attacker will build an army of bots, or simply rent space on an existing botnet, to undertake their attack.
So it can become very difficult to defend purely at the network level without help from the identity layer. And combined with what I spoke about, being in a hybrid situation spanning multiple cloud services and across a variety of federation techniques, it really speaks to the need to centralize identity and have a common approach across all resources. This is definitely something many of our customers and prospects in the consumer IAM space are struggling with, and something you need to consider when expanding to the cloud.
So let's talk a little bit about risk analysis in the context of identity security. John gave a little bit of an intro to this, and I'll dig in a little bit more. An adaptive authentication engine would look at multiple attributes in the authentication, like the device attributes, the location, the IP address, and the user's behavior, for clues to attacker presence. Each of them serves as a protective layer.
You ideally answer the following questions around those seeking access to protected systems. Do you recognize the device? Have you seen this device before associated with this user, and has it been used once they've successfully passed authentication in the past? Is this access request coming from a known location, like somewhere you have employees, partners or customers? You analyze whether an impossible travel event has taken place.
John talked about this a little bit.
If you log in from New York and then an hour later you're attempting to log in from California, we'll know something isn't right, because it's impossible to travel that distance in an hour. You can check group membership and attributes for every user: do they have access to this system? Is there a blank field in their profile, or does the field have data in it when it shouldn't?
These are checks to see if an attacker's already gotten in some other way and created a profile and given themselves access, often not following the processes or standards set up by your admin team. You can check to see if the IP address is in a whitelist or a blacklist. A whitelist typically catalogs good IP addresses like corporate IP ranges, and a blacklist collects known bad IPs.
You can check to see if the IP address is coming from an anonymous proxy, like Tor. Why would a customer, partner or employee be trying to hide their IP address
if something wasn't right? You can absorb other risk scores from third-party products and use them in the authentication process. If you have an IGA product, you can look at entitlement risk. If you have a UEBA product, or other solutions that provide a risk score, you can just consume it and use it in the authentication process. If you're using phone-based authentication, you can block access from phone carriers in locations where you don't have partners, customers or employees. You can block access to certain phone types.
For example, attackers prefer voice-over-IP phones for convenience.
So we can block those phone types for use in the authentication process. You can also tell if the phone number has been recently ported. So if the SIM card has been changed to a different phone, we can block access until the new phone can be verified. You can check the IP address against multiple continually updated threat databases of known bad IP addresses that have been used in malicious acts in the past. And lastly, you can check user behavior against a baseline for every individual.
For instance, Tom usually logs in between seven and 9:00 AM and logs out between four and every weekday, and rarely logs on otherwise. Now, talking about machine learning in the context of identity security: I know that machine learning has kind of been all the buzz in recent months. If you were out at RSA this year, it's kind of hard not to walk a few feet without seeing it mentioned or discussed, and no, it's not gonna solve all our problems.
We're not gonna be Homer Simpson snoozing off in the control room while all the work is done for us.
But the truth is, machine learning is a super powerful tool and it will contribute a great deal to the security problem. There will never be a time where it takes over completely. It will always be a tool amongst the well-organized set of tools used by advanced security teams. I had a really interesting conversation with a previous colleague as to whether machine learning-based analytics would be a standalone product or a feature of a product.
And it ended up being a really important conversation to me, because it kind of hit me that when it's a feature, it's typically being leveraged to solve a specific use case. And that's what's really important. We've found some really good use cases for machine learning in security so far, particularly around behavior-type use cases like anomalous user activity. As I talked about, sort of understanding what's normal within your environment and then checking for anomalies, understanding how your users' peers behave and looking for deviations from that.
And you can break that out into other types of entities, like IP addresses, to look for suspicious activity. Other models you could build are around time-of-day analysis, the resource being accessed, the location of the users. There are just a lot of different options you can take.
So let me walk through a very specific example of an adaptive authentication request.
Normally, if you have 2FA in place, an attacker would need access to the credentials, the username and password, and they would've needed to figure out a way to bypass the 2FA. But regardless of how they're accessing your systems, they still attempt access from their own computer or bot location, IP address, phone, and they have a unique behavior. And that's why we check all these things. So let's assume the attacker has legitimate credentials.
They phished them from a user. The attacker's device would still be unknown, and we would still flag it in the adaptive engine as a new, never-before-seen device. The attacker's location could be a place where your organization has no users, but it also could be a location where you do.
So it's very important to check that. The attacker doesn't know when the legitimate user last logged in or when they may already be logged in. So this is why we would apply some logic to the authentication events.
If a legitimate user logs in from Ohio, and then an hour later the same credentials are used to log in from a location further than an hour away, it triggers a response. The attacker's IP address is unlikely to be on a whitelist of approved IPs, and it's also not that likely their IP will be in some blacklist of known bad ones, but it's very worth checking this as well. More often than not, an attacker's going to hide their actual IP address using an anonymous proxy, which hides their real IP.
So we check for each of these, and we can deny access if detected. If the attacker doesn't use an anonymizer, we can check their IP against multiple industry threat feeds of known bad IP addresses used in previous malicious activity. Assuming our organization's identities are using phone-based authentication, the attacker will be using their own phone during the authentication, hence why we check the phone carrier. Perhaps we have no users in Korea, Brazil or Ukraine, so no one from those regions should be using a phone to authenticate to your systems.
As mentioned before, the phone may be VoIP, and the organization may have a policy against these types of phones. So we check the phone number as well to see if it's been recently ported to another phone. This actually doesn't mean the phone has been hacked; legitimate users upgrade phones all the time, but it's another piece of the puzzle to consider. We're looking at all these risk checks together.
Lastly, we evaluate behavior: is this behavior consistent with the baseline behavior for this particular user? If an attacker assumes the identity of a legitimate user, it's highly unlikely they will act the same as our real user.
So the bottom line here is that you need to know more about the identities accessing your systems. The more characteristics you can evaluate, the clearer that user is to you as known or unknown. Each characteristic is conceptually a layer of security, and the more layers of security you have, the harder it is for attackers to get past them all. More likely than not, they're gonna move on to an easier target.
If you don't look, you won't find. If you don't analyze the device, the location, the IP address, the behavior and all the attributes you can get at, you're never really gonna find the problems, inconsistencies or anomalies that signal attacker presence. The more characteristics you evaluate, the more confident you're gonna be that the requesting identity is who they claim to be, or not. The higher the confidence and trust, the more likely you can remove authentication disruptions for users.
So you could automate the ensuing action. You could say, for users with little or no risk, you can remove 2FA and give them immediate access. For users with some low risk, but not very much, you could require a 2FA step-up. For those with high risk, you could force a password reset or redirect to a honeypot. For those with extremely high risk, you could deny access altogether.
And these are decisions that you would make as an administrator of your adaptive authentication platform.
So for my last slide here, I wanted to really emphasize how important user experience is in identity security. It really comes from a recognition that not all users are created equal, but everyone resists additional authentication steps. You really have to get beyond this old-school multi-step, multi-interruption process to provide a good user experience. A clean authentication experience enhances user adoption and reduces complaints for the security team.
So the multiple layered risk checks that we just talked about allow your organization to identify and deny bad access requests, or challenge risky ones, or allow low-risk ones through without even putting up an MFA step at all. And now you can balance security needs with your users' experience, and you don't have to compromise security or user experience. You can get the best of both worlds, and really, how many security technologies can you say that about?
You can also reduce the number of daily interruptions when accessing organization resources with technologies like single sign-on, improving productivity by enabling fast and seamless access to the things your people need to do their jobs. And you can also empower users to help themselves when the need arises via self-service tools like password reset, account unlocking, enrollment, updating personal info, all saving your users' and your IT team's time.
So with that, I will pass the ball back to John so that we can take some questions.
Thank you very much for your time.
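As an added illustration of the layered risk checks and the tiered responses described in the presentation above (example code written for this page, not code from the webinar or from any vendor's product; the weights, thresholds, IP ranges, coordinates and scenarios are constructed assumptions):

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed reference data; a real deployment sources these from the directory, threat feeds, carrier lookups and a learned baseline.
KNOWN_DEVICES = {"tom": {"laptop-01"}}      # devices seen with this user after a successful auth
CORP_IP_PREFIXES = ("203.0.113.",)           # allowlist: corporate range (TEST-NET-3, constructed)
THREAT_FEED_IPS = {"198.51.100.7"}           # denylist: known-bad IP (constructed)
ANON_PROXY_IPS = {"192.0.2.9"}               # anonymizer exit node (constructed)
ALLOWED_PHONE_COUNTRIES = {"US", "DE"}       # countries where the org actually has users
BASELINE_HOURS = {"tom": (7, 18)}            # Tom logs in 7-9 AM and out in the late afternoon
MAX_PLAUSIBLE_KMH = 1000                     # faster than this between logins = impossible travel

@dataclass
class AuthRequest:
    user: str
    device_id: str
    ip: str
    loc: tuple            # (lat, lon) of the request
    ts: float             # hours since a reference midnight; ts % 24 is the hour of day
    phone_country: str
    phone_is_voip: bool
    number_recently_ported: bool

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    p1, p2 = radians(a[0]), radians(b[0])
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(b[1] - a[1]) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def score_request(req, last=None):
    """Run each risk check the talk lists; last is the user's previous (loc, ts). Returns (score, reasons)."""
    lo, hi = BASELINE_HOURS.get(req.user, (0, 24))
    checks = [
        (20, "unknown device", req.device_id not in KNOWN_DEVICES.get(req.user, set())),
        (10, "IP not on corporate allowlist", not req.ip.startswith(CORP_IP_PREFIXES)),
        (30, "IP on threat feed", req.ip in THREAT_FEED_IPS),
        (30, "anonymous proxy", req.ip in ANON_PROXY_IPS),
        (25, "phone carrier in unsupported country", req.phone_country not in ALLOWED_PHONE_COUNTRIES),
        (15, "VoIP phone", req.phone_is_voip),
        (20, "number recently ported (possible SIM swap)", req.number_recently_ported),
        (15, "outside behavioral baseline", not lo <= req.ts % 24 < hi),
    ]
    if last is not None:  # impossible travel: distance from the last login over the elapsed time
        speed = km_between(last[0], req.loc) / max(req.ts - last[1], 1 / 60)
        checks.append((40, "impossible travel", speed > MAX_PLAUSIBLE_KMH))
    hits = [(w, why) for w, why, hit in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]

TIERS = ((20, "allow without MFA"), (50, "step-up MFA"), (90, "force password reset"))

def decide(score):
    """Map the aggregate score to the tiered actions the talk describes; anything above the last tier is denied."""
    return next((action for limit, action in TIERS if score < limit), "deny")

# Constructed scenarios: Tom at the office after logging in from New York at 8 AM, and an attacker
# with Tom's phished password trying an hour later from an anonymizer exit in Los Angeles.
NYC, LA = (40.7128, -74.0060), (34.0522, -118.2437)
LAST_LOGIN = (NYC, 8.0)
LEGIT = AuthRequest("tom", "laptop-01", "203.0.113.25", NYC, 8.5, "US", False, False)
ATTACK = AuthRequest("tom", "burner-77", "192.0.2.9", LA, 9.0, "BR", True, True)
```

Running `decide(score_request(LEGIT, LAST_LOGIN)[0])` allows Tom straight through, while the attacker trips seven checks (including impossible travel) and is denied.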
Thanks, Steven.
Okay, so let's take a look at the questions we have. First one: Can I use biometrics with adaptive authentication? How does that work?
Cool.
Yeah, I could take that one. You could most definitely use biometrics in the context of adaptive authentication.
In fact, that's our recommended model. You talked about this a little bit, John: the biometric takes the place of one of the factors of authentication. So instead of using the old paradigm of something you know, the password, and something you have, the device, you move to something you have, the device, and something you are, a biometric. So just a note about the biometric you use: it has to be very easy to provision or register; users hate lengthy or clunky registration processes.
And it has to be accurate. Too many false positives or false negatives make for a very unusable system.
So, you know, you mentioned most modern smartphones give you some pretty good options for a biometric.
Yeah. If it feels like you're being booked in at the local precinct, people don't really enjoy that experience.
I was just thinking while you were talking earlier, too, about some of these behaviors that we see where maybe people are tired of push notifications, so they're just like, yeah, yeah, whatever it is to make it go away.
Well, I think the same thing applies when people choose poor passwords. I think people have dozens and dozens of passwords they're supposed to remember.
And the conventional wisdom of 15 years ago was to tell 'em to use strong passwords, quote passages from books, and all that. And really it doesn't help.
I mean, they're still susceptible to being captured and sold on the dark web, or to password guessing, rainbow tables. So I think people are just tired of passwords. Is some of the bad behavior that maybe we see on the part of users pushback because of the lack of usability?
Yeah. One of the things you mentioned, notification fatigue, is why we created a method called Symbol-to-Accept.
So you actually get a symbol on the screen, and then on your mobile app you have to press the same symbol, so that you're sort of injecting a little bit of a thought process in between the accept or deny. So that's just an example of something.
Yep. Next question is, how does FIDO 2.0 fit in?
I think it was right before RSA that they announced the completion of the WebAuthn specification. I think FIDO 2.0 plus the WebAuthn specification will be what's needed to help spur on adoption of FIDO.
And by that I mean both on the mobile side and some of the U2F kinds of authenticators. 2.0 was designed to sort of bring UAF and U2F a bit closer together. It's still a little more heavy on the U2F side, but WebAuthn, being able to move from just authenticating, say, with UAF to an app on the phone, to being able to authenticate to something on the back-end web, I think that bridges a big gap that had been there before with just UAF and U2F. Do you have any thoughts on that one, Steven?
Yeah, no, I agree. I think it's an adoption problem, but you are starting to see some vendor uptake on FIDO2.
And the whole question of the usability of biometrics plays into this too, right? Because if you make a very usable authenticator, people are more likely to use it. So I agree with what you said.
Okay. Next one is, can I implement a zero trust model using adaptive authentication?
Well, I'll just start off by saying yeah. I think zero trust is another one of those terms we've probably heard a million times.
And I think it sometimes gets incorrectly associated with only network-level stuff, and really it's about identity and authenticating and authorizing every session that goes across the network. So for that, I think adaptive authentication is actually a prerequisite for being able to move to a true zero trust architecture.
Yeah.
I completely agree. I've always called it an enabler for zero trust.
Assuming you're able to centralize your authentication on a platform, you can use that adaptive authentication engine as a gatekeeper, right, to decide whether you give a user access or not.
And the benefits of the risk-based analysis really come into play here, because you can reduce the friction of effectively pushing everyone out and requiring them to authenticate every time.
And another thing about zero trust and adaptive auth is that it's more than just user identity. This way you can bring in device identity, whether it's the mobile, whether it's their PC on the network; you can consider both the user identity and the device identity.
Yeah.
Okay. Next question is, a lot of vendors seem to be talking about machine learning.
How is yours any different than the others?
Yeah.
So two big differentiators come to mind for us. I talked a little bit about the use cases that you're trying to solve in my presentation. And one of the big differentiators, I think, for us is ease of use.
So you just sort of enable the feature, and your authentications will start building towards a model for your users and triggering when detected activity actually deviates. Many of the sort of behavior analytics ML products require extensive data collection and integration, so I think we have a little bit of a differentiator there.
Also, the number of data points we collect is really interesting, because of our risk analysis engine. We sort of pick apart the transaction at a really granular level. So we have a lot to work with, right now and in the future, in terms of building models that we can use with machine learning.
Speaking of RSA, I did a presentation about machine learning and zero trust, and I think the place where it really comes into play is when you've got so much data.
I mean, you can't do user behavioral analysis in a modern enterprise by hand. You just can't have enough people looking at all the different data points and trying to decide if it's good, legitimate activity or not. So machine learning, I think there are about 50 or 60 major algorithms that can be used, there's supervised, unsupervised, semi-supervised, and it's great for catching and categorizing behavior.
So in this context, for adaptive authentication, there are several algorithms that are great at helping to sort what's baseline activity and then leave the anomalous things for perhaps further analysis, maybe involving humans too. In cybersecurity in general, there are different kinds of use cases that are not just augmented by the use of machine learning algorithms but actually require them, again because of the volume of data. It's just not humanly possible to look at all the different kinds of data.
Malware analysis is another one in cybersecurity, but again, there are different kinds of algorithms that are suitable for different kinds of use cases.
Do you think there are ways to get better adoption from consumers? I use MFA everywhere it is offered, but that's few and far between.
Yeah.
So that question makes my brain go back to the user experience challenge. If you make the user experience cool and fun, and you put delighters into your user experience, then there's gonna be more chance that your users are gonna pick up the product and continue to use it.
If you get in their way too often and you make a clunky user experience that everybody hates, then they're gonna cast it asunder with great pride. So it really kind of makes me think of it from the user experience perspective.
Yeah.
I hate to say it, but even contacting them helps; we get pestered for online surveys about everything. If you've got the time, take 'em and tell 'em that you want better authentication methods. Sometimes I think a lot of companies may be unaware of the burdens they're imposing.
Especially if you've got, let's say, some sort of online service provider that you only use once or twice a year. At that point you're not even really using passwords, because some people just don't even bother to write 'em down and they go through the password reset thing every time, which generally involves knowledge-based authentication. So I would say it has to be communicated to the proper people who are in a position to actually do something about it.
Well, that's all the questions I see for now. So thanks to everyone for attending. Steven, any parting thoughts?
No, I'm good.
I think I just wanna leave everybody with this: user experience is important in identity security. So ask for it from your vendors.
Great.
Well, yep. Thanks for attending, and thanks Steven for the content. This will be made available as a webcast probably by tomorrow. So have a good day.