Hello, everybody. I'm John Tolbert, Director of Research here at KuppingerCole, and today in the webinar, I'm joined by Harsh Lale, VP of Business Development at Arcon. Welcome.
Today, I'm... Yeah, go ahead.
Yeah, I just said thank you. It is pretty exciting to be here in the seminar with you, looking forward to a wonderful session. Thanks.
We feel the same way.
Well, today, our topic is on ITDR, Identity Threat Detection and Response. So, our title is IAM meets ITDR, A Recipe for Robust Cybersecurity Posture.
So, a little bit of logistics before we begin. Everybody's muted. There's no need to mute or unmute yourself. We're going to do a couple of poll questions near the end of my section, and then we'll take a look at the results after Q&A. And we will be doing Q&A, so feel free to enter questions into the CVET control panel at any time. And then lastly, we're recording the webinar, and both the recording and the slides should be available in a couple of days.
And I've packed a lot of material in here, so I'm going to go pretty quickly through this, so feel free to go back and take a look at the slides later. So, I'll start off, and then I'll turn it over to Harsh, and then we'll do the Q&A and poll results at the end.
So, let's start off by talking about the identity threat landscape. We're all probably very familiar with account takeovers and things like that that happen to individual user accounts, but there are attacks against IAM systems, and ITDR can help with that.
So, we've been hearing forever that identity is the new perimeter. Well, I'd say it is definitely a perimeter.
ATOs, account takeovers, just continue to rise year after year, both on the consumer-facing side as well as the workforce side. And you've probably seen statistics over the years that show somewhere in the neighborhood of 80 percent or more of cyberattacks involve a compromised credential. And attackers can get these compromised credentials on the dark web. There are threat actors that go out and breach companies, get their credentials, and then sell them on marketplaces, unfortunately.
And now, some ransomware operators don't even bother with malware. If they can get a legitimate credential through one of these credential brokers on the dark web, then they'll get into your environment, look for your data, steal it, and then threaten to release it all without actually deploying encrypting ransomware.
So, there's a lot of different twists on the threats in the cybersecurity landscape today. You know, and we see the usual threats.
ATOs, they've been around for a while. Like I said, they're continuing to increase. We still have insider threats and unusual behavior that needs to be understood so that we can figure out if these are malicious activities or not.
So, you may be familiar with MITRE ATT&CK Matrix. What I've done here is pull out the things that I see that are really identity-related.
So, the MITRE ATT&CK Matrix is much larger than this, and I certainly encourage you to go take a look at it at the MITRE website. It's fascinating. It's the result of a lot of good work.
But here, you know, you kind of look at, you know, what we've, you know, in olden days we had called the kill chain. You start on the left here with recon. That can involve things like phishing or getting victim IDs. And then over here on the other side, on the right, you see things like exfiltration, which is generally the goal. But there are so many steps in between, and what the MITRE ATT&CK Matrix does is show you the details of the tactics, techniques, and procedures that attackers use.
And again, these are the ones that are just identity-related. So, let's take a look at, you know, the major types of attacks we see against IAM systems, keeping in mind that often Active Directory or Azure Active Directory is one of the common targets. There's credential harvesting, privilege escalation, discovery, persistence, because once they get in, they're going to want to stay there. Using Active Directory domain service exploits. These are features that are built into Active Directory. Lateral movement, and then denial of service.
So, let's say you're in the recovery phase or trying to remediate an attack. Often attackers will try to take down your authentication services because that makes it much harder for your forensic investigators and system administrators to try to recover.
So, these are some of the things that we see that are attacks directly against IAM systems. So, how do they harvest credentials?
Well, there's a couple of older methods here that still are in use. There's password spraying, brute force guessing, LSASS dumping, you know, getting the database of users and passwords. Then there are sophisticated techniques that state actors use that now are, you know, more commonly used by other kinds of threat actors.
You know, Kerberoasting, pass the hash. I won't go through each and every one of these.
But, you know, one of them that's notable here is MFA fatigue. We've been using increasingly MFA, hopefully, you know, for a number of years. And that might involve getting an SMS text or, you know, maybe an application sending a pop-up to the phone, a push notification. Some of these bad guys, once they get in, they'll start sending out tons and tons of these push notifications or SMS to try to get an admin to simply, you know, get tired of it and say yes. And believe it or not, unfortunately, that works quite often. Privilege escalation.
You know, once they get in as a user, in order to really be able to do nefarious things, they need to escalate their privileges. There's a number of different ways that they can do that. In addition to, you know, compromised credential databases on the dark web, now it seems that session tokens or session cookies that can be used, intercepted, and then be reused to take over an existing session, these too are for sale on the dark web.
So, getting a hold of tokens is another way that they're able to escalate their privileges. So, it's worthwhile thinking about, you know, your session timeout limits for your various applications and particularly things that require administrative access because a valid token used by a bad actor will get them access to things that they shouldn't have. And then once they escalate privileges, they're going to want to do things like add other users, particularly admin users, maybe in your SaaS applications, and then add other devices that can do MFA.
This would allow them to redirect where those SMS texts or push notifications go to so that it goes to their own phone rather than your legitimate administrators. Discovery.
So, again, thinking about the MITRE ATT&CK matrix, this is a little farther over on the left side. So, they're trying to figure out what you've got. How do they do that? They'll look at DMS. They'll try to map out all the things that you've got in your environment. They'll use tools like BloodHound to do that. And here they can get, you know, really interesting detailed information about your Active Directory trust relationships or privileges.
So, there's a number of techniques and tools that they use to map out and understand your particular environment. Persistence.
So, ticket forging, trust ticket forging between different domains. They might create a skeleton or a master key that allows them to get in and sort of supplants the security features that you've already put in place. They often edit ACLs, access control lists, and they're going to want to create more accounts, going to create more cloud accounts, you know, for your SaaS. They'll create new roles that have, you know, high privileges.
And, again, if you're not looking for this in your Active Directory or other IAM systems or the SaaS applications that you've got, and a lot of times you're not because you're not thinking that somebody's going to be out there creating new roles that have, you know, extensive powers over your environment. This is another thing that ITDR can help with.
Then, lastly here, you know, modifying the boot process on individual machines or, you know, changing logon scripts so that they can, again, persist through, let's say, a reboot cycle. AD directory service exploits.
These are, you know, using APIs or, you know, in the case of like ntds.dit, you know, files that contain information. This is just how things in Active Directory work.
So, when we talk about attackers using living off the land techniques, they're using things like this. And the idea, again, is to fully understand everything in your environment, change user privileges, add user privileges, add accounts, and these are just a few of the techniques that they can use to do this. Then we have lateral movement.
Again, once they establish a base of operations inside your environment, they're going to want to see what else you've got and take over other assets. You know, a key way they do that is internal spear phishing. They will take a look at your AD, look at your user accounts, figure out what those roles are, who are the people, the actual users that legitimately have access to things like financial information or sensitive, you know, corporate confidential information.
And then they will, you know, send a spear phishing message, try to take over their accounts, get access to their email, or get access to the resources that they, again, legitimately can get access to. They will re-enable RDP, even if you've turned it off, which, you know, a lot of organizations will do that, particularly in very sensitive environments.
And, you know, you might not be watching for that. Again, that's another thing that you need a tool like ITDR to help with watching for RDP enablement. They'll use Windows Remote Management. They'll use GPO. GPOs have been used to distribute malware to other machines or make config changes around your organization.
And then, you know, spreading out between, you know, from an initial organization, maybe you're a large company, a conglomerate, you've got lots of different business units or independent businesses, you know, and they will want to try to abuse those trusts between those different domains or different forests. And they'll do things like cross-domain Kerberos ticket forging to do that. So that's kind of the, you know, the identity threat landscape in a nutshell. Now let's talk about what ITDR can do to help prevent some of these.
So, you know, a list of requirements would be things like collecting telemetry from around your entire enterprise. And you might think, well, you know, we've got a SIEM for that.
But, yeah, do you have everything plugged into the SIEM? And is it able to make sense of all the information that it's getting?
You know, again, if you're a large organization, you may have multiple business units. You may not, you might have multiple AD setups. You might have other IAM systems altogether. You're probably using some IDaaS, identity as a service.
And then, you know, studies show that many organizations have somewhere between 800 and 1,000 different applications, both internal and SaaS. So that's a lot of information. And you really need to centralize the, not necessarily collection, but, you know, for ITDR, but centralized analysis for that. So you can do things like real-time threat detection, looking for unusual behavior, looking for, you know, failed logins, patterns of failed logins, unusual patterns of privilege escalation.
Maybe you've got, you know, admins that use administrative privileges occasionally, but, you know, suddenly, you know, a sign of an attack might be a particular admin user that's, you know, escalating privilege all over the place, you know, in a short period of time. And then, you know, those identity trust relationships, can you tell if any of those are being abused? Then you have all this information. How do you correlate the events?
I mean, again, with, let's say, 1,000 applications, it would be, you know, a voluminous amount of data to have to sift through to figure out, you know, which of these events are actually connected, and then alert on them, and then analyze it. Attack path visualization, you know, this is sort of related to another field that's been called identity security posture management.
This would be looking for known vulnerabilities, misconfigurations in your identity systems, and this would be allowing you as an administrative security user to understand how an attacker might actually take over your IAM systems or individual accounts. ITDR should also help you do investigations. It should have a good, you know, forensic analyst interface, something that, you know, is intuitive, maybe uses natural language query capabilities.
And then, you know, the R part, response. There are two major kinds of responses that we see in ITDR systems today, and that is, you know, conditional access, you know, forcing MFA, or temporarily or maybe permanently disabling accounts that are suspicious or known to be doing malicious things. And oftentimes, organizations will want to choose if they want to leave those responses as a manual process, or in some cases, maybe say they need to be automated, automatically disable accounts when very malicious looking activity is occurring.
So, where does ITDR fit into your overall IAM and security architecture? So, starting over here on the left, let's look at, you know, what a typical IAM infrastructure might include.
Again, this is really high level, not a whole lot of detail, but, you know, you may have some on-prem IAM systems. Maybe you've got some legacy IAM systems from acquisitions from a while ago. You may have AD. You might have Azure AD. You might be using other IDaaS services. These days, these tend to be, you know, exposed via microservices. We call this the identity fabric model.
So, you may have individual authentication or authorization services or, you know, governance services. All these then, you know, are probably already outputting this telemetry into your SIEM. Same thing with your SaaS applications.
Hopefully, you've got a cloud-based SIEM or a SIEM that can accept that so you can centralize all the data collection. You might have a SOAR, security orchestration automation and response solution that allows it to operate on, look at the data in SIEM, and then, you know, do responses to the back-end IAM systems or even SaaS. ITDR is kind of an adjunct here. You'll want to pull information directly from, you know, those identity fabric services, the back-end IAM infrastructure, SaaS.
And, you know, here at the bottom, I've kind of highlighted two, EPDR, Endpoint Protection Detection and Response, or XDR, Extended Detection and Response. The reason being is if you know or you suspect that a given endpoint in your organization has been compromised, then you certainly would want to raise the risk level when you see an authentication attempt come in from that device.
So, here, you know, ITDR can be a place that looks at all of the data, does the analysis, provides you with a proper interface to be able to take action, and then, you know, operate back on all of these components as well. So, the communication flow has to be bidirectional.
So, what are the main use cases that we see for ITDR? Well, it's pretty straightforward.
You know, protect your Active Directory, protect your IDaaS services, your SaaS services, prevent workforce account takeovers, look for and stop insider threats. And then, you know, going back to that MFA fatigue or MFA bypass, you know, make sure that that cannot be bypassed.
You know, attackers are getting more and more advanced in their techniques and, you know, some MFA methods have been bypassed. So, you'll want to have something like ITDR that can detect that.
So, let's take our first poll question, and I'm just curious. So, of those five use cases I just listed, which of these do you think is most important for your organization? We'll give you a few seconds to select one.
So, while you're thinking about that, I'll dive into ITDR technical requirements. So, how do these things work?
Well, like every other security solution out there today, it requires API connectivity. Generally, REST is available. Some have GraphQL. Some do webhooks. It's a definite must. It's just how they operate. It's also best, in addition to having good API exposure, but ITDR systems that have pre-built integrations for common IAM and IDaaS services. Think about that when you're doing an RFP, you know, look at the vendors that are out there. Who's already got a pre-built connector for the IAM systems or IDaaS systems that you're using?
That will probably push it a little closer to the top of the list for you. You need to look for ones that do credential intelligence across your entire organization, you know, and again, think maybe you have, you know, business relationships with contractors. You'll want to be able to collect information from other business units and do credential intel there.
UBA, user behavioral analysis, I've kind of hinted about this already. You need to understand what's normal for a given user, particularly administrative users, and be able to detect when abnormal behavior is happening. Access analytics, you know, understanding patterns of access, figuring out what a user's been poking around, trying to get more information than maybe what they should have.
You know, this could be a sign that their account has been taken over, it could be a sign of a potential insider threat. And as I mentioned earlier too, I mean, the volume of this data is enormous. So we really need machine learning detection models to figure out what is anomalous and then classify it as, you know, a potential threat. There's just no way that, you know, even a large security workforce would be able to sift through the thousands and thousands of log files that, you know, large organizations have.
ITDR needs a good investigative interface and then it needs to be able to do those responses too. The responses are really key. That separates, you know, ITDR from ISPM, identity security posture management. I'll just briefly mention deception. This is something that a few ITDR solutions do.
This is, you know, allowing you to sort of programmatically and through a dedicated interface set up fake accounts of all kinds or other fake assets, you know, like certificates or RDP sessions or things like that. The idea here is if an attacker gets in and touches any of these assets, your ITDR system would immediately alert you because nobody is really supposed to be using these assets, so you know you've got an attacker in your environment. So we count this as kind of innovative and, like I said, not many ITDR solutions do this yet. So challenges.
I mean, all this sounds good because it's an absolute necessity in today's complex IT infrastructure that we have, but, you know, it may not be all that easy to deploy. Why is that?
Well, you've got, you know, AD or AAD that, you know, is pretty complex on its own, but then you mix in, you know, other IDaaS services, you know, trying to deal with the last mile problem of getting identity information into proprietary authorization solutions. You know, some big line of business or legacy applications have very complex built-in authorization schemas. It can be difficult to work with that.
And then, you know, all those SaaS apps that you're using. And then it needs integration with the tools I've already talked about, the EPDRs or the XDRs and, of course, SIEM and SOAR, if you haven't. So wrapping up here, the future of ITDR, you know, some of the smaller vendors have already been acquired by larger vendors. I would imagine this will continue. And then where will it go? Will ITDR become just part of XDR?
Well, we're seeing that in a few vendors. And, you know, we also see IAM solution providers trying to roll in at least ISPM, if not outright ITDR capabilities into their products. So let's take our second poll question. This is just kind of gauging your interest level in ITDR as a solution. Are you looking for ITDR now?
You know, option one, yeah, we've already got that. Option two, yeah, we're interested. We're looking for it. Or option three, it's not really on our radar yet. And feel free to enter your answers. And just a reminder, feel free to submit questions in the CMIT control panel and the questions blank, and we will take those at the end. And at this point, I'd like to turn it over to Harsh.
So I would like to first start with basics.
You know, I love going back to the basics. So different types of identities, you know, we've always been exposed to different types of identities, be it human identities, privileged identities, bot identities, machine identities, application identities, API identities. But what's the real crux in today's world is that identities are the weakest link, right? The security of your entire organization actually rests on how strong the identities are within your organization.
Now, though, you know, there has been an evolution with identities and the evolution really takes you to the concept of digital identity, right? So it's now everything is converging. So we are not talking about, you know, dedicated bot identities or machine identities. All these are really transforming into digital identities for us. And that's making things pretty complex for us because now we're talking about machine-to-machine identities. We're talking about service accounts, we're talking about bot identities, and all of these converging into digital identities.
So that's really making the space pretty complex for us. About the identity convergence, the, you know, the holistic perspective of all things IAM is one-stop shop for IAM solutions. And people, that's what people are really looking for.
I believe that all of you would agree with me when I make the statement that use cases or feature consolidations is one thing that everybody is looking at from an IAM perspective, right? So we are saying, because of all the complex issues that John mentioned, you know, we are looking at his presentation. We are all trying to look at features and functionalities which can actually help us overcome all these various kinds of threats that IAM, the traditional IAM is facing today.
So we're talking about integrated access controls, we're talking about authentications, we're talking about unified identities, we're talking about generally the life cycle management, centralized auditing and analytics. These are the crux of today's business. And we are looking at consolidation from that perspective. We're also looking at functional consolidation. So we're talking about all of this, really, if you put it into functional consolidation, we're talking about IGA, we're talking about IAM, we're talking about PAM.
So these are the three pillars, so to say, of the access management world. And the third important thing is vendor consolidation, because there's so many vendors across. We're trying to get all of them as part of one single sign-on or things like that, right? So the IAM would be able to talk to different vendors, different products, your active directories, and all of that are looking at vendor consolidation. I believe that these are typical challenges with identities. We've typically seen various kinds of identities.
The basic problem that almost every organization is dealing with today would be with lack of detailed password policies. Even if there are, how do you really enforce those across the organization? And this is not only for the privileged accounts, we're talking about business accounts, we're talking about digital assets, we're talking about business assets, we're talking about all of that. And how do you really enforce these password policies?
We generally see that, if you leave it to the individuals, if you leave it to the team members in the organization, they would want to have passwords, which are very common, right? So they want to have passwords, which are probably their spouse's name, their birth dates, their kids' things, things which are very easy for them to relate, and they try to reuse those.
Typically, we have seen that if you have no password history or a password history of, if you maintain a password history for the last five times, people would have six passwords and they would be able to keep rotating those. So there are these typical challenges that we see with identities today. Poor role management that happens across the organizations, people find it very difficult to really implement the RBAC systems, and that really becomes a challenge for the identities. A basic thing, there are too many admin accounts.
You would see that people create local accounts, local admin accounts, multiple of them. People have, I would have an admin one, somebody would have an admin two, other person would have an admin three, so on and so forth. And we are trying to unnecessarily complicate things because we are trying to add too many of these privileged IDs into the ecosystem and nurturing them and having an overall ecosystem around that becomes a challenge for us. Auditing and compliance is another problem, and most importantly, in today's world, we're talking about multiple devices per user, right?
So every user would have multiple, you know, typically in the development setups, you would see, or in fact, even in the SOCs and the NOCs, you will see that every user would have multiple devices, and there would be multiple accounts that they would use to access multiple things. And these are all typical challenges that are associated with identities.
Now, what do these challenges really lead to? These challenges really lead to the different attacks, and we heard John speak about a few of these attacks in depth, and I would like to touch upon a few of them again, you know, credential harvesting. If you have weak passwords, it's pretty easy for somebody to really get into your organization and get access to any of those credentials. Once they have access to those credentials, they can do lateral movements and they can do a lot of stuff there.
Credential stuffing, once they have access, they know how to really bombard that, how do you try that in the brute force or whichever method, but then they will try to use these various identities that they would have gotten access to, really gain access to the things. Social engineering, phishing attacks, most common, right? So we know where does the ransomware, malware really stem from. There are typically password-based attacks, attacks on ADs, again, something that John spoke in depth. Kerberoasting, that's one.
Pass the hash, you know, it's a pretty unique way where people are able to capture the hash from your URLs and put that to use in order to gain access to your systems there. So these are the typical kinds of attacks that we see which are occurring on the identities. Everybody wants to have identity first, that's the access control strategy that everybody has. Everybody wants to improve and implement a zero trust where we're talking about how do you implement a zero trust for your users?
You know, the basic thing is I don't trust anybody, you know, I don't trust the user, I don't trust the device, I don't trust anything, right? So I would want to validate each one of that. So we're trying to build that zero trust, but at the root of everything is really the identity and that's what we're talking about because across all these organizations, across all these applications, automations, analytics, everything, the crux is really a digital identity that we're talking about. So what's the need for access management, right?
So we saw that there are identities, we saw that there are challenges with the identities, we saw that there are attacks on identities, and the reasons for that are pretty simple, right? The world is becoming complex, we are getting into distributed enterprises, so it's no more the single network that you would have, it's not a single location that you would have. So the organization is spread across multiple locations, multiple geographies, multiple continents, so to say, right?
And that kind of creates a lot of complexity because you would have ADs, you would have, you know, OUs created, you could have child ADs and all of that, but that's kind of creating a lot of, you know, complex environments. To add to the story, we have now cloud, which is becoming a critical component of your organization. So everything is now spreading onto cloud, and that's where things are really moving now.
So it's becoming cloud, it's becoming on-premise, and thus it's leading to really hybrid environments, and we're talking about how do you manage these complexities, because on the cloud, you know, if you're trying to spin workloads on AWS, Azure, you could be using Entra or those kinds of, you know, tools there, but there are a lot of other environments, you know, majorly if you see AWS, GCPs, and the likes of them, they don't really have an IAM solution, and that's where things become complex because then you are not really implementing the same policies that you would have on-premise onto the cloud environment there.
We also have, you know, since the corona period, we have seen that there are a lot of acquisitions, you know, people are coming, going, that's becoming quite frequent, and people entering and exiting your organizations is becoming a pretty complex situation to manage, both for your IT teams and for your HR resources. Privileges today are built into the critical infrastructure itself, right?
So it could be your operating systems, file systems, applications, cloud management, your hypervisors, your VMs, your dev tools today, which is one of the very critical solutions that we are looking at, automations and stuff like that. So that's becoming the basis of the bigger challenge that we have. Cybercriminals covet privileges, right? They are eyeing or they are prying for these critical privileges that they can gain access to. Cyberattackers today are basically because they gain access to your identities, it is sort of an insider threat then, right?
Because you compromise an identity which is internal to your organization, and this identity is then trying to do a lateral movement, infiltrate, do exfiltration and things like that, right? So that's the new data in exfiltration, which is a bigger risk for all the organizations.
So yes, IAM can come to the rescue. We've been talking about identities, we've been talking about threats there, but how can IAM really help us? So we're talking about how can we enforce strong password policies? I just mentioned that typically in the organizations in the past, definitely a majority of the organizations today would have implemented stronger password policies, but if you want to really enforce that in an automated way, IAM is a major way of doing that. Multifactor authentication is inbuilt into the IAMs today.
So you're talking about either applications are web-based, they are agent-based, deployed on our desktops, whichever way you would need multifactor authentication. In fact, we've seen a lot of cases where customers are now asking us for MFAs even when the system would boot up, right? So when your desktops or your laptops would boot up and after you punch in your username and password, people are, organizations are saying that we want to throw a challenge to our users to see whether multifactor, you know, verify or validate because it's a zero-trust policy.
So we want to ensure that the, you know, that the identities are not compromised, that the passwords are not, you know, leaked out. And so multifactor authentication becomes important and typically IAMs would have that. Single sign-ons, access controls, identity verification, service account management, I mentioned to you sometime back, that's pretty important. And when I'm talking about IAM, I'm not restricting myself only to identity and access management. It's really IGA, it's PAM, it's IAM, or it's CIAM all put together.
And third, intelligence integration is becoming very important today. So if you look at IAM, and I just mentioned that we're talking about IGA, access management, PAM, and CIAM, typically when we talk about IGA, we're looking at management of user identities, right? So I want to ensure whether the intended recipient or the incumbent really has the rights that are necessary for them. So how do we really validate those? How do I audit those? How do I ensure that I can take away certain roles and responsibilities given to this particular end user? And that becomes a big challenge.
That is something that we can look at IGA to really help us. Access management is typical to ensure team members can access what they're entitled for, right? So nobody should really have access to everything in the organization. In the past, we've seen probably when I started my career, IAM was pretty nascent. And it was in a very old avatar, if I were to say that. So we had access to a lot of things, which we probably did not really have a need for. But we used to have that access.
Today, with a strong access management implemented, we can ensure that team members can access only what they are entitled for, right? So even in case of any threat that we discussed on identities, John mentioned, I mentioned, even with that, you're at least trying to mitigate or minimize the attack surface that exists in our organizations.
With PAM, you would ensure that at least on the critical infrastructure where you have privileged accounts, you are only allowing users to access those critical infrastructure just in time with just enough access, right? So we're saying, if Harsh needs access for two hours on 17th of October, he should only get access for, say, 6 p.m. to 8 p.m. in the evening for those two hours and nothing beyond. That's something that we can enforce.
In fact, with PAM now, we're talking about ephemeral access, right? So we're saying that I would not necessarily create these users on the PAM, on the end target devices. I would rather generate them with ephemeral certificates or ephemeral accounts. I will give them access just in time with just enough access and ensure that I can take away their rights once the session is disconnected. We do session monitoring and things like those with PAM. And also CIAM, because if you see, e-commerce is a booming industry today. And it's not just e-commerce, right?
Everywhere, customer is becoming the, customer was always the king, customer was the god, and customer continues to be the center of our existence, right? So we're talking about how do we control the access to our customers' data? It could be their PII information, it could be their privacy information, it could be many other things. And all these things can actually be managed and monitored by using the IAM, IAM Access Management or Access Management. So what can we really achieve with an access, with Access Management? We're talking about lifecycle systems.
So we're talking about right from joining the organization to leaving the organization, whether the resource continues to be in the same role, they move roles, whatever they do, I should be able to manage the entire lifecycle. And this is not only for human identities. This is also important for non-human identities, bot identities, API identities. These are becoming critical for us and crucial for us. So managing the entire lifecycle for these identities is becoming very important. We can achieve that through Access Management.
Rollback, role-based access management, that's today the basics of identity and access management. We want to track and monitor who has access to what, when and where. That's again, you need it for audit purpose, you need it for forensic purpose, you need it for monitoring, for enforcing policies and all of that. We most importantly want to prevent sharing of credentials. So in the earlier days, people used to share their credentials with their colleagues, with people in the organization.
But that led to a lot of challenges and it becomes very difficult to pinpoint who the actual initiator of a particular activity is. And thus, we want to really prevent sharing of credentials, which is why, again, access management becomes very crucial for us. There are a lot of addendums to the regulatory and compliance, and we want to ensure that we manage and mitigate risk pertaining to privileged user credentials.
John, again, spoke a lot about elevated access and how people can exploit or cyber security vultures can really gain access to the elevated permissions and cause havoc in the organization. So how do you really manage and mitigate the risk? All of this can actually be achieved using access management. So in a way, the threats that we spoke about for identity can really be taken care of with the new age access management that we're talking about.
Coming to the need for ITDR, John spoke about it at length, but I would like to state that identity is fundamental to the business today and is the foundational aspect of cyber security. Because like I mentioned to you sometime back, identity is the new oil today. It's the crux of the business today. If the identities can be compromised, potentially the organization or the entire business can be at threat. Organizations rely on their identity infrastructure to enable collaboration, all kinds of collaboration. We're talking about non-human collaboration, human collaboration.
All of that is today done through the identity infrastructure. The process of managing and granting access to resources becomes complex with the complexities. We mentioned about human identities, we mentioned about non-human identities, the cloud environment, the overall hybrid infrastructure. All of these complexities are really creating a big complex environment for us. Non-human identities and BYODs create further complexities for us. In a lot of the organizations today, you will see that the devices are owned by the employees and they bring the devices.
There is a lot of enforcement, there's MDM. There are a lot of other things that are enforced on these devices to ensure that we can manage and control the access to organizations' data. But all of this is really adding to the need for identity threat detection and response. With all of this, if you see the crux of everything really is that identity and we need to ensure that we are able to identify the threat and we can minimize the threat and we are able to ensure that we can recover out of any challenges that happen. SaaS account inventory is a bigger challenge.
I'm sure each one of you would have experienced that there are zombie SaaS accounts that have been created which people don't have information about because we are using cloud platforms to really create these accounts and nobody is the owner of them and that becomes a challenge. Excessive PaaS and IaaS privileges. But what all this is really leading to is an increased credential breach and almost 40% of the security breaches today involve identities. So that's a bigger threat and therefore identity threat detection and response becomes the key for everybody.
So these are, if you see in a nutshell, what I've mentioned on the left hand side are all the capabilities. Now the ITDR capability matrix. So this is as per Gartner. So these are all the various capabilities that they have listed. And if you see, I've tried to list all the Arcon components and feature solution capabilities. So we're pretty proud to say that from an ITDR perspective, we are able to achieve the threat detection and response for be it business identities, be it privileged identities, be it business assets, be it critical assets, any kind of identities or assets that you would have.
We are able to actually help you deliver the robust ITDR capabilities there. Quickly coming to the access management component that Arcon has, the tool has the capabilities for provisioning, deprovisioning and reprovisioning. We have single sign-on, password management, password rotation, session management, privileged elevation and delegation, access control with workflows. We have our own MFA where we compete with the likes of the Google Authenticator, Microsoft Authenticator.
I mentioned sometime back that it's not only for the web applications, but even for thick client-based applications, we have our own MFAs that we have. We have IGA, which is a critical component for auditing and ensuring that there is regulatory compliance there. We have a highly matured password vault, be it PAM, be it IAM. We also have endpoint privilege management where we can do a lot of management of the local admin credentials of your endpoint. So be it desktop, be it laptop, we are able to achieve all of that. We can do secrets management for your DevOps.
So like I mentioned sometime back, it's not only human identity, it's also non-human identity. So it could be your keys, it could be your hashes, it could be your SSH certificates, it could be ephemeral accounts, it could be anything that you're talking about. We are able to manage all of that with the access management component that we have. What we've really done to really provide a converged identity platform, we have really brought all these different tools together. So we have MFA, single sign-on, we have IAM, IGA, PAM.
All of these are available to you as a single code base through our product. So right from the initiation of an identity to the retirement of the identity, the birth of the identity to the retirement of the identity, we are able to manage any kind of identity. All the identities that I mentioned to you about, be it human identities, non-human identities, we can manage all of that through the converged identity platform, which is one of the unique solutions that we offer.
So this is an identity-centric solution, a security solution, which has inbuilt IAM, PAM, and IGA with contextual data models. That's the crux of the converged identity platform that we have in the market.
Quickly, something about Arcon. We were founded in London. We have our R&D center based in Mumbai. We are international. We sell to more than 90-plus countries. We have more than 1,500 customers. We work with the majority of the global system integrators across the world. We have channel partners. We have been consistently profitable since the inception with a very strong top line. The most important thing is we are 100% bootstrapped. So we really work from the heart. We are developing this product because our passion is in identity and access management.
And in the next slide, I'm going to talk to you about multiple other product lines that we have. Happy to state that all these product lines that you see here are homegrown. They are all organic. Everything built from scratch within Arcon and very well integrated with each other. So we have a privileged access management. We have our own single sign-on. In the privileged access management world, we compete with the best in the industry. Same for the case of single sign-on.
Converged identity, we believe that we really don't have a competition there because, like I mentioned, we have converged all kinds of identities. So today, you would have multiple tools. You would have an IAM. You would have PAM. You would have IGA. You could have multiple tools. And then integrating these tools and trying to get a single holistic view about digital identities becomes a challenge. But with the converged identity platform, we are happy that we will be able to share that.
With cloud access governance, we are able to give you a single window view of the entire real estate that you could have across your multiple cloud service providers. So we can go to the level of saying which workloads are there. How many workloads are there? What is there on those workloads? How many users are configured? What are the responsibilities given to the users on those workloads? Whether those workloads are being consumed, not consumed? Can you repurpose the licenses? It's like a CIEM. So it's a cloud infrastructure entitlement management component that is deployed there.
We have another very beautiful component, which is the security compliance management. This is slightly sitting outside of the identity and access management space. But this is where we can help you manage your entire infrastructure for looking at gaps from the identity, from the hardening perspective. And we can tell you exactly where, what are the gaps there. And we can also help you mitigate those. We also have endpoint privilege management. So I mentioned some time back that we can even rotate the password. We can do elevation. We can do a bunch of things.
We have file integrity monitoring, GRA, MyWord. And we also have surveillance access management. So I would quickly browse through this because I'm sure a lot of you would know about these products. And if not, at the end of the session, I will share my details. And I would appreciate if you would connect with me for any details that you would love to. Quickly moving on, these are all the industry verticals that we cater to. So we are industry agnostic. All the products that we have are industry agnostic.
They can be implemented across all the use cases for these tools in every industry vertical that you can think about. And we have done the implementation. So I'm happy to discuss with you about what we've done, what are the use cases, how we can do it, how we can better it. Skipping it. So we have all kinds of certifications. So we offer both SaaS and on-premise licenses. So we have our SOC 2 Type 2 compliances. We have ISO 27001, 27018, and all of that. We have all kinds of affiliations with different industry bodies across the world.
Most importantly, we have been consistently rated very high in Gartner Peer Insights. So this is the customer feedback that we have. This is what the customers have to say. KuppingerCole Leadership Compass is where in the access management space, we have been recognized as the overall leader and innovation leader. That was even for the year 2023 and now for 2024 as well. So KuppingerCole, we have been associated with KuppingerCole for a very long time. And we are happy to state that they have rated us pretty high as against the competition that we have. Same goes for Gartner.
We are part of the Magic Quadrant. We are there again in KuppingerCole Leadership Compass for cloud infrastructure and entitlement management. We are present there. We are also present in the Forrester Wave. So that's all that I wanted to discuss here. Thank you for patiently listening to me. And I would like to open this for any question and answer session.
John, over to you. Thanks. A lot of good info in there. And I want to follow up on a point you made where you said that if an attacker gets access to an internal account, then every attack is an insider threat attack. That was a really good point. Thank you.
Yeah, we've got some questions. I want to make sure we leave enough time for these questions. First one here. I would expect ITDR to be an adjunct of my SIEM or SOAR solution, especially as we begin to enhance SIEM and SOAR with AI analytics. Do you see ITDR as being a separate software solution? What software solutions do you think ITDR does well today?
Yeah, you know, I definitely see this as a new emerging market. They often, ITDR solutions do generally have the ability to look into your SIEM, sort of work along with it. But I think it's actually sort of addressing some of the shortfalls that we see in SIEM today.
You know, it may not be totally identity aware. So I see ITDR as a growing market. And I think it's going to grow, like I said, in different ways. There are specialist vendors that are doing it today. Some of those have been acquired by larger security stack vendors. They're rolling that into, you know, their overall offering. And I think IAM systems are going to be building in some ITDR type capabilities if they don't already. I think it's something that they're going to have to do. SIEM and SOAR, you know, many of the SOAR solutions that are out there have ITDR-like response capabilities.
They can go in and say, turn off accounts in IaaS systems or even some SaaS systems. But yeah, they're not really all the way there. I think the capabilities that we've talked about as ITDR are going to persist in a separate market at least for a while. But then you're going to see other vendors in the security and identity space build that kind of capability in. What do you think, Harsh? I totally subscribe to what you said, John. And I think somewhere I was doing, again, the KuppingerCole report where it said that probably tomorrow the term ITDR might be replaced with something else.
But I strongly believe that a lot of these IAM vendors would be building, if they don't really have it, they would be building the ITDR capabilities within the component because this is important, right? So, detection and response, I think response is going to be the key. It's not only about provisioning. It's not only about reprovisioning or deprovisioning. It's also about ensuring the security of these identities. That's the key that the IAM vendors would really have to focus on and deliver.
And that's where I believe that the majority of the IAM vendors will in the near future, if they're not, invest heavily in building the ITDR capabilities or whatever it turns up in the future. I'm told that probably by 2025 or 2026, 2025, 2026, the ITDR term might undergo change. And John can talk about it because I believe KuppingerCole is saying that there would be a new terminology for that as well.
So, it's going to be an old wine in a new altar, if I were to put that. But that's something that all of us would really have to look at. And there are tools there. I believe very strongly that you could have EDRs, XDRs, all of it. But aside from that, you would still need an ITDR functionality to be there because identity is going to be the foremost reason for worry for any CIO or CEO or CFO. Yeah.
And again, thinking about SaaS application utilization, we've said identity is the new perimeter for a long time. But in many cases, as a SaaS customer, identity is really the only perimeter that you have as an organization because you're not in control of the underlying hardware and the operating system. You're just an administrative user of somebody else's application.
So, identity is the only way that you can control what happens to the data or the applications that you're running in SaaS. So, let's see. Next question. In the way you ask whether we have acquired ITDR, you make it sound like a single product can cover the entire identity security space. Is that really the case today?
You know, it is, like I said, an emerging market. We did a Leadership Compass on ITDR earlier this year. It was quite popular in terms of readership.
So, we are going to be renewing that research sooner rather than later. Many other vendors have come to light who have capabilities in this area. Can you do it in a single product?
Well, what I've learned even recently, you know, going to conferences and seeing what's on the show floor, you know, there's kind of a wide variety of what people are calling ITDR today. So, you'll see some solutions that are totally focused on SaaS. They don't really have any capabilities in looking at, you know, your on-prem components, whether it's, you know, a legacy IAM system or, you know, your Active Directory.
So, it can't really cover everything. There are some that, you know, look at the big picture from on-prem to cloud and everything in between.
So, yeah, there are solutions out there that can do that. They are, in many cases, standalone. And in other cases, they're part of a full security stack solution.
Harsh, do you have anything to add? I agree with you, John. I think one of the things that I would also like to add is it's not just the AD or the AAD that we're talking about. It's also about AD Bridging, right?
So, we're talking about how do you really, you know, take it beyond the Windows system, because that's going to be the key here. You know, when you're talking about identity, it's not only with the perimeter of networking devices or really the Windows ecosystem. It's going to be beyond that as well.
So, yes, this space will evolve. But like I said, I strongly believe that a lot of the vendors in the access management space would be forced to really come up with a tool which would include all of this, because having multiple tools may or may not really be something that the overall industry would really be happy with.
So, there is eventually a consolidation, like John mentioned some time back. There is also, you know, consolidation within the ITDR industry.
So, the small fishes are being taken over by the bigger ones. So, I believe that there would be ITDR solutions, which would be very targeted ITDR solutions, and there will also be IAM vendors building it.
So, both these will exist. We would need independent bodies to do that.
So, yeah, I believe that will stay there. Okay. We're almost out of time, but let's take a look at the poll results.
So, first question, which of the use cases are the most important? Looks like prevent workforce ATO came out on top with protect AD and look for MFA bypass. That's pretty cool. It's a good split between all of these. Yeah. Interesting one. Yeah. Okay. The next one, is your organization pursuing ITDR? More than half say no, but about a quarter say they already have some ITDR capabilities.
So, that's great. It's interesting statistics to have.
I mean, I'm sure that people who have already acquired ITDR solutions are thinking ahead of the curve, and they're investing in the right places. I'm sure that others would eventually be considering these solutions, and one should look at, you know, if not dedicated ITDR, at least solutions with the ITDR capabilities.
Well, great. That's all the time we've got for today, but thanks, Harsh, for your participation. A lot of good insights there. And here are a few links to our research on ITDR-related topics. Any closing comments?
No, thanks a lot, John. I think it was a wonderful session. I hope that our audience and our listeners enjoyed it. And if you have any questions, I hope that your audience would have benefited from the overall conversation about IAM and ITDR. It's an upcoming field, like you rightly said. The real definition of the term ITDR is not really established within the industry. People are still trying to find the right one.
But, you know, I believe that identity being the key aspect of cybersecurity, everybody should feel concerned and look towards it. So, I hope that we at Arcon would be able to help a few of the people within the audience to really take it forward. And I would really like to thank KuppingerCole for organizing this entire one. Thank you for that. Really appreciate you having us there, John. Thanks again, everyone. Have a good rest of your day.