Welcome to our KuppingerCole Analysts webinar, the Future of Identity Security: PAM (Privileged Access Management), CIEM (Cloud Infrastructure Entitlement Management), and ITDR (Identity Threat Detection and Response). This webinar is supported by BeyondTrust, and the speakers today are Marc Maiffret, who is CTO at BeyondTrust, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts. Before we jump into our topic, a little bit of housekeeping and a look at the agenda. The housekeeping is very straightforward. We are controlling the audio, you are muted. Nothing to do from your end.
We will run two polls during the webinar, one right after this slide and before the agenda, and one a little later. Then there will be a Q&A session. So if you have questions, you can enter them at any time. It's not a GoToWebinar control panel anymore, but it's on the right-hand side of the event platform.
You'll find the Q&A there, and you can enter questions as usual. Be active: the more questions you have, the more lively it gets, and it gives you the opportunity to directly ask Marc and me about things you'd like to learn from us. So use this opportunity and enter your questions.
Finally, we are recording the webinar, and we will make the recording as well as the slide deck available soon after the webinar. So before we start, and I quickly already sort of read out these terms, the first question to bring up here is: which solutions of these three acronyms do you already have in place? Is it PAM, privileged access management, only? Is it privileged access management and CIEM, cloud infrastructure entitlement management? Or is it all three, or none, or other combinations? So looking forward to your responses.
Please make your selection. We'll leave this poll open for whatever, 30, 40 seconds. Looking forward to where you stand with that.
10 more seconds and then we'll close that poll.
Okay, so let's move forward and have a look at the agenda slide. As for many of our webinars, the agenda is split into three parts. We'll have two presentations, both will be kept relatively short, and then we go into a discussion which, so to speak, directly continues into the Q&A.
During the discussion we will already start responding to the questions you have entered by then, so this will be more of a continuous flow. In the first part, I'll give a quick, very high-level and rapid overview of PAM and CIEM and ITDR in the identity fabric context and why we feel it is so essential these days to look at these technologies. In the second part, Marc will talk about identity-first strategies and the pivotal role of privileged access management.
And so what does it mean from his perspective?
And then, as I've said, we will move into the discussion, and you have the opportunity to enter your questions and we will try to bring up good answers to them. So again, if there are any questions around this topic already, feel free to enter them now. If they pop up during the webinar, enter them then; the more questions, the better.
Where I'd like to start is, I won't read out the slide, be assured, but where I want to start is with this slide. My colleague constructed this a while ago, and it looks at identity across the MITRE ATT&CK matrix. And when we look at this, it becomes very clear that in this matrix there's a lot of elements.
Identity is ubiquitous; the threats are there, from phishing to malicious dealing with accounts to abuse of privileges to adding rogue domain controllers. All these things are related in some way or another to identity.
And very frequently they are related to privileged identities. So what we have here is a clear picture that identity is very essential for our cybersecurity posture. And I think there's a good reason that a lot of people in this market nowadays speak about identity security, because there's a very close relation. There are elements of identity which are more about business enablement, et cetera. There are security elements which are not directly related to identity, but there's a huge overlap.
And so what this actually shows, I said I won't read it out, is that identity plays a very important role in many areas of the MITRE ATT&CK matrix. And that also means we need means to identify identity threats.
And this is where identity threat detection and response comes into play. A lot of what we did so far in identity management is really about controlling access and entitlements. This is about the "could do".
It says, okay, Martin could do that, and because of that there's a potential segregation of duties issue or whatever. But the other part is: what is Martin doing? What has Martin done, what is Martin doing? It's a different perspective on that. So is Martin abusing the privileges? Is he trying to do things he's not entitled to, et cetera? Are there accounts acting in a sort of unknown, uncommon manner? So do we have these outliers?
Do we have these anomalies? Identity threat detection and response is about looking at this: monitoring what is happening, detecting against baselines, responding with additional measures, deceiving (sort of the deception part), proving is this really the right identity, and all the things around it like device intelligence.
So identity threat detection and response is something which adds an angle to what we have been doing in the past, which was identity and access management, by adding a perspective that is real: what is actually happening. It's not entirely new.
We had this term UBA, user behavior analytics, for quite a while, and ITDR definitely has some strong relationships to UBA, but it goes beyond that. So not only the monitoring, but really more of detection, response, deception, et cetera. But the roots are surely in that space. We just don't have it implemented. Maybe ITDR also has the advantage that it has a better name, because UBA will worry your workers' council, while ITDR is about security. So the naming is probably the better one.
Then we have this area of CIEM, or we tended to call it DREAM, dynamic resource entitlement and access management, because from our perspective CIEM is a bit narrow.
It's not only the cloud, it's every agile infrastructure, everything which has a high level of automation, where we have our solutions developed in an agile manner running. So it also involves to a certain extent your Kubernetes cluster.
You're running it in your virtual private cloud, et cetera, and it's modern infrastructure. It's really about everything related to modern digital applications and applications we're running quickly. The idea here, and the learning, is we have some good control, or maybe we haven't, but we could have some good control at least about humans and their entitlements. But here we are talking about services, for instance in AWS, Azure, whatever, and the resources they're accessing.
And we talk about a lot of things that are configured today by developers as part of infrastructure as code or everything as code. We are talking about something which is permanently changing, which is really volatile, and which frequently also involves way more instances.
So we have an issue about what can happen there, and we have sort of super services that are a bit like the super admins, the super users of the past. We need to get a grip on it. What does it mean, what happens there, et cetera. We need to look at this part as well.
So, so to speak, the silicon identities, and not new identities. And what I can do with all these new, or relatively new, environments where we're running workloads. And we have privileged access management, the good old traditional privileged access management, which has evolved over time. So when I look at the roots of that and at where vendors stand today, a lot of things have happened, and all of these are part of what we need in our organizations. We need a modern identity fabric.
So we need this integrated perspective on what we do in identity management, and we need to deliver the services like in a fabric. So fabric as a mesh connecting all these services, fabric like in production, delivering the services. And we came up with this paradigm a couple of years ago.
I see quite some popularity here. And basically it's really about how do we bring together these capabilities to serve use cases beyond sort of the workforce, to our own services' access. It's about every type of identity, every service, from the human to the service that is, for instance, accessing a resource on GCP, AWS, Azure, you name it. So all identities, API-based, supporting legacy IAM, supporting SaaS delivered from the cloud, but also supporting the hybrid IT. And when we look at where these technologies come into play, we see there's a lot here.
Oh yes, it's also the human, but it's specifically services. And then we have this access part about privileged access, about access to cloud resources. We have the risk part where we look at ITDR and UBA, we have the integration to SIEM, and we need services that deliver these capabilities in a well-thought-out and integrated manner. And that is where, with the privileged access technologies we have from the past in access management and controlling high-risk access, with this need to do things at the services-to-resource level as well,
and the need to detect and respond to that, you have an area where it's very logical to consider a deeper integration, and this is where we started. So that was my high-level intro; Marc will soon follow up on that. I have just one poll before I hand over to him, and then we will exchange a bit about this.
As I said, very happy to take your questions, so if you have any, please enter them on the right-hand side of the event platform. You'll find the Q&A where you can enter your questions. My second poll for today.
And this is, I think, also when we look at all these things: AI is also a bit ubiquitous these days, and we are a bit curious about what is the area where you believe AI adoption will have the biggest impact on cybersecurity, or where we will see the biggest increase in AI adoption in cybersecurity within the next two years. So is it more on MDR, managed detection and response capabilities, or XDR, extended detection and response? Is it about the attacker side, them using AI to automate?
Is it about better vulnerability identification, or, and this includes ITDR and the responses, is it really complex? So less the automation, but the complexity of attacks. Looking forward to your responses. We'll leave it open for some 30 to 40 seconds.
Okay, some 10 seconds more; the more people enter their response, the better it is, and if time allows, we'll click through. So finally, my part is done, handing over to Marc. Marc will talk about identity-first strategies and the pivotal role of PAM.
So, you know, Martin raised a lot of great points about the evolving identity landscape and really the kind of complexity inherent in it, very much the need to think of identity as this new security perimeter, right?
And one of the things I wanted to touch on this morning, following on from what Martin was sharing, is some very real-world examples of everything that Martin was describing about the complexity, the need to focus in this area, and how we've seen that play out in a variety of real-world attacks, even over the last several months.
And so if we dive into things, when we think about the complexity of the identity estate and what needs to be protected in modern environments, where identity crosses from on-prem traditional IT to cloud to SaaS to everything in between, over 80% of organizations have, just on the end of your IdPs, your primary authentication systems, multiple to manage, right?
And we've seen the complexity inherent in just what actually needs to get managed there.
When we look at things like cloud, having 40,000 types of cloud permissions to manage, I mean, I think the more simplistic way to put that is anybody who's ever attempted to dive deep on something like AWS IAM knows it's really hard to figure out where do you begin, where do you end, the nuance of it all. And so there's a variety of different ways that we understand the complexity, but one of the things I think is really important is that a lot of organizations struggle really from the security silos that exist, right?
There's typically your IAM team or IT team, separate from your maybe information security engineering team, separate from your security operations team, and across the different types of technology you'll see differences in who might be managing traditional IT versus cloud and so forth.
And so all these silos that exist create very, very large visibility gaps in the overall understanding of identity and the security of identities at a company, right?
And I think most importantly, the security gaps and the silos that exist are not ones that exist for attackers, right? Those gaps, those silos that exist in most IT and security teams are something very much that attackers actually take advantage of. And we'll get into that in a minute. And so as Martin mentioned, when we think about the holistic process of how you actually think about identity security, the first and foremost part that you need to make inroads on is really around visibility, right?
So how do you have total visibility of your entire identity estate across all these different IT domain areas?
How do you bring that information together in a centralized way so that you have a shared understanding, so that you can break down some of those silos that we were talking about by having that single source of truth across your entire estate? And then most importantly, as you have that visibility into the problem space, how do you add the preventative capabilities? So how do you lock down your attack surface, right?
How do you limit the ability for your environment to be attacked? How do you make it harder so that you're not the easy target from an identity security perspective? And then obviously, as you've moved beyond locking down your attack surface and locking down your environment from an identity security perspective, it becomes important to detect what's left over, right? So the attacks that are still possible, the different threats that are still going to exist: how do you have a great detective capability to be able to look for those things across your entire estate?
And what's the process in which you actually triage those? It's very common that when you think in terms of traditional areas of security operations and threat detection, there are usually better processes around how you respond to endpoint-based threats and so forth. A lot of companies don't have great process, tooling and understanding of how to respond to identity-centric threats, where there isn't necessarily any endpoint to be responding to in the first place.
And so that obviously leads into the importance of the response capability itself. And so kind of re-imagining what that actually looks like: What does it mean to lock down an identity? What does it mean to respond to an identity threat in real time? And to be able to, excuse me, sandbox that identity to limit impact?
How do you do that in a way that your outcomes are very clear, where you're not going to break anything in your environment? So there's a lot to think through. Those are the four primary areas of how you want to think about it.
And definitely you want to think about it through an identity-centric lens. But jumping into it, as I mentioned, the importance of understanding that none of this is theoretical, right? All these things that we're talking about, the challenges of complexity, how you need visibility and how you need a more mature process around how you think about identity security, are very much in response to what's already happening in the world, right?
Even just recently there have been threat actors that have very specifically been targeting identity infrastructure at various companies.
And I wanted to walk you through one example, although the example I'll give here is very relevant to many types of identity systems.
And so in the case of some of the recent threat actors targeting Okta deployments at customers, typically the threat actor will start by first capturing, through things like social engineering and so forth, either an employee account or, in a lot of cases, directly an Okta administrative account. They'll perform further social engineering to disable MFA, so essentially they might social engineer the help desk. Obviously a lot of companies have been adopting MFA.
I think one of the important things there when you think about MFA, multi-factor authentication usage at your company, is that there are various forms of MFA, right? There's push authentication via your phone, there's SMS, and a lot of those are considered, especially for your privileged accounts at this point, weaker forms of MFA that are prone to things like social engineering and other tactics, versus things like FIDO2, maybe rolling out YubiKeys and so forth, right?
Which are a lot harder to phish in the specific way that we're talking about. And then some of the attacks we've actually seen, where once they've compromised and gained access to this privileged identity infrastructure, in the case of this attack here, they'll actually add another identity provider to Okta that'll allow them to then impersonate and masquerade as other users.
And they're doing this to further an identity-based or identity-centric form of lateral movement, to be able to move into potentially your cloud environment, your SaaS applications and so forth. And a lot of times when we're talking in terms of identity, there's a lot of, I'd say, newer systems when we think in terms of cloud and SaaS infrastructure that can be very commonly tied to modern identity infrastructure.
But as most all of us know, we have large deployments of Active Directory and a variety of traditional and on-prem identity and systems management. And so for many of these systems, as in the example here with Okta, there is an on-prem component where you might be synchronizing your on-prem Active Directory to your cloud-based directory and vice versa.
And so we've seen attackers that will start from the cloud and end up on-prem and within Active Directory. We'll see attackers that will start from on-prem, compromise something like your Okta or Azure AD synchronization agent, and use that to grab a synchronized user account that they can then use for lateral movement at that point. And so it's a great example here when we talk about the need to not have the disconnected silos, right?
Where for a lot of companies there's your identity and security folks working from a cloud perspective, there's maybe your traditional on-prem Active Directory folks; attackers don't care about these silos, they move between these different areas typically with ease.
And that lack of a cohesive strategy and understanding here becomes critical.
Going back to a lot of what Martin was talking about earlier, and obviously when we talk about these types of attacks, some of the recent ones have been related to Okta as I was showing earlier, but this is all types of identity infrastructure, right? So it's no different when we think in terms of things like Azure AD: very much similar processes, the on-premise synchronization agents that can be attacked, how that actually lines up to what you're doing from a cloud and SaaS perspective.
A lot of folks that I talk to that maybe are coming from the PAM space are very aware of what it means to manage service accounts in an on-prem Active Directory environment, right? The importance of managing these non-human machine identities within Active Directory is a well-known and well-treated thing from a PAM perspective.
A lot of companies are unaware when we think in terms of things like Azure AD, where now you have the concept of service principals and you have OAuth applications with a variety of entitlements, and these different types of service principals and OAuth applications and app registrations, et cetera. They all have privileges assigned to them. And so it's very similar threat characteristics as far as how you actually need to lock those things down.
And so I'm scratching the surface from an attacker perspective here, but it's really, really important that you're thinking more holistically about not just the traditional, maybe service account lockdown in the on-prem world, but what that means from a cloud, SaaS, et cetera perspective, so that you have a centralized view of that.
And the very last one that I wanted to share, which was very timely from a news perspective, is that at BeyondTrust we recently discovered that Okta's support organization had been compromised.
And it was a very sophisticated attack by attackers where essentially they were in a position to have compromised Okta's support organization. They were then able to look at any Okta customer support data. What they were looking for in that customer support data was any customer that was uploading browser HAR files, essentially browser recordings typically used for troubleshooting bugs and issues with a web-based platform. And then they were looking for actual authentication cookies and tokens to then go hijack those different companies' accounts.
We have a much more in-depth technical blog on our website that you can read, but this is a very important thing, where sometimes attacks are not directly against your environment, right? Attacks will actually originate via third parties.
And so there's an interesting identity-focused, supply-chain type of attack here that took place, and it's very much worth the read in terms of how you think about your own environment, how you defend, and most importantly just how you begin to get visibility into this problem, as I've only touched on a few short areas here. But with that, Martin, I think most importantly I'd love to hear from folks and answer any questions that we can.
Marc, thank you very much for your insightful presentation and for really going into some of these concrete challenges we've been facing in the past couple of weeks and months. And I think we all know it's not stopping; maybe sometimes there's that impression, but we are still at the start and not at the end of this.
And I just read someone being quoted saying 2024, or possibly 2023, anyway, may be the zero-day attack year, so to speak. So more than ever we have a lot of threats, and this includes cybersecurity, but I think hopefully we were able to communicate to the audience that many of these, most of these I think, whichever number we take, are related in some way to identities and so to identity threats.
And so I think it's very clear that we need to tackle this.
And I think what also is very important to understand is this is part of this intersection. So we have this new field of CIEM, like resources to services, services to resources. We have this ITDR field, so really the detection angle.
So not only saying, okay, we have set certain entitlements and probably they are okay, but really constantly, continuously looking at what is happening, identifying anomalies, spotting what is going wrong. And then we have the PAM part, and I think this PAM thing, it sounds a bit, okay, this is the old part amongst these new technologies, but I believe, maybe this is a good starting point.
I believe it's more, because at the end of the day, what we have learned in the past years is, when it comes to, and I think we need to distinguish first between the automated attacks and the targeted attacks.
So we have this high degree of automation prominently coming in, which frequently is just a door opener for something that follows. And part of what follows are really targeted attacks, where the attackers try to go for certain types of data, certain types of information in the systems of the attacked organization. And where we talk about targeted attacks,
there's one thing in common: these attackers always go for elevating their privileges, becoming as privileged as possible, or gaining access to as privileged accounts as possible, to do the next steps. And so this privileged access management element, to my understanding, remains extremely relevant in this broader context. What's your perspective on that? And also on the intersection of all three technologies?
Yeah, I think you're exactly right. I mean, when we think in terms of broader identity security and how the world's changing out there, privileged access management has always been about identity security, right? It's about protecting the things that give identities their superpowers: the entitlements, the permissions, the privileges and so forth.
So first and foremost, exactly what you said, attackers are almost always going to look at how do you gain further privileges, how do you elevate yourself? And so the work that you've done via PAM and other technologies to lock that down, to make that harder to obtain, is really, really important.
I think the other important shift that you were highlighting, at least the way that I think about it as a vendor in the PAM space, is that just the traditional approach to only locking down entitlements, privileges, et cetera, is not enough. You need the active monitoring to be able to alert people, to be able to detect the misuse and abuse of privileges by attackers that are trying to gain these things.
And I think those two things, it's the interplay of locking down your attack surface, having a good security posture that makes it harder to be compromised or further compromised in the first place, but also that detective capability of being able to alert you when things are going wrong.
Yeah, fully agree. I think we are in full agreement here, and I think it's really important to understand these things are closely related and we must not go for isolated approaches.
We must think about how these things really relate to each other and how we can make them work in conjunction. So we are already receiving a couple of questions here, and the one I want to pick, because I think it fits very well into the flow here, is: for the average client, this appears like a mountain to climb. So which areas should they address first?
Yeah, it's a great question, and it is, I mean you mentioned it earlier, Martin, in some ways some of this is just beginning, and I always like to mention that security is this crazy race without a finish line, right? It's always evolving, always something different.
I think whenever, in the last 20-plus years I've been in security, whenever I think about a new area of risk, domain or focus, the most key, important thing is how do you get visibility first and foremost? I think sometimes companies will start to react to a new security domain area.
So how do I secure all my identities? And so definitely things like threat detection and so forth are important, but getting visibility is the most important starting point.
And so definitely it's going to vary from company to company depending on the kind of technologies that you use, but trying to get a platform, or however you bring your own data together, to bring that initial visibility into your identity landscape, how do you get visibility into the fabric, as you well described earlier, to me is the most important starting point. Otherwise you have no foundation to move forward from.
And I think that's a fair point.
So when we look at many of the evolutions we've seen around identity and in other areas, at the end it very frequently started with visibility. So when I go back a bit, when access governance came into play, the first thing was about understanding which entitlements people have in the systems and whether there are conflicts. I think the other part, and this is very important, is not to stop here but to make it actionable.
So when I go back to that time, I said from the very beginning, okay, the next step is, so to speak, closing the loop. So we first need to understand what are the things we need to fix, but then we need to go to automation as much as we can to fix it.
And I think this is where we, when we look at ITDR, are already a bit more mature, but it's definitely a very important aspect to look at: that we become capable of understanding what is going on inside, and this is detection. Yes.
What is happening, where are the anomalies, as well as in other areas. And then we need to have as much automation to fix that as we can. I think there are two directly related questions which we may grab here.
So the one is about what are the core elements for an effective identity-first security strategy. And the second is: is there a good framework for beginning with them, sort of a minimal viable product, and then growing out? I think these are absolutely fair questions, and I could bring up, and it's available on our website, our reference architecture for instance, which looks at all the different building blocks, but there are really many building blocks.
And the question always is where to start. Maybe I start and you proceed from there. What I also believe in, and I think this is also very important in the context of this mountain, one of the things you definitely should do is create your bigger picture. And this is not as much work as it sometimes sounds.
So building your own identity fabric picture is something which is doable relatively fast, in weeks, not months or years, and which is very helpful to structure it. And this also goes into where to start. What I recommend is always to look at what your gap is, so what do you have, what is lacking? That is one aspect.
And then you can take two perspectives, and maybe you do two exercises. So the gap is always what is lacking, and the other is how critical is it for you to fix this?
And then the other perspective is how complex is it to fix? Unfortunately three dimensions are hard to display, but you can just build two matrices, gaps against each of the other two dimensions, and then look at it, and if you construct them right, at the upper right edge the things which are most relevant will display.
And then you can say, based on that, this helps me already in identifying where I should start with all the different initiatives, depending on where I stand, where my risk posture is. And this is the way I would look at it conceptually. Maybe, Marc, what would you like to add here?
I think that is a great overview for it.
I mean, I think the only thing I would add is, you know, as you're building out that kind of model and understanding things there, is always bringing that risk-based approach, where I think one of the things is that when people are thinking about, you know, kind of security risk, we typically still have a lot of thoughts in terms of the traditional IT space. So it's like, where does the data exist in our environment that's kind of the most important to the company that we should lock down?
I think sometimes we don't think of, you know, what is that OAuth application that truly can end up being the keys to the kingdom for the business, 'cause now everything's controlled from this SaaS app, and is that locked down, is that least privileged, and so forth.
So yeah, I think your recommendation's fantastic. And then just layering on top, you know, try to understand what are those kind of keys to the kingdom, if you will, which can be very different things company to company in the kind of modern IT landscape.
Yeah.
And I think you brought up one important point at the end, keys to the kingdom. Yeah.
So we need to always look at how we can close the door as well as we can, okay? There are still other ways they can come in, or they gain access to our sort of key to the door, the attackers. But at the end, modern authentication definitely is a very important element for everything, by the way. It's also essential for PAM and other things. And when we look at ITDR, it's also about understanding where the potential abuses are, the attacks on our authentication in the end.
This is really a front door thing, having a really modern authentication, and we have learned, I think the hard way, in the last two years or so, that MFA may be good enough or not.
Not every MFA is good enough.
And so we need to understand the context and we need to analyze, we need to bring in the visibility, like you said. So what is really happening here, is this going wrong?
And then we have some very obvious other elements we need: privileged access management. Also, when we look at, take ISO 27001, take TISAX, the automotive industry's adaptation of ISO 27000, et cetera: privileged access management is in there, and we need to look for sure at the things that protect our crown jewels, at high-risk access. And this is not only about shared accounts, it's about privileged and high-risk access also of individual accounts. These are some of the elements we definitely need to tackle.
And at the end, I think this is a bit of the difficult message.
Yes, you need quite some elements, technology and around it all the processes, the policies, the organization, but there's not the one silver bullet you can use. The point is you need multiple elements. The only question is in which order you do it. And this is where I believe looking at what your gap is and what your need is, what helps you most in mitigating risk, or where the pressure is highest, and what you can do in a reasonable time.
This is a good starting point to shape your program, and look at our identity fabrics. I think this is very helpful on how to create a bigger picture here.
Mark, back to you. Any additions here?
No, I mean, I think you're spot on, Martin, and yeah, the thing I always like to call out for folks is that, you know, I realize, for someone like me sitting here and kind of making some of these recommendations, I think there just is the realization that this is a hard problem, very hard problems to solve.
And you know, I think the other thing of why we try to bring awareness to a lot of this is that it's very important for leadership of IT, of security teams, to be thinking in this way and kind of, you know, doing that first door opening, right?
Allowing the kind of space to bring this kind of identity-centric security thinking that I think the kind of early-adopter type of security teams are already well working on. I think there's many, many other folks, to your point, that are trying to figure out what is gonna be the approach to the strategy. And I think next year we're gonna see a lot more of it, and just looking forward to helping anybody.
Okay. We have a couple other questions here. So one is: could you please expand on the role of a verified identity as a core element in zero trust?
Mark, do you wanna start?
Sure. So I mean, it's interesting 'cause there's a few different kind of plays related to verified identities. So there's everything from, you know, a variety of services to integrate with that actually do, quote unquote, human verification that this Mark really is Mark, maybe down to the, you know, my being here in California, driver's license level, if you will. I think one of the things that's always hard is that there's so many facets of how identities can be hijacked these days.
You know, even if you look at some of the newer areas of AI and what's been happening, and the ability, whether video, voice, or everything in between, to simulate identities creates very interesting attacks and challenges. And so I think what you mentioned earlier about, you know, one of the most important things is how you think about the authentication and verification of identities, and whether that's on kind of the human-level verification that might be needed, or whether that's on the kind of authentication mechanisms, right?
The kind of difference of, you know, stronger and weaker versions of MFA and things of that nature. For sure.
Yeah.
So when I look at zero trust, I always say, you know, look at what is happening, and that also, I think, tells the story about why identity is so central to zero trust. It all starts with Martin or whomever authenticating using a device.
And so we have the identity, the authentication, we have the device binding, you know, modern authentication. Then we go over the network, but it's identity first, then we go with the network, whichever network. Ideally we do this via an encrypted channel, so not much to care about. And then we end up at a service, and that's about authorization. It's again about the access controls, what is Martin doing, the monitoring of what Martin is doing, ideally in context with all of the stuff that is happening at the network level, et cetera.
And then we go to data. Ideally we also look at whether Martin is entitled to access this data.
So this is the way we look at it, but identity is very, very central and in many places of the entire zero trust. And so that means we need a good identity, we need an identity that is verified, an identity that is proven. And I think as a part of spending a lot of time in organizations for the onboarding process, we can save money. So it's really a process cost aspect. But the other aspect we have is we also can use this to increase the knowledge about the identity.
So if there's a strong identity proof and then the association to the device and the authenticators, et cetera, we're more on the safe side, not only for the workforce, by the way; I think for every type of identity. Okay. So let's look at some of the other questions. We see other questions come in. So, that's a good question to you, Mark: what are some of the trends you see in identity-centric security? What should we keep in mind when we are evaluating solutions for the future?
Yeah, I mean, you know, it's interesting, on the back of talking about some of the kind of, you know, maybe human verification and so forth, the explosion in machine identity, in a way that, you know, there's a lot of companies that we meet with. There's so many different systems where machine identities end up being used that are central to how you're actually securing those systems.
You know, I gave kind of the quick example earlier of something like Azure AD, right? Where you can have a company that's doing something benign, for example, using a third party to do, like, Office 365 email migration, right?
And they don't realize that under the hood, what essentially is allowing that service to do Office 365 migration is actually leveraging a machine identity with very, very high privilege, and that machine identity and privilege can be left behind when your IT project to finish this migration is done; that privileged account essentially can be left behind.
And so this is just one of the hundreds of examples of where machine identity and the kind of real risk related to them is very critical, very core.
And so that sort of visibility into machine identities, and the reason I highlight that as a trend, is to me the most important trends are where attacks are going and where attackers are going, 'cause that's what we're trying to prevent at the end of the day. And I think attackers are very ahead in some of their thinking on kind of these systems, how to leverage machine identities, the weaknesses, the lack of kind of visibility and understanding in a lot of IT and InfoSec teams for these sort of examples.
So that's one area I would highlight as both a trend and an area to kind of focus on getting better visibility and controls into.
Yeah, and I think what you're saying is we need, and I think this is already happening and it'll continue, to think beyond the workforce, to think beyond the human. So everything has some sort of identity, or at least we can discuss whether it is an original identity, and you can say philosophically an identity has some sort of a consciousness or conscience.
But at the end, let's talk about the identity of things, the identity of services, all the other things. And we need to understand also that this is way more volatile, way more agile than when we look at the humans. And so we need more automation, and I think this automation aspect is a very important thing to look at as well when we look at the trends. And aside from that, when I look at evaluating solutions, I'm a big friend of saying they must have a modern architecture, they must support APIs, stuff like that.
So make it work everywhere, flexible deployments, things like that.
Yeah, a hundred percent, can't stress enough.
The openness, I mean, it essentially comes down to what you talked about earlier, of the kind of identity fabric and the ability for the different technology and solutions that you have to work in the fabric. I mean, one of the core foundational pieces of that is the kind of openness, modernity of the architecture, APIs and so forth, right? So how do you actually get these things interconnected? How do you automate things and so forth is absolutely key and a very important requirement of anything in this space.
Okay.
So let's look at maybe one more question here. Why is it so hard to get the visibility and context that organizations need to prevent attacks and respond to identity-driven threats?
I mean, this might be more, you know, for me, kind of more of a philosophical thing, that it's the age-old problem of information security, where I get asked all the time, you know, where do you think security's going and where do you think threats are going? And the best way to understand where security and threats are going is to really understand where businesses are going and the technology choices that they're gonna make.
The reality is businesses are always building, always innovating, always moving kind of faster in some sense than the IT and InfoSec teams ever will. And so it's really important as a security practitioner that you understand where the business is evolving to, what are the technological choices that might support those business evolutions, and making sure that you can kind of stay ahead in your thinking on security.
You know, I give the example there of, you know, you can go back so many years in time where, for example, very popular technologies now in the kind of cloud-native space, like Kubernetes and so forth, weren't really being thought about from a security perspective, but companies were running fast to adopt, migrate, move, et cetera. So I think that's one of the key things I always recommend to anybody in the security space, right? That kind of deep connection to the business. Where's the business moving towards?
How are the technology choices of the business gonna evolve, so they can be thinking ahead of what the implications might be from a security perspective, versus a lot of times you have to play the kind of reactive catch-up to those changes, right? To that kind of business innovation. But it's just a hard balance, right? It's just hard to do.
Yeah. And part of what we're discussing today, the ITDR part, in fact it's such a reaction to something that came up.
So we move forward and say, oh, we utilize IaaS and PaaS services in the cloud, we develop applications, we have developers using infrastructure as code to automate things, and then we learn, maybe not every developer is the very best security person in thinking about what it means from a broader security perspective.
So we learned that we need to bring in the visibility here, the angle of understanding, analyzing all that. And this is, I think, really getting a grip on new worlds and correlating it in a correct manner to understand what the risk is. And when we understand risk, then we can, like you said earlier, start taking actions.
But we need this visibility first and this understanding of what are the things that can really go, so to speak, really, really wrong in security.
And I think also, by the way, it sounds totally boring, but one of the things which are also very important to my understanding is running things like a business impact analysis, where we really look at what are, from a business process perspective, the things that hurt us most, what are the systems involved? And then we can look at how we can protect this.
And when you look for instance at manufacturing, then it may be that your automated storage system, your high-bay racking system, may turn out as the most critical system, because if this system is attacked, or if it just fails, not even necessarily due to an attack, then everything stops. And the worst thing in manufacturing, as we always know, is production outage, and this is highly related here, so we need to do these exercises.
In addition, I believe it's really understanding what can break and how it will hurt us. So we don't have that much time anymore.
Maybe in the interest of time, let's have a look at least at the result of the first poll quickly. So my colleague Shirley is able to display them, where we asked about which solutions you already have in place. And it's interesting to see that we see quite a mix.
So we see only 15% saying we have none, none of PAM or any of the other things.
We see very few that already have ITDR in place in addition to PAM and CIEM. We see a couple of other combinations, which would mean PAM plus ITDR or CIEM plus ITDR, probably more PAM with some type of analytics mostly.
So it's a mixed scenario, but it also shows that, whatever, three out of four still have some gaps here. So thank you for displaying this.
What I think we'll do right now is wrap it up. So I think our learning, hopefully, from this is: we need various technologies. We need to get better in understanding what is going on. We need to have a very strong focus on the crown jewels, on the most critical things, and we need to understand what can break, what is at the highest risk, and we need to take appropriate action. This requires investments.
And yes, this is a journey, it's a big rock to move at least, but you can split it into parts and you need to split it into parts and then do one after the other, and it starts with visibility. Mark, anything to add to the summary?
I mean, I think it's a great summary. You know, everything we're talking about is our central focus of what we're trying to evolve to and work towards at BeyondTrust. And you know, I definitely just recommend some of the recent kind of identity security related blogs that we have, which go into some kind of great technical detail and give examples, so that they can hopefully spark the imagination of what might be possible from an attacker perspective and what you might need to think about for your own business.
Yeah, and I think we need to understand what is possible to take the right actions. So Mark, cool, thank you very much for all your insights. Thank you very much to BeyondTrust for supporting this KuppingerCole Analysts webinar. Thank you very much to everyone for joining, participating in the poll, asking questions. Hope to have you back soon at one of our other webinars or at one of our events. So thank you very much and have a nice day.
Thanks so much.