KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar: Mitigate targeted attacks with privileged account analytics. This webinar is supported by CyberArk. The speakers today are me, Martin Kuppinger, founder and principal analyst at KuppingerCole, and Jochen, regional director DACH at CyberArk. Our topic today is around privilege management, which is one of the most challenging topics these days. So how to deal with privileged users, but more from the perspective of what it means for the increasing attack surface.
We are facing an increasing number of attacks, more attacks, and why do we need strong analytics of the behavior of privileged users in that context? KuppingerCole is an analyst company; we are providing enterprise IT research, advisory services, decision support, and networking for IT professionals through our research services, our advisory services and our events. The main event we are doing is the European Identity and Cloud Conference, which will be held next time in May in Munich. It's an event you should not miss.
So have a look at our website and look at what we provide, what we are delivering at EIC this year. I think it's definitely well worth attending, covering a broad range of topics, including the increasing cybersecurity challenges, including privilege management, but also a lot around identity and access management, cloud security and other topics. So, as I said, guidelines for the webinar: you are muted centrally. You don't have to mute or unmute yourself. We are controlling these features.
We will record the webinar and the podcast recording will be available by tomorrow at the latest. And the question and answer session will be at the end, but you can enter questions at any time in the GoToWebinar control panel. So that will allow us to pick these questions
once we are finished with our two presentations. So looking at the agenda, there are two parts today. The first part of the agenda will be done by me. I will talk about privileged access analytics as part of real-time security intelligence and cybersecurity resilience. And in the second part, Jochen, regional director of CyberArk, will talk about today's attack scenarios and how to intercept them with targeted privileged account analytics.
So he will dive deeper into detail, really looking very specifically at why you need privilege management to deal with today's attacks and to improve your cybersecurity resilience. The third part, as I mentioned, will be the Q and A part then. So I'd like to start right now with my presentation. Let's start with the sources of risk. So what are the sources of risk we are facing? They are sort of the three Ms, which are malicious activity, misuse and mistakes.
So all of them in fact are related to privilege management because, simply said, if someone has more privileges, he can cause more harm. This is basically the starting point.
However, there are some malicious activities. So coordinated attacks, which became far more frequent, far more prominent over the last two or three years; hacking, so really the classical hacking stuff; data theft, another, I think, very important thing we should not underestimate. So if you look at tax data theft, so data that has been stolen and sold to the German tax authorities, etcetera, this is I think a pretty good example; denial of access and other things. Then we have the misuse area: abuse of privilege, curiosity, etcetera.
We have the mistakes, and all of them, as I said, are sources of risk, and all of them are related to attacks. And when we look at the attacks specifically, so more the area of external attackers, then we have various attackers and we have various targets. And the point is, and I think this is something everyone must be aware of, there's no such situation anymore that any organization is safe. So I still have conversations, more with the small and medium-sized businesses, claiming who should attack us. I think there are enough potential attackers.
And even if you're only the intermediary target in a more complex attack, you might be a target because of that. If I go to my home, which is in the south of Germany, where we have a mass of automotive manufacturers and suppliers, and many of the suppliers are medium-sized businesses, they are valued, their corporate value is based on their intellectual property. So they're clearly a potential target of interest, really. So looking at the attackers, we have the amateur hackers still, we have organized hackers with a political agenda, which is relevant to various industries.
We have organized crime. We have nation-state attacks and cyber terrorism. So some of those things, etcetera, they have been in that area. We have nation-state attacks for military, political and industrial espionage. And I think when we look at the news over the last 12 to 18 months in this, let's call it, post-Snowden era, it became very, very clear that there's a lot of activity driven by states which are looking for information for various reasons, including industrial espionage. The targets, on the other hand: we have private individuals, so this is about phishing, identity theft.
We have the enterprises, we have cloud services, we have governments, we have critical infrastructures, for various reasons. So it's an increasingly complex situation we are facing. And in this world we need to get better at understanding whether we are attacked, at mitigating these attacks and at getting more resilient regarding the various types of attacks. What we also have is, I think, an interesting evolution. So when we go back in the history of computer crime, then for a pretty long time most incidents have been insider attacks.
So things run by internals or supported by internals through malicious code, etcetera. This just remains at a high level. So insider attacks still are a challenge. And several of the recent, let's say, most prominent cases of computer crime have been around insider attacks. Also in the credit card area, credit card fraud based on malicious code at some of the intermediary processing companies, etcetera; all of these things have happened with insiders. On the other hand, we have a massive uptake, a massive increase in outside attacks.
The other thing we shouldn't underestimate is that these things are becoming increasingly professional. So we are not dealing with the amateur hackers anymore. We are dealing with organized crime, with nation states, etcetera: very well thought out, very professional, well-funded types of attacks. And there we have things based on zero-day attacks, bots, etcetera, where there is an entire, let's say, business behind it. If you combine these things, we have advanced attacks which have multiple stages, which are very sophisticated.
So this is the advanced part, which are long-running, which are sort of persistent. So there's this term of advanced persistent threat, which is long-running. So in general, looking at how such an advanced persistent threat happens, there are various types of it. And for some of the more well-known attacks, such as Stuxnet, Duqu and so on, it's pretty well documented. You will find a lot of information on the internet, but basically what happens is: emails are sent to internal users with a link or attachment that activates the local attack.
So this is the start, the phishing. Some users click the link or open the attachment and install the malware. The malware scans the network for vulnerable systems, so it looks around, spreads out, installs other malware, looks at weaknesses which allow elevation of privileges and so on. And if you look at all the insecurities we have in the network,
so all the lack of patches in hardware devices, routers, etcetera, unpatched systems in many areas and so on, then it's relatively simple, once you're in, to find other insecure, unpatched systems where you can put on some malware and then potentially end up with elevated privileges, running as an administrator, or finding one of the boxes where you can elevate the privileges of a standard user, etcetera, acting on behalf of privileged accounts. That's the target. So whether it's an individual account such as an administrator, a system or a service account,
the attackers in that case always try to end up acting on behalf of one of these privileged accounts and doing things using that account in the background, allegedly, to do whatever they want to do. And finally, then it's about sending data back to, typically, varying servers. These servers are usually changing, are in locations that are difficult to track, etcetera. So this is really a well thought-out thing that takes a while, with various steps involved, etcetera.
So I took one example, and this is sort of the short version of it, an anatomy of an attack which has been published by one of the companies. So what happened there?
In fact, it's basically the same. It started with searching social networks. So using the social networks to identify, for instance, who are employees, who are employees in particular departments, and then running a spear phishing attack. Next up, a zero-day exploit, an XLS file as a vector, and/or a vector through an Adobe Flash vulnerability. And then what they did is they installed a remote control tool, this reverse connect. So what they did is they installed a tool which in fact went out and asked for being remotely controlled.
So no access from external to internal, but sort of dialing out to the attackers and asking them to take control. Shoulder surfing, searching for accounts with sufficient privileges. And again, accessing further accounts, data gathering, sending information back.
And the thing really got critical at one point, and this is one part of the privilege thing: once someone could install something critical, and it became even more critical when they had access to accounts with sufficient privileges. And what this shows us, and this is where we really come to the privilege management part right now, and why it's so important to do this: the privileged account is a key element in attacks.
So when we look at this: privileged accounts are accounts with elevated privileges, more access rights than an average user. That might be individual accounts, might be system accounts, might be service accounts. They are a key element because they are required for really the harmful attacks. At some point attackers want to gain access to one of these accounts. And this is really where things come into play, looking for all types of privileged accounts. So both technical, shared accounts and things like root, but also standard user accounts.
So individual accounts, such as a Windows operator or other more elevated accounts, which you need to deal with. And all of these accounts are potentially attack surfaces. We need to understand what is happening there. And maybe, to give a quick introduction to privileged accounts themselves,
so which types of accounts we have here: we have the personal accounts and the technical accounts. So we have a personal account with specific entitlements. We are accessing a system and the system then uses a technical account or functional account to access further systems with specific, usually higher entitlements, elevated privileges. And then this technical account, for instance, is an interesting target.
And once you are in the network and have sufficient rights, it might be one of the approaches you take to just screen scripts for clear-text credentials, etcetera, to gain access to some types of these accounts and do things with them, perform things with them you're usually not allowed to do. You have the shared accounts themselves. Some of them are not that highly privileged, others are very highly privileged. So root or the built-in administrator in Windows systems, etcetera. And you also have individual accounts with elevated privileges.
So the operators, etcetera, and all these are the typical targets for attacks. So attackers always are looking for this. And what we need to do is to understand that we are in danger, that we have these accounts. We need to understand which accounts we have. And we need to understand on a broad scale what is happening. If we take the very big picture, and this is probably more the mid-term evolution, then we see a tendency towards what we call real-time security intelligence. This is really getting data from a variety of sources and bringing them together.
So we have traditional SIEM, security information and event management. We have the privilege management activity monitoring, which might also be pretty tightly integrated. We have logs, etcetera. We put this together into our solution. We add the real-time threat information, so the information about new bots, new zero-day attacks; big data analytics, rules and patterns; managed services for configuration analytics to identify where things are happening that we can't manage. And one important element in there is to understand which privileged accounts we have, what they are doing.
Is there something done that is uncommon? Are there things going on that we don't want or don't expect to see? So are there patterns of behavior, are there situations, are there incidents which show that there's something going on with some privileged account which shouldn't go on?
As I said, privileged accounts are a key element in this entire strategy. And then we use it in our IT GRC tools, we might provide information to service staff that they need to change something, or maybe, in the not too far future, we might automatically reconfigure our computing infrastructure or networks, storage, virtualization infrastructure, or software-defined computing infrastructures based on current incidents to mitigate at least some part of the attack surface. So think about, you know, okay, this attack goes through unpatched network hardware.
Then you might reconfigure your firewalls automatically and on the fly so that they block some of this traffic which could leverage this attack. So this real-time security intelligence is sort of the longer story. And to start with, we should look at the various areas. And one of the most important areas here is privilege management. That will be the topic where Jochen dives in deeper in the next part of the session.
So for cyber attack resilience there are, from my perspective, first things to do: understand your risks and accept that you are at risk. Everyone is at risk. Understand your attack surface. So what are the things someone might be interested in? Clearly the intellectual property you have as an organization, clearly everything which is around financials, but it might also be your private keys, your certificates, if they're used for signing software.
So if you look at Duqu as one of the attacks in the critical infrastructure space, there was an Asian company, a smaller one; they attacked them just because they needed a certificate for code signing so that it appeared to be valid code that could then be used in the next step of the attack. So you are at risk. You might have attack surfaces you don't see initially, but you need to understand them. You need to look at how you can put real-time security intelligence in place over time.
And in the very first step you need to put specific emphasis on privileged accounts, because if someone wants to attack you, he will always go for the privileged accounts. And this is then the topic of Jochen now. So I will hand over to Jochen. He will talk about today's attack scenarios and how to intercept them with targeted privileged account analytics. So how to address this challenge right now. Over to Jochen, now it's your turn. So thank you very much to everybody who is still there after the introduction by Martin; I assume everybody is.
I heard the term real time many times in the last slides, and this is effectively what I will end with in that presentation. I won't start with it, but I will end with it. So you should rather also stay until the end, when we get back to that topic and you hear that real-time security intelligence, because this is exactly what it is about. I can fully confirm what Martin has been talking about over the last couple of minutes. Once we have ways to control activities, we need to find out whenever something is going in a different way.
If something is abnormal, if something is suspicious, that's where I would get to at the end of my presentation. Title: mitigate targeted attacks with privileged account analytics. And starting with my favorite picture that I use in every slide deck. It's not that one, but it's this one.
It's a must that you have in all your enterprises to have people become privileged, privileged in terms of IT activities, IT administration, IT operation, no matter if it's an internal user or if it's a contractor, somebody who is outside your enterprise, which is a service provider, something in the cloud where you have your applications run or where your IT is simply being outsourced or offshored. In order to be competitive with your business, you have to ease operation. And the whole operation can only be successful
if those people have the appropriate privileged access to your systems. Of course, in return, that means they have privileged access to too much of your enterprise. That means they can see data which they are not supposed to see. They can configure things which they may not need for their business. So the truth is, while giving them all the privileges they need, you give them too many privileges, and that's the catch: you can't prevent that.
So your biggest challenge is, you need to know who of those people in the internal IT and at the providers is authorized and who is not. And that's where we are in, and that's where CyberArk is getting into the whole story.
I renamed that slide just this morning. I liked that because at the beginning of the year I was in an event with this Kevin Hunt, and I called that slide the privileged account Kevin Hunt, because what hackers are doing typically, Martin described it in a pretty different way but with the same target in the end: in order to get to critical data, to addressing information, to assets of your company, to the crown jewels, they will find ways. And the easiest way to get there is by exploiting privileged accounts.
It's so easy: either you are already inside the network or you are easily getting inside. I remember from many years ago when I was discussing with big automotive companies in Germany the idea of not having any internal network definition anymore; everything became DMZ-ized zones. So what's really internal? It doesn't matter in the end. For us, it doesn't matter at all, because it's about the privileged access that can be exploited, or, if you use the appropriate countermeasures, cannot be exploited. What's for sure is that in every advanced attack there were stolen credentials involved.
That's something which is for sure, and that can be read in so many different articles.
And there's no doubt that the attackers are successful. They are more and more successful. It's not a rumor that it's easy to exploit privileged accounts.
It's not a rumor that those privileged accounts, being the most critical in your enterprise, are still not being managed in an appropriate way, which means a secure way, where you change your passwords every once in a while, if not after every usage, where you have very good password policies in place, where you define the criticalities of your passwords. I think I don't need to teach you that; you know how the truth in your company really looks. And what's worse in the end is that there are not just two or three privileged accounts that you need to secure the access for.
It's so many accounts in your environment. Just as an example, I displayed desktops here. Every one of your employees' desktops has the local administrator account, for example, which is a very privileged account, which offers people, but also hackers, very often a very easy way to be exploited and to get into your enterprise's network. And of course you have the same accounts in network devices, in switches and routers.
You have these in servers, operating systems, remote management boards to get inside, being accessible to these servers, where many people don't even realize there are passwords that could be set and changed on a regular basis. And last but not least, you have the databases. I put the database here deliberately in the middle of the picture, because that's where your crown jewels are located. That's where the attacker ultimately wants to arrive. And as this picture is showing you, he's got a lot of opportunities to get to that target. Martin defined three different types of privileged accounts.
It's not exactly similar to what we have here, but the shared admin accounts are very obvious to all of us. These are the root accounts, the SAP* accounts, the local administrator in Windows, the enable account on the Cisco side, etcetera, etcetera. And there are the technical accounts, which we call the application accounts; very often they are not so obvious to the companies. But once you think about how your server connects to a database, how the application running on your server connects to a database, how it authenticates to the database,
you suddenly realize there's an account on the database. And if you've ever been asked why you don't change that account on a regular basis, your answer was probably: I can't, because I would have to change the coding of the application. And that's true. And that's exactly what our product aims to do, to also have applications work in a way that passwords can be automatically changed on a regular basis; I'll come to that later. And then we have what we call cloud accounts. Cloud accounts are any type of accounts of a web-based application. Sure,
it can be a cloud in your company, but it can often also be a cloud outside your enterprise, which is, I think, the most prominent case: Facebook. You have one shared account for the whole of your marketing department. All those people will easily be able to access Facebook anonymously as an administrator, as someone who can change your presence on Facebook. And Facebook is just an example,
if somebody is really on the way to do something mean to your enterprise. But there are for sure so many other applications out there that you're using, where you store data, where you use any type of service, and those cloud accounts typically lack some user management capabilities. So we are again talking about shared accounts, and although it's not IT admins that are using these accounts, it's people that are very relevant to your business as well. I would love to say we defined four critical steps, but in the end they are very natural, those critical steps.
It's four critical steps to stopping advanced attacks in a professional way. And it all starts with knowing where the leaks are. That's what Martin also said: try to find your leaks, knowing where your privileged accounts are. If somebody wants to exploit your privileged accounts, you have to secure them. But if you don't know where your doors are, you can't lock them up and you can't change the keys every once in a while.
So initially you have to discover all of your privileged accounts, and that's where I'm trying to get into the second part of my presentation, which is a bit more product-related than topic-related, where you can see what CyberArk can offer you as a help to get there, for example discovering your privileged accounts. We call that Discovery and Audit; its abbreviation
is DNA, with an N in the middle, with which we are trying to find the enterprise's DNA, which means finding every target device, every type of target device, and the accounts that are established on those devices which offer privileged access. In the best way, we are able to easily detect all your machines, scan those machines, and in the end present to you a status quo of where you are right now with the management of your privileged accounts. Unfortunately, most of the enterprises that we've done this with were very surprised.
Unfortunately for them; for us it was good, because it just proved what we were telling them in advance. I would say that the majority of the enterprises were very astonished, first of all about how many privileged accounts they would have on the target devices. Many of those have been applied locally and nobody even knew about them.
And then of course how badly they were managed in the past, how seldom the passwords have been changed, although the accounts are being accessed in a big way, because often we also hear: yeah, we have those accounts for sure, but they're not being accessed in standard operations. Suddenly you have to ask yourself, if such accounts are being accessed 15 times a day,
what if this is not for operations? This is being followed by also discovering your whole network to find all your virtual environments, to detect within your virtual environments all your servers, your desktops, your databases, etcetera, etcetera. This picture is pretty much showing ways how to do this automatically on one side, but also operationally on the other side: you have to detect all machines, all accounts or privileged accounts in your environment before you can protect them. It's about the discovery. The second step, of course, is protecting them.
What does it mean, protecting them? A very initial step is to centrally store them, to have a central secure storage repository where you can make sure that only people that are supposed to access these accounts would be authorized to access these accounts. This is something we have been doing for many, many years in the meantime. And those of you who have seen presentations of CyberArk in the older past, let's say 2005, 2006, 2007, are still familiar with the term Enterprise Password Vault.
Those of you who only know us for a couple of years may know the Privileged Identity or Privileged Account Security Suite, the Privileged Identity Management Suite.
And although we are continuously developing that core product set of CyberArk, it's still based on the Secure Digital Vault, which you see in the bottom or in the middle: the Secure Digital Vault, which is exactly the secure repository you store all your privileged credentials in. You store them in one central place, but in several different what we call safes, where you then authorize people, administrators, users, or groups of those individuals to access the passwords which are relevant for their work.
It's very obvious that a Unix administrator typically does not need to have access to any Windows administrative passwords. So by this delegation or separation of the account information into different safes and the authorization concept that we have developed into the Secure Digital Vault, it's very easy for you to maintain a very secure central repository, of course in a highly available way, which is still only allowing the right people to access the right information. Within this account security suite there are several applications.
One is the Enterprise Password Vault, which I'm not showing you in detail. I'm pretty sure most of you know it anyway. And if not, you are very welcome to contact KuppingerCole or CyberArk after this webinar to get a more detailed presentation, a more in-depth presentation, or maybe also a demonstration of our technology. But the password vault is exactly that system which takes care of randomly, automatically changing your passwords according to your policy settings.
So if you say our passwords have to be changed every 60 days in the environment, we'll do it for you automatically on any target device. If you say there are specific systems where the passwords have to be changed after every usage, we do exactly that for you in an automatic way, according to your policy definitions again. And that means in the end that every privileged user, every privileged access, will start in the management portal, in the web access portal of CyberArk, because unless you have a password, you can't log in.
And since we manage this password for the critical accounts for you, those users, those administrators will all have to first authenticate, maybe strongly even authenticate to our central Porwal. And from then they will be able, depending on the authorization level to access systems in the background privileged session manager, I will show in the slide. And a second, the application at identity manager is exactly what I already mentioned in very briefly to teach applications, to also being able to retrieve such change parts such automatically changed parcel style solution from the vault.
That means in future. Remember what I told you a couple of slides ago, concerning databases and passwords on accounts that can never be changed in future. You will be able to also teach applications that they no longer have to work with static passwords, maybe even clear text passwords and scripts. And so from batch shops, what we see everyone from dining customers, but to securely retrieve a newly changed password from our security world, use that dynamic password to authentic to the database. And ideally with an authentication process, there will be a new password in place already.
And the application at the manager will deal with that automatically on your behalf. No manual password change needed last but not least on demand promoters managers, just in one sentence to complete that security suite description here, you are able to define granular access permissions on systems on windows systems to have your administrators work in accordance to the need to know or least privileged principle.
That means an administrator will always only be able to execute commands that he is supposed to do for his job and will not have to be the rule of the administrator on the target device. Being able to do much small than his typically day to day work would require from him one slide further, sorry for that. I'm skipping this slide because I would explain in detail how exactly the password changes are being performed. But one slide further. I mentioned the privilege session manager pretty much shows exactly how a user will work in the future.
The user will not be able to log onto the target device directly or on his own anymore. He will first have to authenticate to the CyberArk environment, the Privileged Account Security suite. This authentication, I mentioned it briefly, can be done in a very secure way with two-factor authentication, with certificates, for example, or any other RADIUS-based authentication or security mechanism, whatever you can imagine.
And once you have been authenticated and authorized to access specific systems, in the background you will then establish another connection to a jump server farm, and only this farm will be able to retrieve the credentials from our secure vault anymore, and then automatically establish a connection to the appropriate target device for you.
That means you, your user, are experiencing a privileged single sign-on while the session is fully isolated from the PC, from the workstation of the administrator, and will only be established through our Privileged Session Manager farm. By that it is isolated on one side in terms of security, but fully monitored and under control on the other side, which means once we are in that session, we can of course also do full logging and full recording of that session and bring that to the attention of auditors later on, if they are in a situation where they have to examine an incident, for example. Important to know, once you have that picture on the screen, you also see that right now there is no need for any change on the left side, which is the users, as well as on the right side, which is the target devices. In order to establish that type of solution in your enterprise, you don't need to apply any changes on any of the target devices.
You don't need to add specific accounts to those. You don't need to install any type of agent. The only thing you need to have is network connectivity from the CyberArk thing in the middle, which is our system, our Privileged Account Security suite: a network connection with the appropriate protocols to the target devices, to be able to change passwords in there and to be able to establish connections that are then being monitored. With this solution, the user is using a web portal. And this is, in today's time, very much straightforward for every user to be comfortable with.
So if we have this in place, and getting back to one of those slides I showed you earlier, the four critical steps: if you have those three steps in place, so you discovered your privileged accounts, you protect and manage them appropriately, you control and monitor your privileged sessions to any target device, then you have a very good level of control. What you do not have, and still won't have, is to understand: are all those people who are now allowed to access, to manage, to do activities in a privileged way, are they really allowed to do that? And are they working?
Are they always, continuously, working in a good way for your company? In order to find that out, now I'm coming back to the word real-time. I've added the words privileged account in here: use real-time privileged account intelligence to detect and respond to in-progress attacks. Because we get back to the belief that any type of advanced threat contains the exploit of a privileged account, of several privileged accounts, which is not a belief that CyberArk thinks up; it's a belief that all the incident handling of existing attacks and all the reports of testing attempts have unveiled.
Then you are very much interested, and should be very much interested, in being alerted whenever a suspicious activity in a privileged session appears, maybe to your security operations center, maybe to your IT security team, to your risk management team. Which means, anytime somebody is working in a way that he is not supposed to work, how can we find that out?
Because it is easy to say a user may not access the system before eight in the morning or after five in the evening. That's quite easy to say; it's a static definition. But the trick here is to find a way to put intelligence into the usage.
What CyberArk is doing with this Privileged Threat Analytics is taking all that data from the Privileged Account Security suite, which has full control over your privileged access, and will then apply its intelligence to it and learn the way an administrator is typically working, sorry, not only a full team of administrators, but every individual will have his own profile of his normal behavior. And once we have that, which is an easy task by taking our data from our solution, once we have that, we can apply those, I wouldn't call them rules.
I like to call this intelligence, and we'll detect anomalies whenever a user who is used to accessing privileged accounts at a specific time or in a specific frequency over a period of time is doing that in a different way. Once, twice, three times maybe, we will highlight that. We will know that immediately. We will know that in real time.
And we will alert on that, alert if the user, for example, you can see it here, is working outside of the business hours, or if the user is going into a very frequent mode, retrieving a lot of passwords, which he typically is not doing. That may either be an incident, which I still would want to know about and probably ask him what's going on, or this can be a situation where we might want to see the alert because there's an attack going on.
The standard attack in this area is not a one-off attack where somebody accesses a privileged account, exploits it immediately and then gets to the next account. That's still a combination of several hours, days, weeks, if not months of work.
And again, this as well you can read very much in detail in many reports of recent or older breaches: that those attackers have been in the enterprise for weeks and months already before something really happened. So that means you have a good chance, by using that solution, to get to know when something happens before you would with any other solution.
What you see here as a last slide is the Privileged Threat Analytics dashboard, which will highlight to the security operations center what's going on on the privileged side in your enterprise. So the last slide from my side is about which company we are; some of you know, some don't, just to repeat it. What CyberArk is doing is privileged account security. We are the trusted experts in that area. We have nearly 1500 customers, and not just customers, it's privileged account security customers. That's very important to emphasize: that's our business. That's what we have been doing our homework for, for many, many years.
That's where I, as a person, am in for more than six years now, responsible for the German market, for the DACH territory. And this is what CyberArk is doing. And that's what our customers are benefiting from: that we are not doing this and that.
And I have the German version, but nobody would understand it, so out loud in English: we are taking care of your privileged security. We see that as a security challenge, not just as a compliance thing; it's business problem solving and a security challenge. You shouldn't just see it as: I can make my check mark, now I'm compliant for the next audit.
Of course, it's a driver, and I would lie to you if I wouldn't say it's an important driver for all business as well, but in the end, it's about preventing attacks, preventing targeted attacks, like Martin said, very much preventing smart attacks by people, attacks that are really happening and that are no longer on a script kiddie level, by far not. Yeah, that's pretty much it from my side, Martin. I'm happy to answer any question that might have come up in the last couple of minutes during my presentation. Feel free to challenge me.
Thank you very much for listening until here. Johan, thank you very much for your presentation. I think this was very interesting, and yes, I think we are in a situation where we need privilege management and we need to understand what's happening with privilege.
So again, if there are any questions, please send them now so that we can pick these questions up. One of the questions I have, from what you see in the market, or in fact two questions: one is, what do you see as trends regarding the industry? So when you look at the history of the privilege management market, it was very much driven from the finance industry. So do you see that this is changing, getting broader, affecting every industry? I personally think every industry, so there's no single industry which does not need it. If you're in manufacturing, you need it.
If you're critical infrastructure, whichever part, you need it. So what is your experience from the market here?
Yeah, I think I have to give two answers here, because one is the global answer and one is the answer for especially the territory that I'm responsible for. The global answer is: absolutely right.
And still today, I would say that over 50% of our customer base have to do with the financial sector. That's good on one side, but of course we like to see all those other customers as well, which we do in the meantime, with the energy sector, with the manufacturing sector, with the travel sector. Like you said, Martin, it's not at all relevant what vertical you are in. If you have an IT which is not very small,
and if you have a group of administrators running that IT, you're in the same situation, no matter if you're a bank or if you're a bakery chain, for example. In the DACH territory, when I started to approach prospects and customers about this topic and the solution of the problem, I was very open to the verticals, and also the verticals were very open. And I would say here we have at least two thirds of our customers which are non-financial.
I mean, Germany is the world of automotive suppliers, but also manufacturers. So it's very, very likely that those customers at least try to be as secure as banks as well. And that's what we achieved in the past.
And I would even go one step further: if you look at industrial control systems, if you look at the IT in the manufacturing environments, etcetera, then this is usually less well protected than the business IT. So there's a significant potential. There are a lot of systems. So if you look at all the various devices, many of them just run a privileged account with a standard administrator, standard password set. So this is absolutely a very logical area. So do you see customers really looking at these more tactical environments?
We do see those customers. So when we get back to the application account management, this is pretty much about that same thing.
Of course, it's a bit harder for everybody to imagine what it is like, rather than having a person access a system, to apply a change to an application or to a system which is run as an appliance or as an embedded system. That's always hard for everybody to imagine.
And nobody really wants to touch such systems, but given all the press and, not only the press, but of course for sure also the hacks in these environments, when you mention critical infrastructure protection, that's a big topic. I have to say that at the moment most customers are in discussions about that. Very few have done something, but they all know they will have to.
And I would say that's one of the hot markets for the next two or three years, also for CyberArk, where we can help a lot of those energy companies or others that run a critical infrastructure, telco providers, et cetera, to help them a lot also in these specific areas. Yeah, I also would say this is a cross-industry area. I have another question here, going back to really the analytics part: how long does it last or take to do a baseline setup, when you already developed the right policy before?
I like that question very much. You know why? It's very important to understand here that you don't define a policy, if I understand the question in the right way. It is:
how much time does it take to get a baseline of this normal user behavior? Yes. The nice thing is, once you're using our solution, we will collect the logs anyway. So we will know exactly which person has accessed which system, which account of which system, at what time, how often, and what his normal behavior is in accessing these accounts over a period of, let's say, six months. The typical setting, the definition of the log event retention, is six months. You can do that for longer, of course, and also for shorter.
But once we implement our Privileged Threat Analytics appliance on our event log database, it will take hours, maybe minutes, depending on the amount of users that you run in our system. But we're talking about minutes or hours to really have that baseline. And from the next day on, you will have a sharp system that will automatically alert on any abnormal, un-normal or suspicious behavior.
However you find that, and to re-emphasize and to repeat that once more: you do not have to set a policy for it. That's exactly the intention we bring to you, to have a set of anomalies that we are detecting without you having to define complex rules, like you have to do in SIEM tools, for example. That's exactly what it is not. Okay. If there are any further questions from the audience, please ask them.
Now, I think one other thing I'd like to ask you: you brought up the point of, sort of, do that work for the audit, or do that work for security, for a real improvement of your security. Yeah.
So I think it's a very important statement that it's not about doing checklists. It's about, and that's what I said, understanding your risks, understanding your potential attack surface, and working towards a sustainable solution which is there to last, instead of saying, okay, I try to fix the problem here, I try to address another audit finding here.
So how do you see the evolution on the customer side when you look at it? So do you see that customers always have been looking for a long-term sustainable thing, or is there a tendency towards it? So what's your experience with that?
I think it's really a development that I also have made in the last six years. When I started to look at this topic, I have to admit it was all about compliance. People wouldn't, I mean, I think six years ago they had some other things on the agenda. They had other topics to solve. And also, to be honest, if you look into the world, the attacks which are based on exploiting privileged accounts came up in a big way only in the last three years.
So until then it was really compliance: to make sure, to convince people that before something can happen, before you are non-compliant, do something. In the meantime, there's for sure a development which is very much related to security. Had I been talking to IT operations in the first three years of my time at CyberArk, then I would say the majority of meetings in the last two years have been with security- or risk-related people.
So there's for sure a development, and people are trying to really get to a point where they don't just buy any type of solution, but where they really try to protect their core assets.
And that's why I also feel that we are in a very good position, because we can exactly protect these core assets, by not building a huge wall around the network again and again and again, which you've been doing in the past already, but by really focusing on that area where you can easily be exploited, but as well where you can easily apply a protection. That's probably a very important last message: it's so easy to apply that protection if you know where these accounts are that may be exploited at some point. Yeah.
It relates absolutely to knowing a lot about, or learning a lot about, your attack surface. Because, as I've said, elevated privileged accounts are part of your attack surface, very important, but we have two more questions here. What are your statistics and experience from the field with false positives and false negatives?
That's a very good point. Of course, there are always what is normally called a false negative or false positive. If you imagine again, if you compare to a SIEM system, where you can configure some static rules, it's very obvious that you will get a lot of false positives in such an environment. When you run that Privileged Threat Analytics from CyberArk, you will, first of all, only get the information from privileged access. That's very important to know.
You will only focus on the privileged accounts, which are still maybe a couple of thousand, or in some cases more, in your environment, depending on the size of your enterprise. That is the focus. And then we focus on the usage of this privileged access as it has been done in the last, like I said, weeks, months, six months, whatever we've been able to collect, to learn. And by the way, we're continuously learning as well, once you really start to go live with that solution.
And the experience here is that any type of suspicious behavior is not being considered a false positive, but it's considered an important need-to-know message. It does not mean that every one of these alerts is an attack, but the feedback from the customers, and we've been working with the solution for almost a year now,
so yeah, three quarters of a year now, is that all those alerts are relevant. When I say all, of course there will be people that say no, no, not all, but most of them are relevant. Because if somebody is accessing a critical database at four in the morning and normally is not doing that, I want to know that. And if the answer is, I had to, because something got stuck and I had to restart it, I still want to know it. I think that's an important mindset that you have to get when you think of Privileged Threat Analytics, rather than standard SIEM alerts, which will unveil everything
that happens in your enterprise: that you want to know about any irregular behavior, any suspicious behavior of your privileged access. Okay, perfect. So I think we've answered all the questions. So thank you very much to the attendees of the KuppingerCole webinar. Thank you very much to CyberArk for supporting us. Thank you very much, Johan, for your presentation and the answers to the variety of questions we had. And as Johan said, we are available for your questions. You can send us emails. The podcast will be available tomorrow at the latest.
And I hope to see you at the European Identity Conference in some weeks from now. Thank you. Until then, have a nice day. Thank you. Okay. Bye-bye.