Hello, everybody. My name is Mike Neuenschwander. I'm the research director with KuppingerCole Analysts. And today we're going to talk a little bit about ITDR.
So, and talking about how identity is the new security perimeter, which I think is not news to most people. But we have a few things to say about that. Andrea Rossi is the president and co-founder of Sharelock, who should be joining us soon.
And yeah, let's get started. A couple of things. First of all, audio control. You've all been muted.
You can, of course, join the conversation through asking questions through our chat session. So, I encourage you to start doing that as soon as possible. And we'll take care of those. We will be running a poll. We have two poll questions like we normally do. And some of these are related to today's topic, but it's just kind of something that we do during every webinar.
So, you'll have an opportunity when you see the poll slides to answer the poll, and then we'll collect all that information. Again, there's a Q&A session at the end.
So, you know, you can start at any time to start asking questions and we'll get to them as soon as we can. And then the recording will be available and the slides will be available following this call.
So, I'm going to speak a little bit about a report that is about to get published very soon about the ITDR market. That's the Identity Threat Detection and Response market. And it's going to, I'll explain this a little bit more later, but it's an interesting hybrid of administration for identity and sort of SOC solutions. Then Andrea Rossi is going to speak about new approaches to ITDR, and then we'll get to some questions. All right.
So, before we begin, let's start with a poll question. Which of these technologies will have the biggest impact on IAM in the next three years, at least for your organization? Passwordless authentication, decentralized identity, consumer identity and access management, identity fabrics, and identity threat detection and response.
Now, unfortunately, you only get to choose one of these. So, pick one and go on from there. We'll give it another 30 seconds or so. All right.
So, just to start out, I'm going to give kind of a summary of the information that we got from the Identity Threat Detection and Response report. It is a very fast-growing market, and there's lots of different approaches.
So, it made it somewhat difficult to, it made it fairly difficult to quantify what every vendor is doing, because in fact, they're all quite different. But at a high level, what we're talking about when we say identity threat detection and response, it has kind of a breadth. At the beginning, it's about discovery and visibility of identities, but then also threat prevention and posture management, and then obviously threat detection and investigation, and then the response for these identity systems.
So, the breadth of this type of technology spans everything from what we used to think of as just the IT administration of identity and security operations teams. So, these historically have been separate products, and very different. Threat hunting is way different from sort of posture management.
So, threat actors have, as we mentioned, as I mentioned in the title of this presentation, when we talk about identity being the perimeter, it's a much different kind of perimeter. You know, you don't, you know, when it was just endpoint detection or virus detection or whatever it was, you had an endpoint you could deal with, and you could close down the port or the, you know, whatever it was that the threat actor was going through. But they've discovered now, as you've seen, that the front door is the best way in.
And so, we're not really protecting the back door anymore. Identity is basically front and center.
You know, you have to, how do you protect identity systems in this scenario? So, I think that ITDR, in this case, it's a, it's part of a much broader offering. In other words, ITDR doesn't stand on its own. It's part of an entire project that you have, your organization.
And, you know, and it includes things like workload detection as well. So, I've come up with this thing I call identity defense in depth, which is I did, or it's IDID, which is even funnier. But I think that at least this kind of helps us get outside of the definition of just talking about threat detection and response. Because really, there's a whole program that needs to be put in place to have identity defense in depth.
So, as I mentioned earlier, the products in this market represent different strategic approaches. Everybody kind of sees it differently.
And so, hopefully our research will help you navigate some of those differences. So, just kind of going back, like I think it's kind of funny that we put DR on top of anything that we need to fix. But I think it's important to review that when you talk about network detection, endpoint detection, extended, you know, whatever it ends up being, there's a DR at the end. And that's a reaction. Okay.
So, it's not, you know, who invented the DR market, as it were, you know, detection and response. Well, the ITDR market is really a creation of threat actors, not the cybersecurity industry. It's a reaction. Okay.
So, it's a response after all. Right.
So, you know, it doesn't make sense sometimes to talk about when you're talking about a human being or an identity, you know, how do you block a port or scan an identity? So, it's a whole new ballgame. Once we start talking about the front door and identities being needed to be guarded and identity systems needed to be guarded, it actually changes the game quite a lot.
And so, hopefully this webinar will help you with that. I just wanted to put in here a little bit of somewhat of an architecture. And there's really two main activities that go on simultaneously. On the left-hand side, you see kind of this circular pattern, where it's like you're continuously trying to discover identities, have really good visibility into the user accounts, system accounts, and other kinds of accounts that you have in your identity system.
And then, you know, doing all kinds of risk assessment and then improving the posture to avoid any kind of problem. But then, when the problem does happen, you need to get the right events, hopefully not too many, just the right ones.
And then, you know, then you have to do some threat investigation. And that's a whole SOC sort of exercise.
So, these things work together in ITDR. They sort of come together using the same identity data lake or, you know, playbooks and other kinds of things. But really, you know, these activities, even though they need to be coordinated, they go on essentially independently. All right.
So, let's talk about discovery and visibility and posture management. The one thing that I've noticed when I've talked to enterprises and other companies that use these products is that there is a certain kind of shock that happens once they start to get real visibility into their identity systems, okay? Because they think that they have it all administered and they think they understand, you know, they get a feed out of HR or something and they think that they've got it all covered. But there's all kinds of dormant accounts out there. And there's, you know, system accounts.
And some of these accounts don't really have authentication. They haven't been logged into for a while. They don't have strong authentication.
Well, this is the way attackers get in, right? So, the other thing to consider as well in terms of visibility is security groups and roles can also be compromised, okay?
So, it's not just the accounts that you have to look at. You have to basically understand how groups and roles and other kind of permissions all play into that picture.
Now, what are we guarding against when we talk about identity attacks, okay? So, I just put a bunch out here. They're sort of, some of them are sort of platform specific if you're using Active Directory, for example. And there are some well-known attacks that basically can be covered by this, all right? But there's also just some, you know, man in the middle attack that's kind of general. Looks like I misspelled Sass on there. Sorry. That's Session.
Actually, that's what that means. So, but these are the kinds of attacks that we're trying to avoid and certainly fix when they happen. And they're very specific in some cases to a platform, like I mentioned. But all identity systems can fall to any of these attacks. And there are quite a few more. But I just thought I would share with you some of the very specific attacks that the ITDR products actually focus on.
Also, the other thing is that, so if there's a well-known attack, okay, that's, then you can defend against that pretty well, okay? But what happens when, you know, it's not a well-known attack? What happens if it's just user behavior, right? And this is where a lot of products are distinguishing themselves, is to say, you know, like, well, we can't predict where the next identity attack is coming from.
But what we can do is train a model, or we can create some sort of pattern recognition, so that once we understand that something's out of place, then we have an alert, and we can go do some work on that from a SOC's point of view, right? So, this could also be non-human entities.
So, is it usual for a service account to be behaving in a certain fashion, right? So, even though we talk about user behavior, it could be entity monitoring as well.
So, this is another approach that gives us opportunities to basically set a baseline, and then learn, and have the system learn over time what's not normal, right? What's against that, and then kind of create some new.
So, all right. So, this is a lot to read. You'll have to look at it in the report to really read it well. But what I'm trying to point out is that there's these five pillars to identity threat detection and response. There's probably six or seven pillars, but we're just focused on these five. But what I want to point out is at the bottom, you can see at the very bottom there, the user administration part is kind of carrying those two pillars.
And then on the right side, you can see that the SOC is getting involved in the normal kind of activities that you would have at a SOC, like threat hunting, that sort of thing. But in the middle, there is this important place where a SOC analyst and an identity administrator need to sort of come together and work together on some things. This is somewhat rare because knowing about identity and security, those things aren't always connected. It's not always the same person who gets to do all that stuff.
So, I think one thing that's happening with ITDR is that we are bringing the SOC analyst and the IT administrator closer together to cooperate on these things. We made a bit of an estimation of the market size, which is over a billion dollars, as I said. But I think that what I would really like to point out here is that when you think about how much money is in the ITDR market, you can't just think about how much the vendors are making, right? How much you have to spend on services and labor and lawsuits and fines and ransom payments.
I know a lot of companies basically make a lot of ransom payments.
So, all of that adds up into some kind of market size. So, it's important for us to remember how extremely important the ITDR market is, because if you're not setting yourself up to succeed with ITDR, then there's still a lot of money out there you're going to have to pay, right?
So, I think that's mainly what I wanted to say about the market size is that we need to entertain all of those numbers and not just what the software costs. All right.
So, just in conclusion, a couple of recommendations. I think that what we're really trying to do is just say, look, you need to understand your organization's use model. Look for a solution that your organization's practices, systems, skills, and culture will actually support, right? How well do your security analysts and identity people work together?
I mean, this is an important consideration, right? How well do your security analysts even understand identity systems? Are you a cloud-first company or are you relying heavily on ID, right? These are the things that are going to inform what you do about ITDR, right? And these are, to me, the most important considerations. In addition, I'd recommend broadening the view of ITDR in general. Protecting identity systems requires a lot of disciplines and activities. That's why I call it defense in depth.
And then, how much integration do you want? Because some ITDR solutions provide everything. Nearly. And some integrate with the systems you already have.
So, that's an important consideration as well. And then, obviously, stay current on identity threats as they happen. Okay.
So, I have another poll question before we turn it over to Andrea. Which cyber attacks are you most concerned about?
Phishing, identity spoofing, identity-based attacks, and business email compromise.
I'd like to introduce you all to a good friend, Andrea Rossi from Sharelock. And he's here to talk to you about some very important things concerning ITDR. All right.
Thank you, Mike. Good morning or good afternoon, depending on where you're connecting from. Andrea Rossi, Sharelock. And I'll be taking you through the journey of our interpretation of what we mean by Sharelock as an identity security platform.
So, in a way, we're combining acronyms, components of this market offering. So, I'll try to make it as visual as I can.
So, first of all, a bit of history. The team of Sharelock, it's sort of 60%, 70% made of people who established, founded, and sold to IBM CrossIdeas.
So, we have an identity background. So, we brought our identity background into a realm which is connecting what we do to the cyber traditional domain.
Well, we probably own the mission, but in a nutshell, what we do is on the interpretation of ITDR in posture management versus detect and response, we are more into the latter. So, we collected what we call telemetry, human and application. And essentially, we do anomaly detection. All the anomaly detection gets correlated and interpreted and understood under the eyes of an identity-centric threat or ITDR, as we might still call it for, well, Mike, a few weeks until the IDID terminology comes up.
So, first of all, I'll give you my quick interpretation of ITDR in my very simple words, and then I'll take you in a quick journey from I to D to R, from identity to detect and respond into the ITDR domain, and I'll come to conclusions. So, I think that ITDR has two, it's a word with two sides. There is the prevention side.
So, the prevention side is essentially checking configuration of systems, AD, a lot, IAM system in general, and find wrong risk of configuration. The thing is, in order to do that, you typically need to know what you have to find.
So, the downside of it, it's how do you manage the unknown? And keep in mind security, it's all about the bad guys finding extravagant ways to attack you in a way that you were not expecting.
So, here we come with detect and responding to the unknown. And in order to do that, the only way it's really to find, to look at patterns, understand the baseline of patterns or behaviors, and understand deviations. From those deviations that you might understand semantically a little, you can basically correlate a number of information and find the unknown. What is the downside? As I think Mike was pointing out, I mean, we need log data, we need data, okay? And that's, of course, it's a foundational component of every product that works on machine learning components.
You need data to interpret it. So, whose benefit?
So, it's been a few years since we went out in the market and we started pitching to cyber guys and identity guys. And you, Mike, said the things are coming together.
Yes, it's way better than the past, but still, you know, within the companies, there is the identity department and the security department, they barely speak, they talk to each other. But so, essentially, the benefits of IAM cleansing, it's really reducing the attack surface. If you keep an IGN into your system, I mean, it's all about reducing your attack surface. But when you get into the SecOps world, most of the cyber people, they're just looking to network, devices.
The identity side has always been neglected, not because they don't realize the threat coming from that side, but because it was built on different components. So, the value for the security operation is really to be able to remediate identity-centric threats, where you can correlate a threat to either an account or an identity as accumulation of accounts.
Now, this is one of my preferred, there is a debate whether this is a proper message or not, but to me, ITDR, it's a Rosetta Stone between two worlds. Up until ITDR, you know, in theory, on paper, we were talking about, you know, the SOC people and detect and response team talking to managing the data that were resulting out of the identity management platform and the surrounding business obligations. But the reality is, until ITDR came out in a way to distill a common alphabet, it was hard.
So, as Rosetta Stone paved the way to translating hieroglyphics into Latin and Greek at the age of Napoleon, in a way, ITDR today can really make two teams talking to each other with a common alphabet. And that's not a little thing, because you know it well, the attackers are attacking you exactly in the creeps of your silo-based architecture, and we're trying to put some defending glue among the components.
So, that's a simple introduction, just to, you know, in simple words, try to interpret what ITDR is in terms of benefits and definitions. Now, I'd like to take you through a quick journey on the way we do, okay?
So, it's not a journey, it's a shallow journey from identity to detect and respond. Of course, I'm missing the T, the threat, which I gave it sort of for granted.
So, how we deal with the E, or sorry, with the I, I was just telling that in Italian. So, we consume a lot of user activity data and system activity data.
So, that's the part that you were referring to. We monitor people, but we also monitor other, not just the identity, but other attributes.
So, an SAP transaction, a given directory, active directory group, or just attributes that can have their own baseline, okay? Processing with the user activities.
So, we ingest that part, and in a nutshell, we find habits, and upon those habits, we detect anomaly, and we do a correlation of the many anomaly into a threat. That's very important. You need to filter out the false positives, and anomalies per se are just false positives. It's a correlation of many anomalies occurring maybe on a time window, which makes a difference. And then there is a response and a playbook.
An important component, and you shouldn't be surprised with our background, is we get a lot of identity context out of the IAM system in general, not just from a data ingestion, but from a posture side, because this allows us to enrich the data to a level that is unimaginable. And of course, there is the later part. If we find an identity-based threat, the obvious remediation, it's not the obvious, but the first, the easiest, the most immediate, it's remediating into the identity management platform. Example number one, you just log, terminate the session for the access management.
Example number two, there might be a gray area where a user has suspicious activities, and you want to not terminate the account or block the account immediately, but maybe ask the manager. So there is a variety of gray colors that goes from deep black, I'm sure, it's a sure threat, let's cut the session off, to milder interpretation of what it means, a remediation.
And that's very important, I'll touch on that point on the way we should enlarge the security teams with more involvement from what I call the human firewall, not technical people should contribute to a security posture, and I think ITDR can offer that as well. That's the I component.
Now let's, there is an interesting piece which goes into the anomaly detection and MITRE. You know, up until, I would say a few months ago, all the MITRE techniques were very prescriptive, and we're basically not using the word of anomalous baseline knowledge. This is an Office 365 matrix, and especially when you get into the world of protecting, not a server, but the business application which is sitting on top of it, well that's used by business user and the only way to start observing behavior.
So additional comment, traditional reference coming from traditional orthodox, I should say, MITRE grammar is starting to include this terminology of anomaly detection over a baseline.
The other component that you might rightly point out, it's, you know, when we detect a threat, it's not just about the user, it's combining anomalies of users to anomalies of entities, and the entity for us, it's a very broad definition, can be the application behavior, can be a transaction behavior, could be an Active Directory group behavior, in terms of, for example, what's the frequency of access to that given record, or to that given folder, it's also baseline.
So that's very important to combine the two things, and everybody says, of course we do entities, but the reality is, you need to do that to a very granular level where you can monitor like this analogy, okay? You can monitor what the people are doing, but also monitor the way the doors are opening, and you will understand things much better.
Now, when it comes to response and remediation, I think this is one of the most immediate answer that I give to user when they say, all right, you're talking about user behavior, but okay, but what else? Okay, listen, you know, the what else is that the ability to respond and remediate with a playbook is key. So for whatever we do, it's not about giving you a bunch of indicator of behavior, it's about giving you a bunch of threat, refined threat catalog that have a remediation attached according to a playbook.
A very important part of the playbook, it's the way you remediate, and in simple terms, there are three ways to remediate. You self-remediate, you ask the user whether it was them being anomalous in some way.
If he, she, he, them say, no, it's not me, then you need to take a different action. The other part is the IAM remediation, and there are possibilities like what I call soft remediation. So say Andrea is a manager of Mike, I do something weird that might be, you know, identity theft, but also a personal attempt to fraud the company.
Well, that's combination of anomalies resulting in a threat gets to Mike and Mike says, well, I don't believe it's been him. So it must be someone else who has stolen his accounts. So that's what I call the soft remediation. And that involves people that are not traditionally involved in the perimeter of remediation. And then there is a more traditional SOC remediation, where you do the integration with the SOC SOAR platform, which that the cyber guys are using. So we enable all these type of integration.
And of course, the identity remediation, it's how we should say it's one, it's the, it would be the Eden for us. That is going to be the day where the IAM platform also become the place where you can remediate threats that are originated with an identity centric ingredient. So that was a very quick journey about some highlights on the way we do and let you understand that we're blending a number of terminology, but keep in mind, it's an obsession to find threats that are linked to either an account or an identity.
So we always point to an identity and that's not so common in most of the ITDR platform out there. All right, jumping to conclusion. More the conclusion, it's a recommendation, somewhere personal as well. Please use the human firewall. And this is an example, dear business manager, security here, we detected this abnormal perimeter, is this okay? Your security, the business manager, the human firewall here, I know that's not normal.
There is a bunch of situations that could be as even in the world of ransomware, that early signals given to appropriate person that can just say, well, that's unusual. Outside of the security, traditional security people can have the company really extend the power force for protecting the enterprise. And in that perspective, I think that the IAM of the future, that today is very prescriptive. You describe in roles, rules, catalogs, what you can do, what can't do, it's going to be more of a coarse grain type of prescription. And then you detect and react if something goes wrong.
So I think that ITDR will contribute to in the future to an identity management, which is more balanced, based on the principle of gain trust. I trust you as much as you do good things.
In a way, it's zero trust, but not to that extreme. And last but not least, well, if on the call, there are identity and security operation people, and they think there are two departments apart, maybe sharing the same boss.
Well, you can talk now. We're not just us Sharelock, but the ITDR vendors try to give you a common alphabet where you can try to fix that. Now the Berlin Wall is down, but there is a blank zone and you need to step in and we're giving you the glue for these two side-by-side components. That is it on my side. Back to you, back to the commentator, as they say somewhere.
Thank you, Andrea. That was really great. We do have a number of questions. One of them actually is about the Rosetta Stone. I think you kind of ended with that. But we do have a question about what do you mean? Can you go into that a little bit further? How do you compare that? I think you've already answered that, but maybe you can spend a little more time on it.
Well, I'll be even more specific to the technical point. In the old ways, and even today, the only way that, and I had numerous conversation with clients, the only way that an identity guy talks to the security people, they say, well, we have a bunch of data. Just take that and do magic. And they are just overwhelmed by data that doesn't make any sense to them. So the Rosetta Stone is be able to detect what is happening within the identity world, distill it in a way, threat, identity-centric that you can just distill it and give it to the security people.
And they can combine with all the other signals that they have. So to me, that's a Rosetta Stone. It's a digesting exercise.
Yeah, I think that what you said about MITRE and kind of the way MITRE has sort of expanded over behavioral kinds of things, that's similar in concept, right? To kind of a similar language, right? Like trying to...
The more you move into business obligation, the only way it's, I mean, there are no rules or within purely tech stuff.
Okay. So the other thing is, we do have a question about UEBA, right? So user behavioral, and all that. How is what you're proposing different from just plain old UEBA, would you say?
Okay, that's, I would say that's a hit. Top two of questions.
Well, first of all, in the beginning of our journey, we were sort of neglecting using the word user behavior because it was tainted, like it's an old thing of the SIEM world. No, no, wait a second. It's just a technology, a way of approaching things.
Now, things have evolved within the UEBA domain in the way you do one thing, the way you build the baselines. In the original days of UEBA, you got a log file from SharePoint and the baseline was built on an average for all the users or the accounts in that system. That average baseline belongs to a user that does not exist. So the ability to move to personal baseline, multiple baselines, user and entities, and correlation over a time window, it's an evolution of the way you interpret the theory of user behavior. It is now coming handy today within the world of ITDR.
Yeah, I like that. The actions are also, you spent a little time talking about the three different types of actions that you can take as a result of when you detect a threat or something or there's an event. And I think that that's probably also part of it. Like it's not just behavioral monitoring, you're actually kind of trying to drive security into the response.
Yeah, the result is do something, which in the world of identity centric, it's log, block account, log it off, and these basic remediation components.
You're going to like this one because I have a similar complaint. We're hearing that proliferation of terms. Okay. So it sounds like how many more acronyms do we need, do you think?
Well, that's funny because last, sorry, not last, yesterday evening, I saw a report. Well, I saw it from the cybersecurity hub. And he said, there is a new report of acronyms.
I said, I saw a number 177. I said, well, it's not too bad. Nearly 200 terms.
No, it was 177 pages. So I have nothing to do other than trying to trivialize, simplify things, and maybe just reuse good terminology of the past that was neglected because it belonged to SIEM. So don't talk about that because it's SIEM, now we're identity. So people are lost out there. And in the scope of simplifying, let's call it identity centric security. That's yeah. We used to call it like that.
Sharelock, do you consider your product to be an ITDR product, would you say?
Well, let's be honest.
ITDR, it's a good definition you can surf on. But the reality it's what we're trying to do, it's in a broader term, it's setting up something that does identity centric security, which is all about, you know, do what we just described. So that's why we simplified.
We said, all right, it's Sharelock identity security platform, period. Yeah. Yeah. Let's keep it. Let's try to keep it simple. But I think there's a lot of thankful people out there listening. All right. Here's another one. This is a kind of a more difficult one.
It's, you know, the sources of identity. Okay. There's a question about whether you have, you know, multiple sources or like a definitive source of identity and like what's is there a security benefit in having more than one and more than one source of identity information? I think I understand that question properly, but does that make sense to you? So if you have an HR source, right, is that an authoritative source that you only need one of them? Or are you saying that when you look at, you mentioned log files, you know, Sharelock, my understanding is you look at a lot of information, right?
A lot of sources. No, but let's be very simple. Okay. We took user activity file, user activity log file out of the IAM platforms and some of the key surrounding application.
De facto, most of the concern about security violations and attacks are a lot around MS-365 because it's over the cloud. It's not one application. It's where you keep all your hidden treasures. So in the majority of cases, it's about the access management log file, the IGA log file, and the MS-365 log file, and you combine things.
Now, the data source of identity for us, it's where it exists. It's one, and it's not typically the HR because we don't get the, you know, the user activity or what the user are changing in terms of permission and their timeline. So I think if we have two HR services, like one for contractors and one for employees, and we have activity of the two different set of personas, then we can do combined things.
But, you know, the typical scenarios where there is one identity data source, we sell to mature companies and they already have undergone a bit of identity management best practice. So at least the identity data source, it's there, at least for employees, third parties, well, evolving.
You know, I wanted to ask you a little bit more about your background because you've done a startup company before. Do you want to talk about that?
Yeah, as I said at the beginning, many of us in ShareLock are coming from a bit of serial internship and entrepreneurship. So yeah, we, in 2011, we made this funny attempt to build an identity governance company out of the country of Italy.
And, you know, keep in mind, when we started, it was 2011. And we had a number of situations around us. One was Berlusconi, that was not really easy for us to be taken seriously as, you know, a tech provider. The other one is you're coming from the country of cars, food and fashion, what the hell are you doing in software? But you know that we were, I would say, brave, good and lucky enough to make our inroad to the European market and a bit to the US market, thanks to some selected partners. And then three years after, in 2014, we sold the company to IBM.
Even today, the IBM IGI, that's how they call them, Identity Governance and Intelligence, it's still based on the CrossIdeas acquisition that they made out of our little, what, 27 folks out of these groups.
Yeah, so, you know, but it does show that these, what was it, 27 people you said, or something, but that had such a big shadow, it cast a long shadow, as we say, right, you know, it's very effective. So I think that's pretty cool. Now with generative AI and, you know, that supporting coding, that would be an amazing number.
Tell me a little bit more about AI, because, you know, everybody wants to talk about AI and stuff, but you've implemented some machine learning, right, in your behavioral stuff, is that right?
Yeah, and we did it, you know, years ago, if we compare it to the hype that AI is today. So now we are, of course, using generative AI for some, you know, ingredients into the new, especially in the interpretation of threats and other stuff. But when we started designing the company, we took some foundational decision.
Number one, we said, we can go shelfware on machine learning algorithm, okay, understanding baseline deviations. In order to be accurate, we need to design our own, a good model or algorithm that detects time deviation, frequency deviation, pattern deviation. So it was a bit of a cumbersome effort at the beginning, where you might go just API and say quick and dirty.
But it paid off, especially for one reason, because if you control the algorithm and the model, you can change its unit and be accurate, because you know the drill, in cybersecurity, it's all about accuracy and avoiding false positives. And if you do the shelfware, you have little probability of, I mean, that 0.05% less accuracy, it's nothing for a machine learning developer. But for a security analyst, level one, level two, it's just a nightmare. So it's 1000 false positives on a daily basis. So that was the foundational decision we made. And we still maintain that.
And it's, it's sort of the other 30%, 40% of the company that wasn't that CrossIdeas. It's coming from that domain of data science and machine learning.
But does that algorithm improve over time, so you get fewer false positives?
Not directly, okay, it's not that we read the 50. So one of the foundational decisions that we had was to provide unlabeled data sets. So the customer, even back in the years, didn't have to say, all right, this is a wrong behavior, good behavior, okay, this, basically, we manage data set without being labeled.
And that's a massive benefit, because if you have to label them, well, you're just asking the client to fix what we should be able to fix. So they are unlabeled. So the retrofit of a feedback into the system happens, but not directly in the algorithm. But of course, yes, in the world of machine learning, you need to understand, we're not hitting the right target, and then, you know, tune the model constantly. So that's part of the effort, but not just for us, for everyone that does machine learning.
It's all about, you know, the more data you have, the better you become, the more aware you become, and then you tune it.
Do you have any questions for me? I keep drilling it.
Well, you know, are we going to promote the IDIT acronym, which honestly, you know, I mean, I like the empathy that every acronym, you know, puts out, and I did, it's, well, I love it. I did, and I will do it. I don't know, but there's a lot of jokes lined up behind it.
But look, I'm going to promote it, but it doesn't really need to happen from my perspective. I think we have too many acronyms, like we just pointed out today. But the IDIT, you can play jokes around it, you can be funny about it. And that's the problem with security. Sometimes you're too serious. So I'll be a great supporter.
Yeah, you're going to, you're on the bus. Oh yeah, I love it.
I do, I did it, I will do, I will love you forever. I mean, that stuff, that type of jokes can be very powerful.
Yeah, I think that one thing I liked about your presentation, you know, there was a lot, but the thing I liked is that you really did try to sort of qualify things in very simple terms and try to explain, you know, I thought that, I thought that worked out very well. I think that more people need to do that with security topics, right? It's just plain and simple, you know, it's like, why can't we all just speak?
Yeah, we need a lot of that in the security space, you know, going down to what my mother and father could understand. And I do that exercise sometimes, okay, I try to explain to my parents and to normal people, when that simplification will occur, probably the budget of spending and security will dramatically go up, you know, in the lower part of the pyramid, which today is stuck because, you know, they don't trust the terminology, anything to be, I think it's a scam, basically.
Yeah, that's probably.
It's not presented easily. I'm not talking about large enterprise, I'm talking, for example, in Italy, there is a wealth of companies that are below the, what, 30 million revenues.
And, you know, these guys are approaching everything which is security with suspicion. And I don't blame them, because it's not designed to let them understand it.
Well, so I'm looking at the polling numbers. One of the questions we asked, which was, what's going to have the biggest impact on identity in the next three years? So passwordless authentication got 32%, okay, which I'm certainly not surprised to hear. Decentralized identity got 20. Identity threat detection response also got 20. Do you have any sort of comment on what that means to you as a security practitioner?
Well, the best security is invisible. And, you know, the passwordless authentication and whatever goes into that, you know, making things easier. So it is no surprise that it's such a common, because it addresses a very simple pain point of making things simpler. And so I'm not surprised that that is going to, that's going to happen. The other thing that-
Do you think we're really going to get passwordless authentication this time? Like, we keep talking about doing that. I don't know. Everybody seems interested in it now, but it's always been out there. But you're right, simple and simplified.
Well, it's coming. But, you know, when the big guys, like with the passkeys, I mean, with this is the standardization effort to build trust and to start, you know, I don't need to authenticate you anymore. I know where you're coming from. I knew your father, I knew your mother, I know your city. That's okay. Come in. That's the old way of doing. That's the true passwordless.
Yeah, that's good. You just need to get to that level.
Of course, the world of fake identities won't simplify that effort, because there's going to be a wave of, all right, let me check your questionnaire. Are you serious? Pronounce this in Tasmanian. I don't know Tasmanian. I need to learn in five seconds, otherwise you're out.
But, you know, that's the beauty of what we do. I mean, we try to simplify, but, you know, the pain point is always there.
So, in a way, we're keeping our wage and salaries running.
Yeah, I, you know, I like that. That's what's a password after all. I think the behavioral side of that is much, much more interesting, probably more trustworthy. So that's good.
Well, okay. It's been fun discussing all these things with you today. I think that we'll go ahead and, unless you have any final thoughts, we can go ahead and dismiss everybody.
I'm okay. Thank you both for attending and that is it. All right.
Well, I want to thank everybody for attending me and asking questions and attending this session, this webinar. And mostly I want to thank Andrea again for the discussion. So that'll be it for today.
Thank you, everybody.