Welcome everyone to our KuppingerCole webinar, Shut the Door to Cyber Attackers Permanently. This webinar is supported by Beyond Identity. The speakers today are Patrick McBride, who is Chief Marketing Officer at Beyond Identity, and me, Martin Kuppinger. I'm Principal Analyst, KuppingerCole Analysts. So what we'll do today is we're looking at the, so to speak, the door, the front door, where attackers tend to come in. So what do we need to do to protect this better, to keep it shut?
So it's not avoiding every type of cyber attack, but it's really the ones that come through the doors into our organizations. Before we dive into today's subject, a little bit of housekeeping here. So you're muted centrally, nothing to do here. We will run two polls during the webinar, and if time allows, we will discuss the results during Q&A. And as I said, there will be a Q&A, and when you look at the tool you're using, then there's a Q&A part, usually the right side of the screen, where you will find the Q&A, where you also find the polls, and where you'll find the chat function.
So use them, make it interactive, always more interesting, more lively, and you have the great opportunity to raise your questions to Patrick and maybe even to me. And we are recording the webinar, and we'll make available a recording and slide decks, that little slide deck we are using today, short after the webinar. So before we dive into today's subject, I want to ask you a question that is, does your organization, this is where you can then use the poll feature on the right side, does your organization offer passwordless authentication, MFA, and or risk-based authentication for consumers?
There are different types of users in that case, a bit more to focus on the consumer side, customer-consumer, than on the workforce side. So a simple question, just yes or no. So please enter your, your vote, and the more we have, the better it is.
So, come on. We give you roughly a minute here, overall.
Okay, we see your responses coming in. 10 more seconds, and then we'll close the poll. So use the opportunity to vote right now. And it looks like most of you are already, at least when it comes to customers and consumers, beyond the password. So I think we can close the poll now. Thank you for participating.
As I said, if time allows, we'll have a look at the poll results later on during the Q&A session. So the agenda today is a bit simpler than it is most cases, because Patrick and me, we decided that we will do this more in a conversational style. So please welcome Patrick here now. And so it will be a conversation between the two of us, looking at various aspects of what do we need to do? Why do we need to do it? How do we do it? All these things and bringing our perspectives. And I'd like to start with a bit of a question.
So I think every one of you has probably an opinion on that, but maybe, Patrick, to you, what's the problem with passwords? And by the way, this is a good password. It's not one, two, three, four, five, six, three, three, two. So better than many of the other passwords here, that you tend to use, at least according to all these surveys about 10 most used passwords.
Well, the number one is password. So it's my password. True.
Yeah, there's, you know, when we look at it, there are two main issues with passwords. The first is simple. People hate them.
I mean, they're a pain. Let's, you know, we have to create new ones and because they're weak, we have to change them frequently, you know, based on policies. We can't use the same one because it's easy to guess that way for the bad guys, or if you get one compromise and they can use it to log into a different account.
So just, and that does lead to real cost for companies. I mean, there's, you know, there's password resets, whether you're talking, Martin, you said the workforce or the consumer side, there's both technology and cost.
Sorry, go ahead. Yeah, and I think for the consumer side also, it goes to drop off rates during registration. It goes to churn rates because you don't come back or password reset, whatever takes too long is too cumbersome. I think all these things are, I fully agree are familiar to every one of us. And I think no one really likes to use passwords because you're always in this situation also of this dichotomy between do you reuse passwords or how do you keep passwords in mind or where do you store it? Which system do you use when you use a lot of different passwords?
And none of these approaches is really appealing. Exactly.
And, you know, we do a lot of those crazy things with passwords because of problem number two, they're just insecure. I've gotten fond of saying there is no such thing as a strong password.
You know, people will tell you, well, if it's eight characters or 12 characters, it's really difficult to crack, you know, to, you know, if the password is well-kept in a, you know, in a cryptographic form or something, but at the end of the day, that's not where the bad guys steal them. So that's the big issue. They steal them when they're in the clear. And it's hard to crack unless you look under the keyboard. Yeah.
Yeah, we can find them under the keyboard or the bad guys have lots of different ways to intercept them when they're not encrypted. And so, yeah. Let me quickly share some numbers here, maybe for a second. I think that is interesting. And these are numbers you have also provided. So from external source, in this case, the Verizon 2023 Data Breach Investigations Report.
And maybe, Patrick, you want to comment on these numbers? Yeah, this is much like the 2022, the 2021, every year we find out that passwords themselves are at the top of the list for the initial attack vector for breaches. So on the left side, we call it the easy button, you know, for the bad guys.
85, in this year's report, 85% of the breaches. So not kind of attacks, things that may happen. These are breaches that actually did happen when they looked back at them. 85% of the breaches of web applications involve stolen and then reused credentials. So however the bad guys stole them, they were reused.
And the interesting, and I lost a bet on this one, Martin, but the second thing is on ransomware, I lost a bet to my CEO a couple of years ago, and he loves to remind me about it every once in a while, but my bet was, I always thought, I've been in cybersecurity for 25 years, I always thought that the main cause of ransomware was somebody clicking on a bad link, whether it's in an email or on a website that downloaded some malware onto an endpoint, and that's kind of where it started.
In fact, and if you look here, the use of stolen credentials attacking, you know, desktop sharing software, something that gives the attacker access to servers and things like that, it is the number one. You know, so they looked at all the ransomware breaches that they had data for, and, you know, people still do click links and get something downloaded, but that's the number two. So I owed my bosses a steak dinner over that, but, you know, it's, you know, I don't have to be right all the time.
Yeah, but I think that this is an important thing, and I think we always can question such numbers. So 86% being sort of password identity related, I don't know, I think we see a lot of software or supply chain types of attacks these days, et cetera. So we see the attacks using vulnerabilities, but I think we all agree on the fact that this is the simple way, and we all know that there's a ton of sort of automated types of attacks that are permanently running. So once you're connected, so to speak, then you are under attack.
We are receiving a lot of mails, and regardless of what we use in email security, et cetera, some come through and some people fall trap to them. And that is where we see that situation, that passwords are a problem. I'm also with you regarding the, no one loves passwords. And so what I brought up a while ago is I said, one of the worst sentences, so to speak, you can use in cybersecurity is balancing security and convenience. And in some way, we do that with passwords. We try to make passwords stronger, and convenience goes even further down, but convenience anyway is low with passwords.
So what we need to do is we need to bring both up. So we need to combine and not balance security and convenience, because balance always means one goes up, the other goes down, and we want to have both. We want to have security and we want to have convenience. I think this is the essential aspect here we need to look at. And I think the other point, and that is something maybe we can continue the conversation with, and let me quickly bring up another slide here, that is really the aspect of cost. So I think the next point we should look a bit in this context is cost.
And again, maybe to bring up a number to foster our conversation here, that is 4.45 million, a number just recently published by IBM. I think everyone can keep it in mind. 4.44 would have been even simpler, but I think there's a cost, in that case, a cost of data breach. And so I think we and everyone is in agreement. We need to do something. I think the interesting question we could have is, why do we still need, or why do many organizations, many CISOs, still need to ask for money? There's a business case.
Okay, you could argue that not everyone is experiencing a severe data breach, but if it happens, I know about organizations, really prominent mid-market companies over here, for instance, in Germany, where the entire organization, including production, was out of service for three weeks or even more. And then we are talking about tens of millions sometimes.
Yeah, in the IBM report, they actually talk about some of those kinds of attacks, the super attacks that people may see. If it shuts down a refinery, for example, a plant that produces millions of dollars in goods a day, or an online service that does millions of dollars in service, it has a huge cost. And get to the revenue, get to your customer, the reputation with your customers, potential future business, and all of those things. So it's not just a convenience piece that you brought up and trying to balance them.
One thing I will say, Martin, just to go back to your convenience thing, I've been doing the cybersecurity thing for a while, and the old school CISOs, if I went back 10 years ago, it was kind of this my way or the highway. I don't really care if I make it inconvenient for you because I'm making it secure. That's not the perception these days. I've seen a market change. Every time I sit down and talk with chief information security officers, they're saying the same thing that you're saying. We shouldn't have to make that trade-off.
We shouldn't have to put the burden on the end users, whether they're consumers or the workforce. There's different ways to do this where if you burden them too much, they're just going to make you turn it off or try to work around it anyway. So we really have to figure out that balance. Yeah. By the way, there's one of these other sentences we heard a lot, which really drives me mad, which is the human is the weakest link in security. So my point is, if so, first encourage people. They are the first line of defense. The other point is, if a user gives away a password, what's the problem?
What is the root cause of the problem? The user or the one in IT that still had a technology in place that worked with passwords. So the answer is very simple. If you don't have passwords, no one can give away a password. So why should we blame the user for something?
We, to be honest, and I'm an IT person, we, that's why I say we, we in IT didn't do perfect. So let's not blame the user, let's fix the problem. Which brings us to, I think a topic that is close to your heart, which is password-less authentication.
Right, right. I totally agree with that. And I think, again, there's really been a mind shift that I've seen in the industry of people, security professionals and IT professionals, just understanding that they have to figure out a better way to do this, a more secure way.
You know, the same goes for clicking on a link. If you click on a link and then something bad happens and maybe we haven't kind of completed our job. A quick story there. It was a couple of companies ago. There's lots of education tools out there that educate users and then test them, as we know, and, you know, send you malignant links. I had been doing business with a particular bank, and then I got a test phishing email, you know, from that bank, and I said, well, whatever. I had just closed it out.
And so even, you know, I've got a 25-year career in cybersecurity, and I looked at the URL, and it was just, it used a Cyrillic character that disguised, it looked just fine. And the red light goes up, and I just, good news was the IT director was right down the hallway from me. So I got up from my seat and walked down and walked into his room and said, I'm sorry.
But, you know, again, if, you know, people are going to make, you know, even people being very, very thoughtful are going to make mistakes. Yeah, and I just have to admit, yes. So we have this at our firm, and I'm pretty good, but I'm not perfect. So at least once, I fall trap to that.
Yeah, so the headline sort of hit the nerve, and I wasn't conscious enough in that case. So it can happen. I suppose- Well, you and I, if they fool you and I when we're being careful, they can certainly fool users who are just trying to get their work done and working hard and working fast and trying to just, you know, do their job.
Yeah, and I think that's the point. And so I'm absolutely, I think the thing I personally like with passwordless authentication is really this, it is more convenient and it is more secure. And I think that is maybe something to look a bit more in detail, because I think when you look at sort of, let's say standard baseline passwordless authentication, it basically is that you use a bit of biometrics on your device. And so the question clearly is, and that go even into the details, at least not yet into whatever phishing, or a system, et cetera, but why is it more secure?
And I think that the thing, a lot of people, I think here in that sort of virtual room, a lot are aware of, but when you take a broader community, a lot of people are not aware of, on at least most modern devices, there's some more hardware. It doesn't display here with the filter, which is some sort of a secure enclave, secure element, whatever. Maybe you can give a bit more insight into that.
Yeah, but one thing just before that, and I know you've run into this, Martin, is just the idea of, so passwords, when we got into the market, we had a certain mindset of what was passwordless, and we were thinking highly secure using cryptographic techniques, that we'll talk about here in just a second, but there's also a lot of things that are passwordless, meaning nobody uses a password, but they're not necessarily secure. So I send you a code rather than make you do a password, or I ask you other knowledge factors, which effectively are new shared secrets.
So things that are shared secrets by another name are still passwords, even if you didn't call it a password. But to your question specifically, since even before, but since the iPhone 4 came out, when we all put our fingerprint on the iPhone 4 reader, and it let us use our biometric to get into our phone, companies, we've seen more wide deployment of what you were talking about, something called a TPM or an enclave, which is just the simple definition of it's a hardware level secure technique where you can store a private key.
And so a really strong common form of passwordless security is a passkey or a public private key pair. And if you store that private key in a TPM, you can protect it, well protect it. And so you've got a private key pair in the TPM, and then you can store the public key pair. And then the passwordless transaction is just checking, just like we do with SSL today to make sure that we're talking to the right websites.
Exactly, and I see this is what everyone needs to be aware of. It's not just whatever face recognition or fingerprint. Right. It's that plus device, plus a piece of hardware that is very specific, very secure security hardware.
Anyway, there are risks of attacks. And maybe have a look at another slide here. Give me a second. So let's have a look at attacks, which are running fast. Right. So we always need to be aware these things are happening really at speed. And I think one of the things you've also shared here is about MFA bypass attacks, how they work, and attacker in the middle. Maybe you give a bit of an explanation on that before I sort of remove the slide again.
Yeah, well, just to get even into the topic, you know, the idea is we had passwords. We know that's weak for all the reasons that Martin already talked about before. And then the idea was, oh, we just added MFA factor to it, a one-time code or a push notification, those sorts of things. And then since we've got then two factors, it's harder to break in. And actually for some time, it really did increase the level of security.
What we're seeing now, unfortunately, is that what I would call the traditional or the first-gen or MFA that uses things like push notifications and one-time codes is not just easy. As Martin said, there's ongoing attacks right now, and they're using, and here's why they're happening. They're using tools that are now freely available. We've got Evogenics here. That's one example of a toolkit that isn't for sale on the dark underground. You can go to GitHub.
In fact, we put the link in there if you note that and search for it and download it. So how these attacks work in general, and it's typically called a reverse proxy or a proxy-based attack. It's a man in the middle. And so an attacker would create a link, and then we talked about those, send it an email or get you to, and with a good phishing email that might say, hey, we've got an issue. You need to reset your password, something that creates a level of urgency. They've got really nicely created links, well-crafted links, and a well-crafted email.
By the way, AI plays into this, can make those emails even better these days. So I get a nice phishing lure. I click on the link, and I'm actually talking first to the attacker website. And so what I do, and the attacker website looks just like the website that I'm trying to create. Maybe it's my bank. Maybe it's a consumer, other consumer application or a workforce application. And they basically sit in the middle. So I click the link, I start the password reset on the fake site. They take that information and send it to the real site, for example.
And then they get the push notification request or they get the one-time code that we send over, and they capture that. The biggest issue isn't just that they capture the codes or the passwords, because they sit in the middle of the transaction. One of the biggest issues that people often don't think about is they can capture the session token. As we log on to a site, we don't have to log on with every transaction back and forth that we do with our bank.
If we're looking at our balance and then moving some money around or paying a bill, we have a session token that keeps us on for hours, maybe even days, depending on how that's set. And if you steal that session token, then the attacker can inject that into their own browser and then bypass a lot of the other controls you have in place. So they can capture both the codes and things like the session token, which is really... And people tend to think that, oh, well, that's a really hard attack.
And again, a couple of years ago, it was. Yeah, but we have measures against it, which is, so to speak, truly passwordless authentication, which is at the end also a phishing resistant approach where we bring things together. You can talk about it in a minute. I think we also need to always look at email security because, okay, not everything is coming in through email, also through other forms, but there are technologies like email security solutions, sandboxing websites, and then trying to detect certain types of attacks.
So I think we need to, again, help our users that they don't fall trap because at the end, it will always be a race between the attackers and us, the defenders, but there are really a lot of means here. And so one of the things you're pushing out is always this sort of notion of phishing resistant. Right. What does it mean concretely? So concretely, at one level, it means that even if an attacker were to try that kind of attack that we just described, a man in the middle attack, it would fail.
And more specifically from a technological standpoint is that you can guarantee, you can establish trust on both ends of those conversations. So we already talked about a private key sitting in a TPM, maybe signing a certificate. So that's one level, but you could even do it without that technology if you could just guarantee that the requesting application and the thing that's providing the acknowledgement or the yes, we know that something can't sit in the middle of the attack. And so typically that means putting additional cryptographic controls on top of that transaction.
And I'm not talking about just a private transaction like SSL. People are very familiar with public private key crypto. They use it every day when they go online. Right? I would disagree that people are familiar with public private key. Fair enough. They are using it all the time.
Yeah, they're using it. I sometimes said, when you have a room of a hundred IT people and then ask them, hey, who's willing to stand up in front of the flip chart and explain public private key encryption, then probably not that many IT people will stand up. And I think a lot have an idea of what it is about, but then you go into the details, it gets a bit more tricky.
But yes, I think we have the technology. We have solutions for that. I think this is very important. We need to, we can use technology. We have technology to get better here, to really address the challenges that we are facing when it comes to passwords. And to the, we talked about the title about shutting the door. And shutting the door is in fact, where it's about someone coming in, authenticating and doing this in a fraudulent manner. So we must avoid this. And I think that the clear starting point also to my opinion is really passwordless authentication.
So when I maybe quickly go back to a few slides, I think the point is definitely also about focus here. And focus in that case also means what do we need to do and why it's so important. I think there's an interesting point and companies such as Beyond Identity sit on this upper left area of the CISA Zero Trust Maturity Model. So the CISA Zero Trust Maturity Model, I think is a very good one. And I said, I'll look at a matrix of Zero Trust Maturity. But honestly, there's a very good matrix which is the one provided by CISA. So this is a super good starting point. And what it actually says here.
So for me, Zero Trust always is someone often is using a device, authenticating, going over network and application, accessing certain types of data. And in an optimal way, it means that we have a strong grip on authentication, which is identity and device. And this is for me, also for everything in Zero Trust, it is the starting point. And maybe Patrick, you wanna comment a bit on this slide here.
Yeah, exactly. We think it's a starting point too, but I can take my Beyond Identity marketing guy hat off and put my old analyst, my former analyst hat on. And it really is the foundational layer. If we can't establish that it's Martin, coming into whatever resource he's getting access to, whether it's a consumer application like his bank, or it's his internal HR application or finance application, where Martin as the principal has much more authority.
If we can't establish that it's him and establish that he's using a device that the organization has approved him to use and establish that that device, and this is a really, I'm gonna say this really specifically because it matters, is appropriately secure. We can't, and Martin, you point this out to me all the time. We can't guarantee that anything's perfectly secure.
The only thing we can do is know that on the device that we're granting access to, the one Martin is going to use to get to these applications or system resources, we've got the appropriate security controls installed, first of all, at the time of authentication. And that really covers the first three bullets of that slide. Is it Martin? Is it a device that we've allowed him to use? And then does that device have the security controls?
But the idea of zero trust isn't once and done, set a long session timer, let Martin stay in there for eight hours or eight days or eight weeks without reassessing this, it's continuously reassessed. So what I think the CISA model does a really nice job of is combining both the user identity and the device security posture and saying you absolutely have to make a risk decision getting in, but then you have to continuously reevaluate. And continuously is a range, right? You're not necessarily doing it every second. You're also not doing it every day because a lot of things can happen.
So it can be 10 minutes every hour, but reevaluating whether we're seeing signals that maybe this isn't Martin, or maybe that device, maybe Martin for good reason turned off his lock screen on his phone and he's accessing through his phone or on purpose or inadvertently turned off his firewall. We would wanna know those things and then be able to take some action. Not just you wanna send the security operations center alert about that, but attackers move fast these days. So we have to take some immediate action.
So that's kind of where CISA, I think, as you said, I think they did a very good job of outlining, you know, where you need to get to. I think also that's a good metrics to start with because it's really well-structured, well-thought out. And I'd love to get these wonderful metrics from our European entities as well. But CISA is really an excellent source here. And I think you talked a bit already about taking actions. And I think there's a bit of different perspective also on actions.
And that is, so not only the tool taking actions, which is one part of it, but it's also us, the IT people, the decision makers taking actions. And so what would be your recommendations here for taking actions aside of, for sure, purchasing beyond identity, which you probably would say?
So, you know, there's certainly at a minimum level, and I think we've seen a lot of this in the industry already, where any of your security infrastructure, identity infrastructure needs to communicate well. You need to take the exhaust, all the transactions that happen and make sure that they get to the security operation center. And then if you see some issues, you know, that you're alerting them.
So, you know, part of this is just wiring this into the flows that you're using for your network detection, you know, for folks that still have real on-prem stuff or your endpoint detection and response kinds of things. So that's kind of the, I would call it table stakes things. But a lot of people have made serious investments in technologies that you can use to, for example, quarantine a user. So one of the, I'll point to something that we do as an example of two things that we can do as just an example of this, but there's others.
You know, one is you see an issue, I mentioned that maybe Martin turned off his firewall, which, you know, now leaves his endpoint open to exposure. We could call out to something like CrowdStrike or other EDR technologies or an MDM and quarantine that device so that, you know, Martin no longer has access to those resources, like immediately or, you know, within, you know, minutes, you know, rather than waiting for an alert to weave its way through and somebody to finally, you know, see if that's important and then work it. Or drop a network connection.
There's products, you know, there's the SASE product categories and ZTNA categories that, you know, all of the nice thing is this ecosystem has done, I've been really happy to see the ecosystem security at any tool to a better job with API. So now a tool like a Beyond Identity can call out to a tool like, you know, a ZTNA tool and say, hey, drop that network connection or quarantine that device, you know. And we can get more signals from way more sources nowadays. I think this is the other side of it.
So we can consume the signals to help us to at least continually reevaluate the risk and on the other hand, we can trigger more actions by integrating solutions. And I think from an actual perspective, what I would recommend is to understand what you have on both ends, so to speak, which is what can provide signals, what do you already have in place and what can you already use to sort of for corrective actions around that. So as a starting point, then look at how can you integrate it.
So really seeking a more holistic solution that looks at every type of device as well as every type of access of every type of identity. And I think this is something we also need to be aware of.
Yes, there's the employee access to a certain environment, but in most environments, there's more and the tricky parts come when you look at operation technology, when you look at software developers, when you look at externals, et cetera, then it usually becomes way more challenging because then we are in that space where it's really about heterogeneity and we still need to solve it and we should really start from a bigger perspective like we did on more the overall identity piece when we started talking about the identity fabric a couple of years ago. Exactly.
And basically we also need to take a bit of a fabric approach on how can we deliver that service and what do we need to fabric in a sense of a mesh? How do we need to put all these things together?
Yeah, the way we think about it is frankly an extension of what you guys have been talking about. It's the identity fabric, the identity mesh overlapping with the cybersecurity mesh.
Companies, organizations have made huge investments in things like EDR and network detection and various different anomaly detections. As you said, if we can consume those risk signals to make better authentication signals on the identity side, then we're just in a much better place and we're leveraging technologies and investments that we've already made. So we're finally at a point, this is kind of a really interesting time to be both an identity professional and a cybersecurity professional.
We can actually bring those two worlds together in a meaningful way, not just taking the actions like we were talking about, but consuming additional really robust data to make just better decisions. It's gonna require tools that have a really good risk-based policy engine, of course, to do that and can talk to things. But we're at a really interesting point, which we need to be.
When we talked about shutting the front door, I sometimes I'll be honest, I sometimes get a little frustrated when I was like, wait, wait, we hear this interesting new vulnerability that a log4j, for example, we have to pay attention to that. Of course, it's an externally exposed thing. It came in, like you said, through software, so it's a supply chain kind of an issue. And as security professionals, we have to go look at that and figure out where we're exposed and take care of that.
But every day we're leaving a bit of an exposure like that with passwords and things like that, something that large already is in our environment. So I would love to see the same level of activity to close that big vulnerability. And I think that is important. If you want to become more secure, then closing that door, the password door, so to speak, is super essential. And we have a lot of things in place to make it work. And I think this is a good closing statement for the part of our webinar where we discussed. And what I want to do right now is I want to run one more poll.
And after that poll, we then go into the Q&A session. So the second poll for today, that will be about the action, so to speak, we quickly discussed. I really love an open, frank answer. We can't track who responded in which way. So maybe you spend a few seconds on responding to whether your organization has suffered a cyber attack that was caused by or related to breached passwords. So curious about the number of responses and whether a realistic number of people would say yes. Some people are shy to say that, but, and we understand.
I mean, it's, but yeah. But we don't and can't track who is responding in which way. So no worries here. Looking forward to leaving it open for another whatever, 30 seconds. I can comment now. So have your questions ready. I'll make Martin answer all the really hard ones and then I'll take the easy ones. Okay.
Yeah, so I think it seems to be a bit too optimistic a response here, at least when I look at the interim state of the poll. Anyway, I would say we close it in 10 seconds and then we move to the Q&A session. When we talked about the, the interesting thing that I always like about the Verizon Data Report, and it gets repeated, you know, lots of other threat intel companies have done kind of research studies like they have, but their starting point ends up being successful breaches.
So not, it's not theoretical stuff. They start off with, okay, a breach happened.
You know, let's go back and figure out exactly what happened and how. And there's all kinds of different breaches from ransomware to, you know, so they've, you know, for people who haven't looked at that, it's really illustrative, regardless of the password information. It just gives you a really good idea of the most critical things that you're facing, you know, which is always, that's the hard job in identity and cybersecurity.
You know, we've got a lot to do, figuring out what are the things that we can do that will most lower our risk. Or make it hard, yep. Let's look at the questions. We have a couple of questions here. So the first one, I hand it over to you. It's an easy one. Small businesses are just as vulnerable as the medium or large businesses. Do you agree on that? I think they're more vulnerable in many cases. And we see that with some of the ransom, you know, as an example, with the ransomware attacks, they don't necessarily have all of the same level of resources.
You know, I've been working in the industry and have had, you know, large banking, you know, large international banks to work with. And they've got just threat intel organizations that are, you know, many hundreds, even a thousand people just doing, you know, the detection response and action that we talked about.
So, you know, and then, you know, you talk to some small businesses that, you know, it's one IT guy, you know, and he has to take care of all of it. So, yeah, no, I 100% agree with that. Okay. And maybe directly moving to the second, by the way, of the respondents to the second poll, around two-thirds said our organization never has experienced or suffered from a password-related breach. I would dare to say this is a bit too positive as a number, but anyway. That's our result and we have to live by it.
Yeah, and maybe it's just because all the experts are listening to us. Anyway, so they don't make the fundamental mistakes anymore.
So, and we could also say, okay, then there are two-thirds which are still waiting for that to happen. That would be silly. The old security joke, there's two kinds of companies, those that have been breached and those that don't know that they've been breached. Or that will be breached. However you phrase it, exactly. Is passwordless authentication the same as single sign-on or is that too short to say?
No, I think that's too short, but that's a really good observation. So, with single sign-on, for example, they've helped fix some of the last mile stuff.
So, the integration between the SSO tool and the application. To give you a real example, we're all on Zoom today, for example. If we're using whatever SSO, whether it's Microsoft or Okta or Ping, there's a SAML assertion and there's a cryptographic binding there.
So, that's a pretty secure, they're not moving a password, but you still have to get into the SSO system and very often that's with, surprisingly, a password. All the SSO systems also have MFA. Unfortunately, as we've talked about, some of the older MFA styles are just not as effective at stopping breaches.
So, if I get into the SSO system using a regular password and an MFA, that's the issue part. The back end of it is more secure, but you also notice, there's one point here, there's a lot of SSOs that, or a lot of applications, in fact, there's a wall of shame if you search on it. Application providers who either don't provide a SAML assertion, so you can't use SAML to get into the application, so the SSO can't use a passwordless way to do that, or they offer that, but only in their upper tier.
So, you have to pay more for the thing to be secure, which is kind of an oxymoron. But in those cases, they have to default back to a password.
So, I might use a password to sign into my SSO and then my SSO acts just like a password manager and puts a password across the network, which can be breached with some of the techniques that we talked about earlier. So, next question. From your expertise, what potential obstacles or limitations might organizations encounter when implementing zero trust authentication, passwordless authentication, and how to overcome them?
Yeah, I think there's the biggest issue, and I think, Martin, when we first started talking, when I first briefed you on what we're doing, I think you brought up something like this, if I recall. There are lots and lots of different use cases.
So, the biggest obstacle, let me back up. There are technologies today that you can plug, beyond identity and others, that you can plug into your SSO and take you passwordless and provide some of the other capabilities that we talked about, the device trust and things like that. The biggest issue is figuring out the edge cases. And there's lots, and so, I'll mention one, one we ran into fairly recently.
You know, we're working with a large chip manufacturer. They've got a clean room, you know? Some of the biometrics, when you've got masks and things on or fingerprints all covered up, don't work there.
So, you have to have, you know, a key fob, something like a FIDO key, or, you know, one of the FIDO keys or something along those lines, you know, or something that they can, you know, put inside a proximity card, that sort of thing. So, it's- Yeah, wristbands, et cetera. I also came across the question about ATEX-compliant devices with one customer.
So, for environments where you have a high risk of explosions, et cetera. Right, right. Makes things way more interesting, by the way, these challenges. And there's little ones, even.
You take, I'll give you another one, and I'll come back to this. A bank, banks and companies like that will have a customer support service center. They don't let you bring a phone in. You're going typically, you know, the representatives that come in aren't necessarily going to the same desktop, you know, every day that's, you know, it's a bunch of desktops that they have in there, and they use whatever, you know, desktop that they sit in, or hoteling, you know, kinds of things.
So, I'm not saying this to dissuade people or to do it, because there are also big chunks that you can solve today. And cybersecurity is always about doing the things you can do today to lower the risk as you figure out some of the edge cases.
And so, you know, doing nothing until I can, you know, until I can do everything is going to be a failed, you know, way to go about cybersecurity. But you can really start off to bite off chunks, and you can do it. But that's the issue. It's some of the edge cases. The technology's available today. And the other thing I would point out is a little bit, this is more in the thoughts of the cybersecurity guys. When you showed the table, the CISA table, that look, you know, there's different levels that you can go to, you know, and Optimal was the thing that we had the circle around.
A lot of people think you necessarily have to go through stage one and stage two and stage three, because it's a maturity model mentality. And, you know, I did, I was a former engineer, so I worked through those stages of CMM and engineering, and you always had to kind of build up. You can skip some stages, you know, with different technologies and things like that, you can actually go right to Optimal, you know, that's our pitch to folks. We can take you from sub-Optimal right to the Optimal CISA levels, at least on the device trust and the identity thing.
You know, there's other columns there that you have to take care of that we don't do anything about, but, you know, it's this thinking. So those are the big issues. By the way, I liked that point you said.
So first, maybe let me comment on the edge cases. Interestingly, I think for the vast majority of edge cases, there are some solutions. Sometimes not as easy to find, sometimes not perfect, but they are. And the other point I like is saying, let's look at what we can do, not at what we can't do. Unfortunately, I think when I look at many conversations I had with cybersecurity professionals, it was about why things don't work. And in some of my previous talks, I had a graphic where I looked at the limit of security going towards 100% and the limit of cost is infinite.
So there is no 100% security. And that again means we need to look at what we can do and how we can get better, not for trying to shoot for the perfect security, because, and I sometimes hint to the book after the, the movie after the book of Dan Brown, I believe it was Illuminati. The ones who have seen it know there is no 100% security. There are always ways to bypass security if it's the hard way.
Patrick, I think this was a very, very interesting conversation. I hope that the audience also learned a lot from it and gained some insights. So thank you very much to you for all the insights you provided. Thank you very much to Beyond Identity for supporting this webinar. Thank you to all attendees for listening in and hope to have you back soon at one of our webinars or conferences. Thank you. Thanks for having me. It was great.