Thank you very much. And hello from Boston, Massachusetts in the USA. Definitely. Sorry not to be there in person. I'll assume you can hear me okay unless someone chimes up.
Yes, I saw some pictures from last night. People enjoying themselves. Definitely more fun than I had. My night was quite quiet, but the advantage is I don't have to fly around the world to do this presentation.
So, as Alex said, I'm going to be talking about a little bit of the history of identity and how that leads us to where we are right now, and then the why and the what of what is commonly known as identity threat detection and response. I believe there'll be some discussion later from Mike Neuenschwander and perhaps others about whether that's really the best name for what this domain is all about, but for now I'm just going to refer to it as ITDR when relevant.
So first I want to talk a little bit about history. Give me some leeway on the numbers.
They're broadly rounded in every way, but the principle is the same: if you think over the last 20-plus years, the identity and access management market has essentially grown from next to nothing to maybe 10% or even more of the overall cybersecurity investment. So it's come a long way, but in our world of cybersecurity no good deed goes unpunished, and threat actors have certainly taken notice of this domain of identity security, identity and access management.
So one takeaway is that we've done well as an industry, but now we have to get back to work and invest in various aspects of the next generation of identity and access management related security controls. Again, if you think about the early days of identity and access management, I was involved in the early days of web access management, web single sign-on and identity federation; all turned out to be important steps toward better management of identity and a better experience for end users.
But the reality that did come up with some regularity as we were doing it was that people would note we were essentially aggregating identity and access management. Whenever you're aggregating functionality and centralizing it, you're in effect centralizing risk. We knew it at the time, but the changes we had to make to get to where we are now in the industry were, and still are, wildly positive.
But we've reached the point over the last few years where threat actors have taken advantage of, or started to take advantage of, this centralizing of risk that came with the success of the identity and access management marketplace, with customers investing in and using the tools the vendors have come up with. And so this aggregation of identity and access management has led to increased risk in a way.
And it really comes in, in two areas.
One, the area that we mostly think about is threat actors targeting individual identities and getting control of them through techniques we're probably all very familiar with, whether it's phishing or password cracking or MFA bypass. Social engineering, I should probably also add. They have multiple techniques to take over an identity, whether it's an average user or a privileged user, which is usually what they're really interested in.
It happens all the time. In fact, data we collected at the end of last year showed that about 62% of organizations had experienced account takeovers last year. So the majority of organizations, and probably you all deal with it with some regularity: threat actors take over an account, whether it be cloud-based or otherwise, and then use that as a stepping stone in their cyber crime.
The other area, which doesn't come up as much but is much worse in many ways when it does, is targeting the identity management systems themselves, of course because of this aggregation of capability and policy and control, privilege control, that is inherent in identity management systems. If they can get control of an identity provider, or an MFA generating system, or an access management system, or what have you, that gives them unbelievable control. And that has been happening with increasing regularity.
So this is the step where I have to use AI generated graphics, because that's the thing these days. The first one is that it's an important key: if they break into one of your users, or even one of your privileged users, it's a key access point into your organization. It's not game over at that point, of course. There are other controls, some of which I'm going to talk about, that can be applied to stop that minor incident of an account takeover turning into a major breach.
However, if they take over any important part of your identity management infrastructure, that's when the key gets really glossy and your amazing castle, your critical assets, gets taken over.
So this is a concept that's been out there now for a while.
Most cyber criminals are basically saying, in some words or other, why hack when you can just log in? And this actually does happen now with some regularity. Not for every breach you see in the news do you really find out all the steps that occurred for it to become a major breach and hit the news. But there are three examples here where identity, access to an identity, or identity systems were a critical step in the breach.
Turning a minor incident into a major breach: at Capita, M365 access was a key stepping stone. In Uber's case, they actually went after their privileged access management system. And at Colonial Pipeline it was basically going after Active Directory and becoming a domain administrator.
So these are just three examples of where identity became a key stepping stone to a successful breach.
So what do you do about it? That's really what the remainder of my session is about. If you think about what has to happen now that identity and access management systems have become relatively ubiquitous and quite critical to how identities are managed in most enterprises, we need to move on to what we're calling identity threat detection and response.
So in my view, and in the views of others, what that constitutes is a combination of identity-centric hygiene and identity-centric detection and response. So you really need to find out and understand, ideally in advance, whose identity provides an attack path, so you can clean it up.
Obviously, it's also somewhat useful in the midst of an actual threat investigation, because instead of having to boil the ocean to understand what systems might be impacted, if you know the systems a given user has access to while you're doing an investigation, that's critical.
So that's where the concept of a blast radius comes in: if you know the potential impact a user's privileges would have in your organization, you can either clean them up or put compensating controls in place.
And then the third step is assume breach, basically, and have finely tuned identity-centric detection and response functionality embedded in your security environment so that you get faster, better and clearer detection. A more holistic way to think about it is to think about the attack chain and how identity threat detection and response type controls should apply and provide functionality against the attack chain.
And this is where the concept of defense in depth really becomes clear, where there are multiple areas or multiple stages of an attack chain that an ITDR-oriented security system can help with.
So first, on the far left, is basically the hygiene function, where you want to try to discover and remediate these vulnerable identities, these overprivileged users or these cached credentials, all the things a threat actor uses to progress their attack, and clean them up before they get there. But of course, defense in depth means you don't assume that's going to be perfect.
You will still have privileged users whose accounts get taken over. So you need early detection, ideally, so that when accounts do get taken over, you find out quickly and can remediate them. But following down the line, it's assume breach. So you need ways deep inside your organization, both on premises and in the cloud, to detect attempts at lateral movement and privilege escalation, which is using your identities as a stepping stone.
And then finally, being able to efficiently investigate and remediate.
So I think of identity threat detection and response solutions as basically needing to include this defense in depth concept all the way down the attack chain, and ideally doing it as a holistic identity management system, closely complementing.
In fact, my final slide of this session is basically that an ITDR system, in addition to providing defense in depth in an identity-centric way, also needs to be plugged into all of your identity repositories, policy engines, and even third-party and other security controls. So this is not a complete list of all the things you need an ITDR system to plug into, but categorically: your cloud providers, your identity providers, your IGA systems, your PAMs, et cetera.
And in addition, I show, for example, integrating into an email security system, such that your preventive controls can also be well informed by your current hygiene and other data that can be collected by your ITDR system. So hopefully the takeaway is that identities are under attack, they're successfully being taken over, and threat actors have an incentive to leverage the aggregated risk that's inside your identities and your identity management systems.
And that there's a next generation approach necessary to better control the great success, in some ways, that we've had with our identity management investments over the last 20 years. And for now we're calling that ITDR. So that is what I prepared. Thank you.
Well, thank you, Matthew. That was really a very thought-provoking presentation. Just a quick reminder: if anyone has questions, please raise your hand or submit them through the power of the internet. I actually have one question from the online audience. Do you see the move to cloud-based directories like Entra ID as a security risk?
Well, I mean, it's another identity repository, and it will have hygiene issues and it will be an attackable identity system, just like Active Directory is today. So I think it's definitely part of the identity fabric and needs to be considered part of the environment you need to protect.
Yeah, but is it inherently more attackable than on-prem Active Directory?
I mean, it's inherently more accessible. I think I would agree with that. It is less complex.
I mean, if you think of Active Directory today at your average company versus your AWS or your Google Cloud or your Okta or whatever, it's less complex. So it's easier to defend in a way, but easier to access. So I wouldn't say it's more or less. I would say that now part of the complexity really comes from having many identity repositories as opposed to just one Active Directory back in the day. So that's sort of an ambiguous answer. Sorry about that. Right.
Okay. Thank you very much Matthew.
My pleasure.