Next speaker is going to extend a little bit on the cloud ideas in the identity and access management environment. And please welcome Ravi. Good morning. You're with IBM. That's right.
Yes, I am. So what is your mic working?
Can you guys hear me okay?
Yeah. Okay. I think it works getting better now. What are you responsible for?
I run product management worldwide for security products, primarily focused on cloud security and identity and access management.
Okay, so please, the floor is yours.
Great. Thank you. So this is my second year attending the, the conference here and I see a lot of familiar faces from last year, but I do see a lot of our, my fellow partners and vendors and customers as well in other occasions as well. So this year, as I was preparing for this talk, I was, I was wondering, I said, I, let me go look back as to what did I share last year? Last year I was, I said, we had a, kind of a bold statement.
IAM 2020 vision, saying based on all the customer interactions, based on what we're seeing in the market, we wanted to highlight to you what the three key takeaways were for what organizations are gonna be doing in terms of transforming their identity and access management environment. So I said, these three things, I said, first organizations are gonna use identity as a key security control. Looks like that theme seems to be accelerating, right?
You, you heard a lot about it in the last two days about think of identity as not what you want to manage, but look at identity as a security control for supporting all your transformations. The second topic we talked about last year was I said, look at cloud security, not as piece parts, but cloud security as three key capabilities that need to come together. Identity protection and insights.
Interestingly enough, coming out of the, the big security conference in the US a few weeks ago, there were over 70 web vendors talking about cloud security in that topic. They call it cloud security broker, cloud security access gateway, all sorts of things, but really trying to bring three key elements together to drive cloud security.
And the third topic I said was by 2020, we'll be using a lot more IAM analytics as a core set of intelligence, not just for real time security intelligence, which is still very, very important, but also as information that you would use for driving decisions, better decisions inside the organization. And clearly we are seeing that a lot, even in the show floor here where a lot of organizations are highlighting to you, how they can help organizations put together an analytics practice to support and your decisions in your environment.
So I'm gonna still say that these, these are still the right three trends, and we see that those trends just being accelerated in 2015 and 16, what's driving those accelerations, right? I wanted to share with you from a perspective of an organization like IBM, that has threat research worldwide. We have two big research teams, one focused on X-Force, another focused on malware, and we are trolling the websites every minute of the day, looking at attacks, looking at malware. And this is our analysis, not headlines, but this is our analysis of what we are seeing happening in the internet.
And what's interesting is attackers are continuing to break through traditional safeguards that you've put in place. 2014, we saw a lot more data leakage in terms of customers, the attackers stealing records. The average days that the attackers were in the environment was about 225 days, using advanced persistent threats as a way to get in and stay there.
If you look at the year 2015, so far, we've seen a lot more focus on malware, and actually IBM helped discover one of those malwares last year. IBM actually helped discover this malware called Dyre.
So I wanted to spend a few minutes to share with you the anatomy of the attack, just so that you can get a perspective as identity professionals as to the changing role of you in your organization. We're certainly not talking about the boogieman and the hidden boogieman and how to respond to them. I just wanted to use this example to share with you that this is the kind of experiences that your organization is going through. And as identity professionals, we have to help organizations inside your company, respond to these threats.
So let me take a look at this discovery. Last year in June, this is the first time it was reported by a lot of banks in UK and the US. By September, they went to targeting mega sites like Salesforce. Then we saw them in October branching out into defense department in the US. Then we saw them attack in October, moving their attack to, to a lot of sites in Europe,
including a lot of banks here in Germany. In November, we saw a lot more of targeted regional banks being hit by this same malware. And by December we saw attacks targeting China and Australia.
So in this course of six months, the same attack was being used across large number of banks around the world. So the commonality here is we all may think our banks are different in each region, but guess what? They're not. The websites that you put together in a regional bank here in Munich are no different from a regional bank website in India or in China or in Australia, because they have, they seem to have the same set of vulnerabilities that these exploiters are attacking. So we went to the source and said, okay, where are we seeing this originating from?
So these malwares were being originated and, and attacked. Guess what? Using cloud, just as all of us are trying to transform our businesses by moving our workload to the cloud, the attackers are using cloud in a very efficient way to distribute the malware and, and drive the business from, from the cloud. So just take, let me take a few minutes to share with you the anatomy of what we saw happening, right? Because this is very, very critical for all of us as identity professionals, because what's interesting is as you saw the anatomy of this attack, they were clearly focusing on the user.
They were clearly focusing on the user's experience from the landing page to the login experience, to the authentication experience. Even when those customers had strong authentication,
Because the traditional malware, as we all know it, was the phishing attack, right? You send a phishing email, you click on a link and then you redirect to a webpage. That was the manual way of doing it. That's what's in the top of this chart, but Dyre malware wasn't like that.
It was actually at the bottom of the chart where they were automating that experience, going from the landing page to the login page, to the strong authentication experience that the user can do compromising the strong authentication as well. So this is the malware experience is now sophisticated enough to be able to bypass even the strong authentication methodology they're putting in place.
Why do I say that?
So the reason I'm saying this is experience is if you look at the compromising effects of the Dyre malware, every step of the way, the attackers are trying to be a step ahead of your defenses, including the identity and access management defenses. If you look at Dyre's experiences, they bypass the antivirus, right? They bypass the customer's websites by giving them a fake URL to, to divert the customers. They were even taking over the account and compromising the authentication, forwarding the real authentication experiences to the end user to capture their second factor.
If that was what was being used as well. And the device IDs of trying to do context based saying, let me collect all the information about the device ID. Guess what, just as we IAM professionals are capturing information from the devices, the attackers were doing the same thing. They were capturing information from the mobile browsers because this is a mobile malware attack. So they were forwarding the same set of informations from the browser that we could forward as well.
So as what I wanted to do was to share with you that one single experience of our discovery of the malware, and we published this to the experience, to, to clients around the world to really start to look at that six months of attack duration that happened from June to December last year, cuz we believe there is an opportunity just as the bad guys are well organized and looking at attacking the environment, that that is an opportunity for threat sharing intelligence in the marketplace. So what does that mean to identity and access management professionals like us, right?
We have an opportunity to evolve identity and access management, keeping ID as a security control. If you look at digital identities and we are going to use digital identities for all the interactions in the world, we have to start evolving identity and access management to become use identity in that, in that context, not as something that you wanna manage, not something that you want to do a bunch of access control with and traditional authentication and authorization, but add the element of security capabilities as well.
So what that means is identity management has to start looking a lot more at the entitlements creeps and trying to lock down those entitlements. On the access side, we can no longer be agnostic to content. Traditional access management systems will authenticate the user. They'll authorize the user, they'll even do dynamic access control, but at some point they'll let the traffic go through. We have to start looking at the content as well because that's what's compromised in most of the opportunities. Sessions are hijacked. They'll still take these off the shelf malware to intrude.
So we've gotta start looking at access control as a way to become a lot more aware of the content and the malicious nature of the content as well.
Clearly from our perspective, we'll do the same thing in the marketplace. We will continue to enhance IBM's capabilities and we refer to it as threat aware identity and access management to be able to support those transformations as well. But what I wanted to do today was to not talk about what we're doing from IBM's perspective and identity and access management.
But I wanted to communicate the opportunity we have as a community to start looking at how to use identity and access management as a security control to support your organizations. And so there are three ways we could do that. First is Martin talked about it at the, at the kickoff as well, starting to think about using risk based security intelligence.
Well, here's an example of what we have already in the marketplace for doing risk based identity intelligence. I'm showing you a dashboard of a security intelligence platform capability, which is enriched with identity information, because typically a security information event management system will pick up what? It'll pick up account information from firewalls. It'll pick up account information from the network, from the applications, but it doesn't pick up anything about the user and who they are and what they have access to. An identity system does that.
So being able to enrich a security information and event system with identity information that we are all sitting on is a powerful way for us to provide that realtime security intelligence.
The second one I wanted to share with you is this is what I wanted to. This is really exciting for us. We have introduced in the marketplace a threat intelligence sharing portal. The bad guys are organizing, sharing information. Guess what? We're gonna try to beat them by providing all the good guys an ability to share information about malwares and threats and URLs that are intruding in your environment.
So we launched this threat portal a few weeks ago. It is it's free. You can sign up for it. The URL for it is xforce.ibmcloud.com. And you can try this. You can actually put in URLs and it'll give you information about the URL, whether it is malicious or not. It'll tell you. So we all try this dude. We all put our own websites to see what's happening. Who's connecting. What's the nature of the, the attacks. The goal for us with this threat sharing intelligence portal is simple.
Allow the, we have to shorten the time that the malwares and attacks are being used in the marketplace.
If, if an organization in Toronto, bank in Toronto, finds an attack, they can go to the threat portal, type in that attack and see if it's a real, is it a one time thing or are they starting to see others as well? They can post saying, Hey, I saw this attack. The goal is for us to be able to then start sharing that information to all the other banks worldwide so that they can start to look at how to reduce the time. So that Dyre malware, which took from June to December to, our goal is when similar things happen
next time we can shorten that time from six months to a few weeks. The other major point is banks might also have regional attacks, right? So the goal is for us to use this threat sharing portal as a way to find out if it is a one time thing that you're seeing, or is it a, is an attack that that could be happening more broadly. So this is an example of a cloud security offering that we're opening up the community so that we can have organizations use the threat intelligence to drive better decisions inside of your organizations.
The last piece I wanted to highlight here is some IAM, identity and access management, capabilities that we're delivering as APIs in the cloud. It's really exciting for us to do this again. I know Kim Cameron talked about capabilities that Microsoft is doing in Azure. We're doing a very similar thing with IBM cloud. We have a platform as a service and as part, as part of the platform as a service, we have a collection of security capabilities that we've offered from the cloud, and it's not just IBM capabilities. It's open to third party capabilities as well.
So in this graphics at the bottom, I've got about five services already in the IBM platform from an authentication vendor, a multifactor authentication vendor to a single sign on capabilities, as well as application scanning capabilities. The goal here is for developers being able to build their application in the cloud with security built in so that they can drive a lot more of their security, their application rollout in a secure manner.
So we're starting to move the security conversation more earlier into the development lifecycle, opening it up to organizations so that companies can start to build their applications in a secure manner. Again, the sign up for this is free. You can try it out for free and would love to hear feedback from it. The URL for that is ibm.com/bluemix. Bluemix is our IBM's security cloud platform as a service as well. So with that, let me just summarize the key takeaways. So my key takeaways for you as identity and access management professionals are very simple.
First is as IAM owners inside your company, engage with the other security teams inside your company. We're not a silo anymore. We're, we're, we were a silo in IT teams, but guess what? Now we have to work with the other teams because identity is a security control. Show them how you can use identity as a security control, especially with the security operations team, the fraud team, the network team, the endpoint security team.
They're all hungry for information about how to use identities as a security control, because that is how your organization's gonna respond better to security.
Second is seek out the shadow IT teams. They are busy. They're busy in trying to enable the business to go quickly, connect a software as a service and roll out new mobile applications. So here's again, an opportunity as an IAM professional to show them how to use identity context in those rollouts, because if they don't roll it out with identity context, then you are opening it up to all the malwares and potential attacks as well.
And last but not least as IAM professionals, look at how you're gonna evolve your IAM program to strengthen both the use of digital identities, as well as not just identities for users, but for APIs and internet of things, but also look at how are we gonna simplify this IAM because we, we need to be doing a lot more with the identity and access management programs, especially for governance and analytics as well. So with that, thank you so much for your time today. This morning, we're here throughout the conference and we'd love to hear from you as well.
Thank you so much. Regarding this X-Force platform, you, you launched it some weeks ago, you said?
Yes.
Yeah, we launched it in February and then we, we got it announced at the another trade show.
So can you give us some more, some ideas? Is this, is this a sharing platform? So everybody could also put his information and his, his threat?
Exactly. The goal is it's an open platform. It's a very simple platform, very easy to sign up. Once you sign up, you can then put in information about URLs that you're concerned about.
Like, you get an email, you don't wanna click on the link, but type that URL into this, this system and see what it looks like.
Is it meant for individuals or for organizations?
It's meant for organizations. Okay. And it also is, is meant for multiple organizations. So you could have, you could adopt this for just your organization saying I'm gonna share information inside my company. We can also set this up for other companies to collaborate. So banks in Canada, for example, okay. They can all collaborate and say, I'm all going to put information and share information with the audience.
Okay.
Cool. Cool. Thank you very much. Okay. Thank you.