And it's not, it's never enough, right?
So you're talking about fire safety and cybersecurity, and smoke detectors are not enough. So you want to have, thank you.
How many?
You only have 10 slides, so you don't need...
Well, and you've warned me. What is the timer? There's no timer here? It is? Perfect. Thank you. Awesome. So, you know, my kids have grown up and they've left the house. And when I was a kid, this is how this all started. So I want to give you the little story. When I was younger, in the sixties, in order to go out and make pocket change,
most kids my age at that time went out and they would babysit their neighbors' kids, and they'd get a buck an hour or two bucks an hour, whatever it was back then. Are teenagers and younger kids still doing that now? Does anybody know?
No, nobody babysits anymore. Not a single person in the audience has a kid that babysits to make money. One person. Thank you very much.
Anyway, I guess it was very popular when I was younger, and I'm obviously not young anymore. But the interesting thing was, in the community that I lived in, in order to be a babysitter for your neighbor, you actually had to go and pass a course.
You had to get a babysitter certificate. Imagine being 11 years old, 12 years old. This was, now, guys and gals, this was before 911 existed, or whatever the emergency number is in Germany. I'm not sure what it is.
One eleven, something. We couldn't have an international standard for that, right? But we could have one for X.500, which no one uses. But anyway, you had to learn about fire safety. You had to learn what numbers to phone, and memorize the fire department number and the police department number. So there was a little bit to this. And, you know, I talk to so many customers about our products and about what's going on with them from a security perspective. I keep hearing these stories that made me think about my early days, when I had to take this babysitter course
and I had to learn about various things about fire safety.
So I thought I would put this together and just talk a little bit about why smoke detectors are not enough.
And again, I'll just mention to you, you get all these, right? You understand all these. I'll take you through them. Smoke detectors actually weren't commercially available until 1972. Okay. So before that, I was actually one of these kids that went out and did babysitting. So it was actually a heck of a lot more important to know a little bit about fire safety. Some of the other stats here on the left: there are 14,000 cases in the United States every year of spontaneous combustion. Okay.
Fires that start without a source. 84% of those could have been prevented if there was actually some fire prevention going on in the home, or, actually, a lot of these happen in organizations. And the actual damage is about 11 billion.
Okay. So fairly significant overall. Every 39 seconds there's a cybersecurity attack, a hack,
that is successful. 54% of those cybersecurity hacks originate from or are helped by an insider. Okay. Which is critical.
I mean, I hope SunTrust isn't here, because I'm gonna single them out, and I'm gonna single out another organization in my slides. But last week, I think it was last week, there was a whole write-up about what happened at SunTrust. And it was an insider who basically released a whole bunch of consumer information in the wild. It takes about 87 days to determine that you've been hacked and 105 to respond. And in a lot of cases, if you've been around for a while and you've been watching some of this stuff, it takes longer than that to do both.
And typically the damages are in the range of $2 trillion now.
So a huge disparity between these things, but I'm gonna bring them together for you in a second. So what are the challenges?
I mean, these guys... I think I've heard a few of the speakers already talk about how fast hackers are working on these things. They're constantly exploiting weaknesses. We've got users, resources and entitlements everywhere, right? It's no longer just what we're using in the enterprise, but it's things that we're using at home and in various other places. It's OT. It's just so many different things. It's very difficult to know who has the right access. Security teams are increasingly reactive.
So I'm seeing situations where there's very little attention being paid in some companies towards prevention. It's all about reacting when something has happened. In other words, the burglar alarm is going off and we gotta find out, you know, did somebody open a window, or is it a correct alarm or not?
Everyone and everything is connected. And I did a presentation, I think it was three years ago, about IoT in the wild west. And I wanted to put up this one graphic at the bottom here.
This is a snapshot of the internet traffic out of my house, where there's a whole bunch of IoT devices. Nothing fancy: my TV and my DVD player and this, that and the other thing. No big deal. But it's interesting to see where the number two amount of traffic in and out of my home is going. Okay. And you would only know this with a commercial firewall, not with your TWC telecom thing that most people have in their home.
So if I sit there and I ask people about this when I meet with them: if this is going on in my house, imagine what's going on in your organization. And do you know what's actually going on with this traffic that's going to China, or, I guess, potentially other places?
So people make bad choices.
I see this all the time. I mean, this is a great illustration of a bad choice.
You know, there's risk everywhere. There's temporary solutions that are put in place.
My whole point about this is you wanna reduce the risk before the disaster strikes. And it's not just, you know... there should be more than one hand: how many people have a significant other, or someone in their family, who calls them up and says, should I open this email from Bill Gates? Right.
I mean, I constantly get that. My wife, yesterday or the day before, when I was flying over from Canada, had one from our bank and it looked like it was very legitimate. And she said, should I click on it? And I said, absolutely not. Don't click on it. How many times have I said that?
But she said, it looks legitimate. And I said, well, it doesn't. But people still do this.
I mean, you've seen a lot of stuff around this. So I talk a lot about this: it's not just about educating the end users not to click inappropriate links. It's about discovering and profiling risk in an organization. It's about documenting it and verifying it and certifying it, and then mitigating it, which is where a lot of organizations fall behind. And the problem with this kind of gadget on the left: does anyone look at the underneath of these things, where it says, never connect two of these together?
That's about as bad as doing this, and you end up with this and, you know, potentially a lot worse. So the other bad thing is, I can have customers who say to me, well, we think we're pretty well okay
inside. And then I start talking about this entropy. You know, I had the pleasure and the honor of working at Microsoft from 99 to 2005. And in 2000, when they launched Active Directory, which I was on the team for, no one knew what Active Directory was.
So here we fast forward 18 years later. Most of the folks in this room have probably used it for 10-plus years. And entropy has set in, and physics is conspiring against all of our directory systems and all of our internal systems around what's in the directory.
You know, what things are going on with ACLs and documents and files. We spend a lot of time talking to customers about data governance and file classification.
And it's really amazing and unbelievable. I think my next slide might show that in more detail. But, you know, it's not just what you're doing yourself, it's everything that's happening in the organization around entropy. This stuff requires constant care and feeding.
So, two sides of a coin. I see a lot of people looking at eliminating risk in motion. They've got user behavior analytics, they've got all kinds of stuff that helps them when something has happened.
And my whole point here is, I think we need to be doing more in most organizations to eliminate risk at rest. Okay, what's going on with your entitlement grants?
You know, what is it that we can do to eliminate and reduce risky things before we have to worry about it? In other words, closing the door on the safe or locking the doors on the building before you're actually broken into.
So you have to avoid this disaster by managing at rest. And in particular, we know, as I mentioned before, about some of the active things like UBAs and SIEMs and monitoring, and all these things that can tell you that possibly something just happened, assuming that you're not like the guys at Target: when the smoke detector was ringing, they kept turning it off,
not realizing that they actually had been attacked and actually had been compromised.
But then there's all the preventative stuff that needs to go on around things like: do you have privileged account management? And if you don't, why not? Because it's, I think, one of the critical things in an organization to have. Data governance, DLP and file classification, also from a preventative perspective. And then entitlement reviews and certifications. Every single customer I go to, I ask a series of set questions. And one of them is, how many groups do you have in your organization? Is it more than the number of employees? And I see eyes roll.
Then I ask, is it two times as many groups as employees, or five times as many groups as employees? And it's usually somewhere in that five-plus range. And I ask them, so you obviously know who the owners of all these groups are and what the usage of all these groups is for? And eyes roll again.
And I go, and what does that look like around your security groups and things like that? And a lot of people start groaning, and if it's the security guy, he turns green. So my point just being, we all know that we have a problem, and this entropy aspect of our networks is not making it any easier.
So I wanted to put this illustration up.
And again, if there's somebody from Sony in the audience, I apologize. But, you know, I said, does this look risky? So this is an interesting thing. I went online, I did a Google search about Sony, because I knew about this particular case. This is actually a screen print from what the hackers published on the internet. They published all these files and the index to the files. And this was an index to the files.
Now, a lot of customers say to me, we're not so worried about our unprivileged users. And I always say to them, well, I think you need to be worried about your unprivileged users, your contractors. Anybody that can get access to a file share is somebody who potentially could do a directory listing on a server and look for files that just have the word password, either in them or as part of the name of the file.
And these are literally ones from Sony. You don't have to look too far down to see things like payroll password, or remote users, or reset passwords, or server passwords on this list. I mean, literally directly from the Sony breach.
So, you know, again, if you had a fire prevention officer, or you had your teenage child who had gone on fire prevention courses like I did when I was, you know, in the late sixties, they might have walked around and seen some of this. Or been an administrator and done a directory listing and said, geez, why do we have all these files out there called password dot something? So what are some of the things that can help you prevent spontaneous combustion in these particular cases?
Well, there are products. There's file classification products.
You might wanna look for passwords, or titles that are passwords, and just flag those. Privileged account management.
Again, if you're not protecting your privileged accounts somehow, well, that's a big deal. Multifactor authentication. And of course user education, also important. But all of these things kind of add up to that. Here's another one. I was specifically told I'm not allowed to mention which company we took this from, but we do a lot of our engineering work, obviously, internally.
So I won't say anything further about that. But we did this risk analysis, and we actually came across... little did we know. I'm not in IT, I'm actually in product development and product management. But we came across this user called jbanks. And, interestingly enough, how we found him was we just did a look through, and we wanted to see all the end users who have the password-never-expires flag.
And jbanks was one of them. And we were like, well, who the heck is J Banks? We'd never heard of them. I'd never heard of them.
I've been with the company for more than 15 years. So what the heck? And we go in and we do a little bit more analysis, on the right. I'm sorry if you can't see it, but it's right out of Active Directory. And basically this person has every privilege known to mankind with respect to Active Directory.
I mean, everything from soup to nuts. They could do whatever they wanted, and this guy has a password that doesn't expire. So you can imagine from my perspective, as somebody who was looking at this, and we're just testing our software, that this was pretty amazing. Fine for us. So back to spontaneous combustion. What are some of the preventative measures to take before an attack occurs? Least-privilege management discipline, I think, is key. Privileged account management and password vaults:
very key.
The whole aspect of looking through and doing entitlement analysis and review is also very important. Access certification, access governance, data classification. And, while I'm not... have you ever had one of those invitations where somebody says, hey, come to my party Friday night, and they forget to tell you that it's a masquerade party, and you show up dressed normally? This is kind of like this party, where I showed up and everybody's talking about blockchain except me.
So I'm gonna mention machine learning. Maybe next year machine learning will be the cool thing that we're all gonna talk about. But there's some really interesting stuff going on in that area that I'll mention quickly here. So one of the things that I mentioned at the start was, attackers are getting better and things are happening faster.
I mean, we just can't keep up with an attack every 39 seconds.
So one of the things that's really interesting is, how can we sort of monitor digital behavior? How can we gather users' digital footprints? One of the previous speakers was talking a little bit about this. Also doing things like hardware and device fingerprinting, defining what's normal and building user baselines.
And this is all sort of towards this effort of becoming more real-time, because as the hackers get to be more real-time in our lives, we want our software, and we want our response systems internally at our companies, to be more real-time. So how can you, as I say here, how can you identify unusual and risky events in real time? And I think there's a number of ways. You know, behavioral analytics or behavioral biometric inputs are interesting.
We've had a number of customers come to us, and, you know, I'll put a star here and recognize the fact that there's a GDPR issue here, but my job isn't GDPR issues.
That's what lawyers and other people are for. But there's been a number of companies that have approached us saying, we wanna record everything that our employees do when they get on a system.
I'm like, okay, why do you wanna do that? And this is the real reason they want to do it: they want to be able to see what's going on in real time and take some actions on it. So, tracking behavioral inputs through keyboard and mouse, historical command usage and norms, temporal usage and norms. Again, you know, is it normal for Jackson to be on it at three o'clock in the morning? Well, it is in this case, because he's in Europe. And then evaluate these risks in real time and proactively request confirmation, which I think is really key.
So just, you know, in that sort of last sentence with respect to this: the hackers are getting real-time.
We have to be real-time. And there's a heck of a lot to this, more than just doing user behavior analysis and things once sort of the horse is out of the barn. We all have to become fire prevention officers and look at things that are happening in an organization before the fire breaks out. We've got tons of these things in our networks and on our systems that lead to spontaneous combustion, and we have to keep an eye on them. So reduce your attack surface.
That's what this is all about. And it's through access analysis.
And, as I said before, accelerated remediation. So, four aspects to protecting yourself against cyber attacks. Most of us aren't doing all of these, but I'll leave the slide up as Martin comes up for any questions. This is the key thing.
Again, these guys are moving fast. You've gotta move fast, and it's not just about what's happening in real time as they break in, but you need to start doing some fire prevention: walk around, see where the oily rags are, and try to get these things prevented before they happen. So, two minutes, is that enough time? Perfect.
Okay.
Thank you, Jackson.
You're welcome.
And so let's make a little Q&A discussion. I also wanna introduce one of my other colleagues, Matthias Reinwarth, maybe for that part of the Q&A. And I have one question to the both of you, which I think fits perfectly well to that picture. So I also talk a lot about prevent, detect, respond, recover, however you'd like to phrase it.
I think there are various ways to phrase it. But when I look at what a lot of people are talking about, the one thing is the respond, restore, or respond and recover part, and the others are talking more about the immune system. So what is the more important thing? Matthias, your perspective, and then Jackson, your perspective. Short answer.
Short answer. Yeah. I think the line between inside the company network and outside the company network is blurring.
Anyway, I think a system can only work to a small extent. And I think that applying intelligence to what's happening anywhere in this system is much more important than trying to shut it down.
Right? Yeah.
I, yes, it's a pity.
I definitely, no, I definitely agree. But the interesting thing about the immune system, and I'm certainly no doctor by any means, I have a son who's in medical school, but I think the nice thing about the immune system is it learns from its attacks, which is much like what we're starting to see around machine learning.
I have one of these slides, which Richard also has, with "improve" in it, which is sort of exactly that point. Maybe we look whether there are some questions from the audience.
No, no questions.
Perfect. To directly move to the next part of the session. Thank you. You're welcome. Again, Jackson.