KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
The Identity and Access Management (IAM) market is undergoing rapid and at times transformative change. A steady progression from on-premises to API and cloud platforms is visible as vendors innovate, but authentication tools are under attack from determined adversaries.
The Identity and Access Management (IAM) market is undergoing rapid and at times transformative change. A steady progression from on-premises to API and cloud platforms is visible as vendors innovate, but authentication tools are under attack from determined adversaries.
Hello. Good afternoon. And welcome to this webinar brought to you today by KuppingerCole and supported by transmit security. We're gonna be talking about multifactor authentication, but more particularly extending beyond the limits of MFA with continuous adaptive trust. My name is Paul Fisher. I'm a senior Analyst at clip in Cole, and I'm delighted to be joined by Mark Byers, who will be presenting the second half of our presentation. He's a director of product marketing at transmit security. So there's our agenda for this afternoon.
I'll go through a little overview, brief overview of identity access management as it is today and how the modern digital environment and modern business needs are shaping it and also creating new demands. Then mark will explain how continuous adaptive technologies can detect and stop cyber attacks. Should they successfully breach? So your authentication defenses. And then of course, at the end, after our two presentations, it's your chance to ask questions to both of us and you can send those questions directly in the tool Before we get into the actual webinar.
I'd just like to introduce a little bit about KuppingerCole. We are a global Analyst firm and we do a number of services for the it industry. We do reports in the shape of executive views are flagship leadership conferences, where we take a product sector and look at the leaders in those fields. We obviously do some Analyst, Analyst briefings and webinars such as the one that you are listening to right now, we also do a number of advisory projects for the industry where we'll actually serve as consultant to, to companies advising them on projects in our specialist areas.
We also have a very thriving conference division, which I'll. I mentioned more in a little bit e-learning and meetups, and all three of our key areas are covered by those identity and access cybersecurity and artificial intelligence. Apologize if there's a little delay on the slides here. So our Casey research self formats, as I said, the leadership compass is our flagship product. This gives an overview of a tech market identifying the leaders, and it's very much a very highly in depth buying guide for various services.
For example, privileged access management is a leadership compass that I'll be working on and be available next year. We also do executive views, which are more condensed reports about specific products and services and focus on the strengths and challenges of those products. The advisory node is where our analysts are given free reign to talk about a topic or a vendor or a product service in great detail, and also make operational recommendations to our clients.
Finally, we have a leadership briefs which are two page reports, which focus on key business challenges. Quite often. These are ones that have come up for the first time and just to plug our new KC plus content research platform, which is easily searchable and directly available online. It also is available now for one off payment of 800 euros, which gives you full access to all of the research that I've just been mentioned for around 12 months.
And just quickly to, because you hire a heads up on a few events that be happening in next year, we have, of course the European identity and cloud conference, which is our main sort of flagship event, which it takes place every year in Munich, where we discuss everything around European identity and cloud. But of course that means virtually everything can do with cybersecurity in, in the modern business world.
We have then the customer world customer world event, sorry, which is happening in Amsterdam, which is focusing on the interconnected world, which is enabling companies to do business in a much more consumer orientated way and something that we'll touch on in our presentation in just a minute. And we'll be looking at that present conference, how you can connect with customers in a higher frequency and through far more convenient communication channels than ever before. Finally cybernetics world, which will be taking place in three locations in 2020.
This brings together the most cutting edge minds and research to co-create the new world, marketing automation, mobility, smart cars, finance insurance, and cybersecurity, very much looking at AI and its impact on the business world. Little bit of housekeeping, you or muted. So you don't need to worry about muting or muting unmuting yourself. This of course will be recorded this webinar so that for any of your colleagues, that didn't make it to the live event, we will be able to provide them with a full download and audio recording later.
And as I said, there will be a Q and a session at the end of both of our presentations. And you can enter your questions by using the go to webinar panel, which you'll see on the right hand side, you enter your questions there, then I'll be able to pick them up. So back to our agenda, I'll giving a quick overview of the IM in space. Their mark from transmit security will be talking about continuous adaptive risk and trust technologies, which will help detect and stop cyber criminals. Should they get through your authentication defenses? And then we'll have the Q and a at the end.
So this is a slide which I think looks a fairly complicated slide. And that's probably because it's reflecting the business challenges that many organizations are facing today. As some of those conferences that I alluded to just now we'll see that digital trends are affecting virtually every type of business from the smallest to the largest. And in fact, some of the largest industries are finding it the hardest to cope with this digital change.
If we go from, from left to right I'll justly, mention some of the trends in terms of identity and access management, the biggest one is consumers for a long time.
Consumers were very much the sort of passive receivers of business, and didn't really have too much say in the product development with the digital landscape and with social media and everything else that's happened in the last few years, consumers are taking a much more proactive position in how businesses are run and we're even seeing now consumers are having a physical entry almost into the business itself where marketing teams want to talk to them directly.
So we need systems that are able to not just manage our employees, but also manage those third party actors, such as consumers and partners, which is also there on the screen, which are coming in through the channel, into the main organization and impacting on product development, product, life cycle. And indeed the actual marketing of the business employees obviously were always an important part of any organization, but they too are now having a greater say in more parts of the business in certainly in terms of operations.
And we've seen that in the growth of, for example, privilege access accounts, where more employees, other than traditional privilege access holders are starting to get access to data, which would be considered highly privileged and also highly attractive to cyber criminals. So we need to protect all that.
And then on the other side, we have the cloud artificial intelligence and of course the legacy side of things cloud, we've been talking about cloud for many years, but it's surprising how many companies still have yet to either fully engage with the cloud or even starting engaging with the cloud at all.
So there's huge amounts of opportunities, not just for cloud providers, but for, for those in organizations, to make sure that they're ready for the cloud and all the security and operational challenges that the cloud will bring artificial intelligence or artificial intelligence as a service and data analytics are possibly areas, which are a little bit misunderstood and perhaps over hyped.
I think when we talk an awful lot about artificial intelligence at the moment, what we are really talking about is machine learning, where we use the amount being increased amounts of data that we are now generating to teach machines, how to do things. So they're not necessarily doing it and making decisions for themselves just yet.
But then what is happening is that means data is now being sent from individuals it's being sent from consumers, partners and employers also onto the other side, and being used by AI applications to change the way that business is done, finding legacy applications and legacy infrastructure are something that the biggest org organizations are having to deal with and finding it very difficult sometimes to integrate legacy applications will all these new trends. So in the middle, we can see how all of this is turning into what you might call virtual circles.
So we have customer identities, data, user monetize, digital services, et cetera, taking in feed from all these things on the left and the right and creating what we call digital services for digital businesses. All of that though is happening against a backdrop of increased cyber crime, increased compliance demands just recently, we've been the Californian privacy laws just, or just about to be made, going to onto the statute books, which is very much like Europe's GDPR. And no doubt that'll transform the way that data is used in digital businesses across the United States.
Just a, a slide that I won't go through completely every detail, but we're getting more into how identity has evolved over the last few years through network businesses, the sharing of data services and shared identities. So we've gone from systems right up to shared identities. User managements in the previous earlier were very much just accounts per system. We had manual administration and these were protected by a fairly basic username and password authentications. Then we came to identity management where synchronized accounts were between systems workflows were provisioned.
And we started to focus on employee identities. Then we had federated identities where we started sharing identities across business partners and other stakeholders. So their standard protocols became established, and these were adopted by many cloud services for single sign on with the advent of consumers and consumer identity management. We started to turn the spotlight onto consumer and customer and moving customer ID, consumer identities from proprietary digital services to central consumer identity management.
Finally, we've got an increased number of shared identities and universal identities, which are starting to appear in organizations of different sizes. So we have such trends as bring your own identity and universal identity. Prior providers. We've also got New York customer, which is particularly of interest in the financial sector and insurance sectors where we identities must be proven to be correct. And a great deal is riding on that.
And, and whether we have that identity correct or not. And I'll tell you when we get to a little later slide of a personal story that happened to me this very weekend about how identities can so easily be lost in the world that we're now living in. So this slide, it's kind of a simplified version of everything that I've just been talking about, which presented a very complicated world of identity, a very complicated world of authentication and one that is likely to become more. So we can't do much about preventing this complex scenario. It's something, a trend that, that cannot be stopped.
Even if you take one example, such as social media, where people are sharing identities across all sorts of different applications. So what we need is we need to move away. People have been saying this obviously for a long time, that we need to move away from username and password. It's still by far the most common way for people to authenticate themselves on a day by day basis and will need to do this through mobile social and risk adaptive scenarios.
So what we are looking for is a way of continuous authentication, a continuous authentication, so that it follows you from one place to the other. And that it is secure. That is a lot easier said than done, but that is the goal that perhaps we should be looking for.
Now, multifactor authentication is one step up from past username and password. And this of course does actually improve things. A great deal. If you have more than one factor involved in any authentication procedure, it's likely to increase security. And for good reason, people are always the weakest link in any authentication. People tend to write passwords down or they share them.
So any, any device that can be added to authentication process to prove that the person that's trying to gain access is the person they say they are, is going to be more ideal, more MFA allows the flexibility that we need for secure authentication to get through the complex digital environments that I've been talking about, right through this and final and GRC or compliance governance, risk and compliance.
As I just mentioned in new California laws, many of these are now asking for multifactoral authentication to be compulsory within organizations, if they're even gonna begin to become considered compliant. So those three things are good reasons for MFA to be adaptive above and beyond username and password would, however, multifactor authentication is not the silver bullet. It still has some limitations. It still often requires password. It can be vulnerable to a device. The device that used as the one of the factors can be lost.
It's still vulnerable to social engineering and even basic theft types, such as shoulder surfing. When someone can literally look over someone's shoulder and see how they're using the device, the success of multifactor authentication usually depends on a thorough risk management assessment being undertaken in the organization before it is implemented to make sure that a multifactor authentication is right for the organization.
And secondly, that it is the right kind of multifactor authentication going ahead and just saying, we've got multifactor authentication, isn't necessarily gonna make you more secure or more compliant. There is a lot of multifactor authentication solutions out there finding the right one can be time consuming to get, right. It can also be hard to configure across multi-cloud and hybrid environments. And of course, through legacy environments, which are, excuse me, which as I said previously, also one of the challenges that organizations are having when it comes to authentication.
And of course, if you have different drivers, sorry, different devices being used throughout the enterprise, which is a very common scenario these days, whereas people use their own devices or perhaps a note device that's not fully supported, but they somehow manage to hack so that they use as an authentication device. Somehow these have gotta be supported through, through, through the organization. And then if people are using somehow devices, which are not authorized, these present a security risk in themselves.
So those are some of the, the draw not drawbacks, but some of the challenges of, of implementing multifactor authentication. Now I must make it clear that multifactor authentication is, is a far better way of doing authentication. That the FBI in the us has actually recently identified some vulnerabilities that criminals have used in social engineering and technical attacks to, to circumvent multifactor implication authentication.
And there are just three examples here in 2019, a us banking institution was targeted by a cyber attacker who was able to take advantage of flooring, the bank's website to circumvent the two factor authentication that was implemented to protect accounts in February of the same year, a cybersecurity expert demonstrated a large variety of schemes and attack cyber actors could use to certain multifactor authentication.
He presented realtime examples of how cyber actors could use man in the middle attacks and session hijacking to intercept the traffic between a user and a website to conduct these techs and maintain access for as long as possible. And finally, in 2016, customers of a us banking institution were targeted by a cyber attacker who reported their phone number to a phone. He owned an attack, which is known as SIM swapping. So all of those attacks were able to crack physical aspects of multifactor authentication, also the websites or web access protocols that some of these use.
So it just goes to show that it can be cracked, but the FBI does emphasize that these types of attacks are usually re rely or need very high levels of skill, very high levels of technical competence. The like of which is usually only found through state sponsored threat actors.
However, I mentioned earlier that I had a personal story to tell, and it's, it's, it's ironic, but I should be doing this webcast with you about multifactor authentication that my mobile phone account was actually hacked at the weekend. The first I knew of this was some suspicious activity. When I received two text messages from Vodafone, the provider saying that given me two, one time pin numbers to access my online account.
The next thing I knew was an email from the same provider saying that my new iPhone pro or iPhone 11 pro was being delivered, which would be very nice if I was the one that actually had ordered that. So what had happened was that attackers had somehow managed to use my email and password presumably, and they had used a multifactor procedure to hack into my account by somehow getting the one time pin access codes that the Vodafone had recently introduced to improved security. Luckily I phoned VO phones, fraud prevention team. The order was stopped.
It was investigated and it was indeed proven to be fraudulent of behavior. However, they didn't explain to me. And I still don't know quite how this was undertaken, but it just shows that it does happen. And it happens in the real world and that multifactor can be bypassed. So as we go forward, there are more trends which will increase on what multifactor authentication vendors will need to address. We will see even more endpoints, millions of endpoints across all types of access points, including phones, laptops, tablets, et cetera.
We'll probably even at some point, see end points or access point through OT devices. We may see push notifications, which are more convenient, but may introduce a new vulnerability because there is no human involvement buyer electrics offer potentially a stronger multifactor authentication and password and pins as in the case of my Vodafone hack. But then there are compatibility and integration issues across devices. Step up authentication is also another way of adding an extra layer of security. When the authentication is, is asked for a second opinion as it were.
But again, that adds complexity and time to the process. And the time is something in modern organizations that is limited. And finally, DevOps is something that really talking about where time is limited. DevOps is a place where application development life cycle management is moving faster and faster usually than security development and multifactor authentication will need to somehow cater for the speed of DevOps within organizations. So that brings me to the end of my brief overview. Just will now hand over to mark buyers. I hope just do as mark.
Who's the director of product marketing at transmit security. All right.
Thank you, Paul. Hopefully everyone can see my screen. I'm Mark Byers. As Paul mentioned, I'm the director of product marketing and transmit security.
I, before I start, I just wanna go on the record that I had nothing to do with Paul's channel jacking incident for any type of dramatic flourish as it relates to his presentation today. But that is a great example of the, I wanna call it the safe sense of the safety or the false sense of security that multifactor can actually have before I begin.
You know, this is, you know, this presentation mostly is about multifactor. A lot of headlines out there today, whereby you know, well, 99% of your problems are solved by just putting multifactor or, you know, it's the least you can do. And it actually is the least you can do in order to help with your security these days. It is by far probably the easiest to deploy. There's some that are very simple little, you know, a few more that are a little more complicated, especially as you get into advanced biometrics, but ultimately it is gonna, it will solve a lot of your problems.
And I'm going to clarify that as or state that it's more, it will prevent attacks that are these casual type of attacks. As Paul mentioned from the FBI report, you do have state actors, you have some sophisticated groups, cyber criminal groups that are, are outside of the state actors that actually are, or that, or that have access to tools that facilitate some of these men in the middle attacks and other types of attacks that are out there.
So depending on the value of the target, the multifactor can definitely stop some casual incursions, but if you have a determined actor, they are going to go after those high value targets and they will be get, they will get more and more sophisticated over time. So with that, we'll, we'll go into the presentation that I have here. There we go.
So just sort of restating, or just maybe, you know, adding a little more color to some of the elements that Paul mentioned in multifactor authentication this, you know, these are, this is how we sort of view the world as it relates to multifactor and that, you know, it's great. It's phenomenal.
However, every technology has its limits and that every, every single one of them is vulnerable to coercion. Others are, are susceptible to things like man in the middle fishing, social engineering, malware attacks, shoulder surfing, just pure outright theft either of the device or the mobile device or the actual laptop itself or the USB key, etcetera.
So again, every technology eventually will have its weakness. If it doesn't have one today, it will have in future. The other challenge that's out there is from a multifactor perspective, you have this, you know, binary type of good or bad, you know, is it okay? Or is it not okay to let the user through you don't have this, you know, assertion of, you know, is it a what's the shade of, okay, is it, is it look risky? Does it not look risky? What should we do? It's either getting good or bad technologies are changing rapidly every day.
It seems there's a new authentication technology introduced or a new vendor. That's introducing something. That's a take on a different or existing technology that's out there. And I mentioned before this false sense of security, I come from the security industry where, you know, you always assume a breach and no matter how good your defenses are, and if you think you're covered, you're probably not.
And again, a determined attacker is always going to go after your high value targets. That could be a high value customer. Maybe they're have a large amount of assets or could be an employee. And the way I look at employees, some of your employees that are out there are, you know, they are the keys to your castle. They could be a database administrator that has access to the databases for your organization, your customer databases. When you compare the customer identity, access management to employee identity, access management, you know, customer, you know, it's one to one.
If a customer gets breached or customer, you're dealing with one individual customer, when you're dealing with an employee breach, you could be dealing with a one to your entire customer base type of attack. So breaches are definitely the biggest problem when it comes to the employee identity, access management, again, that's, you know, protected to some degree by multifactor, but even with that, again, there's ways around it. So with that, we're gonna take an example of a high value target and our poor unfortunate soul here is John. He's a database administrator.
This is an employee example right now, the company he works for, they are pretty lax with their security. He's just using a username and password. But this as we've talked about, there's many different ways of getting usernames and passwords could be simple. It could be malware effective website. It could be phished, it could be stolen. It could be from the dark web, it been stolen previously. It could be guests. When I say guests, sometimes it's, you know, passwords are reused. If somebody has credentials that were stolen from a previous type of breach, they could be tempting to use that here.
So again, just tons of different ways to be able to go after that, the attacker gets it, credentials are stolen or they're using stolen credentials. Hey, guess what? It's breached game over.
You know, the administrator now has lost access, well, not lost access, but has allowed access via the attacker going in there too. Basically everything, AWS, customer orders, product databases, et cetera. All right. So the company now gets a little bit smarter. They decide that they wanna put in a SMS one time passcode, you know, then you see that a lot, a lot of organizations put that in place. It's very simple. Most people have a cell phone these days or a mobile phone, and it's easy to just get a text message. As Paul mentioned, he was hijacked this weekend or his channel jacked.
So then there are risks associated with that. Again, it's again, probably one of the least things you can do in order to add some layer of security. But you know, if Paul's Paul, wasn't a top of what was going on with him is SIM spoof can also lead to a breach.
And again, here again, game over the organization has been breached. All right. So now the organization's even smarter.
They said, well, we don't wanna use one time passcodes. You know, we're gonna go with a more sophisticated type of technique or authenticator. So we're gonna use mobile device biometrics and here it's a fingerprint reader.
So again, much more, much more difficult to bypass or to get around or to spoof you can't, you know, even if you, you know, there's just ways you just can't get around it. However, there still are vulnerable. And this goes to how the company has deployed this authentication technology. Is it a convenience factor? Like a lot of us use, like probably for example, for me with my iPhone, if I fail my face ID, it shows me enter my passcode.
Well, that's another form of pin. Again, that's just an insecure fallback procedure versus again, implementing biometrics for security, where you cannot fall back to something like a passcode. So in this example, it has been a, it's a biometric that's being used with an insecure fallback, which is a pin code again, difficult to get, cuz you have to have the device, it has to be stolen. And then you have to have the pin code, which has probably happened, has been shoulder served.
The, the ability to do this, I takes a lot of effort to do it. You have to have a very high value target. It is definitely something that is not going be an easy casual type of attack, but it can happen. So with that, we wanna look at ways we can get around it. So we've we, and a lot of others are talking about this continuous adaptive risk and trust assessments. That's the Gartner term for, we call it continuous adaptive trust. And what that is basically is it's looking at the user in context of what they've done previously here at transmit.
We have a very sophisticated system whereby we store user profiles going back in time and building array of different metrics on the user ranging from what type of authenticators they're using when they last used them. What's the trust level, that particular authenticator that they've used? What type of devices are they using? When was it last used? When was it registered? What are the security devices on the, on the, on the actual features on the actual device? What has the user done with these systems in the past? Have they logged into particular system?
How many times do they log into that system? When do they log into that system, et cetera, profilers, we have statistical and heat map type of ways of being able to look at where customers are using the device, where they've used it, how often they've used it there, what systems they're using, how often they're using those systems. So we have, again, very sophisticated ways of being able to determine historical usage patterns. We add to that third party, risk assessment engines and pulling in different metrics from those.
And then finally we have the actual realtime attributes of what's actually happening to the user. So things that may not be profiled, it could be what's the operating system on the device. What's the manufacturer of the device? How are they, how are they connected? Is it over wifi? Is it over? Is it over the public network, et cetera. So you take a look at all these different things. We build a dynamic risk score that changes in real time as the user uses systems or as a authenticate or as a switch from device or switch from application to application.
So again, we are continuously doing this continuously monitoring. And again, here, you can see just a, a sample set of attributes. This is by no means comprehensive. These are just a few different things that we're looking at from us at transmit security.
We, we cover hundreds of different parameters that we track. So here, you know, we're looking at mobile, what the device they're using, what's the operating system. What's the workstation that they're logging in from, with the, with the, the OS that they're using, where are they using it from? What kind of systems are they using, et cetera, et cetera. So we have this basically this dynamic set of data that's in real time updated that we're comparing against what's happening now. So here is the here is John's profile that we've built upon his usage in the past. He has been compromised.
We don't know that the system doesn't know that right now, but as this user comes on, they've masked their identity. They've masked their mobile device, their workstation, they they're trying to now access 10,000 records through a sequel command. They've failed their biometric. We know they're on a, they're using a backup pin and they've tried 10 different times to do this. This score now being usually John's, you know, very, you know, very low risk. This score now is very high. It's gone up to an 80. We're just throwing out a number here, very high.
We don't want, we don't wanna let this person through or let this user through, unless we do something. So types of actions that can be taken again, this is from the transmit platform, but there's plenty of others that are out there. We offer just a ton of these ranging from being able, just simply approving, which we don't wanna do here. We can step up. We can ask for stronger authenticator. We can ask to log in through a different channel, through a different third party. It could be, we wanna have the manager approve this here.
For example, we can restrict it to a trusted device that we have on the profile. We can trusted operations.
So that's, we can restrict it to only things that they've done before in the past we can deny. And then we have shades of denying. We can reset the authenticator, lock the authenticator, lock the device, do a device, wipe all these different device controls that are available can be taken.
So here, for example, we're using just simply denying this transaction, going through the point is we're adding friction here to the process. So in real time, as we're seeing these things come through and it's entirely possible, the user is, you know, in a situation that could be, could be just showing these red flags. So we may wanna just restrict it.
You know, that that's a possibility it's completely configurable, but again, we're, this is a very high situation here or very, a very high risk. We definitely wanna deny before any action is taken and any breaches done. So in this regard, or in this example, going back to before, you know, we had a fail back or the failed fail back procedure to the biometric. We now see the, everything is very risky. We deny access. And now the organization is not breached by the fallback or the failure of the MFA here. All right.
So before you, you know, just to kind of just show you just some of the different MFA technologies that are out there and how we sort of view them as far as, you know, good, better, best. And again, this is just our opinion. Everyone's gonna have their opinion on how, you know, how they, how they look at these things. But I think everybody can agree that password only is not a good way of going about this. Then you see the knowledge based authenticator or knowledge based questions.
Typically it's, you know what, you know, what you have and who you are, these things, password and KBA are just two of these, what, you know, type of scenarios when you move into true MFA, you know, password plus MFA, you're looking at a device or could be a biometric, or it could be a token or something like that. Anything is better than again, the just pure password or even these knowledge based questions that can be easily fished or easily social engineered better yet is adding adaptive trust. And we talked a little bit about that.
So even if you don't want to go, you know, full know passwordless, you still have the ability with this adaptive trust to be able to take a look at the challenges or, sorry, take a look at, you know, anomalies to what the user has done before, what they're doing today and be able to approve, or perhaps add more friction or reduce friction to the user experience better than that. Potentially again, probably about the same, in my opinion, is eliminating passwords all together, cuz that's the easiest thing to get and having two, two non password elements.
So again, it could be a device could be a biometric, could be a token, et cetera, having two multifactor elements or two non password elements is much more secure than one. One of those is a password. And then I think the gold standard, at least in my opinion, and transmits opinion is having no password whatsoever and then having that reinforced and secured by our continuous adaptive trust. All right.
And then just to, you know, a couple things here, as far as how we, you know, how continuous adaptive trust, you know, as you know, to MFA makes it, you know, secure, it's a, it's a behavior based detection enhances any authentication technology. I don't wanna go out on a limb and say, even if, you know, just using passwords and user IDs alone, it's, it's gonna help there, but still you wanna have multifactor.
And, and on top of that, previous patterns are looked at the history, the profile anomalies or triggering actions in real time, it's immediate, you're not waiting, you're not waiting for behaviors to be observed and looking out for what's going on. And then it's future proof. Our system in particular is future proof that you can just drag or drop in new authenticators as they, as they develop. So you don't have to, you know, wait for months or in some cases, years to deploy new technology.
And the wrap up my portion of the presentation in some of the elements that that Paul had mentioned MFA is great. And we don't wanna disparage MFA in any way.
It's just, again, it's the best best you can do to start the process, but it isn't perfect. And again, if you have high value targets, employees or customers, you need to have more cause you need more than MFA cuz it's, there's gonna be a workaround at some point for it. And then you also wanna have more of the, more than just a good and bad thumbs up, thumbs down. You want to be able to have the ability to see, you know, the risk elements associated with it.
So what to look for centralized risk intelligence, decisioning, orchestration, integration, realtime adaptive risk and trust assessments has a, a big portion of what we talked about today. And again, we can, part of a transmit solution is this ability to abstract identity logic, to be able to drag and drop these new authentication technologies. As they're introduced transmit, we've been around for a little while, a few years now we are an agile identity and risk orchestration platform. We integrate, we orchestrate and we consolidate all the I IM technologies.
We add risk and then we adapt and, and, or act in real time to prevent fraud as it, you know, before it happens or fraud in our crew, any type breach activities. And we offer the continuous runtime adaptive trust. We've spent a little bit of time there and we are, we are one of the only solutions that has this realtime risk based MFA for immediate detection and stopping threats before they actually take hold. And with that, I am going to transfer back to Paul and we're gonna go into the Q and a portion of the presentation Mark. Thanks very much for that. Yeah.
Just, just to wrap up a little bit of my, my unfortunate experience. And I think I said in my presentation that humans are the weakest link and I'm pretty sure that I'm not responsible, but I bet that some old username passwords of mine were trolled at some point. And like you say, were found on the dark web after that. And I have to admit that I'm probably not as diligent as I should be, which just shows you how passwords are very weak in using different passwords all the time.
So once those guys have got hold of user username and password, then they have to do the, the fairly simple to them technical bit of ding, the, the SIM, which I'm guess is how they did it. But, but let's send a quick look at the questions. The first one is how would a continuous trust approach detect intrusions if an attacker has similar usage and behavior patterns as the compromised user I'll, I'll take that one.
Well, they good question. The, the with I'll speak strictly to the transmit security platform and how we would be able to do that.
We, we have so many different variables and a history of the history of that user from like 200, 300, 400 different variables that we're tracking and can be, can be applied to the users, minor differences. There's always gonna be some difference. It could be a different phone. It could be a different system that they're accessing from different location, anything like that can trigger an anomaly and it doesn't necessarily have to block something. It just could be a simple, you know, additional amount of friction. So let's say something just looks a little bit fishy.
We can ask for in a different authenticator, or we can ask for them to log in using a different channel, perhaps using a voice authentication dial in type of thing. So it's, there's always going to be some degree of difference.
A, an attacker is not gonna be able to mimic perfectly and a system that tracks that many variables or as many variables as we do. We can very easily pick that up and again, not block, but we can add that friction to, to verify. And usually that friction is enough to stop and attack in its tracks. Great. Thanks. I've got another question, having a little trouble reading it on the tool here, but I'll have to do it slowly. It is from Roman Vico. I think that's how I pronounce it.
He says, what about the reverse hack by using multi manufacturer informations from the user are the informations of the user save in terms of creation of user profiles, examples, social media, Google, Facebook, and company, to be honest, I'm not quite sure if you, you get that question, mark. We might have to give that to one of the more technical people afterwards.
Yeah, let me, I could just what I would say there, if it's a reverse hack or let's say a, a, there has been a compromise where there has been a hack again, depending on how much history there has been. There's always going to be an anomaly versus what's been used in the past. So let's say a, let's say an authenticator has been completely compromised that is going to show up versus the existing usage pattern.
The, yeah, I that's, again, that's just a, so let's say for example, I've been compromised. My, my somebody's stolen a USB key for me and they've used they're that that's anomaly or the anomaly usage is gonna show up and be able to be tracked and stopped. Okay.
Well, well we, we, I hope we'll be able to get back to the question on that one, whether your guys perhaps can go into more detail after the event. That'd be great. Another question, excuse me. Doesn't a trust based system need to observe an attackers option before it can react. How long would it take to detect a problem and mitigate it before any serious damage is done? Good question for our system it's immediate and before anything is allowed to happen.
Unlike other systems or user behavior things where things have to be monitored and then acted upon or alerted, or, you know, it's usually post the fact because we've built this real time dynamic system that is continuously updated immediately updated any anomaly that looks fishy is going to trigger in an action or trigger a blocking event. So let's say for example, so something just doesn't look right. Let's say it's even me.
I, I, I decided to go to the coffee shop cuz my house is being painted for the day and I had to had to sit there and just, it doesn't look right that can trigger enough of a, we'll call it a friction event whereby I am going to be asked to use a different authenticator. I, or I may have to receive a telephone call on my phone to validate that it's actually me or use a voice print or something like that, or have to use a, you know, an additional step up, you know, with a different, or I have to like a website login or something like that from my trusted device or from a laptop or something.
So it just, again, it depends on it de it depends on how different it is. And again, if it's something that's severe, it could be blocked immediately. But other things that just look the slightest bit fishy or begin to look fishy can be stopped in the tracks based upon the friction that's added. I guess this is a question perhaps for both of us. And do you think we'll ever get rid of password?
My answer would be perhaps one day, but I think the real risk is, is, is on the consumer side in that, you know, people are signing up for so many things these days and we still rely on a password and a username and people do it as quickly as possible. And probably like myself, they'll just use one that they use for everything else, cuz they just wanna get onto that store or they want to get onto that service and use it.
And I think, I dunno what your opinion is, but I think things like password lockers where, for example, browsers, Google, apple, Firefox, etc, will, will create a password for you and lock it in the browser certainly are a little bit more secure, but they then don't get over the problem of someone else having access to, to that device because the, the keywords already there. Yeah. And that's, and there in lies the issue.
They, I think the answer to the question, sadly passwords will be with us probably for a long time. There are certain companies that are moving forward to try and get rid of passwords as fast as possible. There are others that wanna get there MFA, you know, is a good stop gap to start bolstering passwords, but passwords are woven into everything that we do and it takes a, it's a monumental lift to get those out of the, get those out of the backend systems that are out there. It's doable organizations are doing it. It's not just a simple, you know, waving of the hand and it's done.
So they will eventually go. They'll probably be with us a little bit longer than we wish that they were. But there again, there are technologies that can help bolster that and that can, you know, the MFA is a good, good way at least protecting that until they are gone and gone for. Good. Okay. Finally you mentioned, I think Gartner's Carter model and continuous adapted trust. What what's what's the, the difference there? Yeah.
Gardner Gardner came up with the term Carta it's I think it's a, it's a nice, nice way of saying it versus cat Carta is the continuous adaptive risk and trust assessments. I don't wanna say it's a mouthful. It's a nice, nice acronym. We through the use of the term trust trust is based on risk and based on the actual trust of the device itself, it's just, it's easier to, you know, easy, easier to spell it and, and have the, the concept of it.
There, again, it does include risk. Risk is, you know, your device is trusted. Your user is trusted again.
It's just, it's our way of just saying it. We still believe. And we still, you know, we use the term card a lot in our stuff, but again for presentations and things we use continuous adaptive trust. Good. Glad to hear it. Okay. I don't have any more questions at the moment, so no, I think in that case, unless you wanna add anything just briefly mark, just at the end.
No, again, I think this is, I think for organizations that are looking at multifactor, please do, and again, that's probably the least that you can do in order to secure your organizations, either from your customer side of the house or from employees, especially employees. Again, the risk there with, with them is tremendous.
Again, back to that one to one versus one to your customer base. And I just like, if you look at the, you know, passwords are the number one cause of breaches. So just keep that in the back of your minds.
And again, don't be comfortable with MFA. I mean it helps, but don't feel you're completely protected, know that you are still vulnerable and a solution like transmit security can help you patch up the final final elements and bring you over the finish line to make a much more secure solution.
Yeah, for sure. I mean, my, my incident has certainly, I guess when you maybe get a bit blase and it's embarrassing when you, you know, you write about this stuff, but it, it just proved that it can happen to, to anyone anytime. And it certainly made me think a little bit more about that in the future.
Well, mark, I really wanna thank you for this afternoon. It's been a pleasure talking to you and listening to your presentation. I'd like to thank everyone that attended. We had an excellent attendee rate for this webinar. So with Matt I'll wish you all a very good evening, wherever you are and hope to see you soon on another webinar. Goodbye.
