Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. My guest today is Martin Kuppinger. He is the Principal Analyst and one of the founders of KuppingerCole. Hi Martin, good to see you.
Hi, Matthias. Pleasure being here again.
Great to have you and we want to cover a topic and this is on the one hand looking back again to EIC because it was a strong topic there, at the European Identity and Cloud Conference for those who don't know. Great event we had in June in Berlin and also looking forward already towards the cyberevolution taking place in December in Frankfurt which will cover that topic as well with a slightly different angle. And we're talking about identity security. You and I Martin, we are doing identity and access management almost the whole of our lives, and it's gaining more and more importance. And what are some of the key reasons that you see that identity and access management is so important, especially when we look at cybersecurity?
So first, I think we need to be always a bit careful with terms. So identity and access management does not equal identity security. And identity security does not equal cybersecurity. There are things in cybersecurity which have to do little or nothing with identity, like for instance, the big failure of last week, the CrowdStrike incident, which was something in the cybersecurity field but nothing about identity. In that case, there are areas in cybersecurity which are not related to identity. There are things in identity, especially when we move more towards digital identity, decentralized identity, consumer identities that are about business enablement, not about cybersecurity. But identity security is this intersection of where identity plays a central role for cybersecurity for improving our security posture and at the end of the day, we just look at the zero trust concept, it starts with identity. It starts with Martin authenticating to a device. The identity, it's about authorizing Martin later in this process, et cetera. So it's something where it becomes very clear, identity plays a very central role, especially when we think identity beyond humans into all the other types of identities, identities of services, of resources, of things, et cetera. Identity is very central. Identity security is a key element of cybersecurity. So you can't be successful in cybersecurity without a strong identity posture. But you still can fail like the recent incident has shown.
Yeah, we've seen that and we're analysts and we are expected to look at new developments in the market, new developments when it comes to threats and services and products. And one four-letter acronym that just came up is ITDR. I did an episode on that with John just recently. It's identity threat detection and response. This is a new thing, is it? The first question mark, second is how important is it and can you explain the concept behind that?
Yeah, so to the first question, basically, it's not really new. There was a three-letter and a four-letter acronym in the past we used for something that is at least the foundation of what we see in ITDR, which was either UBA or UEBA, so user behavior analytics or user and entity behavior analytics. But I think there's a very important difference. So when you say UBA, user behavior, then your workers council, et cetera, they will say, oh problem, we can't do that. If you say identity threat detection and response, then everyone will say, cool thing, we need it. So the term can make a huge difference. And yes, ITDR is an evolution that's also very clear. It goes beyond what we did in the UBA. And I would say we have basically two facets of ITDR. The one is more identity centric facet, which is really looking at what is a user doing? How is the user using the entitlements? How is the user accessing files and other stuff? That is the one side of it. The other side is really where it's more part and is increasingly becoming an integral part of XDR, so the extended detection response.
Right. And if you look at that, and John mentioned that also as well, there are capabilities built into ITDR that are also built in platforms that are called FRIP, so that it's fraud reduction. So the capabilities are the same and they are just like Lego blocks combined in a slightly different way, fulfilling different new purposes. And that is, I think, where ITDR also shows its strength because it's not a single capability, but it provides a combination. Thus it gets better when we look at cybersecurity. ...
But which also raises the question, will there be an ITDR market in three or five or seven years from now?
Or might it be built into something?
Exactly. I personally would predict that it converges into other technologies that it becomes an integral part. In most cases, we will probably have a few specialists still, but overall, I believe ITDR will be something which converges into IGA platforms as well as into XDR into FRIP, fraud reduction intelligence platform. So it will be something which is really more a capability than an isolated technology. And I also believe that its biggest value comes from this deep integration because you need to analyze or identify the anomalies, the outliers, and then you need to do something with that. And that is where the integration is needed.
Right and one threat that even made it into some of the key topics for the upcoming cyberevolution is really cybersecurity in an AI driven world. And AI driven does not only mean that we are using the benefits of AI, but we are also seeing the issues that come with the use of generative AI, especially when it comes to creating new identity threats and especially using AI for account takeover. But that is an area where ITDR also shows its strengths, right?
Yeah. But I think in that space, generally speaking, I think the art will be to integrate a huge number of signals from different areas. So I think, you know, it's not only ITDR that helps us here. It's the analysis of, is this really likely that Matthias has written that mail that comes to Martin? Or is this a very different style, despite Gen AI clearly helps attackers to write a more correct mail. So, the average phishing mail is more difficult to spot nowadays because there are fewer mistakes in spelling and grammar, etc. But that's only one part. When I look at this 25 million transaction from a deepfake video session. You also need to look at the anomalies in your business systems. So if there's a very uncommon 25 million transaction, then not only the identity and security systems should raise an alert, but also the business systems and you need to combine it. So we need to get better on that. So identity security will not stop in the sort of technical identity and security, the cybersecurity departments. It must integrate with the business processes, with the business information to really sort of fully leverage the information we have. So if there's an anomaly, also take a standard access or uncommon access to certain business systems, to certain files or whatever. If you put this into the context of the business process and the transaction, the business and the interactions, then you can make much better decisions. I think we are still not yet at the end of what we can do here. And I think fraud reduction intelligence platforms are a wonderful example for that, because there you take this anomaly and you put it into the business context. Is this really a regular transaction? So your transactions might be different than mine, or are surely different than mine. So that is then the huge difference here.
And that is usually just the employee identity part that we're looking at and where we need to apply this ITDR and the capabilities that are hidden in there. But it originates originally from consumer identity. And there there's a much larger volume of transactions. But there is a more limited and more narrow picture of what we expect of consumer identities to do as well. The question is, what role does fraud reduction play in consumer identity when it comes to ITDR and the protection mechanism that it can provide? That should be much more efficient, right?
Yeah, I think we have very established fraud reduction technologies in place. So the experience is quite big and usually it's really a very focused use case. The advantage, I think, in the consumer space is that the use cases are more limited, are more narrow. And there's a lot of experience about it. On the enterprise side, the challenge is that the use cases are more diverse. On the other hand, I think we can learn also from the other side. So when you take fraud reduction in e-commerce and payments that are around whatever the holiday season or Black Friday, there are peaks. You have in business processes also things where you have certain actions, interactions, strange actions only happening at a certain point in time. But then again, it means we need the business context to get better. By just looking at what someone is doing, we can reach a certain level, but we will get better when we understand the business context, which also means we need some configurability of these systems. I remember when the initial systems for privileged user behavior analytics were released. My first question was, can I configure planned maintenance periods? Can I configure certain other areas where I say there will be peaks at a certain time because we do certain things at a certain time and it is planned. If you can do that, or if you can bring in more context, our decisions will be better. Where at the end of the day, this RAG thing, so putting in data into models for analysis, surely can be something that helps us in that area.
And if we look forward to cyberevolution, if you look forward to three, four, five months that we have where the market can develop, you already hinted at some developments that are maybe expectable, that those tools will merge into existing IGA platforms, fraud protection platforms. But we can be checked in three or four months when we are at cyberevolution. What are other developments that you expect? If I may start, I think deepfake detections or deepfake videos, deepfake picture detection will be a capability that will be in ITDR more prominent, but it will be just one capability. What else do you see in this market? Do you see quick changes?
As I said, I think what we will see is we probably will see some that really focus more at it from more the XDR perspective. So, gathering a lot of signals also on identity and others that put it more into the context of access entitlements, et cetera. But we also may see the first level of convergence here in ITDR. I'm not exactly sure whether deepfake detection will become part of ITDR. So, deepfake detection might also be a capability that provides signals that we use together with ITDR, signals in a broader context. I think this is probably the better way to look at it would be the better type of evolution because deepfake detection needs to send signals to a lot of other places and combine them with other signals to get really good. But the good thing is when there's a threat, we also see always a lot of new startups appearing, a lot of evolution in this market. So we will see surely a lot of new things happening because, and I think this is true with deepfake detection, there are really a lot of startups out there because there's a problem. There's a potential business. There's money going into this market and there's evolution. So the market doesn't stand still here and it will be definitely interesting to see and discuss at CRE24 in December, what's going on.
Right, and talking about things going on, I think the audience has realized that there's something going on in your back office as well. So we are talking about identities for worker processes, but there are workers in your room as well. So it was quite tough for you to do this interview for today, but nevertheless, we've made it through. Thank you very much, Martin. We will look back on the ITDR evolution taking place from now to December, and then of course look forward to what's happening starting then. For the time being, thank you for being my guest today, for talking with me about identity security and especially ITDR. And I'm looking forward to having another episode quite soon with you. And there might be something very topical on the list that we can do rather soon. Thank you very much, Martin, for being my guest today.
Thank you, Matthias, for inviting me. Pleasure.
See you, bye bye.