All right. ITDR. Does anybody know what that is?
Is that, oh yeah. That's why you're, okay. All right. So this is gonna be fun.
Now, this room, I gotta tell you, is very strange. They put pillars right in the middle of the room, so everybody's kind of shifting left, as we say. But anyway. All right.
So let's, where's the clicker? Okay, go forward.
Yeah, we're gonna have to do this quickly. There's only 15 minutes, but I've got these four sections. I'm gonna talk about what ITDR is from our standpoint, and then why it's so hard to define. And then we're also gonna take a quick look at the market and some use cases.
Okay, so just to move on, this is just a quick way of looking at it. The idea is that you're trying to have some structural protections of your identity systems, right?
Because, as we know, they're being attacked. It's maintenance of your identity posture. We talk about security posture in many cases, but identity posture is now coming to be one of the most important pieces of your security posture. So we'll talk about that some more in a moment. It's of course a response to any attacks that happen in your identity system.
And then restoration of the posture once that's detected. Now, as I see it, there's kind of a cycle that goes on, where one of the first things you want to do is have what we call hygiene. So, just visibility of what identities you have, all of them. It's not really possible to get that from an IAM system. Believe it or not, workforce identity tends to live there, but a lot of other identities don't, right?
We'll delve into that in a moment.
So this idea of discovery and visibility and then doing a risk assessment on the current status or your current posture of the identity system. Those are all typically done by your identity and access management folks. It's an administrative type thing.
You make sure that you have a clean identity system to begin with, but on top of that, you have what happens when you start monitoring for anything that is an event. And usually what we're talking about here is some collection of events, because with identities that are hacked into, usually there's lateral movement, as we call it, and it's unclear. And this can take place over the course of a few minutes, or it could take a year or two, right?
Because somebody will steal your identities, sell them on the dark web, and then sometime later you'll end up finding out that you were compromised, but you didn't know it, you know, months ago.
And that's pretty common, actually. So then obviously there needs to be a threat investigation. And now we're starting to get into the security operations center. SOC analysts essentially get involved here and then try to figure out what's going on. You know MGM had that massive breach, as we know; we don't have to get into that too much.
But at some point, if your identity system is breached, you have to bring in people who are used to doing threat detection and response generally. But normally, in that case, they don't know all that much about identity. They don't know much about Active Directory or Entra ID and that sort of thing, how these things work. And so they need a lot of help from the people who are experts on that identity.
You know, people in this room most likely who, who work on those systems.
Alright? And then there's obviously a remediation strategy needed.
And again, this is very difficult for a SOC analyst to know: what's the remediation, where's the kill chain on this thing, right? How do you actually go about stopping the attack and being sure that you stopped the attack? Oftentimes it's a blend of SOC analyst expertise and identity management expertise, which usually doesn't happen in the same person.
And then, of course, what are the actions, and how do you restore posture? And again, that takes a lot of cooperation between those two departments. I think I'm advancing this. Okay. Yeah. And then, of course, to fill this out, it's important to have like an identity data lake of signals, right? We're talking about making sure that you're keeping track of all of the interesting events that are happening, and making sure that you're restoring posture up above.
Now, what kinds of attacks do you find on identity systems? Well, there are some pretty well-known attacks out there, and a lot of the ITDR companies explicitly make sure that when you use one of these products or solutions, they'll look for stuff like this, all right? I'm not gonna go through them all. You can take a picture of this, but it's very specific types of things that are known problems with identity systems, where they're vulnerable. Okay? Now, there are other problems. We mention AI all the time. This is my AI slide.
I don't know if you've been watching this, but there are all of these models out there, LLMs explicitly for hackers, okay? So you've got things like WormGPT, and that helps you phish in a very good way, okay? So it starts using all kinds of identity data, and it can really mimic what somebody in your organization would say to you, for example.
And so, yeah, you would click on that phishing link. There's a whole LLM for that, right? And then there's misinformation and disinformation. So you've got DarkBard and DarkGPT, which can kind of screw people up.
Not that I've explored the dark web, by the way, but I thought everybody should know this. PoisonGPT is how to jailbreak existing GPT models, and then FraudGPT, it's just like it sounds, right? Cyber criminals. But this is just four, right? There are thousands of these. So, you know, we all know about OpenAI and ChatGPT, but the hackers have figured out how to create entire models that do almost exactly the same thing with the sole purpose of, you know, haunting and hunting you, right?
So, oh, oops, I forgot to mention: purple is the new black, which means that when you have to do sort of threat modeling and understanding what that looks like, what are you dealing with?
Instead of having red and blue teams, as is normally the case with SOC-type approaches, now the color purple has become like the big deal.
And you can automate this, and you can test your own identity capabilities using, like, Purple AI, which is out there, and there are a number of other ways you can actually automate testing and do runbooks with some of these products. Okay?
Alright, this is the fun part. Okay, so I'm a Red Dwarf fan. So there's this funny moment in Red Dwarf where it's Arnold J. Rimmer here, and they were arguing about something, about how they were all going to die, and he says, wait a minute, we're losing sight of the real issue here, which is what are we going to call ourselves? Now, I think that's relevant, because ITDR is a terminology that really has been borrowed and lifted from the security, you know, cybersecurity SOC-type people.
And that's why we get all these things.
We got TDR, we got NDR, we got XDR, we got MDR, can you stop it already? I don't know if you're as annoyed by that as I am, but we just seem to throw, if there's a problem, all you have to do is put a DR behind it and then we've got that resolved. Okay? But there's a problem with that.
Okay, wait, actually, I wanted to make one last point there, which is that identity systems aren't like any of these other endpoints, right? So a lot of the DR stuff deals with, alright, how do you protect, you know, endpoints, how do you protect the network, you know, routers and things like that?
And these are kind of physical things that you can have some sort of controls over, right? But identity isn't really like that, and I can get more nuanced about that in a moment, but, you know, given the time, we'll keep moving. So some people have suggested, and I've heard this a lot from vendors, that we stop calling it ITDR and start talking about identity security, and, you know, that's cool.
Or is there "identity insecurity"? That would be even funnier. But I like this one.
I came up with this myself: Identity Defense in Depth, or IDID, because it's so much fun to say, right? So, you know, I put on here, like Mike says, "I did." "You did what?" Right? So it's a little bit like this whole play on the old "Who's on First" meme.
So if you wanna go out on LinkedIn and start promoting IDID with something like that, some weird conversation you had in the hallway about IDID, or the other way to say it is "ID ID," which is even funnier, right? Or, I don't know.
Anyway, I was having a lot of fun with that, but I'm really promoting it. So try to go out there and help me.
Alright, so how big is the identity, well, I'm gonna call it the ID market now. So how big is this market?
Well, you know, we found in our research, I just put out a report on this a couple months ago, and we found that it's at least 2 billion for 2023 and growing at extreme rates. It's not easy to really get a number. I've seen some numbers out there that say it's 12 billion, but I think they throw in a lot of things. But 2 billion, let's go there, because it's an easy one.
I think what's more important to imagine is, think about all the money that's been spent on ransom payments. I've talked to a few lawyers about this, who do this sort of thing for a living, and they say that almost everybody pays the ransom eventually, even if they won't say it publicly, right?
So that's probably an accurate number. So that's part of what this is: you can pay to get the solution in place, or you can pay the ransom, but you're going to pay for this, right?
At some point. In addition, the estimated damages alone for the MGM incident were in excess of a hundred million dollars, and that's what they declared publicly. And it's still ongoing, really; they're still cleaning up after that. And then over 4,000 victims in 2023 of these ransomware attacks. So this all goes also into how big the market is, right? Because you can't just look at what's being spent on the software itself.
You have to look at all of the money that's going into the legal fees, the lawsuits, the ransom payments, everything, you know, all the expensive people working on this project.
Now I wanna give you a quick idea, and this isn't the entire market, but I wanted to give you an idea of some of the bigger players in the market. They're all pretty much falling into this same category of, you know, working on this problem we described as ITDR earlier, but now IDID, right? Now, I thought it would be helpful, even though this is really not entirely accurate, but you can see, let's see, alright, so I call these guys the signals group. They tend to approach this problem from behavioral analysis, looking at a lot of signals that are coming in and then using things like AI or ML to figure out where the problems are.
So they connect to a whole lot of systems, and they get a lot of signals in, and then they work through the "what could possibly be wrong" thing.
The thing that's nice about this approach is that it can detect things that are happening adaptively, rather than waiting till somebody gets attacked, or a couple of people get attacked, and then it's well known what that rule is before they worry about it. These guys, John, how are we doing for time?
This thing is not what, all right, well, you can read that somewhere else, but let me just do this real quick, though. So the on-prem and cloud group, these guys really focus on your AD and Entra ID and that sort of thing, the existing infrastructure. And the IGA extended group, which tends to be really focused on identity governance primarily, but they also do ITDR. And then the SOC-ready kinds of folks, the people who are already in the SOAR and SIEM kind of space. What's that?
CrowdStrike as well, that's what I'm hearing.
Okay, good. Talk to me about that. Oh yeah. Okay. I don't really have time to go through this then do I? I'll just kind of get it up here for you.
Yeah, they can take a look afterward. Yeah, talk about it.
So if you really are looking for something that you need to do, the industry is still working on a number of these problems, but really it's better to do both. Okay. And so what I see happening is that there is a general convergence between things that are identity systems, workloads, and cloud infrastructure. And I think that's the new issue: ITDR is becoming something bigger than it was framed to be. Okay. All right. We'll do this in a moment.
Yeah, I came up with this other thing, a large security model instead of LLM, and that should be part of the NIST thing. Alright? There's a use case slide there that I can't really go through. It gets into a lot of ways. It's how you get started with identity observability and hygiene and posture, and then you move into the SOC stuff. That's really the plan of attack for how you get involved in these systems. All right? So that's it. Thank you.