I'm looking at the time. It's still morning, so good morning. Morning.
So yeah, my name is Fadi. I work for PwC as an enterprise security architect, specialized in digital identity. So I'd like us to start with these two specific numbers. The first number is that 80% of all cyber attacks actually start with some kind of phishing email or text message. But the second number is actually very interesting: 240,000 identity-based attacks are being blocked by Microsoft.
This is a number coming from Microsoft: every single minute, every single day. I mean, this is just a really big, huge number we're talking about per minute.
And, you know, if you go back in history, if you go to, I don't know, two decades or one decade ago, the attacks we used to hear about were man-in-the-middle attacks.
We used to hear about DDoS attacks. And the reason is because our protection system was basically the network. And of course it makes sense that everybody attacked the network. Today our defense mechanism is based on identity, and of course everybody would like to start attacking the identity.
So to explain, of course, the reason why this happened, I would like to start with the most simple thing that ever existed. And this is just a normal cell, a human cell.
And it is of course a very simple thing. It's just a cell: it eats, it throws out what it doesn't want, and it reproduces. A very, very simple thing. Just like our good old IT system, the identity system, which was basically an IT service. You need a simple username, a four-letter password, sometimes exactly the same as the username, and you're good to go. But of course this worked very well.
It developed over time, it got much better. And like any good system, for example the cell, it reproduced and it became something like this. It became a very complex cell system.
Same thing with identity. Our identity today looks something like this. So before we used to talk about employees only; today we talk about customers, we talk about partners, we talk about suppliers, we start talking about workloads. They use secret management tools. We talk about machine identity. Today, firewalls are actually based on identities and attributes instead of IP addresses. We're talking about the way we map our data into our attributes. So with all of this, of course, we're talking about a lot of identities.
So for example, according to the study, a company of 1,000 employees today has 45,000 identities between all of this. So this is really a big, huge number, and this is what we're using to defend ourselves from the bad actors.
Now it's working very well and it's our defense system. And we all know that when you have a good defense system, this is where the microbes come and attack us. This is where the bad actors actually come and attack us.
So, and again, if you compare this to our identity, it looks something like this. Where is it?
Okay, so these are the kinds of attacks that we are actually getting today. There are really a lot of them.
And it just looks very scary. So we are not in the IT business anymore. As you can see here, we're not anymore about, you know, ensuring that we do our joiner, leaver, mover process in time and we are good to go. We need to start defending ourselves from all of these attacks, which is of course a very complex thing to do.
Now, to solve this specific problem, very easy: we come up with an acronym, and that is ITDR.
And that's not disaster recovery, of course; it's Identity Threat Detection and Response. And of course once we come up with a good acronym, then some people roll up their sleeves and they say all over the internet, I've got just the right tool for you. And we all know this, we've all seen this. But of course I'm here to say, according to our experience and what we do every day, unfortunately it's a little bit more than this. It's not just a tool that you implement and you're good to go.
Actually, we designed a framework about it, and the presentation today is to talk about this specific framework. So the framework here, I will start with the first. It's not the first, it's circular. So you keep going around, but I will start with the identity baseline. And what does that mean?
So an identity baseline, what that means is you need of course to have in place a robust identity foundation.
This is, we're really talking about how you do your JML process, how you do your authentication processes, how you manage your identities. And of course, I'm not only talking about human identities, but also the non-human. These identities, you need also to ensure that you don't just have them and manage them. You also need to have visibility on them. So who's doing what, who has access to what, and ensure that this is actually monitored closely. But of course when we start talking about 45,000 identities, you're not going to keep an eye on it and look at it.
You also need to start thinking about some behavioral analytics. So me, I'm an employee at PwC. I access my computer at this time. I access this system at this time, and this is my baseline. Once you start seeing me accessing and downloading stuff, and I don't know what else, maybe I'll go beyond the baseline. And that's already something to be careful about. So this is what I mean by identity baseline.
And again, it's not something you start with, because maybe at the end of the day you'll come back and visit it and improve your identity baseline.
Second thing is about, okay, we have a baseline, and then we need to start identifying our risks here. And this is actually a very crucial, important area, and unfortunately we don't always do it. And what I mean by this is, from a business perspective, my organization, what is my business here? How do I actually make money for my organization? And what are these processes? How can I protect this?
So what risk is attacking my business processes here? And this is of course from the inside out, so I know what I have and protect myself. And then I also need to look from the outside in: what are the threats out there that are trying to attack me every day in my sector, in my company? So I need to have this vision also from the outside in.
And also the third thing, I also need to look at my vulnerabilities within my organization. And I don't mean zero days and CVEs and all of this. I really mean also maybe someone from my C-level is actually not very security aware.
So what do I do with this? This is a vulnerability. This is something that can cause a lot of problems, and I need to be aware of this and I need to mitigate it. So vulnerability of course is a broader term, and not only my vulnerable systems. By knowing this, then I can move into, okay, how do I start detection? How can I start detecting, you know, all the things happening? So for example, of course now what we do is we look into our Active Directory or we look into our Okta or we look into our systems to try to detect logs and all of this.
But here, why don't we start taking a broader approach and look into our SIEM and see, for example, I don't know, when someone actually clicked on a phishing link, or when was the last time this specific application talked to my secret management to get a secret. So it's really about expanding and actually going beyond into my SIEM and seeing what I can detect here, what use cases I can detect, once I've built these use cases.
And of course you see how this is important with the risk identification, because if I know what I want to protect myself from, from the business, the bigger, the most important things here, then I can start building my use cases together with the risk identification. So in line with the business, with the risk identification, then, and this is really, really important, it's about having actionable use cases.
So these use cases, I'm not sure if you've seen the SOC and how it looks. Of course you have a million alerts a day, and what do we do with it?
We just throw it around, we just don't do anything about it because it's really overwhelming. In fact, there is alert fatigue, that's what we call it. So we need to have something, what we call actionable use cases, that need to be mapped to our risks. And then when I see a use case, what do I do with it? I need to have an action for it.
And once I do this, then I need to hand over this information and integrate it with the SOC, because the SOC is, they are the ones capable of doing it. But as the identity team, we need to come up with step one and step two and the things behind it.
Now we detect, we know what we're detecting, what the use cases are. Now I can actually look at these use cases, the actionable ones, and I can decide, and I can work on how I can automate this. Can I use playbooks to automate these things? So for example, I don't know, I'm accessing a system and I'm based in the Netherlands, and suddenly my MFA response is being received from China, or vice versa. What do I do with this? If this certain use case is mapped, what do I do with it? Maybe I need to basically block the user or suspend the user.
So this is something, of course, you can automate; you don't need to do it manually. But of course there are other things you cannot do that way. So if someone clicked on a phishing link, then what do I do with this user? I assign them to maybe security awareness training. But that is more of a manual activity, because I need to ensure that this is done or not.
And again, continuing on the manual activity, you need to go back again to the identity baseline and ensure that these things are part of the baseline. So this is how you're going to improve your identity system.
Maybe you'll discover more risks and you add them to your risk tracker. Maybe you discover more use cases and you add them to your detection mechanism. So this is how, at the end of the day, ITDR actually looks: something like this. How do you do your foundation? How do you ensure you have visibility? How do you have behavioral analytics, and so on. And this is how the framework actually looks. And also what we do in PwC: we've come up with a reference architecture about which tools can actually help us in which area.
And this is where, of course, yeah, you can actually implement ITDR. So I would like now to leave you with four takeaways. One is that products will facilitate the journey, but they are not the journey. So it's very clear when you look at this whole framework that products will help you in certain areas, but they cannot really help you, or not yet; at least I'm not aware of one tool that can help you with all of this. And you can see there are a lot of manual activities by us that still need to be done.
It's very important to actually prioritize business risks, to not get overwhelmed, because you need to increase your sensitivity and your security operations around protecting the business, because we, as identity people or security or IT people, always assume that we know the business, but that's not always the case. So we need to prioritize that. And of course, to not fall into alert fatigue, we need to start creating actionable use cases. And then it's a continuous process. So it's a circle.
So we're always going to visit the baseline, improve the baseline, improve the risk identification, and adjust the process as we go. There is a detailed white paper about this.
You can actually read it, or you can also stop by the booth if you want to look in more detail into how the framework looks and what kind of capabilities and all of this. Thank you very much.
Time for a question. Anybody have a question in the room here?
I have one from the online audience. So which teams are pivotal to developing and governing ITDR solutions?
Yeah, so again, I mean, if you look back at the slide, we are really moving from an IT service into a defense cybersecurity system. So it really depends on the organization, because some organizations have identity within their IT department; then of course it's the IT department and identity in correlation with the SOC, because there are a lot of SOC activities that need to be done as well.
But if identity is under cyber, then of course cyber will be dealing with IT, together with the SOC again. In how, yeah, because when you start talking about risk identification, then actually you go beyond security and IT into the business and start talking again. Maybe I talk with my CFO: how do I generate revenue? What processes are involved in how I generate revenue? How can I protect this, instead of assuming that, I don't know, Salesforce is important for me? I need to ensure that this is actually the process that I need to protect.
So it's really, I think, not only identity, not only the SOC, but actually the business is also involved in this.
Okay, great. Thank you very much. Thank you.
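As an added illustration, not part of the talk or of PwC's framework, the Python below wires the three use cases the speaker mentions to their actions: an MFA response arriving from a different country than the login (automated suspend), a phishing-link click (manual awareness-training assignment), and a login outside the user's learned baseline of hours and systems (alert the SOC). The event format, user names, system names, risk labels and the HISTORY/TODAY samples are all constructed assumptions.

```python
from collections import defaultdict
# Constructed historical logins used to learn each user's baseline (not real logs).
HISTORY = [
    {"user": "fadi", "type": "login", "hour": 9, "country": "NL", "system": "hr-portal"},
    {"user": "fadi", "type": "login", "hour": 10, "country": "NL", "system": "hr-portal"},
    {"user": "fadi", "type": "login", "hour": 8, "country": "NL", "system": "timesheets"},
]
# Constructed events from one day that the use cases are run over.
TODAY = [
    {"user": "fadi", "type": "login", "hour": 9, "country": "NL", "system": "hr-portal"},
    {"user": "fadi", "type": "mfa_response", "hour": 9, "country": "CN"},
    {"user": "anna", "type": "phish_click", "hour": 11, "country": "NL"},
    {"user": "fadi", "type": "login", "hour": 3, "country": "NL", "system": "finance-db"},
]

def build_baseline(history):
    """Identity baseline: the hours and systems each user normally logs in to."""
    baseline = defaultdict(lambda: {"hours": set(), "systems": set()})
    for e in history:
        if e["type"] == "login":
            baseline[e["user"]]["hours"].add(e["hour"])
            baseline[e["user"]]["systems"].add(e["system"])
    return baseline

def finding(user, use_case, risk, action, automated):
    """One actionable finding: use case, mapped risk, action, and whether a playbook may act alone."""
    return {"user": user, "use_case": use_case, "risk": risk, "action": action, "automated": automated}

def run_use_cases(events, baseline):
    """Run the three use cases from the talk over a stream of identity events."""
    findings = []
    last_login_country = {}  # correlation key: country of the user's latest login
    for e in events:
        user = e["user"]
        if e["type"] == "login":
            last_login_country[user] = e["country"]
            b = baseline.get(user)  # .get() does not create entries for unknown users
            if b and (e["hour"] not in b["hours"] or e["system"] not in b["systems"]):
                findings.append(finding(user, "baseline_deviation", "account_misuse",
                                        "alert_soc", True))
        elif e["type"] == "mfa_response":
            # MFA answered from a different country than the login it belongs to
            if user in last_login_country and last_login_country[user] != e["country"]:
                findings.append(finding(user, "mfa_geo_mismatch", "account_takeover",
                                        "suspend_user", True))
        elif e["type"] == "phish_click":
            # Training must be confirmed by a person, so this action stays manual
            findings.append(finding(user, "phish_click", "credential_phishing",
                                    "assign_awareness_training", False))
    return findings
```

Calling `run_use_cases(TODAY, build_baseline(HISTORY))` yields three findings: the MFA mismatch (suspend, automated), the phishing click (training, manual) and the 3 a.m. finance-db login that falls outside the learned baseline (SOC alert).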