Shut the Door to Cyber Attackers Permanently

Welcome everyone to our co webinar. Shut the Door to Cyber Attackers Permanently. This webinar is supported by beyond that entity, and the speakers today are Patrick McBride, who's Chief Marketing Officer at Beyond Entity and me Martin Kuppinger. I'm Principal Analyst Analyst. So what we'll do today is really looking at the, so to speak, the door, the front door where attackers tend to come in. So what do we need to do to protect this better? To keep it shut so it's not avoiding every type of cyber attack, but it's really the ones that come through the doors into our organizations. Before we dive into this, today's subject, a little bit of housekeeping here. So you're mute centrally, nothing to do here. We'll run two polls during the webinar, and if time allows, we'll discuss the results during q and a. And there, as I said, there will be a q and a.
And when you look at the, the tool you're using, then there's a q and a part at usually the right side of the screen where you will find the q and a, where you also find the pulse and where you'll find the chat function. So use them, make it interactive, always more interesting, more lively, and you have the great opportunity to raise your questions to Patrick and maybe even to me. And we are recording the webinar. And may we'll make available recording and slide X at the little slide deck we are using today short after the webinar. So before we dive into today's subject, I want to ask you a question that is, does your organization, this is where you can then use the poll feature on the right side. Does your organization offer passwordless authentication, m f a and or risk-based a authentication for consumers?
There are different types of users in that case, a bit more focus on the consumer side, customer consumer than on the workforce side. So a simple question, just yes or no. So please enter your, your vote and the more we have, the better it is. So come on, we give you roughly a minute here overall. Okay, we see responses coming in 10 more seconds and then we'll close the poll. So used the opportunity to vote right now. It looks like most of you are already, at least when it comes to customers and consumers beyond the password. So I think we can close the poll now. Thank you for participating. As I said, if time allows, we'll have a look at the poll results later on during the q and a session. So the agenda today is a bit simpler than it is most cases, because Patrick and me, we decided that we will do this more in a conversational style.
So please welcome Patrick here now. And so it'll be a conversation between the two of us looking at various aspects of what do we need to do, why do we need to do it, how do we do it, all these things, and bringing our, our perspectives. And I'd like to start with a, a bit of a question. So I, I think every one of you has probably an opinion on that, but maybe Patrick, to you, what's the problem with passwords? And by the way, this is a good password. It's not 1, 2, 3, 4, 5, 6. It's 3, 3 2. So, so better than many of the other passwords here, you tend to use, at least according to all the, all these surveys about 10 most used passwords. So,
Well, the number one is password. So is my password true? Yeah, there's, there's, you know, I I what we look at, there's two main issues with passwords. The, the first is simple. People hate them. I mean, they're a pain. That's, you know, we have to create new ones. And because they're weak, we have to change them frequently, you know, based on policies. We can't use the same one because it's easy to guess that way for the, for the bad guys, or if you get one compromise and they can use it to log into a different account. So just, and, and that does lead to real cost for companies. I mean, there's, you know, there's password resets, whether you're talking Martin, you said the, the workforce or the consumer side. There's, there's both technology and, and, and cost. Yeah, sorry, go ahead.
Yeah, and, and I think for the consumer side also, it goes to drop off rates during registration, it goes to churn rates because you don't come back or the password reset, whatever takes too long is to cumbersome. I think all these things are that I, I truly agree, are familiar to every one of us. And I think no one really likes to use passwords because you are always in this situation also of the dichotomy between do you reuse passwords or how do you keep passwords in mind, or where do you start, which system do you use when you use a lot of different passwords and Right. None of these approaches is really appealing.
Exactly. And you know, we do a lot of those crazy things with passwords because of problem number two. They're just insecure. I, I've gotten fond of saying there is no such thing as a strong password. You know, people will tell you, well, if it's eight characters or 12 characters, it's, it's really difficult to crack, you know, to, you know, if, if the password is well kept in a, you know, in a cryptographic form or something, but the, the, at the end of the day, that's not where the bad guys steal 'em. Yeah. And so that's the big issue. They steal the, when they're in the clear
And it's hard to correct unless you look under the keyboard.
Yeah, exactly. Where it's
Written down.
Yeah, we can find them under the keyboard or the or or the bad guys have lots of different ways to, to intercept them when they're, when they're not encrypted. And so
Let, lemme quickly, quickly share, share some, some numbers here maybe for, for a second. I think that is, that is interesting. And these are numbers you have also provided, provided. So from, from external source in this case to Verizon 2020 related breach investigations report. And maybe Patrick, you wanna comment on these numbers?
Yeah, th this is much like the 2022, the 2021. The 2020. Every year we find out that passwords themselves are at the top of the list for the initial attack vector for, for breaches. So on the left side, we call it the, the easy button, you know, for, for the bad guys, 85 in, in this year report 85% of the breaches. So not kind of, you know, attacks things that may happen. These are breaches that actually did happen when they looked back at them, 85% of the, the breaches of web applications involve stolen and then reuse credentials. So however, the bad guys stole 'em. They were, they were reused. And the interesting, and I lost a bet on this one, Martin. The, the second thing is on, on ransomware. I, I lost a bet to my CEO e o a couple of years ago, and he loves to remind me about it every once in a while.
But my bet was, I, I always thought, I, you, I've been in cybersecurity for 25 years, I always thought that the main cause of ransomware was somebody clicking on a bad link, whether it's in an email or on a website that downloaded some malware onto an endpoint. And that's kind of where the, where it started, in fact. And, and if you look here, the use of stolen credentials attacking, you know, desktop sharing software, something that gives the attacker access to servers and things like that, it is the number one, you know, so they looked at all the ransomware breaches that they had data for and you know, it, people still do click links and, and, and get something downloaded. But that's the number, the number two. So I owed my bosses a steak dinner over that, but, you know, it's, you know, I I don't have to be right all the time.
Yeah. But, but, but I think that this is, this is an important thing and I think we always can question such number. So 86% being sort of path for identity related, I don't know. I think we, we, we see a lot of software or supply chain types of attacks these days, et cetera. Yeah. So we, we see the attacks using vulnerabilities, but I think we, we, we all agree on the fact that this is the, the simple way, and we all know that there's a ton of sort of automated types of attacks that are permanently running. So, so one, one, once you, you have, you are connected so to speak, then you are in the tech, we are receiving a lot of mails and regardless of what we use in email security, et cetera, some come through and some people fall trap to them. And that is where, where we see that situation, that passwords are a problem.
And I, I'm also, we see regarding the no one laughs, passwords. And so, so what, what I brought up a while ago is I said one of the worst sentences, so to speak, you, you, you, you can use in cybersecurity is balancing security and convenience. And in some way we, we, we do that with passwords. We, we try to make passwords stronger and convenience goes even further down, but convenience anyway is low with passwords. And what we need to do is we need to bring both up. So we need to combine and that balance, security and convenience. Because balance always means if one goes up, the other goes down, right? And we don't, we, we want to have both. We want to have security and we want to have convenience. And I think this is the, the, the essential aspect here. We, we, we need to look at.
And I, I think the other point, and that is something maybe we, we, we can continue that conversation with. And let me quickly bring up another slide here that is really the aspect of cost. So I think the point next point, we, we, we should look a bit in this context is cost. And again, maybe, and to, to bring up a number to, to, to foster our, our conversation here that is followed five, followed four, 5 million, a number of just recently published by I B m I think everyone can keep it in mind, followed four forward have been even simpler. But I think there's a cost in that case, a cost of data breach. And so I think we, we, we and everyone is in agreement, we need to do something. I think the interesting question we could have is why do we still need, or why do many organizations, many CSOs still need to ask for money? There's a business case, okay, you could argue that everyone is experiencing a, a server data breach. But if it happens, I, I know about organizations, whatever really prominent with market companies over here, for instance, Germany, where the entire organization, including production, was out of service for three weeks or even more, right? And then we are talking about tens of millions sometimes.
Yeah. In the I B m report, they, they actually talk about some of those kinds of attacks, you know, the, the super attacks that that, that people may see if it Schutze down a refinery, you know, for example, a plant that, that produces, you know, millions of, of, of dollars in goods, you know, a day or a, or an online service that, you know, does millions of dollars of service. It has a, it has a huge cost and it to the revenue, it to your customer, the reputation with your customers, potential future business and, and all of those things. So it's not just a convenience piece that you brought up and trying to balance them. One thing I will say, Martin on, just to, to go back to your convenience thing, you know, I, I, I'm, I, I've been doing the cybersecurity thing for a while and, and the old school CISOs, you know, if you, you know, if I went back 10 years ago, it, it was, you know, kind of this my way or the highway, I don't really care if I make it inconvenient for you 'cause I'm making it secure. That's not the perception these days. I've seen a market change every time I sit down and talk with chief information secure. If they're saying the same thing that you're saying, we, we shouldn't have to make that trade off. We shouldn't have to, we shouldn't have to put the burden on the end users, whether they're consumers or the workforce. There's different ways to do this where if you burden them too much, they're just gonna make you turn it off or try to work around it anyway. So we really have to figure out that balance. Yeah.
By the way, that's one of these other sentences we heard a lot, which, which really drives me mad, which is the, the, the human is the weakest link in security. So my my point, I'm right with you, my, my, my point is, if, so first encourage people, they are the fir first line of defense. The other point is, you know, if a user gives away a password, what is the problem? What is the root cause of the problem? The user or the one in it that still had a technology in place that worked with passwords? So the the answer is very simple. If you don't have passwords, no one can give away a password. Exactly. So why should we blame the user for something We, to be honest, and I'm I'm an IT person, we, that's why I say we, we in IT didn't do perfect. So not, let's not blame the user, let's fix the problem. Which brings us to, I think a topic that is close to your heart, which is passwordless authentication.
Right? Right. The, you know, it, it's, I I to, I totally agree with that and I think, again, I, there there's really been a mind shift that I've seen in the industry of people security professionals and IT professionals just understanding that they have to figure out a, a, a better way to do this, a more secure way. You know, the, the same goes for clicking on a link. If you click on a link and then something bad happens, then maybe we haven't kind of completed our, our job. A quick story there. I i, it was a couple of companies ago, there, there, there's lots of education tools out there that educate users and then test them as, as, as we know and, you know, send you malignant links. I had been doing business with a particular bank, and then I got, I got a test phishing email, you know, from that bank.
And I said, wait a minute. I had, I had just closed it out. And so even, you know, I, I've, I've got a 25 year career in cybersecurity and I looked at the U R L and, and it was just, it used a LIC character that disguised it, it looked just fine and the red light goes up and I just, the good news was the IT director was right down the hallway from me. So I got up from my seat and walked down and, and, and walked into his room and said, I'm sorry, but you know, a a again, if, you know, people are going to make, you know, even people being very, very thoughtful Yeah. Are gonna make mistakes.
Yeah. And I I I I, I just have to admit, yes, so we have this in our firm and I'm pretty good, but I'm not perfect. So at least once I fall trap to that, yeah. So the, the headline sort of hit the nerve and I, I wasn't right conscious enough in that case. So it can happen. I spoke most of these fool,
You and I, if they fool you and I, when we're being careful, they can certainly fool users who are just trying to get their work done and work, you know? Yeah. And working hard and working fast and trying to just, you know, do their, do their job.
Yeah. And I, I think that, that, that's the point. And so I'm absolutely, I I think that this, the thing I personally like with, with passwordless authentication is it's really this, it is more convenient to us and it's more secure. And I think that that is maybe something to, to look a bit more in detail because I think when you, when you look at sort of, let's say standard baseline passwordless authentication, it basically is that you use a bit of biometrics on your device. And, and, and, and so, so the question clearly is, and, and not go even into the details, not at least not yet into of whatever phishing resistance, et cetera. But why, why is it it more secure? And I think the, the thing a lot of people I think here in, in that sort of virtual room a lot are aware of, but when you take the broader community, a lot of people are not aware of on at least most modern devices, there's some more hardware it doesn't display here with the filter, which is some sort of a secure and secure element, whatever. Maybe can you kind of give a bit bit more, more insight into that?
Yeah. The one thing just before that, and, and I know you've run into this Martin, is just the idea of, you know, so passers, when we got into the market, you know, we had a certain mindset of what was pass us. And we were thinking, you know, highly secure using cryptographic techniques that we'll talk about here in just a second. But there's also a thing, a lot of things that are passwordless, meaning nobody uses a password, but they're not necessarily secure. So I send you a code rather than make you do a password or I, you know, a ask you other knowledge factors, which effectively are, are, are, are dis are new shared secrets, you know, so, you know, things that are shared secrets by another name are, are still passwords, even if you didn't call it a password. But to, to your question specifically, since, you know, e even before, but in, in, since the iPhone four came out, when we all put our finger, you know, print on the iPhone four reader and it let us use our biometric to get into our phone companies, there's, we've seen more wide deployment of, of what you were talking about, something called A T P M or an enclave, which is just a, you know, the simple definition of, it's a very, very, it's a hardware level secure technique where you can store a private key.
And so you, in the, a really strong common form of passwordless security is a pass key or a public-private key pair. And if you store that private key in A T P M, you know, you, you can protect it, well protect it. And so you've got a private key pair in the T P M and then you can store the public key pair and then the passwordless the transaction is just checking, just like we do with SS s l today to make sure that we're talking to the right websites.
Exactly. And I see this is, this is what, what, what would everyone needs to be aware of. It's not just a whatever face recognition or fingerprint, right? It's that plus a device, plus a piece of hardware that is a very specific, very secure security hardware. Anyway, there are risks of attacks and maybe, maybe have a look at another slide here. Give me a second. So let's have a look at attacks, which are running fast, right? Right. So, so we always need to be aware these things are happening really at speed. And I, I think one, one of the things you, you've also shared here is about M F a bypass attacks, how they work an attacker in the, in the middle. Maybe you give a bit of an explanation on that before I sort of remove the slide again.
Yeah, well, well just to get even into the topic, you know, the, the ideas we had passwords, we know that's weak for all the reasons that, that Martin already talked about before. And then the, the idea was, oh, we just added M f a factor to it, a one-time code or a push notification, those sorts of things. And then since we've got then two factors, it's harder to break in. And for actually for some time, it really did increase the, the level of security. What we're seeing now, unfortunately, is that the, you know, what I would call the traditional or the, you know, first gen M F A that uses things like push notifications in one-time codes. It is not just easy a a as Martin said, there's ongoing attacks right now and they're using, and and here's why they're, they're happening. They're using tools that are now freely available.
We've got evil genix, you know, here. That's one example of a toolkit that isn't for sale on the dark underground. You can go to GitHub and in fact we put the, the link in there if you, you note that and, and search for it and, and download it. So how these attacks work in, in general, and it's, it's typically called a reverse proxy or a proxy based attack. It's a man in the middle. And so an attacker would create a link and then we talked about those, you know, send it an email or get you to, you know, and, and the, with a, with a good phishing email that might say, Hey, you know, we've got an issue, you need to reset your password. Something that creates a level of urgency. They've got really nicely created links, you know, wall crafted links and a wall crafted email.
By the way, AI plays into this, they make, make those emails even better these days. So I get a nice phishing lure. I click on the link and I'm actually talking first to the attacker website. And, and so what I do, and the attacker website looks just like the website that I'm trying to create. Maybe it's my bank, maybe it's a consumer app, other consumer application, a workforce application. And you know, they, they basically, you know, sit in the middle. So I click the link, I start the password reset on the fake site. They take that information and, and send it to the real site, for example. And, and then they get the push notification request or they get the one-time code that we send over and they capture that the, the biggest issue isn't just that they capture the codes or the passwords 'cause they sit in the middle of the transaction.
One of the, one of the biggest issues that people o often don't think about is they can capture the session token. You know, as we log onto a site, we don't do, we, we don't have to log on with every transaction back and forth that we do with our bank. If we're looking at our balance and, and then making a, you know, moving some money around or paying a bill. You know, we, we, we have a session token that keeps us on for hours, maybe even days depending on, on how that's set. And if you steal that session token, then you've, then you can buy the, the attacker can inject that into their own, you know, browser and then bypass a lot of the other controls you have in place so they can capture both the codes and, and things like the, the session token, which, which is really, and and people tend to think that, oh, well that's a really hard attack. And again, a couple of years was
Yeah, but, but we have measures against it, which is sort of speak truly password level application, which is at the end also phishing resistant approach where we bring the things together, and you can talk about it a minute, I think we also need to always look at email security because Right, okay. Not everything is coming in through email, also other forms, but there are technologies like email security solutions, sandboxing websites and, and trying to, to detect certain types of attacks. And I think we need to, to to, to again help our users that they don't fall trap. Because at the end it's always a, it, it'll always be a race between the attackers and us as the defenders. But there are really a lot of means here. And, and, and so, so one of the things you're, you're pushing out is always this sort of notion of phishing resistant,
Right? Right.
What, what does it mean concretely?
So concretely it means, you know, at at, at one level, it means that even if an attacker were to try that kind of attack that we just described, a man in the middle attack, it, it would fail. And more specifically to, from a technological standpoint is that you can guarantee you can establish trust on both ends of this conversation. So we already talked about a private key sitting in A T P M, you know, maybe signing a certificate. So, you know, that's, that's one level. But you know, you, you, if, if you could, you could even do it with, without that technology, if you could just guarantee that the, the requesting application and the thing that's providing the, the, you know, the acknowledgement or the yes, you know, we know that something can't sit in the middle of the attack. And so typically that means putting additional cryptographic controls on top of that transaction. And, and I'm not talking about just, you know, a private transaction. Like, like ss SS l people are familiar, people are very familiar with public, private key crypto. They use it every day when, when they go online, right? I
I I I, I would disagree that people are familiar with public private key. Fair enough. They're using it all the time. They're using it sometimes, sometimes that, you know, when you have a room of, of, of a hundred IT people and, and ask them, hey, who, who's willing to, to, to stand up in front of the flip chart
And
Quickly explain public drive key right? Encryption then, then probably not that many IT people will, will, will stand up. I think a lot have have an idea of what it is about, but when you go into the details it gets a bit more tricky. But, but yes, I think we have the technology, we have, we have solutions for that. And I think this is very important. We, we need to, we can use technology, we have technology to get better here
To, to, to really address the challenges we we are facing when it comes to passwords and to the, we talked about the title about shutting the door, right? And shutting the door is, is is in fact where it's about someone coming in authenticating and doing this in a fraudulent manner. So we must avoid this. And I think that the clear starting point also to my opinion is, is really passwordless authentication. So when I, when I maybe quickly go back to, to our few slides, I think the point is definitely also about focus here and focus in, in that case also means what do we need to do and why is so important. I think there's, there's an interesting point and companies such as beyond that entity sit on this upper left area of the CS A zero trust maturity model. So the CS a zero trust maturity model I think is a very good one.
And, and I said I'll, I'll look at a metrics of that and of, of zero trust maturity. But honestly there's a very good metrics, which is the one provided by CS a. So this is a, is a super good starting point and what it factually says here. So, and, and for me, zero trust always is someone, Martin is using a device also indicating going over network and application, accessing certain type of data. And in an, in an optimal way, it means that we have a strong grip of indication, which is identity and device. And this is for me also for everything in zero trust is the starting point. And maybe, maybe Patrick you wanna comment a bit on this slide here?
Yeah, it, it's, it, it's exact, we, we think it's a starting point too. But I can take my, you know, beyond identity marketing guy hat on and put my old Analyst, you know, my former Analyst hat on, and, and it, it, it really is the found doubt foundational layer. If we can't establish that it's Martin, you know, coming into whatever resource he's getting access to, whether it's a consumer application like his bank, you know, or it's his, you know, internal HR application or finance application where Martin as the principal has, you know, much more authority if we can't establish that it's him and establish that he's using a device that, that, you know, the, the organization has approved him to use and establish that that device, and this is a really, I'm I'm gonna say this really specifically 'cause it, 'cause it matters is appropriately secure.
We can't, and, and Martin you point this out to me all the time, we can't guarantee that anything's perfectly secure. The only thing we can do is know that, you know, on the device that we're granting access and Martin's going to use to get to these applications or or system resources is that we've got the appropriate security controls installed on that device at the first of all, at the time of authentication. And, and that really covers the fir first three, you know, bullets of that slide. You know, is it Martin? Is it a device we've, you know, that we've authenticated allowed him to use and then is that device have the security controls? But the idea of zero trust isn't, you know, once and done set a long session timer, you know, let Martin, you know, stay in there for eight 10, you know, eight hours or eight days or or eight weeks without reassessing this.
It's continuously reassessed. So what I think the CSA model does a really nice job of is combining both the user identity and the device security posture and saying you absolutely have to, you know, make a risk decision getting in, but then you have to continuously reevaluate and, and continuously is, is a range, right? You know, you're not necessarily doing it every second, you're also not doing it every day. 'cause a lot of things can happen. So, you know, it can be 10 minutes every hour, but reevaluating, you know, whether, you know, we're seeing signals that that, you know, maybe this isn't Martin or maybe that device may, maybe Martin, you know, for good reason turned off his lock screen on his phone and he's accessing through his phone or, or on purpose or inadvertently turned off his firewall. We would want to know those things and then be able to take some action. Not just we, you wanna send the security operations center an alert about that, but attackers move fast these days. So we, we have to take some immediate action. So that's kind of where cisa, I think as you said, I I think they did a very good job of outlining, you know Yeah. Where you need to get to.
And I think also that's, that's a, a good metrics to start with because it's really a well structured, well sort out. I I'd love to get these wonderful metrics from, from our European entities as well. Yeah. But ci CI a is is really a excellent source here. And, and I think we, we, you, you talked a bit already about taking actions and I think there's a bit, bit of different perspective also on actions and that is, so not only the tool taking actions, which is one, one part of it, but it's also us, the IT people, the decision makers taking actions. And so what would be your recommendations here for, for taking actions aside of for sure purchasing beyond identity tools, which you probably would say.
So, you know, there, there's, there's certainly at, at a minimum level, and, and I think we've seen a lot of this in, in, in the industry already, where any of your security infrastructure, identity infrastructure needs to communicate well, it, you know, you, you need to take the exhaust all the transactions are happening and make sure that they get to the security operation center. And that if you see some issues, you know, that, that you're alerting them. So, you know, part of this is just wiring this into the flows that you're using for your network detection, you know, for so folks that still have real on-prem stuff or your endpoint detection response kinds of things. So that's, that's kind of the, i I would call it table stakes things. But a lot of people have made serious investments in technologies that you can use to, for example, quarantine a user.
So one of the, I I'll I'll point to something that, that we do as an example of two things that we can do as just an example of this, but there's others, you know, one is you see an issue, I, I, I mentioned that maybe Martin turned off his, his firewall, which you know, now leaves his endpoint open to exposure. We could call out to something like CrowdStrike or or other E D R technologies or an M D M and quarantine that device so that, you know, Martin no longer has access to, to those resources like immediately or, you know, within, you know, minutes, you know, rather than waiting for an alert to weave its way through and somebody to finally, you know, see if that's important and, and then work it or drop a network connection. There's products, you know, there's the SASS e product categories and Z T N A categories that, you know, all the, the, the nice thing is this ecosystem has done, I've been really happy to see the ecosystem security and identity tool do a better job with APIs. So now a tool like a Beyond identity can call out to a tool like, you know, a A Z T N A tool and say, Hey, drop that network connection or quarantine that device. You know, we, yeah,
And we can get more signals from way more sources nowadays. I think this is, this is the other side of it. So we can consume the signals to help us to at least continually reevaluate the risk. And on the other hand, we, we can trigger more actions by, by integrating solutions. And I think from an action perspective, what I would recommend is to, to understand what you have on both ends, so to speak, which is what can provide signals, what do you already have in place and what can you already use to sort of for corrective actions around that. So as a starting point, and then look at how can you integrate it. So really seeking a more holistic solution that looks at, at every type of device as well as at every type of access of every type of identity. And I think this is something we also need to be aware of.
Yes, there's, there's the employee access to a certain environment, but in, in most environments there's more, the tricky parts come when you look at operation technology, when you look at software developers, when you look at externals, et cetera, then, then it usually becomes way, way more, more challenging because then we, we are in that, that space where, where it's really about heterogene and we, we still need to solve it and we should really start from a, from a bigger perspective like we did on more the overall identity piece when we, when we started talking about the identity fabric a couple of years ago.
Exactly.
And basically we, we also need to take a bit of a fabric approach on how can we deliver that service and what do we need to fabric in a sense of a mesh? How do we need to put all these things together?
Yeah. The, the way we think about is frankly an extension of what you guys have been talking about. It's, it's the identity fabric, the identity mesh overlapping with the cybersecurity mesh. It's, you know, the, we've people, you know, companies, organizations have made huge investments in things like E D R and network detection and anno, you know, various different anomaly detections, you know, as, as, as you said, if we can consume those risk signals to make better authentication signals on the identity side, that we're just in a much better place and we're leveraging technologies and investments that, that we've already made. So, you know, that we're, we're at a point, we're, we're finally at a point, you know, I I, I'm, this is kind of a really interesting time to be both an identity professional and a cybersecurity professional. We can actually bring those two worlds together in a, in a meaningful way, not just taking the actions like we were talking about, but consuming more additional really robust data to make just better decisions.
It's gonna require, you know, tools that have a really good risk-based policy engine, of course, to do that and can talk to, to things. But you know, we're, we're at a really interesting point, which, which we need to be, you know, when we talked about, you know, the sh shutting the front door, it's, I, I, sometimes I'll be honest, I sometimes get a little frustrated when it's like, wait, wait, we, we hear this in interesting new vulnerability that, you know, a log for J for example, you, we have to pay attention to that of, of course it's an externally exposed thing. It, it came in, like you said, through software, you know, so it's a supply chain kind of an kind of issue. And we ha you know, as security professionals, we have to go look at that and figure out where we're exposed and, and take care of that. But every day we're leaving a bit of an exposure like that with, with passwords and, and things like that. O open something that large already is, is in our environment. So I would love to see the same level of, of activity to, to close that big vulnerability. Yeah.
And I think that is, that is important if you want to, to become more secure than closing that door. The password door, so to speak, is super essential and we have a lot of things in place to make it work. And I think this is a, is a good closing statement for that part of our, our webinar where we discussed. And what, what I wanna do right now is I want to run one poll, one more poll, and after that poll, we then go into the q and a session. So the second poll for today, that will be after the action, so to speak. We quickly discussed, I i i I really laugh and, and open frank answer. We can't track who responded with in which way. So, so maybe you spent a few seconds on responding to a, has your organization already suffered a cyber attack that was caused by or related to breach passwords? So curious about the number of responses and whether a realistic number of people would say yes.
Some people are shy to say that, but, and, and we understand. I mean, it's, but yeah, it's,
But we'll, we don't ca and can't track who is responding in which way, so Exactly. No, no worries here. Looking forward. Leave it open for another whatever, 30 seconds
I can comment now. So, so have your questions ready. I, I'll I'll make Martin answer all the really hard ones and then I'll take the easy ones.
Okay. Yeah. So, so I think it seems to be a bit too optimistic response here, at least when I look at the interim state of the, well anyway, I would say we closer than 10 seconds and then we move to the q and a session.
When I looked, when we talked about the, the, the interesting thing that, that I like always about the Verizon data report and it gets repeated, you know, the, the lots of other threat intel companies have done kind of research studies like, like they have, but they, their starting point ends up being successful breaches. So not, it's not theoretical stuff. They start off with, okay, a breach happened, you know, let's go back and figure out exactly what happened and, and how, and there's all kinds of different breaches, you know, from ransomware to, you know, so they're, they've if for, you know, for people who haven't looked at that, it's really illustrative regardless of pa the password, you know, information. It just gives you a, a really good idea of the, the most critical things that you're facing, you know, which is always, that's the hard job in identity and cybersecurity, you know, we've got a lot to do figuring out what are the things that we can do that will most lower our risk or most. Yep.
Let's look at the questions. We have a couple of questions here. So, so the first one I hand it over to you, it's an easy one. Small businesses are just as vulnerable as the medium or large businesses. Do you agree on that?
I think they're more, I, I think they're more vulnerable in, in, in many cases. And, and we see that with some of the ransom, you know, we, as an example, as with the ransomware attacks, they don't necessarily have all of the, the same level of resources. You know, I I I've been working in the industry and have had, you know, large banking, you know, large international banks to work with and they've got just threat intel organizations that are, you know, many hundreds, even even a thousand people just doing, you know, the detection response and, and action that we talked about. So, you know, and then, you know, you talk to some small businesses that, you know, it's one it guy, you know, and, and he has to take care of, of all of it. So yeah, no, I, I a hundred percent agree with that.
Okay. And, and maybe, maybe directly moving to the second by, by the way, after respondents to the, the second poll around two thirds that our organization never has experienced or suffered from a passport related breach. I would dare to say this is a bit too positive from as a number, but, but anyway,
That's our result and we have to live by,
That's the yeah, and, and, and may maybe it's, it's just because all the, the, the experts are listening to us anyway, so they, they, they don't make the, the fundamental mistakes anymore. So, and we, we could also say, okay, then there there are two thirds which are still waiting for that to happen. That would
Yes, the old joke, the old cybersecurity joke, there's two kinds of companies Yes. Those that have been breached and those that don't know that they've been breached
Or that will be breached. Yeah. However you phrase it. Exactly. Is password loss a syndication the same as single sign-on? Or is that too short to say?
No, I, I think that's too short, but that's a really good observation. So with, with single sign-on, for example, they've, they've helped fix some of, you know, the last mile stuff. So the appli the, the integration between the s ss o tool and the application. You know, to give you a real example, we're all on Zoom today, for example, you know, if we're using, you know, what, whatever s S o, whether it's Microsoft or Okta or pinging, you know, there's a SAML assertion and you know, there, there's a cryptographic binding there, you know, so, so that's a pretty secure, it's, it's, they're not moving a password, but you still have to get into the s s O system and, and very often that's with surprisingly a password. The all the s s O systems also have M F A unfortunately, as, as we've talked about, some of the older M F A styles are just not as effective at, at, you know, stopping breaches.
So it's, if I get into the SS s o system, you know, using a regular password and an M F a, it, that's, that's the, the issue part. The, the backend of it is, is more secure. But you also notice the one thing, one point here is there's a lot of comp, there's a lot of SSOs that, or a lot of applications. In fact, there's a wall of shame if you, if you search on it, application providers who either don't provide a saml, you know, assertion, so you can't use, you know, SAML to get into the applications, to the S S o can't use a passwordless way to do that, or they, they offer that, but only in their upper tier. So you have to pay more for the thing to be secure, which is kind of a, you know, kind of an oxymoron. But in, in those cases, they have to default back to a password. So I might use a password to sign into my S ss o and then my s s O acts just like a password manager and, you know, puts a password across the network, which is, you know, which can be breached with some of the techniques that we talked about earlier.
So. So next question. From your expertise, what potential obstacles, obstacles or limitations might organizations encounter when implementing zero trust, authentication, passwordless authentication, and how to overcome them?
Yeah, I, I think there's, the, the biggest issue, and I think Martin, when, when we first started talking, when I first briefed you on what we were doing, I think you brought up something like this. If, if I recall, there are lots and lots of different use cases. So the biggest obstacle there, let me back up. There are technologies today that you can plug beyond identity and others that you can plug into your ss s o and take and, and take you password list and provide some of the other capabilities that we talked about, the device trust and, and things like that. The, the biggest issue is, is figuring out the edge cases. And, and there's always, and so I'll, I'll, I'll mention one, you know, you, we one we ran into fairly recently, you know, we're working with a large chip manufacturer, they've got a clean room, you know, they're, they're, you know, some of the biometrics when you've got masks and things on or fingerprints all covered up don't work there. So you have to have, you know, having a, a key fob something like a phyto key or you know, one of the Fido keys or, or something along those lines, you know, or something that they can, you know, put inside a proximity card that, that sort of thing. So it's, yeah,
Wristbands, et cetera. I also came one customer across the question about atex compliant devices. So for explo high environments where have high risk of explosions, et cetera. Right? Right. Makes things way more interesting, by the way, these challenges.
And, and there's, and there's little ones even you take, I, I'll, I'll give you another one and and I'll come back to this. A a bank banks and in in, and companies like that will have a customer support service center. They don't let you bring a phone in. You're going typically, you know, the, the, the representatives that come in aren't necessarily going to the same desktop, you know, every day. That's, you know, it's a bunch of desktops that they have in there and, and they use whatever, you know, desktop that they, they sit in or hotel, you know, kinds of things. So I'm not saying this to dissuade people or, or to do it. 'cause there are also big chunks that you can solve today. And cybersecurity is already always about doing the things you can do today to lower the risk as you figure out some of the edge cases.
And so do, you know, doing nothing until I can, you know, until I can do everything is gonna be a failed, you know, way to go about cybersecurity. But you can really start off to bite off chunks and you can do it. But that, that's the issue. It it is some of the edge cases, the technology's available today. And the other thing I would point out is, is a little bit, this is more in the thoughts of the cybersecurity guys when you showed the table, the CISA table that look, you know, there's different levels that you can go to, you know, and optimal was the thing that we had the circle around. A lot of people think you necessarily have to go through stage one and stage two and stage three 'cause it's a maturity model mentality. And you know, I did, I was, you know, a former engineer, so I, I worked through those stages of C M M and and and engineering and you always had to kind of build up, up, you can skip some stages. You, you know, with different technologies and things like that, you can actually go right to optimal, you know, that that's, you know, that's our pitch to folks. We can take you from suboptimal right, to the optimal Cecil levels, at least on the device trust and the identity thing. You know, there's other columns there that you have to take care of that we don't do anything about. But, you know, it's, it's this thinking. So those are the big issues
By, by the way, I I like that point. You said so, so first maybe let, let me comment on the edge cases. Interestingly, I think for, for the vast majority of edge cases, there are some solutions, sometimes not as easy to find, sometimes not perfect. But there are, and the other point I like is saying, let's look at what we can do, not at what we can't do. Unfortunately, I think when I look at many conversations I had with cybersecurity professionals, it was about why things don't work. And, and in some of my, my, my previous talks, I had a, I had a graphic where I looked at the limit of security going towards 100% and the limit of cost is infinite. So there is no 100% security. That again means we need to look at what we can do and how we can Right.
Get better. Not for shoot, trying to shoot for the perfect security because, and, and I sometimes hint to the book after the, the movie after the book of Dan Brown, I believe it was Illuminati, the ones who have seen it, know there is no 100% security. There are always ways to, to, to bypass security. And if it's the hard way, Patrick, I think this was a very, very interesting conversation. I hope that the audience learn also a lot from it and gain some, some insights. So thank you very much for to you for all the insights you provided. Thank you very much to beyond the identity for supporting this commun call webinar. Thank you to all attendees for listening in and hope to have you soon back at one of our webinars or conferences. Thank you.
Thanks for having me. It was great.