Webinar Recording

Can't see the wood from the trees?

KuppingerCole Webinar recording

Good morning, ladies and gentlemen, welcome to our KuppingerCole webinar "Can't see the wood from the trees? Access intelligence: gaining insight into the real access risks". This webinar is supported by Courion. The speakers today are me, Martin Kuppinger, founder and Principal Analyst at KuppingerCole, and Kurt Johnson, Vice President of Strategy and Corporate Development at Courion. Before we start, some general information on KuppingerCole and some housekeeping information on the webinar, before we dive into the webinar itself. So KuppingerCole, we are an analyst company providing enterprise IT research, advisory services, decision support, and networking for IT professionals: research services, advisory services and our events, our main one being the European Identity and Cloud Conference, which will be held next time May 5th to 8th in Munich, sort of the must-attend conference in Europe when it comes to identity, information security, access governance, and a lot of related topics. Regarding the webinar:
You are muted centrally, so you don't have to mute or unmute yourself; we control the mute and unmute features. We will record the webinar and the recording will be available tomorrow. By the way, we also will provide the PDF versions of the slide decks for download, so that you can download them if you want. We will do a Q&A session at the end of the webinar. You can enter questions at any time using the questions feature in the GoToWebinar control panel, which you usually will find at the right side of your screen. So let's have a look at the agenda. As usual, this agenda is split into three parts. In the first part, I will talk about why new risks need new approaches to understanding your real access risk, and why this also leads to the need for access intelligence. In the second part, Kurt Johnson
will talk about, or provide a deeper dive into, identity and access intelligence trends, looking more in detail into this topic. In the third part we will do Q&A. As I said, you can enter questions at any time so that we have a good list of questions when we have finished the two presentations. So let's start with my sort of standard picture, the Computing Troika, the new scope of information security. And I think this is really what is affecting and what is changing, sort of, the IT and information security world today. We have cloud computing with more deployment models. We have social computing with changing user populations: more users, we have to deal with externals, so integrating customers, leads, prospects. We have mobile computing with more devices, and things become more complex. So we have a far less structured IT environment.
We have to deal with different types of deployment models, more users, and more devices. And still we have to protect the information in that context. And this is what really is changing the things we are doing. And we need to understand our risks to take the right measures on that. When we invest in information security, we should understand what really helps us to get better in mitigating the risks we are facing. In this sort of larger context, a lot of things are changing, and it's not the only change; we have some other changes, I'll talk later about the changing threat landscape et cetera, but basically this is one of the starting points. Within this, to address sort of the area of access risk and to keep access entitlements under control, there's the area of access governance. Access governance is a well-established part of IT right now.
What is this about? It's about some questions we want to answer, we need to answer. These main questions are: who has access to what, and who has granted that access? So understanding who can access what, who's doing what with which information, and clearly also understanding: is this the right level of access entitlement, or is this far too much? Are people accessing information, or trying to access information, they should not? So this is basically what we are looking at. And within this broader set of access governance, there are a number of technical aspects. So there's the access warehouse to collect current entitlements; there's recertification, which was one of the starting points, so reviewing who currently has which access rights; and then there are areas such as access analytics and intelligence, so understanding, analyzing, for instance, uncommonly large accumulations of access rights or entitlements, and access risk management, understanding where are my high-risk items?
Where do I have to put a specific focus on when auditing all that stuff? We have access request management, so requesting access, which is also a very important part: how can we make it easy to request access but still avoid excessive access rights? We have role management as one discipline within this, and we have segregation of duties management. So currently access governance tools have a number of features such as the warehouse and recertification, analytics and intelligence, which is where the risk part comes in, the role management, the request management, the SoD part. So this is what really makes up these tools, and the one sort of in the middle, the analytics and intelligence, is becoming increasingly important, because it's not only about sort of having a blanket approach on recertification, for instance, but understanding what are the high-risk things to look at?
Where are the critical things, where are things going wrong, and then putting more emphasis on these. Otherwise you have a lot of recertification, where 12 months might be far too long for some high-risk items, whereas you might even say for some items I don't need recertification, or I do it only every two years, and for others I might do it every three months or even more frequently. So let's have a little look at the risk part. So what is a risk? A risk is a threat which has a specific probability to happen. So a risk is different from an uncertainty in the sense that there's a probability you can define. There's an impact on the assets, so you can add a value on that. There's an impact, potentially, on business processes. So threat plus probability plus impact in fact ends up being a risk, and understanding this risk is a very important part.
Commonly we see various types of risk: so strategic risks, which are seen from a business perspective, so the risks which can lead to a situation where you're just out of business at the end of the day; operational risks, which can cost you a lot of money, which can cause problems in your business processes, et cetera. And then commonly there's the IT risk part. In fact, this structure is not the best one. It's a very common one, but it's not the best one, because it sort of says IT risks are no business risks. That's just not true. The only reason why we look at IT risks is because they can be operational, they can be strategic. You also might add reputational; but reputation at the end of the day is operational or strategic, more frequently strategic. So when we look at IT risks, then we look at these risks because they affect, or can affect, our business.
And I think there are some very good examples, especially around access. So if you take the cases around UBS and some of the other finance institutions, where obviously the access risk and the challenges of not having good enough access governance implemented and executed led to operational, and in fact in more cases just strategic, risks which really put the entire business at risk. So we should understand that IT risks are in fact business-relevant risks. There are various sources of risk. So that might be malicious activity such as hacking, data theft, et cetera. That might be misuse, so abuse of privileges, which is opposed to malicious activity: just curiosity, et cetera. There might be mistakes, where things just go wrong because someone did something wrong accidentally. So I know about situations where an administrator accidentally deleted part of an Active Directory tree, which then led to a situation that it was provisioned through to an SAP system, causing massive availability issues in the SAP system.
So mistakes also can be pretty critical. You can't avoid all of them, so sometimes people need the ability to do some changes, but understanding who has access to what and minimizing the risks is the first step here, and that really helps you to reduce the overall risk exposure of your organization. As I've said, access risk is a very important part within that. What you clearly need to do is set up a structured approach for dealing with it, which means from a higher-level perspective you need a GRC program and a GRC infrastructure, and you need to do the same at a lower level, for instance for access risk. So understand your threats: what are the threats, the probability, the impact they have, what is the valuation of the assets and what is the resulting business impact; define the controls.
So this is really where access governance, and particularly also access intelligence, come in, helping you to define controls, to define automated controls, to make it easier to execute these controls. And this is what you really need to do. And then you need to have your various types of activities: so you need to have improvement activities, you need to understand the status, and you need to also have crisis and incident management in place. So if you do that, if you do your access governance program, if you do your access intelligence implementation, you should do it sort of big enough, in the sense of defining it not only from a technical perspective, not only from a tool perspective, but underpinning it with an organizational structure that really helps you in mitigating the risk. So access risk: why do we need to think in risk? I think I started talking about this: a risk is a threat on an asset with a specific probability and an impact; an information risk is a risk for specific information from the perspective of the business.
So in fact we have the situation that some of our information is at risk, and there are numbers out there, and surveys, which end up with sort of roughly 50% of the corporate value of an average organization based on their informational assets. So this is a lot of value which can be at risk. Information is part of business processes, and that informational risk is a business risk. Everything we do around access risk in fact is business risk management. We should understand it, because the biggest part of information risk is malicious access. So this is what we really need to understand: we need to understand what the information is, we need to understand the risk associated with the specific information, we need to mitigate these risks. So we need to understand where the biggest risk is, where to start. This is really where we need intelligence, where we need to understand where are the things we really have to deal with.
This is where access intelligence and other things come into play: mitigate the biggest risk, start where the biggest risks are, and mitigate where the balance of risk and reward fits. So at the end of the day it's always a simple calculation. I think it's the same as with an insurance contract in real life: if the insurance contract is too expensive compared to the risk, you will not sign it. If it's too expensive to mitigate a risk, you might decide on carrying the risk, because it's cheaper than sort of mitigating that. How to evaluate access risk: so which information, used by which services, impacts which business process? You need to understand two things. One is in fact who has access to what, from an entitlement perspective; on the other hand, you need to understand your information. So which information is used by which services, which can be a standard application, which can be a cloud service, whatever, and which impacts which business process; that's the other side of things which you need to understand.
You need to understand the threats, which threats you're facing; really look at this. What is the biggest risk? So who might be interested in which part, which information, from an internal and from an external attacker perspective? Look at the probabilities: what are the realistic probabilities? And at the impact: what is the realistic one? What I frequently see in organizations is that organizations underestimate both probability and impact, and that they are too coarse-grained when doing that rating. So do this correctly, do it roughly, and understand that it's not only about systems. So traditionally we have sort of a system governance approach, to the left, where we look at just: what is the risk of a system? I think we need more. We need at least an information governance, where we understand what is the risk of information, and to do access intelligence right over time,
we need to understand that information can be at various systems. That information really is our asset; not the system is the asset. The system is a technical tool to do it. Ideally we move forward and understand that it's about the relationship of services, business processes, and information, how this looks like. So we should take the right approach, and clearly this is beyond the system approach, but I think this is also a very important thing to keep in mind. Then, when we take another look at the entire stuff of the access risks, we have this perspective of who causes the risk, who are the, sort of, the attackers; let's call it attackers. It might not all be attackers. As I said before, when you look at the sources of risks, mistakes are not really about an attacker, but let's keep with this.
And the important thing is we need to understand both of them: internal and external are here, both of them are a challenge for us. We need to understand which are the risks caused by internals, which are the risks caused by externals. And we need to understand, and I think this is something which is relatively new in the entire story, you need to understand that what an internal does might be caused by an external. So if you look at the advanced attacks of today, they are increasingly long-running, have multiple stages, are sophisticated. So they are definitely far more complex than they have been before. And so there might be an external one acting in the identity, in the context, of an internal one. And this becomes pretty clear when you look at the anatomy of, the story of, an advanced persistent threat. So very typically, one, I put it a little bit down, but basically this is something which has been observed and reported by some companies right now which had sort of massive attacks.
And frequently it starts with an email sent to internal users with some malware in it, frequently also based on information available from social networks, et cetera. The user clicks or opens the attachment or link and installs the malware. And if you look at your inbox day by day, you see a lot of malware. And so there are a lot of things going on: it scans the network for vulnerable systems, and it also tries to, so it in fact acts on behalf of that particular user. So some of your users then start doing abnormal, or showing abnormal, activities. That is where the thing really becomes interesting: it tries to elevate privileges. So it might try to change access rights, it might try to elevate privileges, might try to act on behalf of other users, privileged accounts, be it individual, system or service accounts. And you need to understand: okay, what is happening here, are things changing, is the behavior changing, et cetera.
And then, when it's at the target, it sends back data to varying servers and difficult-to-track locations, changing IP addresses, et cetera. There are some very sophisticated forms of these attacks. And I think it's important to understand that it's not only about understanding who potentially has which access. It's also about understanding who is doing what with that type of access. The other thing which is very important, and this is one of my favorite slides, is that when we only look at the access governance and identity provisioning layer, we don't look into the details. So when we do identity provisioning, commonly we say, okay, we create an account for Martin in the Active Directory, we assign the membership in the group Finance, the global group Finance, to Martin. But the group Finance itself, that's something which is managed in the Active Directory itself. And the same is true for SAP: there's the association with an SAP business role, but there are also profiles and transactions below, which are managed in SAP.
So there's an entire hierarchy of entitlements in managed systems. And what we need to do is to gain insight into the details, understand which ACLs are behind the group Finance, which transactions are behind the SAP business role, whatever. So understanding this sort of break point, and solving it by access governance, analytics and intelligence, is a very important step to do. We also need to understand that there's more than just these high-level rights. We need permission governance. We need to understand what users are doing, deeper insight, intelligence on that; understand what privileged users are doing. And we need to do it continuously for the IDs and access, what is happening there. So this is really where we need to go beyond sort of the traditional approach of identity provisioning and access governance. And a while ago I created a slide with a number of areas where I see the evolution of access governance. There are various areas: so doing it for the cloud, going into the details of file servers and SharePoint, integrating it with privilege management, et cetera. But probably the most important one, the one to the upper left, is really adding advanced analytics capabilities, maybe based on standard business intelligence technology, maybe based on other technology, whatever, but really using good and strong capabilities for analytics. And this is, I think, one of the most important areas to get better in managing and mitigating your access risks. And that's where I want to hand over to Kurt.
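The following is an added worked example, not part of the webinar and not code from KuppingerCole or Courion. It illustrates in Python the three analytics Martin describes above: resolving the entitlements that actually sit behind a directory group or SAP role (nested groups expanded down to the ACL entries and transactions they grant), flagging users with an uncommonly large accumulation of entitlements compared with their peers, checking toxic combinations (segregation of duties), and deriving a risk-based recertification interval instead of a blanket 12 months. The group names, ACL paths, SAP transaction codes, criticality ratings, SoD rules and recertification intervals are all constructed sample data chosen for the illustration; a real deployment would read them from an access warehouse export.

```python
"""Access intelligence over an entitlement hierarchy (added example, constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed sample data: nested AD-style groups. Values may be users or other groups.
GROUP_MEMBERS = {
    "G-Finance": ["G-Finance-AP", "G-Finance-GL"],
    "G-Finance-AP": ["alice", "bob", "dave"],
    "G-Finance-GL": ["carol", "dave"],
    "G-SAP-FI-Clerk": ["alice", "bob", "dave"],
    "G-SAP-FI-Manager": ["carol", "dave"],
    "G-Purchasing": ["erin", "dave"],
    "G-Domain-Admins": ["dave"],
}
# What each group really grants: (resource, right, criticality). The ACL paths and
# SAP transaction codes are illustrative assumptions, as are the criticality ratings.
GROUP_GRANTS = {
    "G-Finance": [("\\\\fs01\\finance", "read", "medium")],
    "G-Finance-AP": [("\\\\fs01\\finance\\ap", "write", "medium")],
    "G-Finance-GL": [("\\\\fs01\\finance\\gl", "write", "high")],
    "G-SAP-FI-Clerk": [("SAP:FB60", "execute", "medium")],     # post vendor invoice
    "G-SAP-FI-Manager": [("SAP:F110", "execute", "high")],     # run payment program
    "G-Purchasing": [("SAP:ME21N", "execute", "medium")],      # create purchase order
    "G-Domain-Admins": [("AD:Domain Admins", "admin", "critical")],
}
DEPARTMENT = {"alice": "finance", "bob": "finance", "carol": "finance",
              "dave": "finance", "erin": "purchasing"}
# Toxic combinations (assumed SoD rules): holding both resources is a violation.
SOD_RULES = [
    ("SAP:FB60", "SAP:F110", "post vendor invoice + run payment"),
    ("SAP:ME21N", "SAP:FB60", "create purchase order + post vendor invoice"),
]
# Assumed recertification cadence by the most critical entitlement a user holds.
CRIT_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
RECERT_MONTHS = {"low": 24, "medium": 12, "high": 3, "critical": 1}


def expand_members(group, members, _seen=None):
    """Users transitively contained in `group`; tolerates group cycles and diamonds."""
    _seen = set() if _seen is None else _seen
    if group in _seen:            # already expanded on this walk (cycle or diamond)
        return set()
    _seen.add(group)
    users = set()
    for member in members.get(group, []):
        if member in members:     # nested group: recurse
            users |= expand_members(member, members, _seen)
        else:
            users.add(member)
    return users


def effective_entitlements(members, grants):
    """Map each user to the set of (resource, right, criticality) they actually hold."""
    effective = defaultdict(set)
    for group, entries in grants.items():
        for user in expand_members(group, members):
            effective[user].update(entries)
    return dict(effective)


def flag_accumulation(effective, department, factor=2.0):
    """Users holding more than `factor` x the median entitlement count of their department."""
    counts_by_dept = defaultdict(list)
    for user, dept in department.items():
        counts_by_dept[dept].append(len(effective.get(user, ())))
    flagged = {}
    for user, dept in department.items():
        count, med = len(effective.get(user, ())), median(counts_by_dept[dept])
        if count > factor * med:
            flagged[user] = (count, med)
    return flagged


def sod_violations(effective, rules):
    """Users holding both halves of any toxic combination, with the rule description."""
    violations = defaultdict(list)
    for user, entries in effective.items():
        held = {resource for resource, _, _ in entries}
        for left, right, why in rules:
            if left in held and right in held:
                violations[user].append(why)
    return dict(violations)


def recert_interval_months(entries):
    """Review cadence driven by the most critical entitlement, not a blanket 12 months."""
    if not entries:
        return RECERT_MONTHS["low"]
    top = max((crit for _, _, crit in entries), key=CRIT_RANK.__getitem__)
    return RECERT_MONTHS[top]


if __name__ == "__main__":
    eff = effective_entitlements(GROUP_MEMBERS, GROUP_GRANTS)
    for user in sorted(eff):
        print(f"{user}: {len(eff[user])} entitlements, recert every "
              f"{recert_interval_months(eff[user])} month(s)")
    print("accumulation outliers:", flag_accumulation(eff, DEPARTMENT))
    print("SoD violations:", sod_violations(eff, SOD_RULES))
```

With this data, dave ends up with seven effective entitlements against a finance median of three, holds both toxic combinations, and is due for monthly review because of the Domain Admins membership, none of which is visible from the provisioning view, where he simply holds a handful of group memberships.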
Great. Thank you very much, Martin, and thank you for that excellent overview. I think Martin did an excellent job really kind of portraying how important this whole notion of access risk is. And, you know, before I get into more detail about that, and really where the role of intelligence plays in that, I just wanted to give you kind of a quick understanding of who Courion is. We provide software solutions for identity and access management; really, as we say in our mission here, to help our customers succeed in this world of open access and increasing threats. And by open access, we're really talking about the fact that, you know, as Martin alluded to, access and business are becoming very tightly intertwined, and the need to give access to information and data to our customers and partners is an important business task, but we have to understand the threat that goes along with that, and the risk.
And so Courion solutions provide, enable, some of the things that Martin talked about: around provisioning, to give people the access they need; around governance, to help with the audit; but I'll spend a good deal of time today talking more about the role of intelligence and continuous monitoring. And at the end of the day, really what our focus is is to ensure that the right people are getting the right access to this broad array of resources, whether those be on-premise systems, cloud systems, structured and unstructured data, and are doing the right things with that access. And again, Martin touched on how important it is for organizations to have a better visibility of activity, not just looking at what people have access to and the potential of what they can do, but what they're actually doing. And that all is centered around a better understanding of risk.
And again, Martin did a great job of talking about risk, and I think one of the big points he made was how IT risk pretty much is business risk, based on what everybody is doing. And I'd just like to, you know, go a little bit further into that. I think there's been one very prominent security incident in the recent past that I think illustrates this very well, which was the breach and attack on Target, which is the large retailer here in the United States, though I think the story and the ramifications have kind of global implications. And I know many people have heard a lot about the Target attack and heard just, you know, over a hundred million credit card numbers potentially breached as part of this, and personal information along with it. But I wanted to just touch on it briefly from the standpoint of illustrating, and playing off, the point that Martin made about IT risk and business risk pretty much being the same thing, and really what the role of access risk management is in this.
So, as I mentioned, right around the holiday season Target was breached, their credit card data stolen, and immediately it was headline news. And we had so-called experts on every TV station and every newspaper giving their opinion and view on what this meant to consumers. And given the fact that it really hit consumers, it had significant appeal; a significant amount of fear was raised in the hearts and minds of the consumer population who had done business at Target. And, you know, sure enough, it also ended up becoming the butt of jokes of satirical cartoonists. Any marketing expert knows this is not a place that you want to see your brand displayed, you know, mocking kind of the situation that occurred. And it required that their CEO go out and make a very public statement as to what this meant to them, and just, you know, talking about coming forward to discuss and disclose what had happened, give as much information as they could, and really try to regain the public's trust that Target was in control of this and knew what they were doing.
But I think an incident like this and the ramifications of it sometimes get overlooked. And, you know, Martin had mentioned reputational risk, and there is a website called YouGov.com that actually tracks something called the Buzz score. And what a Buzz score is, is the public perception of a company's brand, and anything over 30 there is like one of the top, most popular brands. And what you're looking at here is, the red line is the historical view of Target's Buzz score and their brand image, and the gray line underneath that is large retail organizations as a whole, so looking at the Marks & Spencers and the Walmarts and the others of the world. And as you can see, Target traditionally had a brand image that exceeded the industry as a whole. And they went on a very heavy advertising campaign around the holiday season that actually put them over that 30 mark, that made them one of the most recognizable and trusted brands out in the marketplace.
Once the breach occurred, however, it plummeted their reputation and their Buzz score, so not only below those historic highs, not only below those of their competition in the market as a whole, but plummeting to almost historic lows; anytime you get below zero, your brand is perceived as a negative brand, and it went even kind of well below the zero, all due to the lack of trust that the public had in what Target was doing. In addition to reputational risk, it hit financial risk as well. And this is the stock price of Target from when the breach was disclosed, and a fairly significant decline that resulted in over a $5 billion impact on their market capitalization. And there were hard costs associated with this breach as well. And they saw fourth quarter net income fall 46%, not as much from the decrease in revenue, but more so from all of the significant costs that this breach created for them on a very, you know, hard dollars and cents kind of basis.
And then there was personal impact as well, excuse me, where the CIO was forced to resign. Of course there needs to be a scapegoat in situations like this, and she was kind of at the middle of all of that, and given that this was an IT breach and cybersecurity breach, she took the fall for this. But it didn't stop there as well, where a couple months later the CEO was forced to resign. And if you can read the little caption under the picture there, it just said it's the latest in a series of moves made by the company as it struggles to recover from last year's holiday breach. So clearly long-lasting, significant, very powerful impact. And if you've looked and read the reports as to how this breach occurred, the original source of the breach was through a heating, ventilation and air conditioning (HVAC) partner of Target's that had poor access controls.
And the malware was originally launched by gaining access through this partner's credentials. So this HVAC partner had access to Target systems to submit invoices and other things on the Target systems, and this was how they initially breached Target to do all of this havoc. And it's not just Target; you know, we're seeing this as a very popular form to launch attacks within organizations. You know, this data is from last year's, or this year's, Verizon Data Breach Investigations Report. And one of the things they look at from the different number of breaches is to put them into various categories on how those breaches occurred, whether that was human error, or just misuse, or a physical breach. And as you can see, there's a number that have been rising pretty significantly. The social, using social means; Martin alluded to this when he was talking about the APTs and how they really target very specific individuals,
the malware that's launched to do this. But as you can see, hacking, pure-form hacking, continues to be the number one source of breaches to organizations and is rising at a rate even faster than the others. If you peel the onion back on that a little bit, they categorize that into different areas of hacking, and it includes things such as, you know, SQL injections, brute force, backdoors and command and control, which are declining, or SQL injections increasing a little bit. But the number one source of hacking breaches is the use of stolen credentials, over half of them, and the one that's increasing at the fastest rate. So they're getting in from the access; they're getting in from the misuse and stealing of credentials, or people just abusing the credentials they have. And Martin talked about that APT attack, and, you know, here's just kind of another graphic that kind of says the same things.
You know, we've been seeing a lot of IT security spend on the early part, to look at tracking malware, tracking when viruses and things infiltrate the system. There's a lot of focus on things like security incident and event management, or deep packet inspection on the endpoint when they start actually transferring data to other servers, to try to catch it before it goes out the door. But as Martin talked about, there's a lot of this lateral movement and looking for the privileged accounts and doing things with those accounts, and even changing privileges midstream, that we're not putting enough scrutiny and focus on today. And that really is where it just stresses the importance, and how broader security controls and identity and access management need to come together. But let's be honest with ourselves. Let's take a closer look at how we've been dealing with these kinds of controls.
We've had two primary levels of control for identity and access management over the years, which Martin talked about. You know, first there's provisioning, and the whole concept of this is to have preventative controls to make sure that people are only getting the kind of access they're supposed to have. And what's the main level of control that goes into provisioning? Well, it's an approval. So if we've sent this to a manager and the manager says, yes, I think Kurt should get this access, we pretty much trust the fact that he should get that access. But we know this wasn't enough, and the audits became more stringent, and there was more focus on this, of really looking into why people have the access they do, which is where governance came about, and specifically around the access certification reviews, where once, twice, maybe three or four times a year we require our business managers to take a look at all the access that all their employees have.
And again, the control is whether they approve of that access and certify that review. And this has really been the way that we've gone about to determine whether access is appropriate or not. But I'm sure we're all completely confident with the fact that we never see the old rubber stamp taking place, right? Managers always spend all the time they need to really go diligently through all those reviews, right? Or do we ever worry that they may just want to pull this rubber stamp out? You know, as I mentioned before, Courion was actually the first vendor to introduce an access certification product to the market, way back in 2004. And we kind of knew some of this was going on when the first feature enhancement we got for our access certification product was the addition of a button that said "Accept All" at the top.
And that was one of the biggest end user requests, because in many cases we know they would do these types of things. So, you know, I mentioned the potential impact and the threat and the vulnerability of access that was clearly indicated in the Target breach. You know, Martin mentioned UBS; there have been many that have had similar types of issues. But I think, you know, when we saw things like Target, and then there were other large retailers like Neiman Marcus in the US, Tesco over in the UK, there was, you know, the Verizon data breach report, I think, summed it up well, where they kind of always put a theme around their report. And they said that 2013 may be remembered as the year of the retailer breach, but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.
And that obviously the vulnerability of payment card systems makes it a very attractive target, no pun intended, that we saw many implications of over the last year. And we also know that there are regulations for compliance and audit for retail, specifically PCI, the Payment Card Industry audits and compliance regulations. And Verizon also does a report that looks at PCI compliance. And it was kind of interesting when you looked at the 2012 to 2013 trend: given this significant increase in security incidents around payment cards, you might be surprised to see that the average compliance from retailers went up. It went up from an average of 53% in 2012 to over 85% in 2013. Not only is that an increase, which you may not necessarily be expecting when we see this increase in attacks, but it increased significantly; a 30%-plus increase in average compliance generally would indicate a very good trend.
So why are we seeing all these attacks? Well, there's one requirement of PCI DSS which is about identity and access. It's all about identifying and authenticating access to system components. And there were some pretty interesting findings. You know, they found that only 24% of organizations that actually suffered a security breach were compliant with this requirement at the time of the breach. And that, you know, one of the big things is looking at shared accounts and privileged accounts, and that 60, almost 65% of organizations, two thirds, failed to restrict each account with access to cardholder data to just one user. So there were shared accounts, administrative accounts, accessing cardholder data. And they also found that a number of attacks came from insiders, and when they looked at it, they said that more than half of the insiders committing IT sabotage were former employees who regained access via backdoors or corporate accounts that were never disabled.
And it's not just retail and PCI. We see a similar thing in financial services. This is data from a Deloitte report that looks at the top audit findings. There's an ongoing list of about 40 different audit findings, and every year they've been doing this report, the top four audit findings have been consistent: people with excessive access rights; developers with excessive access to production systems (a developer built an application, did it against test data, that application went live, and now they have access; nobody ever changed that access or turned it off, and now they have access to live data); the lack of removal of access following transfer or termination; and toxic combinations of access, or segregation of duties. Not only have these been the top four audit findings every year that Deloitte has been doing this survey, but in almost every case they're increasing rather significantly.
Einstein said it best: insanity is doing the same thing over and over again and expecting different results. Within the world of identity and access management, we've been pretty much caught in this pattern of expecting the preventative controls of provisioning and the periodic certification reviews to be enough. And that's the whole notion of them being periodic, done once, twice, three times a year. Martin mentioned that there might be high-risk items; do we really want to wait 12 months before we look at that again? So while all these breaches are occurring, we're also forced to deal with the reality that I alluded to earlier around this whole notion of open access, and we're seeing this perfect storm occurring. I don't know if any of you saw the movie a number of years back with George Clooney and Mark Wahlberg called The Perfect Storm.
It was about a true incident that occurred off the east coast of the United States, where a rare combination of atmospheric conditions came together to create a very powerful and very surprising super storm. Unfortunately, there was a fishing vessel that was caught in the midst of it, and due to the unpredictability and the magnitude of it, the occupants of the fishing vessel perished in this storm. It was a hurricane that was dying out in the Atlantic, with a major cold front coming through and some other atmospheric pressure systems occurring, that created this. We're seeing a similar thing in the IT industry, but unlike a storm that blows through, this one isn't going anywhere for a while. It's all about the vast amount of data that is online, being accessed by a broader array of individuals, including partners, employees and customers, from an increasingly varied number of devices.
And even today, it's not just the end users with the devices; we're hearing more and more about the Internet of Things, where the devices themselves have access to various data and information out there. As a matter of fact, I was meeting with the chief security officer of one of our large healthcare customers, and they said that they actually found out that kidney dialysis machines were accessing the hospital's credit card database. There's probably not a lot of reason that kidney dialysis machines need access to credit cards, but it just stresses how important this focus on identity is. And we know, folks, it's not getting any easier: the number of security incidents continues to rise. This is from a PricewaterhouseCoopers survey, with very similar trends to many other surveys that we see, that incidents are going up, and going up quickly. But what I found really interesting with this survey was the bubble that showed that the number of people that didn't know their number of security incidents doubled over the last couple of years.
Again, this is a trend that we've also seen come out of the Verizon data breach report, where they look at the percentage of breaches where the time to compromise was days or less; that was well over 90%, and it's increased quite significantly over time. That means the hackers are getting in in minutes, hours, or at most days in over 90% of the cases. However, the percentage of cases where the time it takes to discover the incident was days or less was only 25%. So that gap between their ability to get in quickly and our ability to discover it is widening. And in the case of the point-of-sale systems, the PCI, the payment card breaches, 99% of the time, according to Verizon, the intrusions were discovered not by the organization themselves but by somebody external to the organization.
Most of the time it's law enforcement. So this gap is increasing, and there was a quote from one of the security reports out there saying there needs to be a mindset shift, to shift our security mindset from incident response to continuous response, wherein systems are assumed to be compromised and require continuous monitoring and remediation. Given the fact that we're seeing more and more identity breaches, we need to move away from this notion that we can do this once or twice a year. We need to be looking at identity and access on a continuous basis, with intelligence to understand what we're looking at, in order to alert and notify the appropriate people at the appropriate time and take action. That is what the importance of what we call intelligent IAM is all about. And I'm not talking about the kind of intelligence which translates into more reports.
This isn't just spitting out more reports on data; to truly do it in a real intelligent way is a big data exercise. I know big data is a big buzzword, it's thrown about a lot, but really what big data is all about is what they characterize by the three Vs: large volumes of data, with a lot of variety and different types of data, with a lot of velocity and change. I think that certainly applies in the world of identity and access, where we see more and more users, with various policies and regulations governing what they should access, accessing more and more different types of resources, with different rights and entitlements underneath all of those. And as Martin pointed out, the importance of activity, really looking at what users are doing. When we pull this together, it has the potential to be trillions of different potential relationships.
And we can't look at all of that; the human eye just can't look at it. So we need to focus on where that risk is greatest: what data is of biggest threat, what resources and assets does that data reside on, and how vulnerable are we to attack. So customer data sitting on a SharePoint site that everybody has access to, well, that's a high risk, and that's where we want to focus our attention. CIO did an article recently talking about how do you present cybersecurity issues to the board, and it says: use stories, visual aids and simple language. So it's interesting to see that talking to our boards is a lot like talking to our five-year-olds, that we need to use pretty pictures and simple language, but it does make the point. Which is why, when Courion extended its suite to add this whole notion of access intelligence, we had to put in nice pictures, heat maps. Getting back to what Martin talked about, the risk is that probability plus the impact: let's focus where that risk is greatest and give them the details and the data underneath behind that, to understand why something is up and to the right on that high-impact, high-probability chart, with the breakdown to show them exactly what's behind that and what the source of that is.
And when you can see somebody's access and how they get it: we also created this visualization, this Access Explorer, to see an individual and all the access they have, even when that's rooted or nested three levels deep in an AD group. So you can see specifically what's granting access to somebody and what makes it concerning, and by doing so we think we can give a whole new view of traditional access certification reviews. In the past we looked at who had access, and we always had the orphan accounts, these accounts that were active but were not linked to individuals. Well, let's look at those on a heat map, where we've got this one, which is a low-risk application with low-risk entitlements and no activity taking place; this one, a higher-risk application but no activity; some of these are orphans on more moderate-risk applications that actually have some user activity; or high-risk applications with high-risk entitlements; or, at the highest level, orphan accounts on high-risk applications with high-risk entitlements that are being used constantly. As opposed to waiting for the end of the year to do a certification review, immediately notify the manager saying, we're seeing this, can you please comment on this and take action?
And we've seen this have major ramifications. There was a customer of ours that did an annual certification review. They looked at hundreds of thousands of accounts, and they found five orphan accounts and were deliriously happy. When we ran our analytics tool in a test with them, we actually found that the applications these orphans were on were high-risk applications; there were a number of privileged accounts on those systems, and coincidentally those orphan accounts all had high-privileged entitlements. They were for users that did not exist in the HR system. They were created within hours of one another. They never went through a formal approval process, and they had activity on them. So what was happening in this case was that there was a rogue administrator who set up these accounts right before he left the organization to do some very bad things.
So, taking a look at this on a heat map, we could see this as soon as it occurs: this account was created outside the provisioning system, and another, and another. And again, focus that attention to do what we call a micro-certification, to send just that information to the manager, to say, what's going on here, and immediately take action. We see the same process can also be beneficial for provisioning. As I said, today that evaluation is all about approvals, and we wait for that approval before we set up the accounts or reject those accounts. But imagine if the system itself could do a risk scoring and say, you know what, this request is low risk; it's the same accounts that everybody in that job function gets; let's automatically fulfill that, let's not waste the time by sending this off for manager approval. But where we see one that has a little bit more moderate risk, well, then we do want to send that to a manager and say, hey, this is an account being created for Kurt; Kurt's in this job function
and he's asking for access that looks a little bit different, is that okay? And either approve or disapprove. But where we see something that's high risk, a segregation-of-duty conflict, a high-risk entitlement, something very different from the rest of the peer group, well, then we want to send that out for multiple steps of approval. So again, by focusing approval only where necessary, only where risk is greater, we can make our managers' lives easier, but we can also avoid the rubber stamping. Ultimately, we can also see this can be very beneficial for role mining: as opposed to doing traditional role management and role mining, the system is analyzing and looking at patterns of behavior to create peer groups, so we can see when access is similar and when it's dissimilar, to make better decisions around it. And just for the sake of time, I was going to skip over this part, just to talk about this evolution.
We need to move from this provisioning-led mentality, where everything was about making administrators' lives easier and just focusing on setting up the accounts. We moved to the second level of this, where we added governance and certification reviews once or twice a year. But to truly do this intelligence, we need to make better decisions in real time, revolutionary, to see things we couldn't see with just the human eye, things that don't show up in reports: looking at things and focusing on risk that looks different from peer groups, different from normal user activity, that looks different, such as privileges being raised in the middle of an APT attack, and take action on them immediately. That's what we believe the world of intelligent IAM can be, where we complement provisioning and governance to do it better, do it in real time, continuously, while at the same time adding this notion of continuous monitoring and analytics alongside it. So with that, I'll turn it back over to Martin and our Q&A session.
Thank you, Kurt. I'd like to ask the attendees to add their questions so that we can pick them up. So the one question I have is: you talked about this PCI regulation stuff, that the compliance went up but the number of incidents also grew significantly. Is it a problem of regulations, or of regulations not being good enough? Or is it that regulations never can be good enough as long as they are not complemented by good human sense?
Yeah, I think that's the key point. You need more than just regulations, and really what compliance is about is checking to make sure we're doing the things we're supposed to be doing, under the risk of financial penalties. So in many cases it might defocus us from a broader, more common-sense approach to looking at these things. We can't expect that the regulators are really predicting everything, and really what compliance is about is assessing risk: do we have controls in place to help manage that risk? But I think too often the regulators become such a burden to organizations that they spend so many resources trying to appease them that they lose sight of that bigger picture. And really, to truly understand that hackers are coming up with newer ways all the time on how to infiltrate systems, and that insiders are misusing and abusing access that is perfectly authorized but doing unauthorized things with that access,
we need to take a broader perspective on this. A great example of this is a customer that's using our Access Insight, which is that analytics product, and is looking at user activity. They've had managers that have approved access year after year after year for systems that they now see no one's even logged onto for three or four years. So now they've got the proof to go back to them and say, hey, you've checked off that this person needs this account; they're not even using it. So it arms them with better information. And I think taking a continuous monitoring, analytical approach makes you more prepared for the auditors, as opposed to defocusing your attention from vulnerability and threat by just responding to the auditors.
Okay. Another question. So if I take these two things, I think one of the challenges of access governance is that it adds a sort of organizational layer and adds organizational challenges to what we are doing in access management. Compared to the traditional provisioning-driven things, which were very technical, you need to work far tighter with business, and a lot of organizations sort of had their challenges in making this convergence between IT and technology on one side and business on the other side. So with intelligence, level three: is this making things even more complex, or do you think it makes things easier because it helps them to focus instead of first building complex processes, roles, etcetera?
Yeah, I think it really highlights the importance of the relationship between IT, IT security and the business. Ultimately, at the end of the day, the business manager is responsible for access. We've got all this important data, whether it be patient data or cardholder information or just company trade secrets, and we need to say, well, is it appropriate for Martin to access this and Kurt to access that? The business manager needs to make that call. If we, as IT professionals, are putting IT-speak entitlements and roles in front of them, we kind of get what we deserve. We can't go to a business manager saying, hey, does Kurt need access to cost_fin_123, and have them try to figure out what the heck that means; rather, does he need access to the customer billing data? So there's a responsibility to translate a lot of this IT-speak into business terms. But what I think the analytics allow us to do is focus things when they're happening, as opposed to these broad periodic reviews, where if I'm a manager and I've got a hundred employees, and those employees have 10 applications each with 20 entitlements, I'm asking them to review thousands of pieces of data. Instead I can just do this micro-certification to say, hey, Kurt, your employee here, Martin, is in our sales organization, but his access makes him look a lot more like an IT administrator.
Why is that? Maybe Martin's my salesforce.com guru and has those rights, or maybe somebody changed his privileges inappropriately and he's got broader access than what he needs. So what the analytics allow us to do is give that focus to really look at what's important, so we can remove that from the noise. And then, theoretically, if we're looking at this on a continuous basis, if we still feel the need to do the annual certification review, it's much more of just a quick scan to say, hey, we've been taking care of all these things, we're pretty confident it's in line, just do a quick review. We even have some customers talking to their auditors about eliminating access certification reviews altogether by doing this continuous monitoring and analytics. At the end of the day, that's going to make a manager's life a lot easier.
Okay. So, final question. You also talked about identifying sort of abuse, or uncommon or abnormal use, of privileged accounts. A lot of organizations are spending a lot of money on technologies to get a better grip on the privileged accounts, and there are some reasons: shared account management, etcetera. But overall, when you look at it from that perspective, and maybe you're a little bit biased: does it make more sense to start with this privilege management technology, or does it make more sense to start with this access intelligence technology, to get a grip on privileged account use?
Yeah, I think they're very closely related. As a matter of fact, when we came out with our access intelligence product, Access Insight, one of the first things that is a feature of that is the discovery of privileged accounts and looking at the use and the access and the activity around those accounts, just because they definitely fit the mold of the highest risk. Where we can mirror that alongside some of the privileged account management, we partner very closely with CyberArk, for example, we can create a solution that blends the best of preventative, detective and analytical controls around that. So I think any time you talk today about access, privileged accounts definitely factor into that equation very significantly, and you need to have those be looked at from one perspective, as opposed to privileged accounts here and all other accounts there.
Yeah, that's also my view on that. I think access governance and privilege management are two dimensions of the same challenge, and they need to be understood as something which is tied very much together. So thank you, Kurt. Thank you to all the attendees listening to this KuppingerCole webinar. I hope to have you soon again as participants in upcoming KuppingerCole webinars. Thank you and have a nice day.
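The two mechanisms Kurt describes above, the orphan-account heat map with micro-certification and the risk-scored routing of access requests against a peer group, as an added worked example that is not part of the webinar and not Courion's Access Insight or any other product's code. The risk weights, the three-point risk scale, the activity buckets, the certification threshold, and every user, account, entitlement and segregation-of-duties pair are constructed assumptions for the demo:

```python
"""Access-intelligence toy: a risk heat map for accounts and risk-routed approvals.

Added illustration only; not Courion's Access Insight or any other product.
Every user, account and entitlement below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RISK = {"low": 1, "moderate": 2, "high": 3}   # assumed 3-point risk scale
TODAY = date(2014, 6, 1)                       # constructed reference date


@dataclass
class Account:
    account_id: str
    application: str
    app_risk: str                  # "low" | "moderate" | "high"
    entitlement_risk: str
    owner_id: Optional[str]        # HR identity this account is linked to, or None
    last_activity: Optional[date]  # None = never used
    via_provisioning: bool = True  # False = created outside the provisioning system


def is_orphan(acct, hr_users):
    """Active account that is not linked to any current HR identity."""
    return acct.owner_id is None or acct.owner_id not in hr_users


def activity_level(acct, today=TODAY):
    """0 = never used, 1 = stale, 2 = used in the last 90 days, 3 = last 7 days."""
    if acct.last_activity is None:
        return 0
    days = (today - acct.last_activity).days
    return 3 if days <= 7 else 2 if days <= 90 else 1


def account_risk(acct, hr_users, today=TODAY):
    """Heat-map score: application risk x entitlement risk, weighted by activity,
    doubled for orphans and doubled again for accounts that bypassed provisioning."""
    score = RISK[acct.app_risk] * RISK[acct.entitlement_risk] * (1 + activity_level(acct, today))
    if is_orphan(acct, hr_users):
        score *= 2
    if not acct.via_provisioning:
        score *= 2
    return score


def micro_certifications(accounts, hr_users, threshold=24, today=TODAY):
    """Orphan or out-of-band accounts hot enough to send to a manager right now,
    instead of waiting for the annual review; hottest first."""
    hot = [(account_risk(a, hr_users, today), a.account_id) for a in accounts
           if (is_orphan(a, hr_users) or not a.via_provisioning)
           and account_risk(a, hr_users, today) >= threshold]
    return [acct_id for _, acct_id in sorted(hot, reverse=True)]


# Constructed toxic combination (segregation-of-duties conflict) for the demo.
SOD_CONFLICTS = [frozenset({"ap_create_vendor", "ap_approve_payment"})]


def peer_group_entitlements(job_function, user_ents, user_jobs, min_share=0.5):
    """Entitlements held by at least min_share of the peers in the same job function."""
    peers = [u for u, j in user_jobs.items() if j == job_function]
    counts = {}
    for u in peers:
        for e in user_ents.get(u, set()):
            counts[e] = counts.get(e, 0) + 1
    return {e for e, c in counts.items() if c / len(peers) >= min_share}


def route_request(job_function, requested, user_ents, user_jobs, ent_risk):
    """Approval path for a request: 'auto' when it matches the peer group,
    'manager' for a minor deviation, 'multi_step' for an SoD conflict, a
    high-risk entitlement, or a request mostly unlike the peer group."""
    if any(pair <= requested for pair in SOD_CONFLICTS):
        return "multi_step"
    if any(ent_risk.get(e, "low") == "high" for e in requested):
        return "multi_step"
    outliers = requested - peer_group_entitlements(job_function, user_ents, user_jobs)
    if not outliers:
        return "auto"
    return "manager" if len(outliers) / len(requested) <= 0.5 else "multi_step"


# --- constructed sample data -------------------------------------------------
HR_USERS = {"u1", "u2", "u3", "u4"}
USER_JOBS = {"u1": "sales", "u2": "sales", "u3": "sales", "u4": "it_admin"}
USER_ENTS = {"u1": {"crm_read", "crm_write"}, "u2": {"crm_read", "crm_write"},
             "u3": {"crm_read"}, "u4": {"crm_read", "ad_domain_admin"}}
ENT_RISK = {"crm_read": "low", "crm_write": "moderate", "ad_domain_admin": "high",
            "ap_create_vendor": "moderate", "ap_approve_payment": "moderate"}
ACCOUNTS = [
    Account("svc_report", "reporting", "low", "low", None, None),
    Account("ora_dba_7", "erp_prod", "high", "high", None, date(2014, 5, 30), False),
    Account("hr_tmp_02", "hr_portal", "moderate", "moderate", "u9", date(2014, 5, 1)),
    Account("u1_crm", "crm", "moderate", "low", "u1", date(2014, 5, 31)),
    Account("old_fin", "finance", "high", "high", None, None),
]

if __name__ == "__main__":
    for a in sorted(ACCOUNTS, key=lambda a: -account_risk(a, HR_USERS)):
        print(f"{a.account_id:<12} risk={account_risk(a, HR_USERS):>4} orphan={is_orphan(a, HR_USERS)}")
    print("micro-certify now:", micro_certifications(ACCOUNTS, HR_USERS))
    print("sales requests crm_read+crm_write ->",
          route_request("sales", {"crm_read", "crm_write"}, USER_ENTS, USER_JOBS, ENT_RISK))
```

In the sample data the never-used orphan on a low-risk reporting application scores 2 and stays off the micro-certification list, while the unprovisioned, actively used orphan on the production ERP database scores 144 and is sent to a manager immediately; the routing function auto-fulfils a sales request that matches what most sales peers already hold, asks a manager about one extra unusual entitlement, and escalates anything containing a high-risk entitlement or the constructed segregation-of-duties pair to multi-step approval.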