Wonderful. Good morning. Thank you very much for joining me today for our talk. So much of identity and access management focuses on how this group of experts can advance the business so much is focused on helping processes scale across large organizations. Like we just saw so much is focused on enabling better interactions with consumers. And it's a very exciting space. I'm here to talk about a different aspect of identity and access management. One that is equally critical in our view yet takes a very different approach. I've been in the identity space since 1997. So it's been a long time doing product strategy, product management, with a number of vendors in the space. And I have a good understanding of, of the basic tenets of, of what we're up to here. I think there's something very, very special about privileged account security, privileged account management, because it helps the business in a very, very critical way. And in fact, as we'll see this morning, it actually helps keep the lights on
I'm coming at this from a security perspective, a core security perspective. In fact, we spend as much time talking at core security conferences as we do at identity conferences, because it's so critical for us to really kind of bring these two functions together and make sure that the two groups actually speak with each other. And one of the tenants I learned very early in my career is the first thing an outsider has to do is gain the credentials of an insider. He can't do anything. If he breaches the perimeter, he can't go anywhere unless he's got the credentials for it, something we all understand,
But what we're seeing with advanced threats, advanced attacks over the past three years, and I'm sure it was happening before then, we might not have noticed was that attackers were coming in compromising credentials of insiders, compromising privileged credentials, and really having their way with the organization. Why do they go after privileged credentials? Simple reason. It gives them access to just about anything they want and it allows them to hide. They can bury their, their footprints. They can make sure no one actually knows they're there. And when you see statistics like this, other statistics from similar vendors will tell you, or similar research teams will tell you that the average attacker is active inside an organization for over 242 days, right? The only way they can do that is that they've got these privileged access, privileged credentials.
So let's talk about how privileged account security can actually help keep the lights on. I'm gonna show you a case study of one of our research teams has been very effective at kind of deconstructing what actually takes place and look for privilege connections in a number of cyber attacks. I could have shown you the bank Bangladesh example. I could have shown you Sony. I could have shown you Sans casino. I could have shown you any number of these. And the story would be very similar, but this seemed very timely back in December of last year, about 225,000 people in the Ukraine lost power one night and they lost power because a cyber attack. And it was the first time that it had been confirmed by reliable sources, including numerous government agencies that a cyber attack had actually caused power outages. And someone had able to take down a large section of the electric grid through a cyber attack.
So that in and of itself is very important because we're not just talking about protecting data, protecting consumer data or protecting intellectual property. We're actually talking about how to protect how society actually functions. So what happened? So three different power organizations were targeted during this attack. It was coordinated. Two of them fell victim to the attack about 225,000 people without power. Not only did they take down the power, they made it very, very hard to recover, right? Very well thought out very well executed. So let's talk about how it happened. It happens just like almost every other cyber attack. There was a fishing attack. The first presenter this morning spoke about this idea of embracing your people and really making the partners in your security program, which is a fantastic idea. And I'm a big supporter of that. I also know from experience that between one in 10 or one in 20 fishing emails will be successful.
So if you have an organization with 10,000 people, you can do your best to educate them, but somebody's going to get in your people have to be perfect. 100% of the time, the attacker has to get lucky once or twice. In this case, they sent phishing emails, presumably from trusted vendors and trusted people in government that work with the utility when they targeted it, people, it, people actually opened the emails when it prompted them to execute a macro because of the safety check in Microsoft, they said, yes, go ahead and do that. And the next thing you know, there was contact with a command and control server. Malware's being downloaded. Remote access tools were being downloaded and there was a base of operation inside these power companies for the attackers to operate phishing attack
And point was infected. They have a base of operation attackers gain access start, Don loading tools, back doors, and then they start doing reconnaissance. Reconnaissance means you start looking around to see what else is there. You wanna understand the network's apology. You wanna understand as an attacker where the assets are, and you also need to go and grab more credentials because the efficient attack will get you a certain set of credentials. And oftentimes by the way, it's not the it person that falls victim. It's just a basic end user. So the challenge is how do I escalate? My privilege is how do I make sure I've got the credentials I need to access the systems. I need to access to carry out my objective, whatever it might be. And that takes time. They were fortunate in this case because they got privileged credentials right off the bat. They got some, it people's credentials. These were not totally give them broad system access. So they had to grab more as they went around. So they rec they do reconnaissance. They grab the network information. They find out where the important pieces are and they, they grab more credentials on the way.
So the next thing is they start saying, okay, where would these credentials take me? Right. They can explore. They can go even further. And because their purpose was to take down the electric grid, they had to get from the it network over to the operational technology network. They had to cross that gap. Well, a couple things were a problem here. Number one is there was no air gap between the internet connected it network and the supposedly safe OT network major problem. Right? The second thing was they were able to grab credentials and actually set up a VP VPN connection from it to OT and all they needed were those privileged credentials to make that happen.
So once inside, they now had access to all the systems on the operational technology network and that technology in that space, which many of you probably know better than I do. It's a combination of a lot of windows at the management level, a lot of proprietary protocols that are very difficult because you have to have specialized software to do that or specialized skill set to do that. But in this case, they actually had enough privilege and enough knowledge by watching over the course of, of days, how these systems were operated, that they could actually shut the relay switches off and actually turn the breakers off. So the power would actually go out. So in the process of moving around, by the way, they took some malware called kill disk and they dropped it on a bunch of computers along the way. And the whole purpose was they wanna make it hard to recover from this particular piece, from this particular attack.
So when the attack happened, they decided to throw the switch. They had these kill dis stuff sitting dormant, and the power went out, right? What they also did is they took control of the human machine interface, the operator consoles, and they took control and they shut off the mouse capabilities and keyboard capabilities. So if someone noticed what was going on, they would have the be totally unable to respond to the attack. They'd be left without any controls on the computers to actually respond to the attack, right? Took privilege access to do that. And then the last piece is that they launched a denial of service attack against the call centers. So people from the outside, knowing what's going on start calling could not get through.
And then they launched the kill disc efforts. So across their whole it network where they had the attackers had been systems were destroyed, they deleted 40 or 50 key files made those systems interoperable. They did the same thing on much of the OT side of the house as well, right? 225,000 people without power. And the only way to restore power because of the destructive nature of what they did was to manually send out teams of people to over 30 different substations in the area to manually reset the breakers, to turn the power back on. And even several months afterwards, the only way that the organizations could, could actually manage those substations was not through a centralized control center. They had to manually go out to those substations and perform any maintenance or administrative functions on that because of the devastating nature of the attack.
So the role of privilege, first of all, it started at the end point, a user fell victim to a malware, to a fishing attack, and they downloaded malware. They were able to grab privilege credentials from that point and then move about the organization as they did that they could move laterally. They could do reconnaissance, they could grab more credentials. And eventually they found the credentials that would let them operate the breakers remotely from the operational technology command center and execute the attack. As I said before, you could look at Sony, you could look at the German parliament, you could look at Lamont TV in Paris. You could look at Sans casino in, in Macau. They all follow a very, very similar path. And if you look at that small little diagram in the bottom, right of your screen, this cycle of grabbing credentials, moving around the organization and then moving to the next step, continues over the course of hours and days. And sometimes weeks and months as people really, as the attackers map out their plan and grab their credentials, they need to carry out the attack. And when they're ready, they hit the switch and the attack happens.
So how could privileged account security actually help with this? First of all, you put those credentials in a secure place. And that means whether they're password based credentials, whether ssht credentials, you put 'em in a secure place, you provide accountability to specific users for using those often shared credentials. And you make sure access is tightly guarded to those credentials. Best practice used to be that if you rotated admin credentials, every 90 days, people thought you were doing well for high profile systems, you should be doing that every single minute. Basically every time a credential is used, it should be discarded, rotated in a new one should be put in place, high administrative overhead. If you don't have automation, but it's something you really need to do for your domain controllers for critical OT accounts and some of your critical server assets that you wanna protect.
One of the important parts of a privileged account security solution is the ability to not only protect their credentials in the vault and do the rotation, but actually provide security throughout the session itself. One of the critical capabilities you wanna look for is making sure that that credential never goes down to the administrator's endpoint. Oftentimes it's not your endpoint. It's a third party vendor's endpoint, and you have no idea what the security status of that device is. So you make sure the credential never goes there. The next thing you do is you force a brokerage situation, a jump server situation where only certain things are allowed to pass through. So you don't let malware pass through your jump. Serveral can't get through mouse clicks, keystrokes only, and that provides this central point of control. That gives you a couple nice benefits. Number one, if it's a third party person performing the function, you can actually have someone looking over the shoulder, virtually looking at everything they do.
And if they see something they don't like, they can hit the switch to stop. The session more common is you're gonna have a full recording of what took place for compliance purposes, as well as forensics benefits, right? But that control point gives you security of, of making sure that only trusted activity happens gives you total control over administrative functions on that particular target and provides a good strong session security. In this case of the, of the Ukraine attack, such an architecture would make sure that only authorized users could actually get over to the OT side because of the secure network connection handled through the privileged account security solution. So you have a strong end to end credential protection, session protection, monitoring, everything that took place during that session, which is extremely valuable. The next thing is you wanna make sure you're monitoring your privilege activity on a consistent basis.
It's not every so often. It's not something that is done just by the security operations team. As part of your broader analytics, you wanna understand the behavior of your privileged credentials in this case, if you see those credentials doing a lot of things they've never done before, you can actually identify that those credentials are probably in the hands of an untrusted user, or at least there's gonna see it be a policy violation or something unusual that someone can look at that and say, you know what? I need to look into that because this has never happened before. This is unusual. I need to take a look at this. And finally, don't forget about the end points. If you can prevent that initial infection from going anywhere else, if you can prevent the malware from being installed, you've actually blocked the attack before it actually got started, which is very, very critical.
The lesson here, the cyber, the cyber attack battleground is no longer at the perimeter it's inside your network. Your strategies have to assume that you're already been penetrated. People are on the inside of your network. And the question is, what do I do now? I talked about the life cycle of this attack. Oops, sorry. The life cycle of the attack is that it goes from endpoint privilege, escalation, maybe I, I scrape memory and I find a, a hash value that stored there. Maybe I can do a brute force attack on other credentials there, maybe I'm lucky. And I get an admin credential right away. And I play this game of Pacman. If you're familiar with the video game many, many years ago, where the little character goes around and grabs gobbles up dots, it get stronger every single time they do. They go. It's the same thing with privileged attacks, privilege based attacks.
Every credential they get gives 'em more access, more power, more ability to carry out the attack. And it's a cycle they can carry on for days, weeks, and even months. And then eventually the attacker can say, I've got what I need. I can execute my attack. They can exfiltrate the data they can cause damage, whatever it is that they want to do privilege is at the center of that. And if you can break that privilege, escalation cycle, either, right at the end point at that initial point of infection or somewhere in your data center, somewhere in your cloud assets, you can actually break the attack. You can stop the attack and at least you can definitely mitigate any potential damage that's gonna take place because of that, we know that attackers go after privilege. They go after privilege in 100% of the high profile attacks you've ever read about.
And they go after privilege in the vast majority of every single attack that happens for the very simple reason that privileged access is what they need to get the attack to be successful. Privileged credentials are different from basic identity credentials. In many ways, if an attacker gets my credentials, he's not gonna go too far. If he gets my it administrator's credentials, he'll go a lot further. The simple model that also plays out is not just this lateral movement, but it's asset escalation. I start at the end point and I need to find credentials that will move me up the asset stack to a higher value asset. I need to get up to my server level.
And from there eventually I typically wanna go to my domain controllers because that's where I can really do a total take down of the organization. That's where I can do the most damage. The only way to get there is by grabbing privileged credentials. So again, if you can block that credential escalation, if you can detect it before serious damage is done, you've gone a very, very long way and mitigating any potential cyber attack that might happen. So the overall strategy that we advocate is you do you find your credentials, you identify where all of them are. And by the way, I guarantee you have more than you think you have. We've had customers that have done full audits and they stopped counting after a million. And they NEC they weren't necessarily huge organizations. They might have had 20 or 30,000 employees. The numbers are stunning are stunning because they're in applications.
They're in scripts, they're in your dev environment, your QA environment, they're in all your network devices, they're in all your databases and applications, they're everywhere. And they proliferate like you wouldn't believe you gotta find them lock 'em up and make sure only authorize people gain access. Next is secure the session through that isolation and control I spoke about, and the third is this continuous monitoring capability, so that you'll see policy violations, you'll see suspicious activity. And you may even see a privileged credential being used that should not be used. And you can actually automatically remediate that by rotating that credential and making it invalid, you need that comprehensive approach to privileged account security. I won't go into the details. You can learn more about the CYC solution upstairs, just to let you know, we build our solution of multiple products to handle the whole lifecycle of privilege in your organization on a shared technology platform, which makes it very cost effective.
Very easy to start with one particular solution and then grow over time. As you need to finally, I'll let you know that CYC is very focused on cybersecurity. We have security research teams, seven or eight people, Intel Aviv, and their whole goal is to better understand vulnerabilities, better understand privilege, escalation, better understand how attackers are actually functioning so we can build algorithms into our products. We can share the knowledge with our teams so that we can actually stop these attacks and treat this as a security problem that it is we're fortunate enough to be growing very, very quickly, which just tells you the demand for this is unbelievable. The, the demand from when I started three and a half years ago to now has just been incredible as organizations start to understand what's taking place. And the key change in the market that we've seen is it used to be very compliance, driven.
We'd have an audit, finding the, the company would respond to the audit finding, and they'd go back to another project until the auditors came by again. And they said, now you have to do this, or you have to do that more and more organizations are looking at this as not a project, but a program, something that they have to build on over multiple years to really make sure they can mitigate the risk of these cyber attacks. And it's something that Cy is very eager to help you with. So if we have a chance, we'd love to talk to you later on today. Thank you very much.
Thank you, John. Thank you very much. I think we have one question just came in in the last minute.
What is the single most common function we see people deploy? So if you looked at the solution slide there, the common components are a vaulting capability for secure storage and retrieval of the credentials. There is the monitoring function. There's the application integration and then continuous monitoring at some of the endpoint least privileged solutions. The most common one is the vault. It's the cornerstone of just about everything, except for the end point solution. I will tell you that right now, about 30% of our customers, our new customers are actually buying three or more products. So they're not just buying one. And then building over time, they're actually starting with two products or even three products as they go through that. And the typical combination is to start with a vault and the session monitoring and session security capabilities. So you really have end to end protection of that privilege credential. And then the third one varies. Sometimes people place a high priority on the application privilege credentials, and they want to take care of that. First other people would look at the end point solution and want to do that first. So there's some variability with that, but those first two of credential protection and session security are, are the most common
All. Okay. Thank you so much. Thank
You very much.
