KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
So we have, we have cast and Fisher Fisher, deputy group, chief security officer, which is a quite long title of Deutche bank, the larger the organization, the longer the titles, isn't it. And that Carol, who is our CEO at Coco Analyst. And the two of you will sort of exchange their thoughts on the role of identity and access management, for instance, very resilient.
And so we, the track evolution of identity management, I think this is an maybe to give you a starting point. I think this is one of these areas where it's really about evolution of identity management, because identity management not just is about onboarding or things like that. Or actually re-certification, it's an essential part to my perspective of cyber security and silly as my daughter. And then you it's up to you, most attack are related to identity. So if you're not good in identity, we always will struggle with cyber security customer battle. Does This work? Yes.
So thank you, Martin. Initially we have planned to have Stefan Berg here who, who was a victim or his company was a victim of a ransomware attack. Thankfully that's not the case with your employer.
You never, but nevertheless, I'm sure you can contribute to this discussion accordingly, just to make sure that we are all on the same page here. So when we talk about ransomware, let's, let's briefly reflect what it is. So obviously typically after gaining unauthorized access access, so there's already the excess part of it. Yeah. Malva will be deployed, which can either harvest corporate data or prevent the business from accessing its systems or, or the data until a ransom is being paid. And typically that's today done in current, such as Bitcoin, et cetera. Right?
So just one example in 2021, such as last year, Brent, a German based chemical distribution company was attacked and they have claimed to gain access by purchasing is another interesting thing, credentials from the dark web and, and they had to pay, ultimately I think 4 million euros, which was one of the largest resos at the, at the time. Right.
And, and if you're unlucky like today, this morning I read colonial pipeline. Not only had to pay the random, but they were fine quite substantially for not being good enough. Yeah.
So, and alright, so now let's focus on how can identity access management help us to, to, to fight that. And before we come to the fancy stuff, let's talk about the simple, the basics. And it looks like Carsten humans seem to be still the weakest link, right? They are. And that's probably human being to be that weakest link. That's why before we start talking about identity and access in that regard, and that's super important, but I think we need to learn that humans are the weakest link and we need to make sure that we protect them as best as possible.
I think we've all done and invested a lot into awareness training, and then we make people aware and they still click. So we need to make sure that even if they click nothing happens. Yeah. And I think that was focused for most of us over the last couple of years. I recently read that study, which says 85% of awareness trainings is failing. They do. And then I would not claim to be safe for that.
So I, if it's, if it's, if it's a smart attack, I probably a victim as in the hectic of the work, a daily work And smart attack is as simple as your son sending you a WhatsApp and you clicking on the link because you don't consider that your son could send you something that is malicious. What happened to me three days ago and nothing happened.
Good, protected, all great. But this is really people still click. That's what I mean with that. So you need to consider that they still click. So item number one, you try to build additional protection so that if they click, ideally they do that somewhere in a, in a sandbox environment and nothing happens or that you block what comes in and click, but then you are ultimately ending up with, okay, let's talk about identity because what happens if they click? What happens if credentials aren't mean?
So then we talk about the non fancy stuff, like multifactor authentication, all of that, but you can clearly see that a ransomware most likely starts with identity and access. Yeah. In 50% of the cases, it said ransomware attacks are fishing attacks. And since we are still relying to passwords, to a large extent, I mean, they're going off the password still. Right?
And it, it will come that way. We just had an inter interesting discussion with our internal auditor who was trying to convince us that via an SFTP environment, somebody could place a ransomware because it comes encrypted and place it on our environment and then de encrypt and nothing happens.
And, and then it will be spreading all over the place because auditors think that way. So can't happen because as soon as you de encrypted, a scan will catch it and all those things, but let's be realistic. The 50% number I would challenge, but it's research. So it's difficult to challenge. But I do think from a perception perspective, it's even more, it's the really, it's the fishing link coming in and then still, or stolen credentials that, that I used.
So, so the typical, the, the old school measures like forcing people to, to use strong passwords or, or single sign on, they won't help either. Right? What means strong password.
If, if somebody's sitting on your desktop and sniffing your password, it can be super strong. They're still sniff it. And they have it. So strong passwords usually lead to the fact that somebody's writing it down because it's so strong that they can't remember it. So they need to write it down. Then this becomes a weak link.
So the, I mean, we all talk about password less. We don't want to have passwords any longer. We're probably still a couple of years out. So that means we need to build additional layers beyond Password. Yeah. And single that on if it's relying on passwords, same problem. Right. Same problem. So multifactor authentication helps a bit, but again, the, our measures to circumvent that as well, but this is probably one of the stronger controls at least. Yeah. Yeah.
I think that's, that's probably what, what people were, were now trying to implement on a large, large scale in, in the past couple of years, MFA is sort of the standard now, but then number one, it, it takes a while to implement it across the board. And secondly, not sure what's your experience.
We still, we still do see it assets, which are not, not registered shadow it. So how do you protect them? How do you protect them? You need to find them first because they are shadow it. That means they are somewhere the shadow and they're hidden.
So, I mean, we are scanning regularly. We find assets that we may have not known about before. And then you take additional measures, but it's also, you deploy multifactor authentication, but it's inconvenient for folks. I have that debate at home with my wife every single day, where she asked me to switch off multifactor on her PayPal account. Cause it's inconvenient. You cannot do that with one click, you need two clicks. So we need to train people in saying, yeah, okay. Maybe convenience is the opposite of security. I don't think it is. You can combine that.
I mean, if you look at multifactor authentication tools, nowadays, the push notifications, you press the button. Yeah, you are done. So security's also about making the security control, convenient API able or whatever. I keep telling my folks a security control needs to be like an API. You ping it, you get a zero, you get a one. This is it, nothing more. And this holds true for identity and access in that regard as well, a multifactor authentication. If you make it powerful, like one click, then people will use it. If you don't do it like this, then people will bypass it.
Now what, how will behavioral analytics help us? So if you, if you find ha would have the capability to identify suspicious behavior in your well network. So I'm probably thinking about that since you invited me for that interview, because I knew that question would come at one point in time and I don't have a proper answer to it. Other than starting to explain how things can work.
When the pandemic started, most companies who had a proper UBA tool in place, switch it off, cuz they got millions of alerts cuz behavior changed significantly and dramatically within hours or days when everybody went into lockdown, this is the biggest, I think that's the best way to describe how difficult it is to use, use user behaved analytics. What's the basis. What is the basis that you're looking for?
And what's then the, the difference in the variance to the basis and how much does the difference indicate to you that something malicious is happening versus somebody just having chosen to work in a different style or whatsoever? Same with clients.
I mean, we are bank. We're trying to make sure that we understand client behavior. And as soon as client behavior changed, we are sort of assuming that the client got hacked and somebody happens, but what's the basis. I think this, this is still before you even start considering UBA as a tool, as a process whatsoever start thinking around what's your basis. How do you measure your basis and how do you then measure abnormal behavior to the basis? I think that's the big challenge. And that's why a lot of UBA tools, a lot of UBA processes fail.
At one point in time, if you look into research, they will probably tell you a lot of UBA projects failed. They failed because that you don't have the proper basis. There is a little bit because most of the tools we have out there today are trust, secret sauce. So the vendor says they do the drop, but you can't tell the tool for instance, oh, we are approaching the end of the fiscal year. And all my people in the finance department will do things they didn't do for the other 11 and a half months. And I think this is also part of that story.
That tools need to get better in the sense of, we can tell the tool, this will happen. It's okay.
So it's, you're absolutely right. Martin. The other thing in the pandemic that became obvious is if my office is in Frankfurt and people are usually working in my office in Frankfurt, then I know if they're connecting from outside Frankfurt, there may be something completely wrong, but if they now work remotely in Austria, But That's completely wrong, but Does this bring us back to identity management in cybersecurity so that we say we need to, to enable everyone to, to, to access from everywhere with every device.
And if you can protect us, we can also protect the more Critical use case. It comes back to the last slide we saw in the presentation before don't trust. Always verify, bring that as you said, that one device, but you need to verify, I need to verify I'm cast and Fisher. I'm allowed to do those things. And if I'm cast and Fisher, there's a role and a profile, what I'm allowed to do. But I need to verify that I'm cast and Fisher and I mean, this is probably the best way to go. There's another problem with a cast and Fisher, there are More of them. Yes.
Even in Deutsche, there's more than one cast and Fisher Fisher. That's why I'm cast minus B Fisher, But leaving the area of authentication. Now you might have too many rights. Yeah. Yeah. You might have too many rights for your day to day job and you might to have many rights for the things you need to do now.
So how, how do we get on top of that problem? We've discussed that last week. We probably that area of identity and access will most likely over the next two, three years, see a lot of artificial intelligence and machine learning, getting included. I think we've all focused a lot about, okay, let's get our provisioning, right? Let's get our re-certification process. Right. Then you get the revocation process. Right?
I think the next evolution will most likely be that we then need to start thinking around other clever methods to do that more automated and, and maybe that's where UBA can help, but that's most likely where artificial intelligence can help over time that you just don't leave it to individuals. If my boss needs to certify, re-certify all of my accounts and entitlements, it needs to start with the entitlements, need to tell him what I do and all of that. And that's cumbersome as you know, so there needs to be something beyond.
And I think that the tricky thing about, about over being overprivileged is that it is, it is dependent on the context. Yes. In some situations it may be fully okay to have a certain right. In others. It is not. Or if you have already a certain set of right, how do you make sure, sure. If you get additional rights that they are not toxic to the ones you already have, these Are segregation of duty, all that good stuff.
I mean, we bankers, we have been, we have been hit a lot. We all know that with, with sock gen where somebody had access to both sides of the story to trading and ops, obviously that was, I dunno, 2008, that lead to a lot of improvements on segregation of duty and all of that. But I think we now need to go into the next evolution we really need to. Yeah. That makes then life easier also with some rent ware attacks. Because if you make sure that cast and Fisher doesn't have privileged access rights and he shouldn't, then there's less risk to do it.
Let me quickly step in with a question from the audience we have in here. And I always encourage the audience on site and online to, to erase the questions, whoever can use the app. Also the room, raise the hand. So the questions, would you agree that incident response teams, or maybe also the red teams or others should expand their findings and recommendations to also fix gaps in IM processes?
So should we expand the cybersecurity stuff to identity management And they do so we have, we have included, I think just right after you left that, in fact we have included I and M completely into our incident management process from a security perspective. So every preach on the Inna side will be followed up with problem management as well, if it's systemic and then you learn from that. And then you think about how you protect that further.
That's, that's super important. Yeah.
But yeah, since you mentioned it, obviously going back to the ransom text, obviously they're always going after the highest privileges. So would you agree, Carson that having a privileged access management concept solution in place is one of the strongest ways to, to protect from random?
It, it absolutely is. It's, that's one of the reasons why all major companies invest a lot into privileged access management in different ways with different tools, but they all do invest in that because obviously the Twitter hack two years ago, privilege admin. Yeah. This will always happen. That's why this is the group where you protect with, you started with awareness. This is the group you need to be, make most aware because they are targeted. They put their profile into LinkedIn. It's saying I'm a privileged access manager in Doche bank. Great. So you are my target.
So you need to really protect that. Yeah. Okay.
Time, 18 seconds, 17 seconds. Let me close on something that is then coming after that. Cuz you said we haven't been hit by a ransomware attack. That's not completely true because I remember years, years in the early days of cyber, we had a small ransomware attack against personal fires and, and storage we could recover. So the next discussion we probably need to have is on operational resilience because you can protect, you can then do the RNA thing. The most important thing you need to worry about with a ransomware attack is operational resilience. How quick can you recover after an attack?
If you are able to recover, you don't need to pay a fine, This is a great closing statement.
