With the introduction of AI, machine learning and UEBA, the SOC objective is to detect abnormal behavior. More than ever Identity is the battleground in this new concept of iSOC.
During this keynote, you will learn how Identity Governance and SOC need to be tight and how to remediate when a threat is detected on a specific Identity with the concept of "Threat Aware Authentication".
Data, people and software security: how do they relate to the GDPR security principles? In this new attack landscape, network-centric security is no longer enough because threats come from inside and outside the network. Oracle Identity SOC is an identity-centric, context-aware intelligence and automation framework for security operations centers, backed by advanced user behavior analytics and machine learning to spot compelling events that require automated remediation.
The holy grail of security is to ensure the right people have access to the right things, always, anywhere, everywhere and all the time. Is it simply coincidence or a premonition of fate that the mission of the Identerati is to enable the same thing? With identity becoming the control point, the backplane and the new perimeter in a world with shifting borders, it's time to rethink our overall approach to information security. Identity defined security is moving to center stage and this session will explore the patterns and architectures of this new approach to security.
People are the weak link in security. Most data breaches start with bad actors using stolen user credentials, and this is fundamentally an identity problem. For too long Identity & Access Management has been viewed as a silo, often walled off from the security group, but this must change. Now, more than ever, Identity & Access Management must be viewed as a key security control that can help minimize and mitigate security intrusions.
Join experts from KuppingerCole Analysts and AI-assisted behavioral analysis firm Sharelock as they discuss why Identity Threat Detection & Response (ITDR) is a crucial component of an overall Identity & Access Management (IAM) strategy, why Cloud Workload Protection (CWP) is a growing security concern, and how these issues can be addressed.
Martin Kuppinger, Principal Analyst at KuppingerCole, will explain why we need to get better at protecting the digital identities of human and non-human actors in an age where the majority of cyber-attacks are identity-based, and why we need AI to be successful.
Andrea Rossi, Senior Identity & Cybersecurity expert at Sharelock, will introduce the Sharelock behavioral anomaly detection platform and describe how ITDR platforms can augment IAM controls to identify potential security breaches and take preventive actions. He will also explain how a combination of ITDR and CWP can address run-time DevOps security requirements.
Today, the Security Operations Center (SOC) is at the heart of enterprise security management. Security analysts in most SOCs are still relying on traditional SIEM systems as a core platform for their daily operations. These are the primary tools to monitor and analyze security alerts coming from the various systems across the enterprise and to take actions against detected threats. However, the rapidly growing number and sophistication of modern advanced cyber-attacks make running a SOC an increasingly challenging task even for the largest enterprises with their fat budgets for IT security.
From statistical correlation methods to machine learning algorithms, from risk models to behavior profiling, from threat intelligence to cognitive technologies – there are a lot of exciting new developments going on in information security, which promise to dramatically improve the efficiency of your SOC.
Cybersecurity practitioners agree that identity is now at the heart of everything we do. A variety of inescapable forces have brought us to this point, and our success in the coming years depends critically on how well we exploit the strategically placed identity centerpiece. Rising to this challenge requires our accumulated business analysis and deployment experience as well as the power of modern identity platforms. Critical to realizing this vision is an integrated set of connected identity services that communicate seamlessly within the identity fabric but also across the wider cyber security ecosystem. One Identity lives and breathes connected identity, and we are happy to share our experience helping organizations achieve value from connected identity security models. Whether you are struggling to integrate your existing identity silos, wondering what Zero Trust means for identity, or looking to new identity services like PBAC and decentralized identity, One Identity's innovative approach and design patterns shared in this session will be of interest.
Takeaways:
Although companies are constantly increasing their cybersecurity budgets, this does not seem to help much: each day we learn about new large-scale data breaches. Considering that over 80% of hacking-related breaches leverage compromised user credentials, it is mind-boggling why so many organizations are still focusing on securing their network perimeters.
This keynote outlines an entirely new approach — Zero Trust Security. This paradigm assumes that nothing in your corporate IT infrastructure — including users, endpoints, networks, and resources — is ever trusted, and each interaction must be verified to decrease the chance of a security breach. Zero Trust Security ensures secure access to resources while significantly reducing the possibility of access by bad actors.
Join security and identity experts from KuppingerCole Analysts and ARCON as they discuss the importance of securing enterprise credentials, explain why a unified identity security approach in line with Zero Trust principles improves security and efficiency, and describe how to combine solutions to address key identity security issues.
John Tolbert, Director Cybersecurity Research at KuppingerCole, will cover the background on identity-involved data breaches and discuss the need for identity threat detection. He will also describe where identity fits in the MITRE ATT&CK matrix, and how Zero Trust architecture can reduce the threat of attacks involving identity aspects.
Gautam Singh Deo, Director Strategic Business Engagements at ARCON, will give examples of identity-based attacks, discuss the evolution of the identity landscape, explain the importance of identity-centric security in the context of Zero Trust, and provide an overview of identity threat detection and response solutions and building a contextual data model.
Okay, so again, thanks a lot for the introduction. As you said, I'm the field CTO, I'm part of the CTO office of RSA, and today the subject I wanted to share with you, I would have wished to do it physically, but it's very important. Thanks to you, KuppingerCole, for maintaining the link between us with a cyber security event, virtually.
So yes, the subject and the theme for today, for my presentation, is something I called the new concept of iSOC. This is not a new gadget; again, I'm working for RSA, but this is clearly a trend, and a subject where identity, which is, as you mentioned in the introduction, one of my backgrounds, has never been tighter to the security operations center. And I want to present that today. Let's go ahead.
But before going directly to the subject, I think most of us, if not all of us, you know, not so long ago, roughly 15 years ago, knew that our security landscape was very different. We were managing networks, you know, firewalls, VPN, antivirus, authentication, and the goal and the challenge that we had was to protect that network from intrusion. Our mission in fact was to protect what I'm calling the castle and the perimeter; everything inside the network was considered a safe place and everything outside, you know, was not secured.
And so our mission was to keep the bad guys out. So to detect intrusions, we invented the concept of SIEM, security incident and event management. So I just use a little Bible sentence: let there be the SIEM.
And there was light. The goal was to collect all the device logs and to put all those logs into a central point, to be able to detect intrusions and generate alerts. In fact, collecting those logs, bringing them to one place, that was the SIEM challenge and the SIEM mandate. The main, you know, use cases that we wanted to detect were intrusions, network intrusions, denial of service, any kind of vulnerabilities.
Now, sometimes as well, the SIEM was used for post mortem investigation, but the main issue with the SIEM was, and still is today: if we didn't have any alert, we didn't have any threat. If you go back to the castle analogy, the SIEM was like the sentinel in front of the front door of the castle, trying to find out if there is any bad guy trying to enter inside this, you know, perimeter.
And that was the perimeter we wanted to protect, like really a kind of a church, going back to the Bible analogy. But no alert meant no threat; an analyst using a SIEM without any alert was completely blind to any kind of threat. But most of the time we were confusing intrusion and breach.
As you can see in the title of that slide, you know, this is clearly an evolution in our mindset, because if you look at the use cases, what is an intrusion? An intrusion is someone that has bypassed a control which is in place at the network level, at the endpoint level or at the application level; the control has been put in place and someone finds a way to bypass it. The main use cases, or let's say categories of use cases, that we want to cover with intrusion are mainly network penetration, malware detection, or a vulnerability that has been used. A breach is much more.
We are living in a state of compromise when we change that mindset. That means that we know that our network today, or the place or application, could be compromised.
Anyway, it's not only trying to detect what is going in, but also what is going out. It's an in-and-out problem. With a breach, when a breach happens, we have to have the full attack visibility in order to remedy and respond. But we also have to answer two main questions: who, and what. If I make another analogy, potentially in the middle age of that castle period of time, intrusion and breach were the same: when a castle was breached, that meant that someone came in, and that was one of the things that the sentinel wanted to do.
But if I make another analogy, when someone breaks into your house, you clearly have an intrusion, but if nothing happens and then the bad guys go out without stealing anything, it was just an intrusion. If he stole something, then we have a breach, and what are we doing? We are making a long investigation to find out the extent of the damage. That is the main difference between an intrusion and a breach. This is also the main difference between the role of a SIEM and the mission of a SOC, security operation center.
Now, in those years in between, to achieve a security operation center, in fact what we've done, step by step, progressively, we added more and more features, technologies, processes, and obviously people. But, you know, we wanted to detect and understand vulnerabilities. We also wanted to have the full visibility in the network up to the endpoint. We needed to have clear data protection and sometimes data leak prevention, threat intel, threat detection oriented, in order to aggregate all those alerts and to scale.
That was the mission of a SOC. As you mentioned in my introduction, for more than roughly 20 years at RSA, for the past six, seven years, I had the opportunity to meet a lot of customers in their security operation centers: more and more data, more and more alerts, sometimes hundreds or many hundreds of alerts per day. That was, and still is, the challenge of the security analyst. The security analysts say to me, "But Bernard, we clearly have alert fatigue. It's very difficult to find within, you know, this amount of data, what is important and what is not important."
So then the perimeter exploded. We all know that today. We all know that our castle, or the perimeter around it, whatever the size of the wall or how thick the wall is, it's not enough anymore, because that castle doesn't exist anymore. With mobile access, cloud adoption, IT in some of the industries and islands of identities everywhere, the perimeter doesn't exist anymore. It's the reality; it's not even a debate. So we introduced machine learning and artificial intelligence.
As you mentioned in your introduction, I've got a background in artificial intelligence as well, and I can understand why finally the machine needed to help. "Help, I need somebody, help", which is one of my favorite bands, if you know this sentence. In fact, we introduced real-time risk engines, statistical analysis and machine learning to achieve one goal: not only to protect, but also to detect targeted threats and respond. Ideally, what analysts want today
is: "Hey, Siri, can you find the bad guy for me, please?" That would be great, to just, you know, press a button and find with machine learning and artificial intelligence more threats than what we can do today. It's a little bit of a dream, but we introduced very recently, in one of those features and functions, one part which is very important, called UEBA. If you have never seen this acronym, and we have a ton of acronyms in our industry, this is user and entity behavior analytics, but the behavior part is very important here and is new. And you will understand why I'm calling that iSOC.
We're not trying to find if a network level has been compromised. We try to find here if a specific user, the U of UEBA, has a bad behavior or a behavior which is abnormal. Abnormal doesn't mean malicious.
First, it could be suspicious. But then with UEBA, user and entity behavioral analytics, we are focusing much more on the identity, on the user itself. We are helped by the machine learning, you know, capacity, but the goal is now not to track if there is a vulnerability; we will consider there is a vulnerability. The goal is to track if there is a specific user having a bizarre behavior. This is the link between the classical SOC and the new iSOC.
In fact, we try to find out if there is bad access in identity. What kind of access do we have? We have the access that the user has, when someone has granted me an access: I have a specific access. When I have a strong authentication, for example, someone is giving me access for a certain period of time to an application. The second kind of access is the access that the user should have. And the third kind of access is the access that the user really has. If you look at those three main domains, you will recognize the access control, black and white.
You give me access now to this specific application. The identity is the visibility on all of the access I should have, and sometimes there are some gaps. For example, if someone is leaving a company, they shouldn't have that access, but they have it anyway, because we didn't position the leaver access properly. And the security operation center, what is the goal? It is to find out what's the access that the user really has, finding in the network, exactly, "Hey", capturing this access that has never been seen before.
And this is how UEBA in fact is helping here, and in the middle of those three kinds of access, categories of access, we have a trend which is now called zero trust. I know we talked about it this morning, but I will redefine a little bit that new concept. Is it really new? Let's see. So iSOC with a zero trust mindset: we have now the identity, which is in the middle of the SOC challenge or the SOC mission; we need identity visibility. We also need identity insight that can be translated into analysis in order to do and find the right action.
As I said to you at the beginning, I don't think that zero trust is a product. It's not really a feature. Sometimes, you know, some vendors are claiming, "Hey, yes, we have a zero trust solution for you." It's not really new as well. Let's step back again.
In 1976, Saltzer, a professor in the, you know, famous MIT, introduced for the first time this notion of least privilege. I'm pretty sure all of us, you know, around this event with a lot of identity background, we know that concept or notion: least amount of privilege. If someone wants to, you know, complete a job or task, or have access to a system, we need to give him the least amount of privilege, you know, in order to do that task, no more. That was already something which is, "Hey, I'm not trusting."
We need to give as little as possible. At the same period of time, three famous people at RSA, we know them very well, Rivest, Shamir and Adleman, and before them, you know, Diffie and Hellman, introduced the notion of public key cryptography, or public key infrastructures. In the middle of that PKI we also had a trust, but the trust in this way was not something positive. It was viewed as a negative term. First of all, in cyber security, we do not trust.
It is not the same way as in a normal life, where we have some friends or people we know physically, and we have a human relationship. We trust people.
Now, in this case, first, we don't trust. An example: if a certificate authority was not trusted anymore, then the entire transactions were compromised.
So again, trusted, but in a negative way. Then in the mid nineties, exactly 1994, a working group was created to develop the idea of de-perimeterization. It was early stages, but today we know it. That it's the reality. Why? Because they thought that the core network couldn't be trusted anymore. In early 2000, the network platform today at RSA was developed to capture and analyze this network, capturing and analyzing the legitimate network to find, in this network that we think is safe,
if there is any potential threat. We are cutting out the white space; everything that has been filtered is not analyzed because it is already blocked. But when we go to, you know, this legitimate network, we need to find some threats. So at the end of the day, zero trust is much more an evolution. It's a mindset. And if we do a risk-driven approach, then clearly this has existed for decades.
Now, going back to the iSOC concept, with an identity triage: identity assurance, access assurance, and activity assurance, combining identity and SOC. Those are the features and functions to support this identity triage: continuous monitoring, deep visibility in access and entitlements, risk-based authentication on the identity part, but also linking those accesses to the logs, the network, and the endpoint, being able to, in real time, coordinate action and answer. But obviously having in mind that this needs to be driven by risk with a business context. To finish,
I want to show you just a use case. Imagine, you know, the SOC is detecting an identity which is compromised by having, for example, UEBA, user identity behavior analytics, which is detecting an abnormal identity usage. An alert is raised, and then an investigation needs to begin with the identity context, context from the identity. We clearly have an identity scanner, with an identity solution giving whole visibility into the SOC.
Like we have vulnerability scanners, you know, identity solutions are identity scanners, and then need to give the context back to the SOC analyst immediately as a remediation plan, or a remediation action. We can modify on the fly this specific entitlement that has been used by the bad guy, just because potentially it was not well positioned, or it has been compromised for making an escalation of privilege. What we can do as well is to step up the authentication on that specific identity.
I want that the SOC analyst just presses a button and then immediately the MFA consumes the fact that there is a threat related to that specific identity, and steps up the authentication. We're calling that the threat-aware access and authentication of an iSOC. So thanks a lot.
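The identity triage and threat-aware response the keynote walks through, as an added example that is not code from the talk, from RSA or from KuppingerCole: it models the three kinds of access the speaker lists (granted, should-have by role policy, really used according to logs), scores a new event UEBA-style against what has never been seen for that identity, and, on an alert, steps up MFA and revokes the excess or ungranted entitlement the suspicious session touched. All users, applications, role policies and log lines are constructed for the example.

```python
# Added example: identity triage over constructed data (not the keynote's code).

# Constructed sample data: granted entitlements, role policy, and role membership.
GRANTED = {"alice": {"crm", "hr_payroll", "vpn"}, "bob": {"crm", "vpn"}}
ROLE_POLICY = {"sales": {"crm", "vpn"}, "hr": {"hr_payroll", "vpn"}}
ROLES = {"alice": "sales", "bob": "sales"}  # alice kept hr_payroll after a role change

# Constructed access log lines: "timestamp user app source_country".
LOG = """\
2024-03-01T09:02 alice crm FR
2024-03-01T09:40 alice vpn FR
2024-03-02T10:11 alice crm FR
2024-03-03T03:15 alice hr_payroll RO
2024-03-03T03:16 alice admin_console RO
2024-03-01T08:55 bob crm FR""".splitlines()

def entitlement_gaps(user, lines):
    """Gaps between the three access sets: granted but not in the role policy
    (excess, e.g. a leaver entitlement) and used but never granted (escalation)."""
    should_have = ROLE_POLICY[ROLES[user]]
    really_used = {l.split()[2] for l in lines if l.split()[1] == user}
    return {"excess": GRANTED[user] - should_have,
            "ungranted_use": really_used - GRANTED[user]}

def baseline(user, history):
    """Per-identity profile from past events: apps, source countries, login hours."""
    prof = {"apps": set(), "countries": set(), "hours": set()}
    for line in history:
        ts, u, app, country = line.split()
        if u == user:
            prof["apps"].add(app)
            prof["countries"].add(country)
            prof["hours"].add(int(ts[11:13]))
    return prof

def score_event(prof, line):
    """UEBA-style scoring: each never-seen attribute adds a point (abnormal, not yet malicious)."""
    ts, _, app, country = line.split()
    hour = int(ts[11:13])
    reasons = []
    if app not in prof["apps"]:
        reasons.append("new_app:" + app)
    if country not in prof["countries"]:
        reasons.append("new_country:" + country)
    if all(abs(hour - h) > 2 for h in prof["hours"]):
        reasons.append("off_hours:%02d" % hour)
    return len(reasons), reasons

def triage(user, history, new_events, threshold=2):
    """Identity triage: score new events against the baseline; on an alert, step up
    MFA once for the identity and revoke any excess or ungranted entitlement used."""
    prof = baseline(user, history)
    gaps = entitlement_gaps(user, history + new_events)
    risky = gaps["excess"] | gaps["ungranted_use"]
    actions, stepped_up = [], False
    for line in new_events:
        risk, reasons = score_event(prof, line)
        if risk < threshold:
            continue
        if not stepped_up:
            actions.append(("step_up_mfa", user, reasons))
            stepped_up = True
        app = line.split()[2]
        if app in risky:
            actions.append(("revoke_entitlement", user, app))
    return actions
```

Running `triage("alice", LOG[:3], LOG[3:5])` raises one step-up action with the three reasons and revokes both the leftover hr_payroll entitlement and the never-granted admin_console access.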