Join security and identity experts from KuppingerCole Analysts and ARCON as they discuss the importance of securing enterprise credentials, explain why a unified identity security approach in line with Zero Trust principles improve security and efficiency, and describe how to combine solutions to address key identity security issues.
John Tolbert, Director Cybersecurity Research at KuppingerCole will cover the background on identity involved data breaches and discuss the need for identity threat detection. He will also describe where identity fits in the MITRE ATT&CK matrix, and how Zero Trust architecture can reduce the threat of attacks involving identity aspects.Gautam Singh Deo, Director Strategic Business Engagements at ARCON will give examples of identity-based attacks, discuss the evolution of the identity landscape, explain the importance of identity-centric security in the context of a Zero Trust, and provide an overview of identity threat detection and response solutions and building a contextual data model.
Hi, John. Good morning, good afternoon, good evening to everyone joining from different parts of the world. Happy to be here.
Thank you. Yeah, likewise, some logistics info. First, we're in control of the audio, so there's no need to mute or unmute yourself. We will do questions and answers at the end of the session, and you'll notice there's a questions blank and go to webinar control panel so you can type in questions as they come up at any time. We'll also be doing a couple of polls during my session, and then we'll look at the results of those during the q and a session. And we are recording this, so both the recording and the slides will be available shortly.
So I'm gonna start off by talking about how digital identities are involved in cyber attacks and cyber crime, what the identity elements are in the minor attack framework, and then talk about some of the tools that are involved in helping prevent identity based attacks, including zero trust. Then I'll turn it over to Gotham, and then we will do q and a at the end. So first up, identity is a vector as, as we all know, identity is a, a key way in, in probably most of the cyber attacks, data breaches, cyber crime that we read about in the news, you know, every day. And for the last 10 or 15 years, identity is sort of key for the attackers to get in and, and get what they want and cause damage. So, you know, my identity elements, it can kind of include a lot of different things from user names, credentials or other credentials, passwords, even tokens and tickets like Aker ticket, password hashes.
We'll see the things like domain trusts, federation trusts and configurations can be involved in attacks. And we do, of course, recommend multifactor authentication everywhere possible, but there have been exploits that have leveraged, you know, or compromised multifactor authentication as well. So a question comes up, where do the attackers get this credential information? Well, there's old fashioned brute force password guessing is still in use, they do reconnaissance. And that in fact is a step on the, the miter attack framework. We'll look at in more detail. There's information that they find on the dark web from other password breaches, from other attacks, and there are even access brokers who gather that information, you know, from previous attacks and sell it to other attackers. And lastly, there are cases where insiders, you know, employees, contractors, partners might be involved in it. So first up, let's talk about MIR attack. It's an industry standard way of understanding, discovering, and even helping to remediate against cyber attacks. My first poll question is, are you familiar with MI attack and, and how it is relevant in the identity space? So we'll give a few minutes here or a few to collect those answers.
And we'll take a look at how that turned out and in a few minutes. So I know this is hard to read, and I've got, I've made slides for smaller groupings of this information, but I think it's good to show, you know, the major phases across the MIR attack framework. So this is about visualizing, conceptualizing how a cyber attack begins and all the different types of steps in between that can lead to things like data exfiltration and what the long term impacts are. So across the top we see the names, the individual stages from reconnaissance, resource development, initial access, execution, persistence, escalation of privileges, evading defenses, credential access, and of course that's all about identity. There, there discovering data, the data that they are interested in exporting or stealing lateral movement within the target victim organization collection of all that information that they intend to steal, command and control. And then lastly, filtration and the impact. So again, there, this is just a subset. This is, you know, what I've found is the identity related subset of tactics, techniques, procedures that have been identified as, you know, ways of compromising an organization.
So let's look at the first two, reconnaissance and resource, the identity related techniques. Here are things like phishing, you know, using a phishing email to get information about people inside the organization. The attackers also sometimes probe authentication services, those that are externally exposed, you know, perhaps looking to see what kind of authentication methods you supported or how to subvert that. They can also look at social media to get information about accounts to compromise. And, you know, there are other forms of social media that, or social media credentials that might be used even on tech support sites or, you know, informal tech support sites. So that might be a way for an attacker to learn about who's responsible for what kinds of systems in an organization.
So by resource development, we mean, you know, how, what, what sorts of resources do they create to be able to facilitate their attacks. First up is, you know, taking over an account in the victim's organization and then using that to establish other accounts within that organization. The next two phases are initial access and execution. And again, you'll see that there's some, some of the techniques are shared between the different stages in an attack. Phishing, again, is one of them. Supply chain compromise. You know, this has been in the news a lot in the last couple of years because attackers realize that a well coordinated attack on a member, an upstream member of a supply chain, they give them access to lots of other companies, lots of other products and their customers. They can also exploit trust relationships. Again, this might be part of the supply chain.
It might be, you know, even in, not in a large supply chain, but you know, just a business to business connection. One off business to business connections. And then they use valid accounts. That's why they take them over. That's why they create other accounts once they get in inside the organization that they are intending to steal data from execution, you know, getting the user to do something that leads to the compromise of their machine or, or exposes additional access to the attacker. Again, think of things like, you know, a weaponized office document. Unfortunately, macros were disabled by default by Microsoft office about a year ago. But they're, any executable that you can get the user to run is potentially something that could lead to the compromise of their machine. And then others persistence. Once an attacker gets in, they want to stay in. What in the, the realm of identity do they use for that? Well, they edit the accounts that they may control. Once they get access, they create other accounts, use those. They can even modify authentication policies because they may wanna make it easier for them to get in. Then, you know, maybe having to use mfa, you know, on an outside account. So there have been cases where exactly this has happened. They'll get in change policies, set up accounts to make it easier for them to come back in in case they get discovered.
Privilege escalation, you know, this is another big, you know, very solidly identity concept. You know, privilege associated with certain kinds of accounts. They can abuse the privilege elevation controls, they can create an edit access tokens. You know, and this is quite insidious, you know, editing domain policies and adding federation connections. You know, there have been cases where exactly this has happened, where the attacker gets in and again, to make it easier for them to persist and, and gain additional access, they will, you know, add, add federation trust between different domains in the target domain. They can even create real domain controllers, keep them out of sight and find other ways to subvert trust controls.
Defensive eva, once they get in and they want to persist, then you know, it's necessary to sort of hide the tracks. So again, they can use techniques like abusing privilege elevation, manipulating access tokens, creating more access tokens, adding and editing permissions, masquerade as other users modify those authentication policies. The domain controllers and even, you know, white blogs in an attempt to throw off investigators. You know, obviously most, most systems are logging various events and if they're not, you know, logging them in a consolidated and centralized way, attackers can make it easier to conceal what they've been doing. So this is a, you know, a key thing for enabling them to keep their persistence going by evading defenses. And these, this is not, you know, the full MIR identity mir tech technique list. These are just the ones that I think, you know, really pertain to identity.
But when you get to credential access, it's mostly about identity, you know, and there's a long list of tactics or techniques and sub techniques that you could find on the miter website, and it covers some of the things that we've been talking about here with brute force password, guessing different places from which they can steal credentials, passwords, even cookies, different kinds of tokens like job tokens or certificates taking over keys, you know, intercepting multifactor authentication. This is one that's been in the news a lot lately. You know, creating MFA requests, hoping that the, the person that's been targeted will just eventually tire of that and, and say yes to it and enable them to capture that, you know, stealing credentials from an os say an endpoint, and then leveraging that or hoping there's similarity maybe in, in naming conventions and being able to move around from one end point to another. And then just general unsecured credentials can be used in this phase of an attack discovery. So by discovery, we're thinking of what, what kind of identity related elements would they want to find? And then, you know, further exploit during an ongoing campaign. Of course, there are accounts and other resources, but those domain trusts, fruit policies, password policies, permissions, adding themselves to different groups that may have permissions, and then finding who are the system owners for, you know, some of the key systems that they may want to target.
Then the next four are lateral movement, collection, command and control and exfiltration. And for lateral movement, you know, there may be internal spear fishing once they get inside and find out, okay, who are the responsible parties for, you know, X, y, and Z systems? Find out who those system owners are, then they can take that information, craft an email or message that looks like it's coming from, you know, the appropriate person inside. And further compromise those who receive those, you know, and using alternate authentication material like other curbs tickets or tokens for the next three. Collection, command and control and exfiltration, they're mostly using the identity information that they have acquired in all the steps that we've talked about up to this point in the last phase is impact. What is the impact caused by the use of identity information? And again, this is a subset, you know, they can do things like remove accounts of valid users. They being attackers, they can conduct internal denial of service attacks. You know, one way they may do that is simply turning off services or hijacking other resources. And, you know, potentially most damaging is once investigators, security analysts have figured out, yes, there's something going on, they can actually interfere with the recovery process, you know, thus delaying, you know, remediation, you know, and you can see throughout these different phases, there's opportunities for them to increase the meantime to detect and increase the meantime to remediate.
So how does zero trust fit into this? You know, many of us in industry have been talking about zero trust for a few years, and we think it's, you know, a really good paradigm for increasing an overall security posture. So zero trust, you know, we think of as instantiating the principle of least privilege, and it means doing proper authentication and authorization for all the different types of resource access. And, and here are the different factors that need to be evaluated for each and every resource access attempt. Looking at user information, again, this is where identity comes in. Strong authentication, risk based authentication device, device intelligence, device identity. Knowing the context around, you know, the device network information, IP addresses, IP reputation for external ips, you know, making sure the encryption of the communication is encrypted.
It also extends to system and applications. And this is where you might use things like access governance, user behavioral analysis, SIM systems, you know, the consolidation and centralization of log data to prevent that step back where we were talking about, you know, an attacker trying to wipe out information on each individual server to cover up their tracks. And then data, you know, looking at data centric security, which users have access. So each, each evaluation at runtime should be able to take into account data and metadata about all these different contextual elements and render a decision in accordance policy.
So again, in a zero trust principle of least privilege, you know, this is aligned, I believe with the NIST SP 802 7, I think. I think that does a good job of sort of encompassing a lot of the principles that Zero Trust embodies. And this is, you know, using that device intelligence, authenticating devices, securing the communications, making sure it's encrypted regardless of where the traffic originates access on a session by session basis, doing the authentication and authorization and, and it must be evaluated against policies. Policy based access control is, is certainly far more efficient than things like group or role based access control, integrity and securing all assets monitoring. I know the, the, this document talks about continuous diagnostics and monitoring, and that in itself can become a source of intelligence that can be used to dissuade attackers.
Policy based access control equals continuous authentication and authorization. Now we have the capabilities to do this. In many cases, these trusts need to be continuously verified. And oftentimes, I know in, in security we talk more about authentication, but authentication is an initial step. Authorization, you know, making sure that each request and all the elements of it are, are properly, you know, granted permission in advance and then context in metadata, looking at each and every one of these different bits of information that we've been discussing so far, and evaluating that again at run time. So wrapping up here, thinking about the minor attack framework and the different stages, this is just a, a, a non-exhaustive list of different kinds of security tools that can be used at each one of the phases of an attack. And with an emphasis on identity, you can see the things like secure identity and access management, multifactor authentication, zero trust architecture, zero trust network, a access are, are important across these first few phases. Things like escalation of privilege, tools such as privileged access management and endpoint privilege management can be essential for shutting down or delaying attacks at this phase.
Then, you know, come things like epd, r endpoint protection, detection response, network detection response, xdr, they can certainly be valuable for providing information. Additional context, you know, device context, network context for those zero trust network access decisions, credential access. You know, we're starting to see more and more discussion around identity threat detection and response and the other tools here, you know, dlp, DLP definitely needs a notion of identity for being able to do device level access controls, casb, cloud access, security brokers, that's, you know, DLP in the cloud being able to stop users from moving data around that they don't have permission to do. So, I know I'm kind of running up against the end of my time here, but this again is not a, a complete list, but I think you can see how the different kinds of tools that we discuss in security architecture fit in with the different phases of minor tech and should be able to help you build out a more resilient security architecture. So the last poll question is, is identity threat protection on your organization's radar? Is this something you've heard about? Is this something you have planned already, maybe you haven't deployed already, or it, it, it's not something we've considered just yet.
Give a few more seconds to answer that. I, okay. Just a reminder, you can put questions into the go to webinar control panel and we will take them at the end of our session. Looking forward to that. And with that, now I'll turn it over to got from our con
Thanks John, appreciate it. Extremely insightful presentation and it actually builds context to my session because I'm gonna pick up from where you left off and actually delve a little deeper into identity centric security, but the, my attack framework, I think is very well researched and, and also a very evolving framework as and when industry is learning about more and more such attacks, right? So thanks for that to, to, in, in my session, I think we'll be beginning with some news and views around what has been more in the public domain around some of the breaches, along with, you know, some statistics from a report that has come out recently on the cost of a, of a data breach. Moving on, we'll talk about some spends and trends and also evolution of the identity landscape and then see how really these can be addressed through identity, threat detection and response, right? So a recent report by IBM and the institute actually brought out that, sorry, I'll just minimize my,
Yeah. So it brought out that, you know, the average total cost of a breach is that it stands at about 4.35 million per breach. This is highest that has ever been recorded in the history of this report that has been going on for the last 18 years. Of course, multiply this by the number of breaches that are recorded on an, on an annual basis, and you'll see we are talking of trillions of dollars of utter wastage when it comes to, when it comes to such attacks, right? Interestingly, one in every five or about 20% of such attacks have been caused by an initial threat vector by offer credentialed theft, right? So the most common initial attack vector is an identity theft. And that really is, is an eye-opener in terms of where a focus of the, you know, protection and all the security measures that an organization is looking at needs to really prevail.
83% of the organizations that are study it said that they, they suffered more than one breach in course of that period, right? Of one year, which means that it is an ongoing process to actually keep resilience built up in your security systems to see that, you know, persistent attacks are, are always done away with or, or prevented. And you know, the sad part about this was if you look at the average number of days that it takes to even identify or contain a breach that is nearly three fourth of a year or 2 77 days, which means that the attacker could really have been within your systems, within the organization sitting, you know, without being noticed and persisting within your system, without actually being identified within the infrastructure, right? The longer it took to identify and contain the higher the cost of the breach went on. And this is an ever evolving, you know, increase in the total cost of a data breach, sad state of affairs, but this is really the reality that bites us every day.
Some examples of recent cyber attacks that have happened, which are, I I've picked up examples that are specific to credential or identity theft. This one was a sad, you know, intended bio attack. Actually, it happened in the state of, in the state of Florida where it was really a frontline worker of a water treatment plant who, who was working and, and his system was, there was a remote access taken off his system by the IT administrator to do some configuration changes. It was a five minute task and, and the work was done, the IT admin logged off, but in between there was a, there was a hacker that managed to get his way in and KU goes to the frontline worker because he observed after about five minutes, the mouse was still moving. He actually thought that the admin was still doing his job until he noticed that the mouse cursor was actually increasing.
The sodium hydroxide levels in the water treatment plant had been raised from hundred parts per million to actually 1100 parts per million, which would've been actually sufficient to poison the entire city, right? So what we are talking about here in terms of securing identities and, you know, securing their critical infrastructure really is, I think the previous slide now doesn't make sense. It's not really about the dollar value that you're trying to save, it's about lives, it's about, you know, people and it's about actual threat to entire populations at large, right? So this actually began a movement called water Cybersecurity, and it's around focusing on national infrastructure measures towards cyber threat protection. Another similar example, again, starting with a theft of a single credential, was around the colonial pipeline, which, which is responsible for transportation of about 45% of the entire fuel consumption of the east coast of the United States.
There was a ransomware attack on that and which brought down the entire infrastructure for many days, right? They got, they got away cheap, I believe they paid up a ransom of 4.4 million and, but just imagine, you know, it could have brought the entire East coast to a standstill and had the fuel pipelines being choked, you know, due to the IT systems in themselves. This of course caused penalties as well as reputational losses. But the idea being that it's, it's really not, there are reputational legal financial obligations, risks involved in such secure, you know, cyber attacks and also as I talked about, a risk to lives as well, right? That we're talking about.
None have been spared. I believe there's one thing that even billion dollar organizations cannot afford, and that really is a cyber attack, right? So the likes of Microsoft, Okta have also had breaches in the last just one year. And, you know, no one is really spared the likes of lapses dollar have been unfortunately very active in this, in this game. Again, what is, you know, it's gotta be a combination of solutions that one puts up in terms of guarding their, their infrastructure, their security measures, right? So SSO was one of the techniques that was applied, but I believe any single solution is not really sufficient. It's gotta be a convergence of that. It began with a small conversion of, you know, SSO with MFA put together. It does make sense, otherwise, it's really the single keys to the kingdom. This is now maturing into a convergence of complete identity, you know, as a, as a, as a stack, right?
So there's identity security as a converged access management platform that is the need of pr, that is where we are getting to right about some, and I, you know, again, borrowed some reports in the public domain, but filter this down to very specific InfoSec, global landscapes talking about identity access management, privilege access management, and the user authentication market bringing together, you know, more so about what organization are spending towards siloed and disparate technologies in the identity space, right? So this is, again, a, a huge spend. It's estimated to be about 13.8 billion in 2022, growing at a consist CEG of 6.6% and expected to reach in the, you know, upwards of 15.5 billion by 2024, right? The, the growth in the identity security identity centric security space has been a little more in terms of CGR than even data centric security, both being very important and actually a marrying of identity centric with data centric security is what we're gonna be talking about in a contextual data-centric model of secure, right?
So let's construct your digital identity, what really does a digital identity, you know, what are the various attributes of them, right? Identity is no longer just user IDs and password. That was back in the day, you know, maybe a quarter of century ago today, identity is really, and these are not all encompassing, but just some of the attributes that I wanted to list down to bring in the flavor. It's about your personal thoughts, your lights and the slides. How, when, what, where do you do some specific things? It's, it's about your PII information, what you do personally or professionally, what tools and machines do you use? So it's really around the way this attributes that make a specific identity in, in its uniqueness, right? So, and and across this full span of identities, business models are evolving right around the entire identity. It has to be more outcome based in, in, in its model, right?
Again, talking about investments that companies are making, let's pick an example of the specific identity and access space, right? An organization could be actually spending on MFA technology and SSO technology and identity and access management, PAM solution or even an IGA governance solution, right? But for each, they need to actually go to separate product owners, stakeholders, separate oem, separate skill sets to be adopted and still not having a unified governance for them all. Really all the investments that are, you know, a multiplier of each of these disparate technologies that they've invested in without really any kind of outcome that's not helping the cause of the organization. There's gotta be more outcome based models around identities. It's gotta be hyper-personalization, right? Let's say identity is the new parameter. Each identity of its has become a parameter of its own right? And that's how the protection as well as management of identities needs to be carried out.
And it's really about access versus ownership, right? You, it's, it's not about owning a specific application or, or technology, but really managing granular level access controls to that. So what are the industry standard frameworks or regulatory compliance or some of the lead leading analysts talking about in this space, right? So when we hear about an identity first security approach, identity being at the center of security, design thinking, right? Rather than the earth wide lineage design thinking. That's what the majority of leading analysts, anding, including KuppingerCole have been talking about. You pick up any of the latest industry standard frameworks or even regulations like John talked about in terms of the attack. It could be the is of 27,001 standards. It could be framework or even the, so compliance and GDPR regulations in terms of their legal implications, right? Of course for something like the bsi for the PCDs as you could pick up and more recent controls around cloud security, each of them is talking about identity becoming the new parameter and an identity first security approach being a top trend, right?
In addition to that, when we look at data centric security data is really like water and privacy needs to transcend the border of contextual data. This makes securing the props of data more difficult because data really needs to be tagged contextually, and I'll come into that a little more in detail as we, as we speak, right? But what is the evolution of the identity landscape? And I've mapped out something, you know, taking a time span of the last quarter of a century, gone other times of infrastructure like the mainframes and PCs. It, it was something that was nearly 25 years ago up until maybe 15 years ago, more recent in the decade that followed was, you know, data centers and mobile devices started cropping up. The identity trends moved from more of local identities to enterprise SSOs with two factor authentications, something we started seeing.
So a little more security got built in and the identity approach moved from network domains to little more enterprise-wide active directories, right? The challenges move from widespread password and weakness and reuse of passwords to little more credentialed theft attacks and mass password compromises because while passwords had become more localized, but their, their management or rotations weren't really still there, right? I think in the last five years to present day infrastructure has transformed now of course to a very high level of cloud adoption, especially with the pandemic coming in. There's been an exponential rise in cloud adoption with task technologies as well as, like John talked about zero trust architectures or SASSI approach, right? And of course, IOT devices taking main stage, the identity and access trends have become more federated with cloud identities as well as hybrid and of course a more passwordless driven approach with zero trust.
Access control is the approach in terms of the access management of things, right? Here's where the play of identity centric security comes into being. And, and this is a real evolving me, you know, space because now we are talking about identity, threat detection and response as well as a converged access management platform or an identity platform is how people want to, because enterprises are looking at more unification. And that's the, that's really the theme of today's webinar in terms of unifying identity and security to bring in, you know, to, to block identity based security attacks, right? More passwordless approach as well as infrastructure organizations going. Data centerless is the kind of notion that we've been seeing off lead.
So this brings in the need for zero trust and this slide really borrows from what John talked about in terms of the mid attack, typical cycle of how a cyber attacker would approach and, you know, breaking into an organization's infrastructure, right? They would try and, and more often than not, and I said one in every five case is through a, the most common attack vector is by taking control of a, of a user identity, right? They will try to gain initial access and then try to process within the organization's infrastructure, they will try to gain a foothold, become, you know, gain persistent access rather than a more I persistent one, which is cause initially, right? Once they've gained that foothold, they would, an attacker really tries to escalate their privileges, right? And gain higher level permissions by, you know, gaining some sort of administrative control on that particular identity that is taken on, right?
And elevate themselves to try and steal more credentials, gain access to other credentials, they can move laterally across identities, across users, across segments, across environments, and even beyond the parameter of the organization go onto, you know, cloud environments and then really hell is broken loose by then, right? Because now it's like a virus spreading or cancer spreading across your entire organization and then, you know, there's data exfiltration or stealing of information that's happening and you know, you're too late in the game, then it's all about negotiations vi say, or ransomware or stuff like that that we just talked about, right? You don't wanna get there. You need to be able to nip it in the bud and really put in preventive anomaly, threat detection response mechanisms to really have AIML built into those to kind of prevent such situations from happening. That brings us to the three principles of Rio Trust strategy.
And as our con, if we were to talk, the three principles really go into the heart of the very design thinking of our technologies, right? So the first one being around verifying explicitly and it talks about authentication authorization as well as having, you know, continuous modes of verifying that the user is who they he or she. Or if it's a non-human user, say a machine ID or service account to verify that that identity is what it is posing to be, right? So that have has to happen through multiple layers of authentication authorization or multifactor authentication, right? As well as ensuring that elemental data points including identity, location, device health, and the lights are all brought together in terms of the verification. There's also a need for least ed access control. This brings in just in time access with just enough access or least privileges in terms of a role or risk-based adaptive policy, right?
This comes with real access management controls in the conversed access or, you know, identity access management, privilege, access management, or end point privilege management controls in terms of the solutions that can look into such requirements, right? And finally, again, you may put all sorts of preventive mechanisms, but you've got to assume that a breach would still happen. You have to ensure that you minimize the attack surface to the bare minimum, such that even if an attack happens, you are mitigating the controls so that the impact is really brought down to the minimum. This really happens by visibility analytics, right? At a first level as well as an AIML driven threat analytics and detection response system being put in play. All of these things that I've talked together come together in a converged identity approach. And that's why unifying of security with identity is, is the need of pr.
So when we talk about the various pillars of a zero trust, and I think John covered all of these, what I'd really like to bring in perspective is that identity is really the point of integration of all of these elements of a zero trust, right? It is at the core of a zero trust strategy. It brings together users, devices, networks, applications, and your visibility and analytics put together. By controlling your entities, you'll be able to actually each of these pillars way or the other. And if that is compromised, and really there's an impact on each of the other pillars, right? So identity actually goes across all the pillars of a zero strategy and an identity centric security framework. This is a little more of a functional framework around that, but it stops about human and non-human identities put together. It could be a machine identity, a business identity, or a privileged identity, a service account, an IOT bot identity, so on and so forth, right?
You've gotta be managing your complete identity landscape through, you know, passwordless approaches like sso. You gotta have reduce your tax surface by controls like just in time. And as I talked about, verifying exclusively through multifactor authentication, that also has to bring in ease of use for the end user. So it's gotta be something that enables, you know, different types of multifactor authentication, be it a tdp odp or even facial recognition or biometric softs, right? At the foundation of this lies zero trust approach, which really talks about continuous assessment and strong visibility controls, like I talked about in the various principles of it, right? And, and of course this should be able to enable remote access as well as be in a, you know, able to have an ability to manage both cloud and premise assets because each of the different environments brings in their own complexities.
Finally, it's around user management or directories for, you know, different application, different devices or data center resources. So you've gotta have ample connectors built into the ecosystem that, you know, your entire, you know, converged management platform should be able to address. It should be a vaulted approach for your secrets management and, and security governance. At the end of it, you have to have a robust governance approach for your identity and administration. And at the end of it, there has to be a, a reconciliation as well as re-certification of user management as well as secrets management brought in play. And at the end of it, identity centric security will have to be built in, built on the back of contextual data models. This is what the backbone of Arcon thought process lies when it comes to a functional approach towards the converged access management platform.
Of course, when you talk about each of these technologies, they deliver upon every aspect of an identity threat detection and response ecosystem. There are really a combination of solutions that need to come together and, you know, this is how you can really look to address those, right? Just a little more about Arcon are a set of technology offerings that really deliver upon each of what we talked about, talking about managing identities and privileges, working of digital identities, of course, elements of IT, security and compliance. And finally identity threat detection and response through a, through IL driven anomaly threat detection, right? The first L bucket is what I talked about, really talk, you know, brings in the context of our converged access management platform, which is much in context of the flavor of the webinar today. A little more about us. We are a globally recognized organization.
You know, some of the leading Analyst, such as putting a call have recognized us as leaders in this. We are present in over 75 countries in terms of our customer presence across six continents. I believe we're still looking out for a customer and Antarctica, hopefully one day about 1200 plus global customers and continuously growing as a, as a, as an organization across the, you know, last 15 years of our existence, as I talked about, keeping their goal themselves have recognized us as innovation leader and product leaders. And that calls for a closure of my SP session as to why the entire identity thread detection and response ecosystem needs to be dealt with through a unified approach of identity and security.
So, great, thank you for that. Yeah, we've got, we've got some questions here, but why don't we take a look at the poll results before we get into the q and a.
So the first one, are you familiar with minor attack? Well, half and half. That's interesting. Well, I hope it's useful to learn about that. I think it's, it's a really good way to sort of conceptualize the, the different phases of attacks and, and that in itself helps you think about how to defend against the attacks and various techniques.
So next one,
This is interesting.
Yeah. Is identity protection your organization's radar.
What I'm looking at is about 82% of the respondents actually have this on their radar, which is, which is good to see. Yeah, I I I hope that with, with the little, you know, 2 cents that we've been able to share, that 18% will actually go down further because it really is the need of the r i I strongly believe so.
Yeah. Yeah, I would agree. It's, it's good to see a recognition of the centrality of identity in terms of how these cyber tax and data breaches happen and being able to build out your defenses with that in mind. Okay, so now let's take a look at the questions that we have. How do you decide how much to invest in each ELE element of miter attack framework? How do you balance the investment between initial access and execute, for example? You know, that's, that's a, that's a good question. I guess there are a couple of different ways to, to divide it up. I would think, you know, the old adage of, you know, prevention being better than, than cures is, is a good one. I mean, I know in the security realm we've talked a lot about things like detection and response for the last 10 years, but we also know that prevention in itself is important and, you know, I guess then look at, so yeah, prevention, focus on prevention where, where it makes sense, but acknowledging that you still have to do detection and response.
Looking at the kinds of tools in the matrix that have applicability at different phases across MI attack, you know, sort of getting the most value out of a single tool type. And then, but really, you know, you have to think about each individual organization, understand what business you're in, what do you have partners, or do those partners present risks? Are you part of a supply chain? Think about the software supply chain, you know, how exposed does that make your organization versus, you know, another kind of organization that maybe has thousands of partners that come in through old VPN or something. So I think it's almost on a case by case basis where you need to consider what your current security architecture is, what the threats are, and what the opportunities for improvements are. What do you think?
I fully agree, John and I, I believe there's no, there's no silver bullet right there. There really isn't. It's gotta be people, you know, a combination of people, processes and technologies coming together for each organization that's, it's a unique situation and they need to delve deeper into that to actually look at where the investments need to go. What is, what is their history been in terms of how, you know, their possibly being any kind of attacks or, or how is it that they believe their infrastructure could be vulnerable and, and accordingly take those. But I think what you covered in the micro attack framework is something quite holistic in terms of various different ways of tactic techniques as well as procedures and impacts. And each organization needs to kind of look in inwards into how that, to add to that, it's also gotta be a combination of mindset and sensitization across not just investments.
Okay, next question with increased cloud adoption, what are the new age problems for managing identities? Getting a handle on, yeah, getting a handle on where all of your users accounts may be, what permissions they have. I think that certainly makes it far more complex to be able to get that unified view of that where you were starting to say,
Yeah, sorry, I just missed that. Was it on cloud adoption that you said
With increased cloud adoption? What are the new identities?
Got it. I just missed hearing that. So yeah, John, I I, I'd agree, you know, cloud adoption and, and actually multi-cloud adoption, right? So we, we will come past that age where an organization may have just been going with a single cloud for their infrastructure. So you have people going in with at least three to five different service providers in itself. And also let's not even talk about the various cloud SaaS applications that they could be onboarding for, for, for various business purposes, right? So when you talk about multi-cloud environments, security is increasingly becoming all the more complex, right? So I, I believe with each, each cloud environment, I mean if we talk about, say an AWS Azure gcp, each has their own nuances and differences in how they control or manage, say privileges and access, right? Each of them work differently.
I recollect, you know, some report that I read which talked about, I think in a year or in the next five years, the maximum security failures will result really from inadequate management of identities on the cloud. So what really one needs to go with is a unified approach for multi-cloud environments wherein you are able to look at your cloud infrastructure and map them against your user entitlements. Also, cloud infrastructure and entitlement management solution of sorts with effective cloud governance is, is something that, you know, organizations should really look at. And you know, this will help them address some of the key risks and concerns for these multi-cloud environments. It could be inactive identities, say, you know, something like former employees, it could be any of the POC accounts or test IDs that are there still lying around, lingering in, in active states. It could be super identities, for example, in certain break glass scenarios. You know, there are certain super identities that may need to be called out and, and those just lingered on, right? So management of these different identities over permission, cross account access identities across the various multi-cloud environments with a unified view, but also with the AIML driven approach is, I think the, the answer to all of this, right? Because it's gotta be bringing down your attack surface to the minimum through an intelligent and smart governance approach. And the CM solution really can do that.
The next one is about aiml. Actually UHL is used for anomaly and threat detection. Can you elaborate with an example? Yeah, the,
So I had please go ahead talk.
There are many, many security tools need to use machine learning, especially like if you think of anything from endpoint protection, you know, NextGen antivirus, there's so many different kinds of MAA that are generated every day. There's not enough time for human analysts to identify them all. So they use machine learning, you know, user behavioral analytics, same sort of thing with, you know, looking at categorizing different kinds of events that are seen trying to, you know, create a normalized baseline. So yeah, AIML I think is imperative for most security tools today.
It should be a technology that is able to recognize, identify, or to profile a user and for every user understand the behavior and then really make the user work within that frame of the profile only a role-based mechanism against the user behavior context, right? So in fact, Arcon has some solutions that can deliver on this, which looks at also, you know, any kind of non-normal behavior. Suddenly God is trying to access a particular application he's never done before or use it at two in the night, it should be able to challenge control session, monitor the user, what are you really up to, right? This is not your normal behavior. So that is something that is, is addressable through AM and different models and also taking this further to contextual data models, right? You've gotta extend this to automatic means of discovery, classification, protection and tracking of data in itself.
Say you pick up a legal case file, it should be able to understand that this is a legal case file, it's sensitive in nature or to classify that into a sensitive information. But at the same time, again, build in user context. If it's lying, say with the legal manager visibly line with say an IT support engineer, the context of the same data line with two different users has very different context, right? Has very different meaning. So all of this can be achieved to ai different models, right? And yeah, we are in this space as well.
Okay, we've got time for one more and that is how do you make sure that these behavioral based profiling methods are meeting ever-changing privacy expectations and when does it go too far? You know, that's, that's another good question. I, in terms of, you know, privacy regulations governing employee access, employee profiling, you know, I think there are some justified business use cases for that, but again, it really depends on the jurisdiction. That's, it's very insightful. I would say that there security tools due in many cases take into account those regulations, especially in areas where those security tool vendors operate. What are your thoughts on that go?
Yep, I, I wouldn't agree any more. Right. So I think privacy is, is been talked about in all the important forums globally and regulations as you rightly said, the GDPR and the European context are. But I think every territory is coming up with very similar regulations and all ties down to basic fundamentals of security. You know, boring from the niche framework or the IS 27,001, you know, there are different countries bringing in some nuances to their own challenges, but at the end of it, it comes down to the very fundamentals of sensitizing, you know, public at large in terms of behavior. It also talks about having the right kind of investments in the combination of solutions and finally a amalgamation of people, processes, technologies coming together that can address privacy concerns.
Great. Well that's all the time we have today. Thanks everyone for joining us. Thanks Ga, Tom and Arcon for being part of this and again, been a pleasure. Thanks John. The recording and slides will be available shortly. Thanks everyone and join us for our next one. Have a good rest of your day. Bye-bye.
How can we help you