Webinar Recording

Zero Trust: Putting Theory Into Practice



Now is the time to implement the Zero Trust security model because the traditional model of enforcing security at the network perimeter is no longer effective. However, moving from theory into practice can be challenging unless you start with a key element like effective endpoint management.

Welcome to our KuppingerCole webinar, Zero Trust: Putting Theory Into Practice. This webinar is supported by Tanium and the speakers today are Zach Warren, the senior director of cybersecurity advisory Mia as, and me, Martin. I'm principal Analyst. Before we start with our webinar, quick end on some upcoming events. So we will have a, our KCLive event on zeroing in on zero trust. So to speak, following up on the theme of today's webinar, which will run on March 23rd. And then we have two conferences coming up. One in mid May, which is in Berlin, both are in Berlin. By the way, one is the European Identity and Cloud Conference 2022, that is the flagship. We went around. Everything we trusted, Google is identity and related topics. And then we have our Cybersecurity Leadership Summit. As the name says, this is more focused on cybersecurity topics, and this will be running in November. Both events, by the way, are hybrid.
So you can try on site or you can try remotely a little bit of input info around housekeeping. So we control audio. You don't have to care about, we will run two poles during the, over the course of the webinar. We do a Q and a session by the end, and we are recording the webinar and we deliver the slides for you. After the webinar, having said this, I directly want to start with a poll and then jump into the topic of today's webinar. So the poll for today, it's which of these five identity management security topics is most important to you this year. So is it modernizing the legacy I am? Is it multifactor and password less authentication? Is it getting a better CRI on all the endpoints, the managed end points, and also it bring your own UI endpoint, which is always important to context, zero trust for sure. Is it de with the multi-cloud multi hybridy environments or is it making zero trust a reality? So looking forward to your responses, that'll leave you a little time to, to answer the more participate the better is. So don't be shy. Enter your plans, your spective.
I would say we let it run for another few seconds and then proceed with our webinar. Thank you for participating. And so, as that's already said, the topic for today is really about zero trust, making it reality about the role, the endpoint playing that journey. And in the first part of today's webinar, I'll talk about making so how to make zero trust reality and also the role of endpoint security. In the second part, Zach Warren will talk about more or less the same scene, but are the sort of deeper level really going into endpoint management security, helping in supporting, I think what, what the purpose of today is really giving you more concrete guidance beyond sort of the tres level, because I think it's really time to make these things work, to put into reality. And this is the theme for today. So when we look at this, what is the challenge behind it?
The challenge behind everything is that is very, very serious. Trust came up, was how can I make my sort of IT more secure? And how can I avoid that? I have whatever, a single place where I trust and some attacker passes that. And then can I have this lateral movement throughout the IT, this is basically the foundation. And when we look at zero trust, we have a couple of building blocks. And so to my definition, to our definition of KuppingerCole Analysts, these are seven pillars and the first pillar is identity, it is someone or something, this using a device, okay, you could argue if it's a thing, then it's integrated. So there are things that communicate, but they also have an identity. Via some network, usually networks, to systems and applications. If it's a SaaS service, then this is more or less one from your perspective, from the provider's perspective, it's still modern one, but manages data and all that is powered by software.
And I think the two last pillars are somewhat lesser, familiar to, to most zero trust definitions, because zero trust started at a network level added identity, edited devices, looked at systems and applications to certain extent, but data is one of the things we tend to have overlooked at the end. We always want to protect data. So we need to take a look at data from a zero trust perspective, not just about, can someone do something in an application, but also what does it mean to the data? And we need to look at, take a look at the software, take the incidence of the last two years for solo and cetera. I think learning is we need to get a better grip on software and to understand, can we know differently zero trust don't trust the software, but verify. So we need to take measures here as well.
So it's zero trust is spanning multiple areas of it, but what is very clear, that's important for the context of today's webinar. So we will let go into all of these areas. There can't be zero trust without securing, without verifying the wise. So we need technology that helps us in this, and this is endpoint management. This is endpoint security. So this is a broad space. And when you look at the space, then there's when you take the broader term of unified endpoint management today, then this consists and relates to, to quite a, quite a number of, of technologies. So unified endpoint management is, is really sort of the discipline, which says we bring together everything we need to manage and security endpoint. So there are security aspects like endpoint security, even while there usually are some more specialized solutions. Some of the vendors in, in UEM, in endpoint security and endpoint management are rather strong in security.
We have the evolution of that endpoint security into EPDR. So the endpoint protection detection response. We have an intersection to IT service management, when it's about procuring desks, when it's about support tickets, when it's about all these things, we have very close relation to workplace delivery. So how do we deliver the workplaces? Which types of infrastructures do we need? We have this asset license, contract management aspect about understanding what we have and asset management, by the ways understanding what we have in a broader sense is super, super essential for everything we do in security. And clearly also in zero trust, we can't protect what we don't know. So we need to be good in this space. We also need, clearly that's very common in this space, managed license contracts, the mobile devices as well. All, all of this is by the way, outside of IT service management, which is a huge, large, similar discipline increasingly also converging. And we need to be good in various areas to protect our endpoints. When we now look at at how do we do we move forward with zero trust? And I believe it's very to have a look at the zero trust principles and how to make them sort of actionable how to really make this work. And so what we all have learned over the past years, zero trusts are from modern decay. So the network perimeter model of the past is no longer sufficient, users are everywhere.
We can't work with this implicit trust. So of who is in this good and who is out in span, the world has changed. It was users working from everywhere. And I think the past two years have so with the, the, the, the emergence of work from home that this is really changing. And we also have not this relatively stable model where we have our organization and the outer space, but we have way more connection. So there's, there have been already many years ago, there have been a lot of, so to speak holes in the perimeter and with the, the fact that we are working more closely with partners that in the digital each also the way we deal with other organizations has changed the way or how and where our, our, our workforce, all this has changed. And so we, we, we must find better ways.
I think this is very clear. This is very common with identity becoming a new perimeter and a lot of other entities at the end, also becoming perimeters. So also in some way, the devices, a perimeter, and we need to assure, ensure that, that we have authorization adequately authentication, encryption planes for secure access for everyone on every device, to any applications on any network. Also taking the data into account. It's very important to understand that people today co use multiple devices. So when I just look at my desk right now, then there are three devices and people can come in via different devices. But anyway, we need to understand who is it? What is the device? Is there a wallet relationship? Is the device trust versus secure enough? Can there be things that come in wider wise? We must think about this verification at varies at many levels at the end of the day. So when we want to move forward, we need to come to more concrete action steps.
We need to assume that attempts come from untrusted networks. We need to apply the same principles, regardless of where applications run. We need to enable workers to work from everywhere. And also over untrusted networks, we need to ensure authorized access. We need to manage the privileges. We need to do these things, but it also helps us in many areas. So we reduce the possibility of compromise. We ease anti migration to the cloud. If we treat everything the same, we deliver greater flexibility for our staff and enable these already common. I wouldn't have even in new ways of working, but also make it easier for third parties to access and be faster and deployment if we do it right. Maybe the envy even cheaper with that. If we do it right, NIST has, has defined seven principles that should be met.
One is that all data sources, computing services are considered resources say communication is always secured regardless where, so no unencrypted traffic over the network access on a per-session basis. Policy based control of who can do what this is quite big by, by the way, the, the zero monitoring everything. And I think in number five also, it's about, this is a very important point. Security posture of all owned and associated assets means device security endpoint. We need to monitor or measure and force security posture up across everything, whether it's our own or it's bring your own device device.
And we collect the data, use it to, to analyze this numerous students write this, this evaluation. So, so there are different ways to do it criteria based. So if certain criteria are met or score based, score based is clearly way more flexible. We, we, it criteria based. It says, if this, this, this math, it's fine. If not, then score base means we observe what happens, how things are changing, decide based on that in a more dynamic, more reactive way. And there is approach of doing it sort of singular contextual. So do we look at that one, and this is related to the other two. Do we do it for only that one access or do it, do it always in the context of what happens and where does the context come from to a large portion from the device, from the location of the device, from the health of the device, from the sort of assignment of device to user the relationship and all that stuff. And then the question is, how do we get there?
And this is not an architecture. So I put it into quotas and these are very bold quotas. There are so many technologies out there, and this is only identity network data endpoint. It not even includes for instance, software security. So there are even more of these, but there are steps. And I have printed down seven steps here, which are at the higher level, the risk, the starting point of which you always should keep in mind when moving forward in zero trust, it all starts with understanding your risks. Where are your risks? Where are your biggest risks? How do these risks change, risks change. So also this is not a static thing. You will need to update it, but understand what are the risks? What are the risks that can put you out of business? What are the risks that can stop your production? What are the risks that will cost you a ton of money?
What are the risks and really rate it? So there's so much technology around or methodology around risk management. That is, I think, something not easy to do, but where there's a lot of knowledge, a lot of advisory out of, out there, which can support you in that, including what we do as in our advisory branch, then you need to understand your requirements. So what do you want to achieve? Where are you heading? Look at the future, look at the trends. Also not only what you need today, then you can define your architecture. So what do you have and how should this look like ideally in future. And then you can make a fit gap analysis for the tooling. So look at what is your, your to be, what is your assets? What fits well, what is maybe good enough for a while, but needs ate later?
What is the big gap, always in context of the risks. And then you can prioritize this. You can start implementing, and this is a journey it's a sort of, maybe even a never ending journey. Then you can run. It's a journey, as I've said, yes. And another perspective when you, when you look at it from a perspective you need in a first step, identify actors on the enterprise. So when you want to do that, you need to understand who is it, who are special actors, and you need to understand assets. So aside of the risk perspective, when we go here more in the technical level, into the technical implementation steps, when you know what to do assets, as you know your assets, you know, your devices, you are able to identify and to manage and to secure devices, you need to understand the key processes and the risks.
And then you can start creating policies because you can't enforce policies. So the PEs and the first pillar, you can't enforce policies without the knowledge about the actors, about the risks, about the devices and about all the resources that are being to be accessed. So you need to formalize formulate policies. You need to look at solutions that help can help you forward. This will be a multi-step approach. That's not the one CT tool out. There are many tools like tools we are talking today about from, for, for the endpoint security endpoint management, which help you addressing a certain part of zero trust. So you never will find a vendor, a one-stop shopping for that one tool that helps you in zero trust. It's always a combination. Then you start deploying you monitor and you improve. And then you expand step by step into the broader space of zero trust. So this is really, these are sort of two, this slide on the previous slide to sort of step by step and multi-step approaches how you can move forward when you want to get better on zero trust. With that, I'm moving to my poll number two. And the second poll is about your cybersecurity budget change in 2022 compared to 2021. So again, looking forward to your responses and give you again some 30 to 40 seconds.
So the more participate, the better it is, I'll give you another 10 or seconds or so, so least add your entry answers. Okay. I think then we can close the poll. Thank you for that. And we'll look at the polls if time allows later in the Q and A session, and that brings me already to the point that we are right now going, coming to our second part of this presentation, and this will be done by Zach Warren. And he will talk about how endpoint management and security help concretely securing and supporting zero trust. And with that's your
Appreciate. And right here, there was a of great things that Martin shared with us, giving us insight into zero trust, into understanding the things that are needed to really build out this zero trust architecture, and to really understand where we're, where we need to be going to really get this developed. So I'd like to walk you through how we ATC zero trust and the influence that we can have positively on your, your security or your zero trust architecture. So, first of all, you know, to go take a step back, you know, this is, this is kind what the world looked like many moons ago, where we as organizations were really hyper focused on controlling everything within our network, within our perimeter. And this started to kind of change, you know, several years ago, when, you know, I like to joke when CEOs got their first iPad for Christmas and they brought that iPad in and they set it down on the desk of the CIO or of an it manager's desk and said, Hey, I want use this for work.
So, you know, it, some of us can think back to what that was like. We're like, oh my gosh, how do we manage this new device on our network? How do we allow our CEO to use this personal device? And that really brought about this idea of bring your own device in multiple different environments. Now that of course has evolved and continued to evolve to where we now have just tons and tons of different types of devices that individuals are using. So, you know, if you even think about your own personal life, you know, I personally use my phone for a lot of my work to gain access to a lot of my work applications and work data. I use my laptop, I have other devices that I use on a regular basis. And so each one of us has really kind of gone away from this traditional enterprise network perimeter.
And it started having fairly natural. Now, of course, through the pandemic, we saw this perimeter just continue to increase and become more and more difficult to secure. And so of course we have, you know, now this type of environment where we have individuals, you know, who are working in different cities on different days like myself, I do a lot of traveling for work, you know, maybe working from a train, maybe working from a coffee shop, maybe working from home. And the pandemic really brought in a major issue for a lot of organizations that couldn't even really get their hands on the right devices to send home with their employees. And so they were in this difficult situation and had to say, Hey, I need you to work from home because it's a must, but we don't have any laptops or anything to give you. So please, you know, work from your personal device.
And I mean, as a security professional, that's just like the worst case scenario to give people's private devices, access to my internal systems and data. And so that just kind of really made all of this spin out of control if you will. And, and of course, you know, a lot of organizations said, well, you know, at least we'll put in a VPN, of course, a lot of those VPN systems were overloaded by the amount of people that were working from home. And as we all know on this call or, you know, people with security backgrounds, it's fairly easy to spoof VPNs, right? So it's easy to take advantage of those systems to gain access into environments. So just because you're dialed in through a VPN, doesn't make you a hundred percent secure, right? So this is world that we're at secure this world of interconnected devices before when we had this on type of environment that was easier to secure.
Well, we start to have to look in, look into authentication and authorization. That means just like Martin had talked about in his presentation, we need to better identify the users of our systems and our data. So we need first of all, to have a good view on our users. And then on top of that, we then need to be able to take a look at our devices. What devices do we have in our enterprise, which devices are allowed to access, what data and what systems, and then what are our requirements of those devices? You know, do they need to have the latest version of our anti malware software on there? Do we need to make sure there's an EDR agent on there? What type of, you know, mandatory things do we have for our devices? And then finally the data that those devices or the services even that those devices are using within our environment, but also within the cloud environments that many of us are utilizing today.
So we need to make sure that we have security around these three components of our organization. And it does touch to what Martin was talking about around software and applications as well. We need to make sure that we have that visibility into our software visibility, into the dependencies of our applications and our software on the data that is needed to run those applications. So now we've gotten to this age of the endpoint as I like to call it, it really is a state of we're no longer the perimeter is at a firewall and everything on the inside is trusted. Everything on the outside is untrusted. At the very beginning of my career, I worked at Cisco systems as a security engineer, and I spent most of my, my time consulting and, and, and helping organizations develop their firewall rules, right? So I spent a lot of time in ASAs and even back with the, and the VPN concentrators and constantly helping them build IP secs and things of that nature, because what we really wanted to do was keep everything inside of our network, secure and trusted and anything outside was untrusted, right?
So it was a lot of that kinda gaining access. But now the endpoint is our new perimeter. Now we need to be focused on what are our endpoint devices doing and are they secure? So let's walk through kind of what zero trust and endpoint identity have in common and, and kind of my view of where we as Tanium can support, but also even if you're not utilizing Tanium where you need to be doing, you know, your due diligence to make sure that these devices are secure. So first of all, it's really that identity and access management. We need to verify the user and there needs to be multifactor authentication at the very least at this point. And so I would even suggest in your private lives, if you are working with a bank that doesn't require multifactor authentication, move banks. Right. If you're working with any type of service that has, you know, any type of private data or financial data of yours, please ask these organizations to build in multifactor authentication.
If they don't have it and they won't do it, then move somewhere else, take your business somewhere else. It is a must nowadays. So we need to first be able to verify the users by two things. First of all, what they know, right? So a password or something like that. And then what they have, you know, that multifactor authentication, like getting a text message and verifying that you're the correct user or a thumbprint or things of that nature. Right? So it used to be, we had, you know, tokens or cards that we would carry around and card readers to kind of have that, you know, multifactor authentication, but we needed to make that a lot more simple. So once we verified our user and we know that it really is Zach Warren, and he really does have, you know, multifactor authentication has shown that he's the right guy with the right access.
Then we need to understand what device Zach is using to enter into our environment. So we need to verify that device, is this a trusted device? And if it is a trusted device, you know, meaning is it one that we gave him from the company, right? Is he trying to access through a company owned device or is he trying to access through a personal device now, either way based on what your policies are within your organization, we can then take it a step further and say, okay, this is a work device, but has this work device had the latest upgrades? Does it have the right level of patching? Does it have the antivirus on it that we need have? And this is where Tanium can play a major role and help organizations make sure that any device that is accessing their environment gets checked for these criteria.
And these are different criteria that, that can be tweaked or configured and based upon what your company's needs are and compliance needs are. And then if they don't meet these needs, what do we do then? Right. Do we push down a patch and make that device upgrade before it's allowed to access? Do we quarantine that device and then make upgrades to it? Or there's many different paths that you can take, but kinda the easiest thing would then be to push down those application or operating system patches to make sure that that device is compliant and will be allowed to access our environment. Now, once we say that that device is allowed to access, then we need to start looking at least privilege. And this, my friends, I, where a lot of organizations are falling short. Even if you have multifactor authentication, even if you've taken the time to verify that device is clean and healthy and it hygienes in place, the least privilege is where I see a lot of organizations falling down.
And that's because when, you know, inside an environment, if one day I would had one role and I moved to another part of the organization, a lot of time organizations, aren't taking a look at the privileges. That means the access that this individual has to data and applications that he needed for his first job and doesn't need anymore in the second position in, in the company. But in the second position, he still has all the access to everything. So that just means that there's a lot more keys out there. That means there's a lot more access out there. And so what I need to do as an attacker is find one individual that has not been there has not been clean, you know, released of his, of his access throughout his career. And now he's got access to everything and all the keys of the kingdom.
And I can then use that to get into different corners of your environment. So we need to make sure that, you know, as Zach, as myself as Zach Warren, this is my role, this is my title. These are the things I need to access. And that's it right now. If I change over from the advisory side, maybe to the financial side of obtaining them, right, that'll never happen, but just that it did, you know, then I would need to lose all the access to all the advisory things and all the customer data and things like that, that I have access to today. And I would then need access to all the financials. But then if I was to move back into another role, I would, would need to access to all those. And that's by privilege, just Case's to, to look like, right. So let's, let's kinda walk through this together.
So you have a user that logs on to, you know, access, whatever the devices are or applications are that they need to do their job, right? So here's a couple of examples of enterprise applications. So we need an identity and access portal, right. So there's many great, great solutions for that, you know, and you, you basically, you give your credentials in there's the multifactor authentication that goes in and they say, yep, this is the right person. And then you're able to access these enterprise applications. And you typically do that through, you know, a browser, things like that, making it easier, but that also helps us to keep visibility on the endpoint, understand the endpoint's identity and make sure that that endpoint is also allowed to access these, these applications. Now, once you have the identity of the client, you know, we need to be able to have that communication back to our identity and access management application, to be able to determine that level of permission, right back to that, you know, making sure that we have the least, least privileged permissions for that role. And once that's that's, you know, been done, then you have this more secure environment of the right people using the right applications in your environment and doing it in a controlled manner where you know that you don't have any major vulnerabilities, right? So this is reducing the level of risk in your organization and reducing the amount of vulnerabilities in your organization by doing these things.
And then how do we get started with this though? Like what do we actually need to start building? Okay. So I've broken this down into four, fairly simple kind of ways to, to get this process going. And then to also maintain this process. First, we need to identify the end, identify attack and protect services, right? So we first need to understand our environment. And I used to do a lot of work with organizations and helping them with enterprise segmentation, right? And the first thing you do with enterprise segmentation is first, you have to understand your data and understand the dependencies on that data from different applications. So we need to get that level of visibility in your environment and understand what it is. Secondarily, we need to start building out an, an identify communication path, right? We need to be able to understand what that path looks like, what that flow looks like through your organization.
Then we need to design and implement a zero trust architecture, which goes back to a lot of the things that I just talked about. Lot of the components I talked about, and also the things that, that Martin had brought up in his presentation. And then finally, it's that monitor and maintain. You need to have an eye on your zero trust environment on this architecture of authentication, understanding your devices and your data, right? So identity devices and data. And then you need to make sure that you're maintaining that care and feeding of these different tool sets so that you know, that you're in the right place.
So here's, again, is something, this would be a great slide. And of course, we'll be sharing these slides out as Martin had mentioned earlier. But just to take note of these are the things that really organizations need to be successful. Visibility is huge. I probably annoy my customers and my colleagues because all I talk about is visibility. And as a security, professional visibility is everything to me. I wanna make sure that I see what's going on in my environment, but before I do that, I wanna understand what we have today. So you need to be able to, if I ask you the question, how many endpoints do you have? You need to instead saying, yeah, we have about, you know, 5,000 to 6,000 endpoints. You need to tell me I have 5,732 endpoints, right? We need to get to that level of visibility. I know it's hard.
I know it's hard, but we need to get to that level of visibility because that'll reduce the right. And then when I say, well, what software's on those, you should be able to answer back to me. We run these different versions of software, right? And we have all of those devices patched, or if you don't have them patched, well, we've got, we know where we are today with our patching and we're working on getting it further and further, right? We need to have that level of visibility. And then on top of the devices, we need to be able to understand where our critical data is. If I was to attack your organization, if I was to go in there and gain access to data that would cripple your organization, critical data, you know, do you know where that data is? Do you know how to secure that data?
Do you have that data backed up? Right? These are huge questions around visibility that we need to be answering. And then we also need to, like I said, have the right insight into endpoints. We need to be able to assess them. We need to be able to report on them. I need to be able to answer any questions around these devices. And then I also need to be able to enforce something across the device. If someone's trying to access my environment with a unsanctioned, if you will device, then I need to be able to push it out. I need to be able to quarantine it. I need to be able to gather forensic data on it, whatever that needs to look like for my organization. And I need to be a hundred percent sure that I'm doing that and doing it correctly because a lot of times organizations feel like they have gotten the bad actors out of their environment only to find out months, weeks later, even a year later that they have, you know, found a nice quiet place in some dark corner of your environment.
That's not visible. And then they will use that as a pivot point to attack again. Right? So we need to make sure that we're getting people out and seeing that we can only do that. If we have real time, great data, that's coming into our SOCs, that we're into our IT environment so that we can have that level of visibility again. And then finally that complete and confident remediation, right? This is knowing that when I push out a patch that it is hundred percent successful or as close to percent as possible, I know it's hard. And then we also need to make sure that any vulnerabilities that are out there that we're updating, lot of vulnerabilities have been coming out lately. Just think of Log4j, all the doors that, that opened up for attacks. Do we know Log4j instances are in our environments and if we do, what are we doing about them?
Are we able to react to those in time? Right. So we wanna make sure that we're doing those things and, and confident about them. And so with that, I would like to thank you for your time. Thank you, Martin, for inviting me to talk to you guys. And I really appreciate any, and everybody who is excited about cybersecurity and zero trust. And if you have any further questions, I know we have a little bit of Q&A now, always open to have a conversation around zero trust in improving our security postures. So thank you very much.
Thank you. Let me take over moderation again, or the presenter role. Okay. So you should see the screen again. And like already said, we are at the Q&A part right now. So we already have some questions here. So if you have any questions, please enter these questions. Now, the more questions we have, the better it is. And I'd like to, to, to start with, with one, which is about the, the role device fingerprinting plays in this topic. So maybe like you want to bring up some of your thoughts about where to use it, how to do it, right.
Sorry. That was the, the device
Fingerprint device fingerprinting.
Yeah. So really we need to just, it's more than device fingerprinting. We just need to be able to see devices that are trying to access our environments. Right. We need to make sure that any device that is, that is accessing our, our environment is up to speed is up to whatever code we need it to be so that we then allow it to access. I personally, you know, I don't, I've always, I, I guess I'm one of the old, old school thoughts of, you know, I don't like bringing your own device. I don't like devices that I don't have some sort of management or control over. So it is important that if you have some sort of bring your own device that you are looking at, you know, how do you push out your management agent onto those devices and control and a lot that gets into really sticky areas, you know, because if it's private device and you control, you know, you gotta have some, some MDM, so mobile device management capabilities in there and whatnot. So that's really the direction I go on
Which directly sort, the second question I have here from, from the audience, which is around how, how do you deal with agents? How do you deploy your, your solution on the end points? Or, or is it, is there mix of different approaches or what do you support? How do you do that?
Yeah. So from, from a Tanium perspective, we could push agents out initially through, you know, something that you already have in place today that you utilize to push out any type of patches or updates onto your environments, like in SCCM. But the, the thing about Tanium is that Tanium can also then identify endpoints in an environment that don't are not yet managed and can push those endpoints from one to another. That means if my device is already managed by Tanium and Martin's device is not managed by Tanium, but should be, then my device will push an agent out to Martin. So there is a, it is a proprietary type of communication between endpoints by that is all encrypted, right? So all traffic is encrypted. All data is encrypted that will go out and find that team. Right. So, you know, if, if like I've seen before in a couple of different organizations, you know, we found that organizations that there were individuals that had things like Xboxes hidden underneath the desk. Right. And we were able to find those devices. Now we didn't put an agent on it, but we did report that back to IT leadership as a, as a vulnerability or something to take a look at. So that's kind of how our agents work, they'll push themselves out or will use existing tool sets in an organization, push those agents out initially. Yeah.
And I think all of us who are looking at many organizations, I've seen these scenarios where whatever a new server incident happened and whatever they first one and a half or two days over the weekend, the it security team was working on identifying the systems, which are, are, which need to need a patch or stuff like that. I think this is, this is really one of the, the things where we need to get better. We need to understand what we have, because as I said before, we, we can't secure what we don't have, but we also will not understand our full risk exposure when we don't know what is around in our network. And, and I think this is what, where we need to get from my perspective needs be definitely get better. So at that point, maybe that's, let's have a look at the, the results of the first poll, which you should see right now.
And I, I think with this audience, it's this topic, it's not a big surprise that 47% are looking at really making zero trust a reality as a first priority and another 12% are looking more at the endpoint security part specifically, but you also see at least, or one out of four having MFA and passwordless authentication very high on the list, which by the way, also relates to the devices because we can't do that well without looking at identity and authentication and device. So I would say it's, it's not, not really surprising these results, but they, so to speak, confirm a trend.
Yeah. And it, it makes me really glad to see that there is that level of visibility, not only developing zero trust architectures for our organizations, but on top of that, doing the, the first thing that one of the most important things, in my opinion, and that's multifactor authentication. Right? So, you know, really if, if you want to reduce your vulnerabilities by 80%, you're going to patch your systems, right. Making sure you have those vulnerabilities patched, and then you're gonna put multifactor authentication in place. And then if you've done those two things, that's really only zero days that you've gotta worry about. You know, those, you know, I mean, of course there's gonna be the, I can't say that at a hundred percent because we're talking about cybersecurity here, right. There's nothing that's a hundred percent, but you're gonna, you're really gonna clean up your systems. And I think that's huge that people are looking at multifactor authentication. And like I said before, if you're doing any business with an organization personally, or as a third party that doesn't use multifactor authentication, you should think twice, you should really think twice about partnering with them.
Yeah. Okay. One more question I have here. And that's a very interesting one. How can organizations know if their zero trust strategies are working and are successful? I think that's the question where maybe you start, Zach, and I add my perspectives on that, I think it's a very interesting one.
I think it is an interesting one because it is, is one of those things that makes cybersecurity so hard to define and hard to get, you know, some funding for, from our executive teams, right? Because if everything's running well, then we don't see a bunch of alerts and we don't see a bunch of attacks, right. And business can get on, you know, move on in a positive manner. And so it's kinda hard to show that ROI and zero trust is kind of the same way. You can have a great zero trust, you know, implementation and architecture in place, and that's gonna reduce your risk. But one of the things we need to be doing is we need to measure, right. We need to measure constantly. CSOs need to see the numbers today. What does our environment look like today? How often are we being attacked? How often we being prodded and looking for vulnerabilities, you know, and if you can't see that today, that's gonna be a hard thing to measure, right. But if you can measure that and then you start to implement a zero trust policy and you measure again, and as you continue improving your zero trust or it's, you continue to mature your security practice, you continue to measure. And then, you know, from one year to the next, you should see improvement. You should see fewer, you know, alerts, you should see attacks and all those kinda things.
And, and for me, you're speaking to, you're preaching to the converted, so to speak. I'm also preaching that, that measurement thing. And I think there, there two elements, the one is KPIs and the other is KRIs. So key performance indicators and key risk indicators. So look at it from a risk perspective, as well as from how do you improve things and very importantly, start measuring. So you can't your, your, your progress and what you, what you sort of improved when you didn't, when you don't have the baseline to compare with. So it is very important to start your measurement at the very beginning, by the way, there's one, one KuppingerCole report. I think there are two around KRIs and KPIs. One more around the identity related one, one more around the cybersecurity related KRIs and KPIs, just as sort of a baseline as a foundation, when you want to start your old exercises and measuring.
So, so have a look at this. And I think the other thing which can help you, and we have this also for identity and cybersecurity is looking at maturity levels. So maturity levels also give you a good indicator. And we have reports on that, which give you guidance on saying, okay, where do I stand compared to others? So where do I need to improve to get better? And this helps, and also to identify the areas where you do your measurement, but it's super, super important. Understand your risk, measure your risk, understand your current performance, measure your performance. You then can demonstrate your improvements. And that helps you then to move to a strategic evolution of cybersecurity and zero trust instead of this, what happens? So, as you said, if nothing happens, everything is quiet. It's hard to get, get a budget, talk about budgets in a minute, but I think it's easier these days than it has been couple of years ago, but it's still not super easy. The problem is that when something happens, unfortunately also a lot of decisions that are made in the panic mode, the headless chicken mode as I tend to call it where, where you do invest, but not really in a, in a well-planned manner, we must get rid of this approach.
Yeah. I agree with that 100%, this, this kind of last minute decisions, these kind like, you know, who should be on the chopping block now that we've been breached, right? That is, you know, we see a loss of great leadership in cybersecurity because of that type of knee jerk reaction when you do get breached. And, and I've also personally seen, you know, great tool sets be purchased, you know, kind of this last minute knee jerk thing when someone's been breached. And then that organization uses that tool set to, to get, you know, their organization kind of outta, outta the dark, if you will. And then after the breach is over, they don't see the value in the, in the tool set anymore and throw it out out the window. You know, it's like, it's like, no, you need to be able to, you need to invest in the right things at the right time, keep maturing your security profile. And when you do get breached, learn from it and, and move on. Right. So I agree with you. Yeah.
Okay. Maybe let's have a quick look at the second poll. And the second poll I think is also interesting because, and I, I ran this poll three or four times recently, and there were always 0%, which said we have a, sort of a decreased cybersecurity budget. So the tendency is very clear. There are a lot of organizations with a slight. So 20% is not that slight anymore, but you also have quite a number of organizations, very, very significant in the cybersecurity budget, which is, I think good. The only thing is we need to use the money the right way. I think that is the art right now. Hopefully we gave you some hints on that, on how to spend the money, right. Or how to understand where to spend the money. Because I think this is really what, what is what needs to be done.
Zero trust is big and you can't do everything at the same time. So you need to understand where to start. You need to demonstrate that you're doing the right things, because then you will be also get budget for the next. With that, we are at the end of today's webinar. So thank you very much to all attendees for listening to our KuppingerCole webinar. Hope to have you soon back at one of our webinars or our KC Live events, or one of our hybrid events. Maybe see you in Berlin soon. Thank you very much, Zach, for your insights, these very, very valuable. And thank you for supporting us with this webinar,
Martin, Martin.