1
00:00:08,700 --> 00:00:17,500
Identity and access management 
welcome to the identity at the 

2
00:00:17,500 --> 00:00:20,900
center podcast. 
This is Jeff and that's Jim. 

3
00:00:20,900 --> 00:00:23,200
Hey, Jim hey Jeff, how's it 
going? 

4
00:00:23,700 --> 00:00:27,600
Pretty good. 
Good, you getting ready for 

5
00:00:27,600 --> 00:00:29,800
vacation next week? 
Oh wait. 

6
00:00:30,000 --> 00:00:38,600
You know, me going on vacation 
to a hot spot of, please, please

7
00:00:38,600 --> 00:00:41,900
do not contract anything because
I'm going to be swamped if not 

8
00:00:42,300 --> 00:00:44,700
if so. 
You know what I find ironic 

9
00:00:44,700 --> 00:00:48,200
though is I'm going to Florida 
for in because no, and I booked 

10
00:00:48,200 --> 00:00:51,500
it like three months ago when it
looked like Florida was the safe

11
00:00:51,500 --> 00:00:54,200
place compared to New York and 
New Jersey well. 

12
00:00:54,200 --> 00:00:56,400
Now, New York and New Jersey are
saying, hey, if you're coming 

13
00:00:56,400 --> 00:00:59,300
from Florida, you're going to 
need to self quarantine for two 

14
00:00:59,300 --> 00:01:01,300
weeks. 
Well, isn't that ironic? 

15
00:01:01,900 --> 00:01:06,000
Yep, that's the way it works. 
We're doing a great job of 

16
00:01:06,000 --> 00:01:08,300
containing this but I don't want
to get political on it because 

17
00:01:08,300 --> 00:01:11,000
like everything else. 
It's now everything is political

18
00:01:12,300 --> 00:01:14,800
political, except the insider 
threat. 

19
00:01:14,800 --> 00:01:18,400
That is still apolitical. I'm 
excited about having that as, 

20
00:01:18,700 --> 00:01:23,500
you know, our main topic today 
and, you know, I've always felt 

21
00:01:23,500 --> 00:01:27,900
like, oh, maybe maybe does get 
political but I've always felt 

22
00:01:27,900 --> 00:01:31,200
like it's an ignored area 
because the focus is so 

23
00:01:31,200 --> 00:01:33,400
much on getting hacked from the 
outside. 

24
00:01:33,400 --> 00:01:37,600
And, you know, since I've been 
in it that the standard approach

25
00:01:37,600 --> 00:01:42,800
has been hard, crunchy shell and
kind of soften the inside. 

26
00:01:42,800 --> 00:01:46,100
In other words, have a firewall 
really guard, the perimeter of 

27
00:01:46,100 --> 00:01:50,500
your network and then trust the 
people inside. Heck, Jeff, 

28
00:01:50,500 --> 00:01:54,800
You and I work with clients all 
the time where we hear, you 

29
00:01:54,800 --> 00:01:57,600
know, "well, we only have 
this number of people with 

30
00:01:57,600 --> 00:01:59,800
administrative accounts," and what
it boils down to is, 

31
00:02:00,200 --> 00:02:04,900
these are the people that we 
trust. But the insider threat is 

32
00:02:05,000 --> 00:02:07,700
very real. 
And, you know, we we have one 

33
00:02:07,700 --> 00:02:12,300
slide that we pulled from the 
Gartner IAM Summit back in 

34
00:02:12,300 --> 00:02:16,900
'19. Feels like a century 
ago, but back in '19, and it 

35
00:02:16,900 --> 00:02:22,900
talked about you know, the 
percentage of actors who make up

36
00:02:23,700 --> 00:02:27,700
each data breach, and the 
insiders are like over 30 

37
00:02:27,700 --> 00:02:29,900
percent so it's a very real 
issue. 

38
00:02:30,000 --> 00:02:32,300
Sure. 
Yeah, I think that traditional 

39
00:02:32,300 --> 00:02:35,800
thinking of the, you know, the M&M,
right, the crunchy shell and the

40
00:02:35,808 --> 00:02:40,600
soft gooey center, is something 
that was, you know, 20 years ago,

41
00:02:40,900 --> 00:02:44,000
you know, maybe even ten years 
ago. But, you know, this 

42
00:02:44,000 --> 00:02:47,100
whole zero trust framework has 
come about, which I think is 

43
00:02:47,100 --> 00:02:50,900
good, and you do have to watch 
out for the insider threat. 

44
00:02:51,500 --> 00:02:55,300
A third of attacks, you know, 
roughly come from the inside, and

45
00:02:55,600 --> 00:03:00,000
it's typically, you know, you 
don't want to... you don't really 

46
00:03:00,000 --> 00:03:03,500
care about your normal users 
other than as a means to an end,

47
00:03:03,600 --> 00:03:04,800
right? 
They want to get into the 

48
00:03:04,800 --> 00:03:08,100
accounts that actually have 
access to things that are 

49
00:03:08,100 --> 00:03:11,000
important from a data 
perspective or from a social 

50
00:03:11,000 --> 00:03:13,800
engineering perspective, right? 
If you can breach the executive 

51
00:03:13,800 --> 00:03:16,800
account, you can pretty much ask
for whatever you want, and people 

52
00:03:16,800 --> 00:03:19,100
give it to you. 
So that's one way to do it. 

53
00:03:19,400 --> 00:03:21,800
So, it's a good thing that we're
talking Insider threat because 

54
00:03:21,800 --> 00:03:26,400
we also have a guest today. We 
have, from Preempt Security, Phil.

55
00:03:26,400 --> 00:03:27,800
Welcome, Phil. 

56
00:03:28,700 --> 00:03:32,000
Hey, thank you. 
Great - yeah. 

57
00:03:32,500 --> 00:03:36,100
So, you know, one of the things 
that we like to get into with 

58
00:03:36,100 --> 00:03:38,900
all of our guests, before we 
get into kind of the topic here,

59
00:03:38,900 --> 00:03:41,700
is kind of their background in 
IAM and, you know, what 

60
00:03:41,700 --> 00:03:44,700
they've been working on. 
Maybe we can start there, Phil. 

61
00:03:44,700 --> 00:03:46,500
How did you get into 
IAM? 

62
00:03:46,500 --> 00:03:48,200
Let's start there. 
Sure. 

63
00:03:48,200 --> 00:03:53,200
So I started my career in 
software engineering and 

64
00:03:53,200 --> 00:03:55,600
post sales Professional 
Services. 

65
00:03:56,700 --> 00:04:00,700
And then when I started in IAM 
was about 10 years ago. 

66
00:04:01,200 --> 00:04:05,500
I joined a company called 
Imprivata, which focuses on strong

67
00:04:05,500 --> 00:04:08,800
authentication and single 
sign-on for hospitals and 

68
00:04:08,800 --> 00:04:12,100
healthcare systems. 
I wanted to get into pre-sales 

69
00:04:12,100 --> 00:04:15,700
engineering so I started there 
as an inside SE and then moved 

70
00:04:15,700 --> 00:04:18,500
into selling in the field. 
After a couple years, then 

71
00:04:18,500 --> 00:04:24,100
started to manage a team of 
about eight to ten SEs. From there,

72
00:04:24,100 --> 00:04:28,200
I had a year in network security
as a little bit of a 

73
00:04:28,400 --> 00:04:30,300
gap, but then I missed it so 
much. 

74
00:04:30,300 --> 00:04:33,800
I came back to IAM, focusing on 
security, where I am now at 

75
00:04:33,800 --> 00:04:38,200
Preempt. 
So you actually started with IAM, 

76
00:04:38,500 --> 00:04:40,900
which is kind of interesting 
because most of the folks that 

77
00:04:40,900 --> 00:04:42,800
we talk to, at least in my 
experience... 

78
00:04:42,900 --> 00:04:45,800
So, my theory is that most 
people who are in IAM didn't 

79
00:04:45,800 --> 00:04:49,000
start there, they started 
somewhere else, and then kind of

80
00:04:49,200 --> 00:04:52,500
fell into the IAM space. 
So, thanks for blowing that up 

81
00:04:52,508 --> 00:04:53,600
for me. 
Appreciate that. 

82
00:04:55,900 --> 00:05:11,600
What? 
So I was a software engineer. 

83
00:05:12,000 --> 00:05:15,300
I was on the post-sales side. 
That was, that was not 

84
00:05:15,300 --> 00:05:17,400
IAM, that was completely... so 
your theory 

85
00:05:17,400 --> 00:05:20,500
does still stand. 
Okay, good, safe. 

86
00:05:20,500 --> 00:05:24,500
Appreciate you. 
So now you're at Preempt Security.

87
00:05:24,500 --> 00:05:26,500
Can you tell us a little about 
what Preempt does and what you're

88
00:05:26,500 --> 00:05:28,400
doing for them? 
Yep. 

89
00:05:28,400 --> 00:05:31,600
Preempt. 
So Preempt takes a look at your 

90
00:05:31,600 --> 00:05:35,800
users' identities, their 
behaviors, the different 

91
00:05:35,800 --> 00:05:39,600
risks a user or an endpoint 
has, and combines those all 

92
00:05:39,600 --> 00:05:44,000
together to understand where the
risks are in your environment, 

93
00:05:44,000 --> 00:05:50,100
how can we proactively address 
those risks, and then putting in 

94
00:05:50,100 --> 00:05:55,000
place the ability to do things 
like trigger MFA or 

95
00:05:55,000 --> 00:06:01,700
conditionally block access when 
rules are in place to decide 

96
00:06:01,700 --> 00:06:03,600
the user shouldn't be doing what
they're 

97
00:06:03,900 --> 00:06:06,100
doing, or maybe they're doing 
something suspicious or 

98
00:06:06,100 --> 00:06:07,800
malicious 
that should be contested. 

99
00:06:09,400 --> 00:06:13,000
So, basically the perfect person
to have on to talk about Insider

100
00:06:13,000 --> 00:06:18,100
threat, huh? 
So there's a report that you 

101
00:06:18,100 --> 00:06:20,000
guys are now working on, 
and you guys have been kind 

102
00:06:20,000 --> 00:06:25,800
enough to, you know, share maybe
some stats before that gets 

103
00:06:25,800 --> 00:06:28,300
out there, and we'll have a link 
to it as part of our show notes 

104
00:06:28,300 --> 00:06:31,000
for people who are listening out
there. I know that you guys have

105
00:06:31,000 --> 00:06:33,500
been working on this for a while,
and it's around the hidden risks

106
00:06:33,500 --> 00:06:37,500
of workforce identities. 
Maybe we can start with that. 

107
00:06:38,600 --> 00:06:40,700
You know, 
what are 

108
00:06:40,700 --> 00:06:43,500
some of the key findings that 
you think you took away from 

109
00:06:44,000 --> 00:06:45,500
what you might find in that 
report? 

110
00:06:47,200 --> 00:06:52,600
I think some of the biggest ones
that I was surprised by were 

111
00:06:52,600 --> 00:06:56,300
just taking a look at users and 
all users in general. 

112
00:06:57,200 --> 00:07:01,200
We found that 10% of all 
users were found to be high 

113
00:07:01,200 --> 00:07:04,000
risk. 
So whether it's a privileged 

114
00:07:04,000 --> 00:07:08,600
user, a regular user without 
privileges, a service account, 

115
00:07:10,100 --> 00:07:14,400
ten percent of those users had 
risks associated with them that 

116
00:07:14,400 --> 00:07:16,600
considered that user to be high 
risk. 

117
00:07:17,600 --> 00:07:21,500
So things that contribute to 
high risk, things like: is the 

118
00:07:21,500 --> 00:07:25,500
user using a 
compromised or weak password 

119
00:07:25,500 --> 00:07:29,900
that's been part of a known 
breach? Are their password 

120
00:07:29,900 --> 00:07:33,700
policies not strong enough? 
So do they have a password 

121
00:07:33,700 --> 00:07:39,600
policy that doesn't require, 
let's say, over 10 characters, or

122
00:07:39,600 --> 00:07:43,800
the complexity is minimal? 
So those are just a couple of 

123
00:07:43,800 --> 00:07:50,500
examples of factors contributing
to high-risk users. One other 

124
00:07:50,600 --> 00:07:51,300
stat 

125
00:07:51,300 --> 00:07:57,500
I thought that stood out: 
15% of accounts are 

126
00:07:57,500 --> 00:08:01,200
still authenticating with 
NTLM every week. 

127
00:08:02,500 --> 00:08:08,900
That's a weak Microsoft Active 
Directory protocol that has been

128
00:08:08,900 --> 00:08:13,000
replaced by Kerberos, but 
there's still plenty of 

129
00:08:13,000 --> 00:08:16,600
applications out there that 
require NTLM. 

130
00:08:16,600 --> 00:08:19,900
So the fact that that 
protocol is still out there and 

131
00:08:19,900 --> 00:08:24,200
still is being used not just by 
regular users, but by privileged

132
00:08:24,200 --> 00:08:28,400
users as well, really exposes 
them to different types of 

133
00:08:28,400 --> 00:08:32,600
attacks. 
Yeah, NTLM is really kind of 

134
00:08:32,600 --> 00:08:34,100
designed for interoperability, 
right? 

135
00:08:34,100 --> 00:08:38,500
So a lot of, you know, that's 
what happens when you try 

136
00:08:38,500 --> 00:08:41,000
to do too much with one thing, 
right? 

137
00:08:41,000 --> 00:08:42,400
You're trying to make things 
backward compatible. 

138
00:08:42,400 --> 00:08:45,500
You have to inherit maybe some 
security weaknesses that come 

139
00:08:45,500 --> 00:08:48,600
along with that. Jim, were 
you saying something? Because you're

140
00:08:48,600 --> 00:08:51,400
saying, you know, pretty much 
exactly what you said, but I was

141
00:08:51,400 --> 00:08:57,500
also going to say that NTLM, 
NT LAN Manager, I guess the NT stands

142
00:08:57,500 --> 00:09:02,500
for new technology, right? 
Because back in the NT 3.5 

143
00:09:02,500 --> 00:09:06,900
and NT 4.0 days, 
that was new technology. 

144
00:09:07,800 --> 00:09:12,500
But NTLM has been around for a 
long time, right? 

145
00:09:13,400 --> 00:09:15,300
One of the OGs, right, when 
it comes to Windows 

146
00:09:15,300 --> 00:09:17,000
authentication. 
Yeah. 

147
00:09:17,000 --> 00:09:19,500
It's OG. 
Okay. 

148
00:09:19,500 --> 00:09:20,600
I think maybe they need to 
rebrand. 

149
00:09:20,600 --> 00:09:22,900
Maybe new technology isn't 
the right moniker for it. 

150
00:09:22,900 --> 00:09:25,600
But I think it's too late now. 
Yeah. 

151
00:09:26,800 --> 00:09:30,100
NTLM. 
Yeah, so it's definitely 

152
00:09:30,100 --> 00:09:33,800
something Felton plan, man. 
We make it sound very new. 

153
00:09:36,200 --> 00:09:38,400
Go ahead, Phil. 
Sorry. 

154
00:09:38,400 --> 00:09:40,700
I was just going to say, we're, 
you know, we're definitely 

155
00:09:40,700 --> 00:09:46,200
seeing customers trying to 
reduce the amount of NTLM 

156
00:09:46,200 --> 00:09:48,900
used in their environments. 
And it's, it's a struggle. 

157
00:09:48,900 --> 00:09:55,300
It's hard to fight that 
battle and understand who is 

158
00:09:55,300 --> 00:09:58,100
using that protocol, where it's 
being used, where it's forced to

159
00:09:58,108 --> 00:10:00,900
be used. 
We see a lot of security tools 

160
00:10:00,900 --> 00:10:03,300
using NTLM and requiring 
NTLM. 

161
00:10:04,400 --> 00:10:07,300
So it's like the 
password. 

162
00:10:07,300 --> 00:10:12,300
It's something that 
will be around for a while. 

163
00:10:12,300 --> 00:10:14,800
We're trying to remove it from 

164
00:10:14,800 --> 00:10:19,500
enterprises, but it's a tough 
thing to completely abolish. 

165
00:10:20,500 --> 00:10:21,600
Yeah. 
Especially because a lot of 

166
00:10:21,600 --> 00:10:24,300
these accounts maybe are 
service accounts, right? 

167
00:10:24,300 --> 00:10:28,400
Or things along those lines, 
which may not have multi-factor 

168
00:10:28,700 --> 00:10:31,800
associated with it, because of 
the nature of it, right? 

169
00:10:31,800 --> 00:10:33,000
You don't have a service 
account... 

170
00:10:33,000 --> 00:10:35,500
You have some poor guy out 
there with the phone that's just 

171
00:10:35,500 --> 00:10:38,100
going off every second to approve 

172
00:10:38,100 --> 00:10:40,100
everything. 
So, you know what? 

173
00:10:40,100 --> 00:10:43,600
I guess maybe we should kind of
work our way backwards from this.

174
00:10:43,600 --> 00:10:46,900
So if you've got an NTLM hash, 
right, or the Kerberos ticket 

175
00:10:47,500 --> 00:10:52,900
might be going against, that's 
something that can be exported 

176
00:10:52,900 --> 00:10:56,200
out of an organization, and you 
could run brute force attacks on

177
00:10:56,200 --> 00:10:57,100
that. 
Is that right? 

178
00:10:58,100 --> 00:10:59,300
That's right. 
So, one of the 

179
00:10:59,300 --> 00:11:05,000
common attacks that we see is an
attack called Kerberoasting, and 

180
00:11:05,200 --> 00:11:09,300
what that is: 
typically, service 

181
00:11:09,300 --> 00:11:13,400
accounts have what's called an 
SPN associated with them, a 

182
00:11:13,408 --> 00:11:20,600
service principal name that 
allows them to uniquely identify

183
00:11:20,600 --> 00:11:25,000
them and allows them to request 
an application to request that 

184
00:11:25,000 --> 00:11:30,700
service authenticate. And what 
users can do, 

185
00:11:30,700 --> 00:11:32,300
and any user can do 

186
00:11:32,300 --> 00:11:35,700
this, is request all the accounts
in Active Directory 

187
00:11:35,700 --> 00:11:37,300
that have an SPN associated 
with them. 

188
00:11:37,600 --> 00:11:39,700
So it could be a service 
account, it could be a human 

189
00:11:39,700 --> 00:11:44,400
account as well. 
So once that's done, requesting 

190
00:11:44,400 --> 00:11:50,400
those Kerberos tickets 
for all those users, 

191
00:11:50,400 --> 00:11:53,800
that's where an attacker 
can take those tickets and 

192
00:11:53,808 --> 00:11:58,400
attempt to crack those hashes 
offline, by brute force. 

193
00:11:58,900 --> 00:12:02,100
So if any of those users, 
whether human or service account

194
00:12:02,100 --> 00:12:07,800
has a password that is weak 
because of having a bad password

195
00:12:07,800 --> 00:12:11,400
policy, or it's weak because it's 
been compromised, or part of a 

196
00:12:11,400 --> 00:12:15,300
known breach, that password, 
or that hash, can be easily 

197
00:12:15,300 --> 00:12:19,500
cracked. 
Yeah, I think, you know, I think

198
00:12:19,500 --> 00:12:23,200
that's really important for 
people to understand, is that this 

199
00:12:23,200 --> 00:12:26,800
is an offline attack, right? 
Once you've exfiltrated those 

200
00:12:26,800 --> 00:12:30,600
password hashes, you can spend 
as much time as you want, trying

201
00:12:30,600 --> 00:12:32,300
to crack it. 
And, you know, those accounts, or

202
00:12:32,300 --> 00:12:35,900
those hashes I should 
say, without ever, you know, 

203
00:12:35,900 --> 00:12:37,900
coming up on anyone's radar 
essentially. 

204
00:12:37,900 --> 00:12:40,800
So, really, the key is to kind 
of catch people who are 

205
00:12:40,800 --> 00:12:44,500
requesting maybe the SPNs 
within an organization, right? 

206
00:12:44,500 --> 00:12:46,100
Or requesting an abnormal 
amount 

207
00:12:46,200 --> 00:12:48,200
of Kerberos tickets, you 
know, those sorts of things, to 

208
00:12:48,200 --> 00:12:52,800
try and identify a 
potential, you know, compromise 

209
00:12:52,900 --> 00:12:55,200
kind of incident. 
So I think that's, I think 

210
00:12:55,200 --> 00:12:57,800
that's really important to 
understand, is that you said 

211
00:12:57,800 --> 00:13:00,500
something there, too, that, you
know, any Active Directory user

212
00:13:00,500 --> 00:13:03,800
can request it. 
Right? And Active Directory users

213
00:13:03,800 --> 00:13:08,200
are typically insiders, right? 
So you know, if you've got 

214
00:13:08,200 --> 00:13:12,500
someone who has either assumed the
identity of one of your insiders

215
00:13:12,500 --> 00:13:15,200
or is one of your insiders and is 
looking to do some damage, you 

216
00:13:15,200 --> 00:13:18,100
know, that's a great way 
to kind of work on it on your 

217
00:13:18,100 --> 00:13:21,700
own time and come back. 
And, you know, especially 

218
00:13:21,700 --> 00:13:25,700
if you've got service accounts 
that are using weak passwords or

219
00:13:25,700 --> 00:13:28,700
cracked passwords, this is why 
you want to have really strong 

220
00:13:28,700 --> 00:13:31,000
passwords for those accounts 
that are randomized and never 

221
00:13:31,000 --> 00:13:34,000
used anywhere else. 
You don't want to make it easy 

222
00:13:34,000 --> 00:13:36,600
for people to kind of roast you 
from the inside. 

223
00:13:37,600 --> 00:13:43,000
And it comes up all the time 
when customers conduct pen 

224
00:13:43,000 --> 00:13:47,800
tests. Kerberoasting is one of 
the most common techniques used 

225
00:13:47,800 --> 00:13:53,100
by pentesters, and usually is one
of the findings that they have, 

226
00:13:53,100 --> 00:13:56,600
where they were able to 
successfully grab an account's 

227
00:13:56,600 --> 00:13:59,000
credentials through that 
type of attack. 

228
00:14:00,900 --> 00:14:04,600
You know, I'd like to inject 
here, Jeff, to just kind of talk a

229
00:14:04,608 --> 00:14:08,100
little bit about motives because
I think sometimes when it comes 

230
00:14:08,100 --> 00:14:12,700
to this, it's maybe a little 
bit esoteric for a CISO of 

231
00:14:13,900 --> 00:14:16,900
a company that hasn't 
traditionally thought of 

232
00:14:16,900 --> 00:14:18,800
themselves as a target. 
Right? 

233
00:14:18,800 --> 00:14:23,200
The banking and financial 
services industry has long held

234
00:14:23,200 --> 00:14:28,200
themselves to be a target because, hey,
if I steal banking information 

235
00:14:28,200 --> 00:14:34,500
from people, I can turn that 
into getting money. But it's 

236
00:14:34,500 --> 00:14:38,300
really the information that 
leads to either the financial 

237
00:14:38,300 --> 00:14:41,300
crimes. 
I mean, I think what we're seeing

238
00:14:41,300 --> 00:14:45,600
going on in the world, not just 
recent events but just over the 

239
00:14:45,600 --> 00:14:51,800
past couple decades, is really
that there are other 

240
00:14:51,800 --> 00:14:55,100
motives than just financial 
crimes. Financial crime 

241
00:14:55,100 --> 00:14:59,400
still leads, is the majority, 
but, you know, just getting data 

242
00:14:59,400 --> 00:15:04,000
about people, 
you know, and stealing emails and

243
00:15:04,000 --> 00:15:08,200
things like that, you can either
blackmail a company, which of 

244
00:15:08,200 --> 00:15:12,200
course is a financial crime, or 
you can just embarrass a 

245
00:15:12,200 --> 00:15:14,200
company. 
And there are a lot of clients 

246
00:15:14,200 --> 00:15:19,100
that we've worked with, who are 
very afraid of kind of having a 

247
00:15:19,100 --> 00:15:23,000
Sony-type incident, where their 
emails were dumped out on the 

248
00:15:23,000 --> 00:15:26,000
dark web. 
And, you know, it just really 

249
00:15:26,200 --> 00:15:32,300
hurt their company from, like, a 
branding perspective. 

250
00:15:32,600 --> 00:15:34,800
But I've talked to CISOs 
before 

251
00:15:34,800 --> 00:15:37,300
who said, you know, we're not a 
bank. 

252
00:15:37,300 --> 00:15:42,900
We make food. But as long as you
are the keeper of private 

253
00:15:42,900 --> 00:15:46,100
information, you have social 
security numbers, maybe you have

254
00:15:46,100 --> 00:15:52,000
even more sensitive PII 
data, you could be a target for 

255
00:15:52,000 --> 00:15:55,100
these insider threats. 
So I guess the long and short of

256
00:15:55,100 --> 00:16:00,100
it is that I can't imagine any 
company that this isn't kind of 

257
00:16:00,100 --> 00:16:01,700
a present issue, too. 

258
00:16:01,700 --> 00:16:04,200
And I think everybody who is 
listening 

259
00:16:04,200 --> 00:16:09,500
should take this very seriously.
Absolutely. 

260
00:16:10,300 --> 00:16:14,500
And I guess what I'd like to do 
is kick 

261
00:16:14,500 --> 00:16:17,900
this back to Phil, because you're
working a lot on insider threats.

262
00:16:18,500 --> 00:16:23,200
What are you seeing in terms of 
industries that seem to be more

263
00:16:23,200 --> 00:16:28,300
interested in this versus 
industries who are investing 

264
00:16:28,300 --> 00:16:32,100
less on the insider threat? Or do
you see it picking up across the 

265
00:16:32,100 --> 00:16:35,900
board? 
I think, you know, I think 

266
00:16:36,400 --> 00:16:40,400
across all the industries, I 
think financial services is 

267
00:16:40,400 --> 00:16:45,800
probably the highest, but really
the interest is across 

268
00:16:45,800 --> 00:16:49,200
the board. 
It's an issue in any vertical, 

269
00:16:51,100 --> 00:16:55,100
and we're seeing that as we work
with our customers. 

270
00:16:56,500 --> 00:17:00,000
It's insider threats, 
it's external threats. 

271
00:17:00,000 --> 00:17:08,099
It's really something that 
every customer... and you mentioned

272
00:17:08,099 --> 00:17:11,200
the food service industry. 
Also the retail industry, 

273
00:17:11,700 --> 00:17:17,900
healthcare. There's data 
to be taken 

274
00:17:17,900 --> 00:17:21,700
and to be sold, and whether 
it's for a malicious intent or 

275
00:17:21,700 --> 00:17:26,900
whether it's just somebody 
snooping, it's users 

276
00:17:26,900 --> 00:17:30,300
trying to access things that 
they're most likely not supposed

277
00:17:30,300 --> 00:17:34,000
to be in, and they find ways to do it.
And that's it. 

278
00:17:34,100 --> 00:17:36,500
Back to service accounts. 
That's something that we 

279
00:17:36,500 --> 00:17:41,300
often see. Service accounts have
elevated privileges, typically 

280
00:17:41,300 --> 00:17:45,300
to do the tasks that they were 
made to do, but 

281
00:17:45,800 --> 00:17:49,100
there's a human that has 
access to those service account 

282
00:17:49,100 --> 00:17:54,000
credentials, and sometimes they 
leverage those credentials to 

283
00:17:54,800 --> 00:18:00,300
perform their job quicker or 
easier because the credentials 

284
00:18:00,300 --> 00:18:03,500
are available to them through 
that service account versus not 

285
00:18:03,500 --> 00:18:04,900
having them on 
their own account. 

286
00:18:05,800 --> 00:18:08,800
So it's definitely understanding
what a service account is doing,

287
00:18:08,800 --> 00:18:14,000
where it's going, 
what it's accessing, that is 

288
00:18:14,000 --> 00:18:17,700
very important, especially 
how that service account is 

289
00:18:17,700 --> 00:18:20,800
authenticating. Is it 
doing the scheduled tasks, or 

290
00:18:21,600 --> 00:18:26,300
what it was meant to do on a 
scheduled basis, or is it logging

291
00:18:26,300 --> 00:18:30,500
in interactively via RDP or an
interactive logon, where 

292
00:18:30,600 --> 00:18:32,500
someone's actually using those 
credentials in a way they 

293
00:18:32,500 --> 00:18:37,700
shouldn't be? 
I think Phil's hit on one of the things that Jim and 

294
00:18:37,700 --> 00:18:40,200
I see quite a bit when we're 
working with organizations 

295
00:18:40,200 --> 00:18:43,900
around privileged accounts and
service accounts 

296
00:18:43,900 --> 00:18:46,900
specifically, is that a lot of these 
have passwords that have been 

297
00:18:46,900 --> 00:18:49,700
hard-coded or set and are not 
changed very often. 

298
00:18:49,800 --> 00:18:53,400
So if you have a user who knows
what that service account ID and

299
00:18:53,400 --> 00:18:58,200
password is, it can be 
difficult to change it, certainly

300
00:18:58,200 --> 00:19:01,600
in a timely manner, unless 
you've got tools in place that 

301
00:19:01,600 --> 00:19:05,800
are helping you manage your 
privileged access. And, you know,

302
00:19:05,900 --> 00:19:08,600
people may walk out the door 
with that access and may keep 

303
00:19:08,600 --> 00:19:11,300
it for a while until either they're
discovered or someone says 

304
00:19:11,300 --> 00:19:13,400
change the password. 
So, I think it's important from a 

305
00:19:13,408 --> 00:19:17,100
hygiene perspective to 
understand, you know, as a 

306
00:19:18,200 --> 00:19:21,900
privileged access management 
keyholder, if you're responsible

307
00:19:21,900 --> 00:19:24,900
for those types of keys is to 
make sure that those are being 

308
00:19:25,500 --> 00:19:29,200
changed on a routine basis. 
And you know that when you have 

309
00:19:29,200 --> 00:19:33,600
a, you know, termination event 
type thing, that anybody who 

310
00:19:33,600 --> 00:19:37,000
had access to that, you 
make sure that you definitely 

311
00:19:37,000 --> 00:19:40,700
change those accounts. 
Yeah, I'd say we see that every day,

312
00:19:40,800 --> 00:19:46,400
where an application was brought
into an enterprise back in 

313
00:19:46,400 --> 00:19:49,800
2005, and then a service account 
was created specifically for 

314
00:19:49,800 --> 00:19:53,600
that application. 
It was set with, you know, high 

315
00:19:53,600 --> 00:19:56,500
privilege, had a password set to
never expire. 

316
00:19:57,000 --> 00:20:02,600
And then here comes 2020, 
and we see that that same 

317
00:20:02,600 --> 00:20:05,900
password has been unchanged 
in 15 years, it's still set to 

318
00:20:05,900 --> 00:20:08,800
never expire. 
And now it's been part of a 

319
00:20:08,800 --> 00:20:11,700
known breach, 
so it's considered a compromised 

320
00:20:11,700 --> 00:20:16,800
password. So the combination of 
the high privileges, not being 

321
00:20:16,800 --> 00:20:20,000
changed in a long time, not 
needing to be changed, and the 

322
00:20:20,000 --> 00:20:27,200
worry of an Enterprise to change
that password because they're 

323
00:20:27,300 --> 00:20:29,800
nervous about what they're going
to break if they do change that 

324
00:20:29,800 --> 00:20:32,700
password, because they don't know
what that service account is 

325
00:20:32,700 --> 00:20:35,700
doing. 
It's a very real concern, but 

326
00:20:35,700 --> 00:20:39,500
it's also like if you have a 
house and you know your

327
00:20:39,500 --> 00:20:43,000
electric bill's $200 a month, and 
you know that there's all these 

328
00:20:43,000 --> 00:20:46,400
leaks, you've got to go around 
and start sealing them up. 

329
00:20:46,400 --> 00:20:49,600
You can't just say there's so 
many leaks in this house that 

330
00:20:49,900 --> 00:20:52,500
we'll never get to them all, 
so we're not going to do 

331
00:20:52,500 --> 00:20:55,700
anything. Because I think if 
you go around and you close up, 

332
00:20:56,000 --> 00:20:59,100
you know, 50% of the leaks, you're 
going to drop that electric bill

333
00:20:59,100 --> 00:21:02,600
quite significantly. 
You know, I think that's one way

334
00:21:02,600 --> 00:21:04,600
of looking at it. 
In other words, what I'm 

335
00:21:04,600 --> 00:21:09,200
getting at is that you don't 
have to be perfect to be better 

336
00:21:09,700 --> 00:21:13,300
and I think that's a big thing 
that holds you back, is the 

337
00:21:13,300 --> 00:21:16,600
enormity of the problem, the 
enormity of how do we get our 

338
00:21:16,600 --> 00:21:19,700
arms around this situation. 
We have so many service accounts,

339
00:21:19,800 --> 00:21:22,800
you mentioned that, service 
accounts. 

340
00:21:23,100 --> 00:21:25,000
And I know this area very 
well. 

341
00:21:25,000 --> 00:21:28,700
Where are the service accounts? 
Like, where are all the places it

342
00:21:28,700 --> 00:21:32,800
could be, where it's being used, and 
things like that. 

343
00:21:32,800 --> 00:21:36,400
But if you have a service account 
sitting around for long enough, 

344
00:21:36,800 --> 00:21:39,600
a lot of people who are no 
longer with your organization 

345
00:21:39,600 --> 00:21:43,200
potentially know that password, 
or potentially that password's 

346
00:21:43,200 --> 00:21:47,800
gotten out on the internet, 
probably the password's very weak,

347
00:21:47,800 --> 00:21:50,200
could be brute-forced, 
potentially. 

348
00:21:52,200 --> 00:21:56,000
If that comes back as part 
of a breach, you can bet your 

349
00:21:56,000 --> 00:21:58,100
bottom dollar, they're going to 
change that password. 

350
00:21:59,300 --> 00:22:01,200
So they're going to figure out a
way to do it. 

351
00:22:01,400 --> 00:22:06,300
So why are we waiting till after 
the breach has occurred? That's, 

352
00:22:06,900 --> 00:22:10,100
unfortunately, that's what we 
see a lot in the industry, is 

353
00:22:10,100 --> 00:22:14,400
that things get taken 
seriously after they've gone 

354
00:22:14,400 --> 00:22:17,000
too far, right, after a breach has
occurred. 

355
00:22:17,300 --> 00:22:18,900
Now, we're going to take it 
seriously. 

356
00:22:18,900 --> 00:22:23,900
Well, you know, too bad, we take
it seriously before that, right?

357
00:22:23,900 --> 00:22:30,200
It's understanding where those 
risks are as far as, from 

358
00:22:30,200 --> 00:22:33,300
a user perspective or from an 
endpoint perspective, and 

359
00:22:33,500 --> 00:22:37,000
proactively cleaning them up. 
Just, you know, again, like you

360
00:22:37,000 --> 00:22:40,200
said, you can't be perfect, but 
it helps a great deal if you can 

361
00:22:40,200 --> 00:22:42,900
do it ahead of time, before 
something bad happens. 

362
00:22:43,500 --> 00:22:46,600
One of the things that Jeff and 
I talked about a lot, because it 

363
00:22:46,600 --> 00:22:50,800
comes back in various reports 
and surveys that are done is how

364
00:22:50,800 --> 00:22:54,000
long it takes to realize that a 
breach has occurred. 

365
00:22:54,000 --> 00:22:57,600
And I don't think that the 
numbers are consistent because 

366
00:22:57,600 --> 00:23:01,200
there's a report that came out 
recently that, you know, shortened

367
00:23:01,500 --> 00:23:03,300
versus what I've seen in the 
past. 

368
00:23:03,400 --> 00:23:07,500
Just, you know, on the 
magnitude of six months plus to 

369
00:23:07,900 --> 00:23:13,000
discover a breach, but I think, 
you know, when I think about 

370
00:23:13,000 --> 00:23:17,600
what has happened in IAM over 
the past five years, the 

371
00:23:17,600 --> 00:23:24,700
definition of IAM is changing 
from who has access to what, to 

372
00:23:24,800 --> 00:23:29,200
who has access to what plus what's
being done with that access. 

373
00:23:29,500 --> 00:23:34,000
And that's, to me, you know, 
really the next frontier: to 

374
00:23:34,300 --> 00:23:38,700
ensure, you know, expanding our 
scope beyond, not just to 

375
00:23:38,700 --> 00:23:41,700
make sure that the right 
accounts have the right access 

376
00:23:41,700 --> 00:23:44,100
and we have sound controls over 
who can log in. 

377
00:23:44,400 --> 00:23:48,900
But then monitoring the use of 
that access and being able to, 

378
00:23:50,900 --> 00:23:55,600
you know, define patterns for 
normal behavior and identify 

379
00:23:55,800 --> 00:23:58,500
when that normal behavior is not
being followed. 

380
00:23:58,500 --> 00:24:03,100
So, you know, today, this 
account that only logged in as a

381
00:24:03,100 --> 00:24:07,000
service account once in a while 
logged in through the VPN; it's 

382
00:24:07,000 --> 00:24:10,000
never logged in through the VPN before. 
Whoa. 

383
00:24:10,000 --> 00:24:13,000
Well, maybe somebody better look
into that, right? 

384
00:24:14,400 --> 00:24:18,600
And I think that that's 
the biggest change I've seen in 

385
00:24:18,600 --> 00:24:20,500
IAM recently. 
I think there are a lot of 

386
00:24:20,500 --> 00:24:26,200
things happening with AI and 
things like that, but to me the 

387
00:24:27,300 --> 00:24:30,800
understanding of what identities
are doing on the network is 

388
00:24:30,800 --> 00:24:33,500
really the big next. 
Sure. 

389
00:24:33,500 --> 00:24:36,300
And it helps with Insider 
threats and it helps with 

390
00:24:37,400 --> 00:24:40,000
external, outsider breaches as 
well. 

391
00:24:42,300 --> 00:24:45,400
Man, if only there was a podcast 
that, you know, focused on 

392
00:24:45,400 --> 00:24:49,700
identity and why it's important. 
Jeez, where can I find 

393
00:24:49,700 --> 00:24:51,300
something like that? 
I don't know. 

394
00:24:51,300 --> 00:24:54,500
There's one that's been around 
for about a year, it's going up 

395
00:24:54,500 --> 00:24:59,200
on that, but you bring up a 
really interesting point in that

396
00:24:59,200 --> 00:25:01,700
is that, you know, identity 
really is at the center of a lot

397
00:25:01,700 --> 00:25:05,700
of these things, especially when
it comes to threat detection, 

398
00:25:06,900 --> 00:25:09,500
Phil, what kind of role do you 
see identity playing when it 

399
00:25:09,500 --> 00:25:15,700
comes to identifying threats? 
So one interesting stat I 

400
00:25:15,700 --> 00:25:23,100
saw recently was that 80% of 
attacks breach the identity 

401
00:25:23,100 --> 00:25:28,300
store, or credential compromise, 
or an insider using credentials 

402
00:25:28,300 --> 00:25:33,700
inappropriately, so focusing on 
identity-based attacks just 

403
00:25:33,700 --> 00:25:37,300
makes sense. 
If we're seeing the 

404
00:25:37,300 --> 00:25:42,700
majority of attacks are on 
the identity side, it's 

405
00:25:42,700 --> 00:25:47,800
obviously the best place to 
start to look at: 

406
00:25:48,000 --> 00:25:51,900
how are we going to detect these
different types of attacks and 

407
00:25:51,900 --> 00:25:56,600
also prevent them, prevent them 
from continuing on, prevent them 

408
00:25:56,600 --> 00:25:59,800
from moving across the 
network? 

409
00:26:01,600 --> 00:26:05,200
What are some of the things that
organizations can look for when 

410
00:26:05,200 --> 00:26:09,700
it comes to identity and trying 
to find, you know, indicators of

411
00:26:09,700 --> 00:26:14,900
compromise? 
So really, things like, as Jim was

412
00:26:14,900 --> 00:26:21,700
just mentioning before being 
able to identify a user or an 

413
00:26:21,700 --> 00:26:26,800
endpoint user, typically 
accessing servers A, B and C. 

414
00:26:27,000 --> 00:26:30,500
Now, all of a sudden, for the 
first time ever, they're 

415
00:26:30,500 --> 00:26:37,300
accessing server D. Is that 
something that should be 

416
00:26:37,300 --> 00:26:39,200
allowed? 
Should we... 

417
00:26:39,400 --> 00:26:40,700
Do you want to take an action on
that? 

418
00:26:40,700 --> 00:26:43,000
Do you want to alert somebody to 
the fact that that happened, 

419
00:26:43,800 --> 00:26:49,700
trigger MFA step-up, block that 
access? Being able to see, again, 

420
00:26:49,700 --> 00:26:52,200
starting with visibility, 
understanding where the risks 

421
00:26:52,200 --> 00:26:56,300
are in your environment on a per
user, per endpoint basis. 

422
00:26:56,900 --> 00:27:00,700
Being able to clean that up as 
much as possible, but where 

423
00:27:00,700 --> 00:27:05,500
you can, when you see indicators
where somebody's doing something

424
00:27:05,500 --> 00:27:11,900
suspicious, being able to take 
an action on that. Jim, what

425
00:27:11,900 --> 00:27:13,900
about you? 
What do you see as some other 

426
00:27:14,000 --> 00:27:16,800
ways to look at identity and 
figure out if there's maybe a 

427
00:27:16,808 --> 00:27:20,900
potential incident? 
Well, I think, you know, again, 

428
00:27:20,900 --> 00:27:26,300
kind of, I think where identity 
comes into play is that 

429
00:27:26,400 --> 00:27:34,000
in the past, where we had like a 
SOC or NOC focused on where 

430
00:27:34,000 --> 00:27:36,900
breaches 
may be taking place, it's been 

431
00:27:36,900 --> 00:27:42,400
IP-based, so it's been devoid of
the context of identity. 

432
00:27:42,700 --> 00:27:45,900
We've looked for, hey, there's 
some weird activity that's 

433
00:27:45,900 --> 00:27:49,500
coming from this IP address 
across our network. 

434
00:27:49,600 --> 00:27:53,300
But it's that identity context 
that tells you whether or not 

435
00:27:55,400 --> 00:27:59,400
that fits in from a user 
behavior standpoint, and to me, 

436
00:27:59,400 --> 00:28:04,400
that's really the key, is layering 
in identity, like I mentioned 

437
00:28:04,400 --> 00:28:10,200
earlier with the, you know, 
they're both important. IP is 

438
00:28:10,200 --> 00:28:13,700
very important as well because 
you have a computer that all of 

439
00:28:13,700 --> 00:28:16,000
a sudden is like scanning the 
network. 

440
00:28:16,300 --> 00:28:19,100
It doesn't matter what identity 
it's using, that's a problem. 

441
00:28:19,200 --> 00:28:22,400
Right, that's a potential 
compromise that has happened 

442
00:28:22,400 --> 00:28:27,500
within your network, 
but I mentioned that idea of, 

443
00:28:27,500 --> 00:28:32,800
okay, we have a service account that 
logs in, I don't know, twice a 

444
00:28:32,800 --> 00:28:36,300
year because that's how often 
those servers get rebooted, for 

445
00:28:36,300 --> 00:28:40,100
example, and all of a sudden it 
logs in from the VPN. You know, 

446
00:28:40,100 --> 00:28:44,000
that one-time event of logging 
into a VPN, from an IP standpoint,

447
00:28:44,000 --> 00:28:47,100
doesn't look like any kind of 
issue at all. 

448
00:28:47,500 --> 00:28:51,600
Especially if the login is 
happening from some, you know, 

449
00:28:51,600 --> 00:28:56,400
normal location, either, you 
know, within the home country of

450
00:28:56,400 --> 00:28:59,700
that company, or if it's a 
global company, who knows. 

451
00:29:00,400 --> 00:29:02,300
There's nothing about 
that 

452
00:29:02,300 --> 00:29:05,700
login that looks suspicious 
until you take the identity 

453
00:29:05,700 --> 00:29:08,800
context and wrap it around it. 
So to me, that's what's so 

454
00:29:08,800 --> 00:29:14,900
important around, 
you know, building a view from an 

455
00:29:14,900 --> 00:29:19,700
identity standpoint of what is 
normal behavior, so that you can 

456
00:29:19,700 --> 00:29:22,800
then identify what is abnormal 
behavior. 

457
00:29:24,300 --> 00:29:26,400
I think those building blocks 
are really important, right? 

458
00:29:26,400 --> 00:29:30,200
You have to know who has 
access to what, and then what are

459
00:29:30,200 --> 00:29:31,500
they doing with it? 
It is really important. 

460
00:29:31,500 --> 00:29:34,400
I think it also ties to, like, IAM 
hygiene when it comes to 

461
00:29:35,300 --> 00:29:37,200
inactive accounts, dormant 
accounts. 

462
00:29:37,400 --> 00:29:39,300
Right. 
A lot of times you have accounts

463
00:29:39,300 --> 00:29:43,000
out there that haven't been used
in a year, two years, three 

464
00:29:43,000 --> 00:29:46,700
years and people are afraid to 
remove them or you know, do 

465
00:29:46,700 --> 00:29:50,200
whatever to clean them up 
because of the potential impact 

466
00:29:50,200 --> 00:29:54,300
of what it might cause versus, 
you know, the Of what could 

467
00:29:54,300 --> 00:29:56,700
happen if someone gets ahold of 
one of those accounts. There's, 

468
00:29:56,700 --> 00:29:58,600
I think there's a lot of 
different ways that the identity

469
00:29:58,600 --> 00:30:02,000
plays in that. 
Is there any difference between 

470
00:30:02,000 --> 00:30:06,100
trying to figure it out at the 
identity layer versus maybe just

471
00:30:06,100 --> 00:30:09,100
taking a log-based approach? 
Maybe something like through a 

472
00:30:09,108 --> 00:30:12,000
SIEM or a tool similar along those 
lines. 

473
00:30:13,000 --> 00:30:13,800
I guess. 
Phil. 

474
00:30:13,800 --> 00:30:16,200
Maybe that's a question for you. 
Sure. 

475
00:30:16,600 --> 00:30:20,500
So when you're able to 
look at authentication as it 

476
00:30:20,500 --> 00:30:25,300
happens at the protocol level. 
So looking at things like, in 

477
00:30:25,500 --> 00:30:27,600
Active Directory as an 
example: 

478
00:30:28,300 --> 00:30:34,100
NTLM, Kerberos, LDAP, you'd have the best
understanding and have the 

479
00:30:34,100 --> 00:30:37,600
advantage to detect things that 
just aren't as easy to

480
00:30:37,600 --> 00:30:41,200
detect when looking at logs, 
things like attacks 

481
00:30:41,200 --> 00:30:45,200
like pass-the-hash, NTLM relay, 
we talked about Kerberoasting. 

482
00:30:47,000 --> 00:30:52,500
Log-based analysis is going to 
always be primarily detection. 

483
00:30:54,500 --> 00:30:57,900
Trying to take an action and stop
something suspicious and 

484
00:30:57,900 --> 00:31:02,000
potentially malicious, that 
happened minutes or hours ago. 

485
00:31:02,200 --> 00:31:04,000
It's just way too 
late. 

486
00:31:05,000 --> 00:31:09,900
You need to be able to 
really prevent something from 

487
00:31:09,900 --> 00:31:13,500
happening or prevent it 
from continuing to happen 

488
00:31:13,500 --> 00:31:16,400
quickly. 
You really need to be able 

489
00:31:16,400 --> 00:31:19,000
to look at the 
authentications as they're 

490
00:31:19,000 --> 00:31:22,200
taking place. 
Yeah, I think this is where 

491
00:31:22,200 --> 00:31:24,700
artificial intelligence and 
machine learning is really kind 

492
00:31:24,700 --> 00:31:28,800
of become a force multiplier for
security operations and other 

493
00:31:28,800 --> 00:31:32,400
folks who are looking at this, 
because I know in my past, one 

494
00:31:32,400 --> 00:31:34,500
of the things that had been 
historically challenging is 

495
00:31:34,500 --> 00:31:36,600
trying to find those needles in 
the haystack right? 

496
00:31:37,000 --> 00:31:39,900
When we're looking at tons of 
logs all day long right? 

497
00:31:39,900 --> 00:31:43,900
We need help, and this is an area 
that, you know, robots are really 

498
00:31:43,900 --> 00:31:47,000
good at: spotting patterns and 
helping kind of float things up 

499
00:31:47,000 --> 00:31:51,200
to the top. Not perfect, but if they
can reduce the chaff that's 

500
00:31:51,200 --> 00:31:54,600
out there, it makes it easier to
respond and approach it, and you 

501
00:31:54,600 --> 00:31:59,100
know, in a fully mature and, you 
know, cutting edge IAM system 

502
00:31:59,400 --> 00:32:01,100
or IAM program where you've got
a bunch of different 

503
00:32:01,100 --> 00:32:04,100
technologies working together, 
you can even automate some of 

504
00:32:04,108 --> 00:32:06,700
those things where, you know, 
maybe you do see a service 

505
00:32:06,700 --> 00:32:10,500
account login through VPN for 
the first time ever, and you've 

506
00:32:10,500 --> 00:32:13,500
got that connected up with your 
IGA, in your privileged 

507
00:32:13,500 --> 00:32:15,600
access management systems and 
you do something about it, 

508
00:32:15,600 --> 00:32:17,600
right? 
Maybe you change the password on

509
00:32:17,600 --> 00:32:21,100
it, or you disable it, or, you 
know, throw up MFA or 

510
00:32:21,100 --> 00:32:24,700
something along those lines to try 
and mitigate those attacks. 

511
00:32:26,100 --> 00:32:30,700
Yeah, it's something 
where, you know, if an 

512
00:32:30,700 --> 00:32:35,400
analyst is receiving ten 
thousand alerts a day, it's going

513
00:32:35,400 --> 00:32:40,200
to be hard for them to decide 
which ones to react to and 

514
00:32:40,200 --> 00:32:46,300
respond to and investigate. 
It's much easier, after the 

515
00:32:46,300 --> 00:32:50,000
fact, after the incidents 
occurred to look back and say, 

516
00:32:50,000 --> 00:32:51,800
oh, okay. 
Oh, we did detect this in our 

517
00:32:51,808 --> 00:32:55,100
logs, but it was one of 10,000, 
which we didn't catch. 

518
00:32:56,000 --> 00:32:59,200
So the fidelity of the different
types of alerts that you're 

519
00:32:59,200 --> 00:33:01,500
receiving has to be 
high. 

520
00:33:02,900 --> 00:33:05,100
Yeah, absolutely. 
I think that's, I think, I think

521
00:33:05,100 --> 00:33:06,500
that's just, it's super 
important, right? 

522
00:33:07,700 --> 00:33:10,200
If you can find it, you need to 
know what to do about it. 

523
00:33:10,200 --> 00:33:13,000
And I think the fidelity is a big part 
of the problem. 

524
00:33:13,200 --> 00:33:16,400
So are there any specific 
types of threats that identity 

525
00:33:16,400 --> 00:33:18,900
information that can help stop? 
Whether it's at the credential 

526
00:33:18,900 --> 00:33:23,800
or the identity store level? 
Just looking at, a deep look at

527
00:33:23,800 --> 00:33:27,600
the identity store on its own 
provides a ton of useful 

528
00:33:27,600 --> 00:33:30,200
information. 
So just understanding that the 

529
00:33:30,200 --> 00:33:34,800
basic ability to understand who 
your privileged users are not 

530
00:33:34,800 --> 00:33:38,600
not just the ones that
are easy to find, you know, in 

531
00:33:38,600 --> 00:33:41,300
well-defined groups like 
Domain Admins, Enterprise 

532
00:33:41,300 --> 00:33:44,700
Admins, Account Operators, but 
also the ones that are 

533
00:33:44,700 --> 00:33:48,200
considered, you know, what we 
call shadow admins or stealthy 

534
00:33:48,200 --> 00:33:50,600
admins, ones that have been 
granted privileges, 

535
00:33:50,700 --> 00:33:55,100
individual delegated 
privileges over time. 

536
00:33:55,500 --> 00:33:57,200
Do they still need those 
privileges? 

537
00:33:57,600 --> 00:34:01,200
You know, they might have had a 
role in a company where they 

538
00:34:01,200 --> 00:34:04,400
were part of the helpdesk team 
and they were resetting 

539
00:34:04,400 --> 00:34:07,100
passwords. 
Now, they've moved on to a, 

540
00:34:07,800 --> 00:34:11,100
maybe a customer success or 
professional services role where

541
00:34:11,100 --> 00:34:14,699
they don't need that 
privilege anymore, but it was 

542
00:34:14,699 --> 00:34:19,800
never taken away from them. 
So, being able to identify the 

543
00:34:19,800 --> 00:34:25,100
privileges of a user, of all 
your users, and being able to 

544
00:34:25,100 --> 00:34:27,300
decide, 
you know, does this user still 

545
00:34:27,300 --> 00:34:29,400
need 
this privilege, is super 

546
00:34:29,400 --> 00:34:32,800
important. 
Absolutely. 

547
00:34:34,500 --> 00:34:37,600
I know we're coming up on time 
here and certainly appreciate 

548
00:34:37,600 --> 00:34:40,300
you helping us out with this 
topic. 

549
00:34:40,500 --> 00:34:43,400
I think Kerberoasting is the 
word of the day just because 

550
00:34:43,400 --> 00:34:47,500
it's a great use of it. 
But before we wrap up here Jim, 

551
00:34:47,500 --> 00:34:50,500
do you have any things you want 
to add to what we've discussed 

552
00:34:50,500 --> 00:34:51,900
so far today? 
Yeah. 

553
00:34:51,900 --> 00:34:54,800
And a couple thoughts on those 
holding onto your. 

554
00:34:54,800 --> 00:34:58,900
So one of them is just, you 
know, I think we have a lot of, 

555
00:34:58,900 --> 00:35:02,700
IAM practitioners out there. 
And I, you know, I think about 

556
00:35:02,700 --> 00:35:09,200
your question there earlier
of, you know, logging, and to me 

557
00:35:10,000 --> 00:35:12,700
where you get your value from 
logging is what goes into the 

558
00:35:12,700 --> 00:35:15,300
logs, like, what 
are you collecting? 

559
00:35:15,300 --> 00:35:20,000
Is it just basic information? 
Or is there more to it? 

560
00:35:20,100 --> 00:35:21,900
I think, as an IAM 
practitioner, 

561
00:35:22,100 --> 00:35:27,800
it's our responsibility to 
establish a self-service, or a 

562
00:35:27,800 --> 00:35:33,600
shared service, that is clear, 
easy for application teams to 

563
00:35:33,600 --> 00:35:35,800
use. 
And to make sure that they're 

564
00:35:35,800 --> 00:35:38,000
logging the information that we 
need. 

565
00:35:38,100 --> 00:35:41,500
Once we have the data, we can 
start to use the technology in 

566
00:35:41,500 --> 00:35:46,800
the AI in the machine learning 
to give us value, but there's 

567
00:35:46,800 --> 00:35:50,400
the whole thing, which is that, 
as IAM practitioners, we don't 

568
00:35:50,400 --> 00:35:55,100
control the applications and we 
are beholden to the applications

569
00:35:55,100 --> 00:36:00,800
at some level to provide us, the
data, the logs, and so I think 

570
00:36:01,000 --> 00:36:04,700
it's our responsibility to make 
it available, which also leads me

571
00:36:04,700 --> 00:36:07,700
to think about another 
responsibility that we have, 

572
00:36:07,700 --> 00:36:13,600
which is that, you know, we have
audit, using the air quotes 

573
00:36:13,600 --> 00:36:16,100
because there's a lot of 
different names where audit 

574
00:36:16,100 --> 00:36:19,100
professionals, whether it's, 
your security risk, whatever you

575
00:36:19,100 --> 00:36:22,700
want to call it professionals 
within our organization, who 

576
00:36:22,700 --> 00:36:27,000
play an oversight role as a kind
of checks 

577
00:36:27,000 --> 00:36:32,200
and balances to what we 
do in IAM, or what applications 

578
00:36:32,200 --> 00:36:35,400
are doing and we're kind of the 
middleman making it available 

579
00:36:35,400 --> 00:36:38,500
for audit. 
So I just want our listeners 

580
00:36:38,500 --> 00:36:43,200
not to forget that we need to 
design systems so that they serve 

581
00:36:43,200 --> 00:36:47,800
the purposes of those checks and
balances because ultimately at 

582
00:36:47,800 --> 00:36:50,700
the end of the day it's 
providing services to 

583
00:36:50,700 --> 00:36:54,400
applications, but it's also 
making it so that it's secure, 

584
00:36:54,400 --> 00:36:58,900
and the audit professionals 
play, a key role in that and 

585
00:36:58,900 --> 00:37:00,800
kind of making sure that we 
understand their requirements, 

586
00:37:00,900 --> 00:37:04,600
that usually they're 
pretty technical people but not 

587
00:37:04,600 --> 00:37:09,400
the most technical people. 
And so we need to kind of frame 

588
00:37:09,400 --> 00:37:11,700
things in kind of their business
language. 

589
00:37:11,700 --> 00:37:16,400
So that they can take the 
security information and make, 

590
00:37:17,300 --> 00:37:21,100
and be able to perform their 
activity, which is a checks and 

591
00:37:21,100 --> 00:37:24,000
balance over what we're 
providing. 

592
00:37:24,100 --> 00:37:27,000
The last thing I wanted to say 
was just, you know, on the whole

593
00:37:27,300 --> 00:37:31,400
insider threat thing. 
I think what should be a very 

594
00:37:31,400 --> 00:37:33,500
clear takeaway, 
if it wasn't already in your 

595
00:37:33,500 --> 00:37:37,900
mind, is that, you know, the 
trusting of people is 

596
00:37:37,900 --> 00:37:41,000
honorable, right? 
But within our industry and 

597
00:37:41,000 --> 00:37:46,600
within what we do for a living, trust,
trust but verify, I guess, is, you 

598
00:37:46,600 --> 00:37:50,500
know, it's the catchphrase that 
often goes to this, but trusting 

599
00:37:50,500 --> 00:37:55,700
people is not the way to go. 
I always go back to a story of, I

600
00:37:55,700 --> 00:37:58,900
worked for a company and there was
a, you know, a little old 

601
00:37:58,900 --> 00:38:01,000
lady, 
a grandmother, brought in 

602
00:38:01,500 --> 00:38:03,900
chocolate chip cookies and 
worked for the company for 20 

603
00:38:03,900 --> 00:38:05,600
years. 
And everybody trusted her. 

604
00:38:05,800 --> 00:38:08,100
And for 20 years, she was 
embezzling money from the 

605
00:38:08,107 --> 00:38:11,800
company, a little bit at a time. 
And that just goes to show you, 

606
00:38:11,800 --> 00:38:14,600
if you can't trust her, you 
can't trust anybody. 

607
00:38:14,900 --> 00:38:17,800
And when people have super 
administrative rights and 

608
00:38:17,800 --> 00:38:20,200
they've been with the company 
for 10, 15 years and they talk 

609
00:38:20,200 --> 00:38:24,000
the talk, and you still 
need to have the checks and 

610
00:38:24,000 --> 00:38:27,600
balances and you still need to 
have the good governance 

611
00:38:27,600 --> 00:38:30,800
processes over your identity and
access management. 

612
00:38:31,000 --> 00:38:33,900
information security as a whole.
So that's what the insider 

613
00:38:33,900 --> 00:38:36,500
threat thing is all about is 
just because somebody works for 

614
00:38:36,500 --> 00:38:39,800
you just because they've been a 
loyal employee doesn't mean that

615
00:38:39,800 --> 00:38:43,800
they're not doing things in the 
background, like Phil said, 

616
00:38:43,800 --> 00:38:49,400
maybe it's for fun, maybe it's 
for, for gain, and, you know, it really 

617
00:38:49,400 --> 00:38:52,300
doesn't matter. 
People should be, you know, 

618
00:38:52,500 --> 00:38:56,200
following the rules 
and not breaking into 

619
00:38:56,200 --> 00:38:59,300
systems and things like that. 
So that's all I had to say about

620
00:38:59,300 --> 00:39:01,700
that, Jeff, okay? 
Okay, I want to make sure that 

621
00:39:01,700 --> 00:39:04,600
we're very clear here too 
is that chocolate chip, chocolate

622
00:39:04,600 --> 00:39:05,800
chip? 
Cookies are totally fine to 

623
00:39:05,800 --> 00:39:08,800
bring to the office. 
So don't take away that. 

624
00:39:08,800 --> 00:39:11,300
That was, that, 
that was, it was the embezzling

625
00:39:11,300 --> 00:39:13,800
part that was bad. 
The chocolate chunk, Ledger, 

626
00:39:13,800 --> 00:39:18,100
Good, glad you cleared that up. 
I'm sure people missed that point.

627
00:39:20,200 --> 00:39:23,900
All right, Phil, anything you 
want to close up with? Yeah, 

628
00:39:23,900 --> 00:39:27,600
just to add to Jim's 
comment, a lot of times, 

629
00:39:28,300 --> 00:39:30,800
insiders might be doing 
something. 

630
00:39:31,000 --> 00:39:35,700
suspicious, or malicious and 
intentional, but oftentimes, 

631
00:39:35,700 --> 00:39:39,700
it's completely unintentional. 
It's a mistake, they access 

632
00:39:39,700 --> 00:39:42,400
something. 
They did something that they 

633
00:39:42,400 --> 00:39:45,700
shouldn't have done, but it's 
not something that they were 

634
00:39:45,700 --> 00:39:49,100
doing on purpose. 
So, you know, like you said, 

635
00:39:50,800 --> 00:39:53,600
trust. 
But verify, make sure that the 

636
00:39:53,600 --> 00:39:57,700
user is, what they're 
doing is, even though they might 

637
00:39:57,700 --> 00:40:00,100
not be trying to do something 
harmful. 

638
00:40:01,400 --> 00:40:06,300
If you can proactively stop that
from happening, that's 

639
00:40:06,300 --> 00:40:08,200
ideal. 
I think trust 

640
00:40:08,200 --> 00:40:09,900
but verify is really 
important. 

641
00:40:09,900 --> 00:40:13,300
And I like that you said that, 
because I first heard that 

642
00:40:13,400 --> 00:40:17,900
phrase many, many years ago from
a former CISO that I worked with,

643
00:40:18,000 --> 00:40:22,400
Jim Kelly, and that was kind of 
the motto at the time, was trust

644
00:40:22,400 --> 00:40:25,100
but verify, and I think that's 
stuck with me, you know, through

645
00:40:25,100 --> 00:40:28,400
the years is that trust is good,
but you need to make sure that 

646
00:40:28,400 --> 00:40:31,300
things are still being followed 
from a real perspective, I'm 

647
00:40:31,300 --> 00:40:33,100
glad you brought that up. 
So that's good. 

648
00:40:33,500 --> 00:40:35,100
With the hottest, hippest 
phrase right now, 

649
00:40:35,100 --> 00:40:38,800
Jeff, is it zero trust? 
Zero trust but verify. 

650
00:40:40,100 --> 00:40:42,100
There you go. 
That's the next extension. 

651
00:40:42,500 --> 00:40:44,100
Yeah. 
All right. 

652
00:40:44,100 --> 00:40:46,100
Well I think that's a pretty 
good spot that we can leave it 

653
00:40:46,100 --> 00:40:48,700
for this week. 
Phil, appreciate you taking the 

654
00:40:48,700 --> 00:40:52,700
time to spend with us. 
I know that you're on LinkedIn 

655
00:40:52,700 --> 00:40:55,300
and I'll be sure to put that 
profile on our show notes so 

656
00:40:55,308 --> 00:40:57,500
that way people out there who have 
questions, you know, for 

657
00:40:57,500 --> 00:41:00,700
yourself or for Preempt, they 
can get a hold of you there. 

658
00:41:00,900 --> 00:41:04,200
And looking forward to those 
findings getting published on 

659
00:41:04,200 --> 00:41:07,800
the Preempt website at some point,
and we'll provide a link to that

660
00:41:07,800 --> 00:41:10,900
as well 
in the show notes, and for folks

661
00:41:10,900 --> 00:41:12,900
who are following the show, 
you know, you can always visit 

662
00:41:12,900 --> 00:41:16,700
us at identityatthecenter.com 
and we'll go ahead and wrap it 

663
00:41:16,700 --> 00:41:20,500
up for this week. Stay happy 
and healthy, everybody, thanks 

664
00:41:20,500 --> 00:41:30,700
for listening. 
You've been listening to the 

665
00:41:30,700 --> 00:41:32,800
Identity at the Center podcast. 

666
00:41:32,900 --> 00:41:35,800
For more episodes, visit 
identityatthecenter.com.

