1
00:00:00,040 --> 00:00:02,560
When you're picking a security 
vendor, you have to trust that 

2
00:00:02,840 --> 00:00:04,560
they're going to help you sleep 
better at night and they're 

3
00:00:04,560 --> 00:00:06,560
going to continually be at the 
forefront battling the 

4
00:00:06,560 --> 00:00:09,400
adversaries, identifying their 
latest tools, their latest 

5
00:00:09,400 --> 00:00:11,760
techniques and what they're 
doing and being able to build 

6
00:00:11,760 --> 00:00:14,400
that into the product so that 
you can have those detection and

7
00:00:14,400 --> 00:00:17,200
prevention capabilities so you 
don't have to worry about it. 

8
00:00:17,200 --> 00:00:19,240
And if you ask our customers, 
that's the number one thing they

9
00:00:19,240 --> 00:00:22,240
say to us is like, I just sleep 
better at night knowing you guys

10
00:00:22,520 --> 00:00:24,440
have our back and then you're 
monitoring all of our 

11
00:00:24,440 --> 00:00:33,280
identities. 
This is identity at the center 

12
00:00:33,800 --> 00:00:36,920
if it has anything to do with 
IAM. 

13
00:00:36,920 --> 00:00:43,480
This is the go to podcast now 
your hosts Jim McDonald and Jeff

14
00:00:43,480 --> 00:00:51,360
Stedman. 
Welcome to the Identity at the 

15
00:00:51,360 --> 00:00:53,120
Center podcast. 
I'm Jeff, and that's Jim. 

16
00:00:53,120 --> 00:00:55,080
Hey, Jim. 
Hey, Jeff, how are you? 

17
00:00:55,400 --> 00:00:57,520
Oh, not so bad yourself. 
I'm doing great. 

18
00:00:57,520 --> 00:00:59,880
You know why I think identity is
at the center? 

19
00:01:00,440 --> 00:01:05,080
Because I think it's at the 
center of information security. 

20
00:01:05,400 --> 00:01:10,280
One of the things that I find so
fascinating is when you get into

21
00:01:10,720 --> 00:01:14,920
kind of how exploits happen, and
usually it's centered on some 

22
00:01:14,920 --> 00:01:20,080
kind of, you know, evil 
activity, if you will, when it 

23
00:01:20,080 --> 00:01:22,880
comes to identity. 
And we're going to talk a lot 

24
00:01:22,880 --> 00:01:24,800
about that today with our 
guests. 

25
00:01:25,360 --> 00:01:27,760
I just want to say I think it's 
going to be a really fascinating

26
00:01:27,760 --> 00:01:29,840
episode. 
Yeah, this is going to be a fun 

27
00:01:29,840 --> 00:01:31,600
one. 
And yeah, just to make it clear,

28
00:01:31,600 --> 00:01:34,800
this is a sponsored episode. 
We call these sponsor spotlights

29
00:01:34,800 --> 00:01:38,160
and basically we create these in
collaboration with our partners 

30
00:01:38,160 --> 00:01:40,840
out there and helps get their 
viewpoints on and we can get a 

31
00:01:40,840 --> 00:01:43,520
little more in depth into 
specific vendors and 

32
00:01:43,520 --> 00:01:45,920
technologies and their 
viewpoints, which is something 

33
00:01:45,920 --> 00:01:48,080
we actually try to stay away 
from on our normal episodes 

34
00:01:48,080 --> 00:01:50,600
where it's more vendor neutral. 
So that is not today. 

35
00:01:50,880 --> 00:01:54,560
Make it clear this is a fully 
sponsored episode and today's 

36
00:01:54,560 --> 00:01:58,760
sponsor is Permiso and you can 
find them at permiso dot IO 

37
00:01:58,920 --> 00:02:00,840
slash IDAC. 
We'll have link in our show 

38
00:02:00,840 --> 00:02:01,800
notes. 
People check it out. 

39
00:02:02,600 --> 00:02:04,440
Their website is I'm looking at 
it right now. 

40
00:02:04,800 --> 00:02:07,360
First of all, I love the design 
of it, but it has cool. 

41
00:02:07,480 --> 00:02:10,880
Yeah, it has a tagline of real 
time identity security for all 

42
00:02:10,880 --> 00:02:13,160
environments. 
That sounds like a mouthful. 

43
00:02:13,200 --> 00:02:14,800
I want to find out more about 
what that means. 

44
00:02:14,800 --> 00:02:18,160
So to help us with that, we've 
got the Co founder and Co CEO 

45
00:02:18,160 --> 00:02:20,920
from Permiso, Paul Wynn. 
Welcome to the show, Paul. 

46
00:02:21,760 --> 00:02:23,840
Thanks for having me. 
I'm honored to be a guest of 

47
00:02:23,840 --> 00:02:27,080
this. 
Well, the honor is all yours of 

48
00:02:27,120 --> 00:02:33,080
as as you just said, we like to 
find more out about the people 

49
00:02:33,080 --> 00:02:35,120
in this space. 
I know we're going to talk about

50
00:02:35,120 --> 00:02:37,800
Permiso and you know what you 
guys bring to the table, but I'm

51
00:02:37,800 --> 00:02:41,040
always curious, how did people 
get into this space of identity?

52
00:02:41,880 --> 00:02:45,560
How did you get into IAM? 
Do you think you're an IAM or 

53
00:02:45,560 --> 00:02:47,360
maybe it's a something adjacent?
I'm not sure. 

54
00:02:47,920 --> 00:02:50,280
Is it something that you chose 
or did it choose you? 

55
00:02:52,080 --> 00:02:56,680
I think I came into it late in 
my career because I started in 

56
00:02:56,680 --> 00:02:59,520
security. 
So I started as a snot nosed 

57
00:02:59,520 --> 00:03:02,480
hacker who broke into things 20 
some odd years ago. 

58
00:03:03,040 --> 00:03:05,360
And I could tell you definitely 
I've been compromising 

59
00:03:05,360 --> 00:03:07,760
credentials for a very, very 
long time, all the way back to 

60
00:03:07,760 --> 00:03:11,400
like NTLM hashes and pass the 
hash on on Windows machines from

61
00:03:11,400 --> 00:03:13,560
way back when. 
So I think I've always been 

62
00:03:13,560 --> 00:03:16,680
around identity, but I, I never 
really like focused on it until 

63
00:03:16,680 --> 00:03:18,760
the last five years. 
And I have a different 

64
00:03:18,760 --> 00:03:21,880
appreciation for folks that are 
dealing with it day in and day 

65
00:03:21,880 --> 00:03:24,080
out, especially IAM 
professionals. 

66
00:03:24,080 --> 00:03:26,440
So I'm, I can't say I am an 
expert at it. 

67
00:03:26,760 --> 00:03:28,920
I am learning it and I'm 
learning a lot from all these 

68
00:03:28,920 --> 00:03:32,320
folks as I talk to them and as I
go to different shows and and 

69
00:03:32,400 --> 00:03:34,360
and try to school up as as much 
as I can. 

70
00:03:35,560 --> 00:03:38,320
I feel like identity is kind of 
having a moment in the sun here 

71
00:03:38,400 --> 00:03:41,000
for like the last, I don't know,
five years or so. 

72
00:03:41,000 --> 00:03:44,560
I mean, it's always been 
important, but do you feel like,

73
00:03:44,560 --> 00:03:46,840
hey, identity is so hot right 
now, right? 

74
00:03:46,840 --> 00:03:49,520
Like the meme are there, is 
there? 

75
00:03:49,520 --> 00:03:51,120
What like what is it that's 
coming out there? 

76
00:03:51,120 --> 00:03:52,640
Is it just as becoming more well
known? 

77
00:03:52,640 --> 00:03:55,800
Is that people just recognizing 
it because it's not like we just

78
00:03:55,800 --> 00:03:59,240
invented I this this idea of 
identity and identity security 

79
00:03:59,240 --> 00:04:02,360
right within the last couple 
years, I think for. 

80
00:04:02,360 --> 00:04:04,520
Us. 
I came from a different angle, 

81
00:04:04,520 --> 00:04:08,200
which was I felt like identity 
was being targeted more and more

82
00:04:08,200 --> 00:04:11,920
by the, the adversaries. 
And so traditional security 

83
00:04:11,920 --> 00:04:15,960
controls were mostly focused on 
e-mail network endpoint. 

84
00:04:15,960 --> 00:04:19,720
And I think identity was always 
a, a part of it, but it was kind

85
00:04:19,720 --> 00:04:22,680
of always a, a piece of all 
those different major focal 

86
00:04:22,680 --> 00:04:24,520
points. 
And I think in the last five 

87
00:04:24,520 --> 00:04:28,080
years, and the reason why I quit
my nice cushy executive job at 

88
00:04:28,080 --> 00:04:31,240
FireEye, running product there 
and working for Kevin Mandia was 

89
00:04:31,240 --> 00:04:34,880
like, I, I really felt like this
is the area that needed to be 

90
00:04:34,880 --> 00:04:36,960
focused on because no one was 
really serving it well. 

91
00:04:37,320 --> 00:04:39,520
And so I said, you know what, 
let's take a leap of faith and 

92
00:04:39,600 --> 00:04:42,880
and focus on the cross section 
of identity and security and, 

93
00:04:42,880 --> 00:04:44,120
and let's see what we can find 
out. 

94
00:04:45,520 --> 00:04:48,000
And so then you went off and Co 
founded Permiso. 

95
00:04:48,480 --> 00:04:50,480
First of all, am I saying that 
correctly Permiso? 

96
00:04:51,200 --> 00:04:54,960
You are yes, yes. 
And then oddly enough, I think, 

97
00:04:55,000 --> 00:04:57,160
you know, it was definitely 
derived from us wanting to go 

98
00:04:57,160 --> 00:04:59,640
into identity and said, oh, you 
don't like permissions, You 

99
00:04:59,640 --> 00:05:03,120
know, that's cool. 
A funny aside, my my friend who 

100
00:05:03,680 --> 00:05:06,760
I'll speak Spanish, obviously, 
and I do have a vanity plate on 

101
00:05:06,760 --> 00:05:09,920
my car and and my friend said 
you, you do realize when you're 

102
00:05:09,920 --> 00:05:12,520
speeding past people, it also 
could stand for excuse me. 

103
00:05:12,560 --> 00:05:15,040
So I was like, oh, I guess I'm 
being kind of rude with this, 

104
00:05:15,360 --> 00:05:17,880
this vanity plate and it's not a
sports car. 

105
00:05:17,880 --> 00:05:20,200
It's a minivan. 
So I can't even say like it's, 

106
00:05:20,200 --> 00:05:22,880
it's a cool, it's a cool like 
vanity plate on a cool car. 

107
00:05:23,960 --> 00:05:26,680
Well, you've got, I think it's, 
I think it's very polite, like, 

108
00:05:26,680 --> 00:05:29,600
excuse me, you're, you just got 
passed by a minivan. 

109
00:05:29,640 --> 00:05:32,040
I, you know, that's, that's one 
way to look at it for sure. 

110
00:05:32,440 --> 00:05:35,280
I guess now that we've mentioned
sort of the, you know, the name,

111
00:05:35,920 --> 00:05:38,240
tell us about Permiso. 
What is it that you guys are 

112
00:05:38,240 --> 00:05:41,400
bringing to the market? 
And then, you know, how do you 

113
00:05:41,400 --> 00:05:43,680
guys set yourself apart for 
maybe others that are in that 

114
00:05:43,680 --> 00:05:44,720
space? 
Give me some idea, because I 

115
00:05:44,720 --> 00:05:48,080
mentioned this tag line of, you 
know, identity, you know, for 

116
00:05:48,080 --> 00:05:50,600
all environments, identity 
security for all environments. 

117
00:05:51,280 --> 00:05:55,640
That's a lot, man. 
It, it is I, I actually asked 

118
00:05:55,640 --> 00:05:59,440
this provocative question to 
some of the, the folks on the, 

119
00:05:59,440 --> 00:06:02,760
on the customer side, CISOs in 
particular, or CIOs, and I asked

120
00:06:02,760 --> 00:06:05,800
them, can you tell me who your 
top 10 riskiest identities are 

121
00:06:05,800 --> 00:06:09,160
right now at this very minute? 
I think a lot of people try to 

122
00:06:09,160 --> 00:06:13,200
answer that question by, oh, 
well, the inherent risk is Paul 

123
00:06:13,200 --> 00:06:15,280
has a lot of permissions in the 
environment, therefore he must 

124
00:06:15,280 --> 00:06:17,320
be the most risky. 
And that is a part of the 

125
00:06:17,320 --> 00:06:19,400
equation. 
But I think what we realized was

126
00:06:19,680 --> 00:06:23,560
if you bring in the real time 
aspect is the real time aspect 

127
00:06:23,560 --> 00:06:26,360
is behavior changes pretty 
quickly, especially let's as an 

128
00:06:26,360 --> 00:06:28,680
example, you get phished or 
there's a business e-mail 

129
00:06:28,680 --> 00:06:30,720
compromise. 
Well, that just changed from 5 

130
00:06:30,720 --> 00:06:32,680
minutes ago when you got 
phished, that, that credential 

131
00:06:32,680 --> 00:06:36,280
is now compromised and that, 
that identity is now acting 

132
00:06:36,280 --> 00:06:39,480
erratically and logging in from 
random places and accessing 

133
00:06:39,520 --> 00:06:42,320
resources never accessed. 
And I think this is what we were

134
00:06:42,320 --> 00:06:44,160
observing the, the adversary 
side. 

135
00:06:44,320 --> 00:06:48,160
And so we've, we're, we're 
talking about real time security

136
00:06:48,160 --> 00:06:52,320
for identities in cloud and on 
Prem, because it is a hard job 

137
00:06:52,480 --> 00:06:55,000
in our largest customer, we're 
monitoring close to 8 million 

138
00:06:55,320 --> 00:06:57,760
human or non human identities at
any given moment. 

139
00:06:58,160 --> 00:07:00,440
And to be able to do that real 
time monitoring, you have to be 

140
00:07:00,440 --> 00:07:02,760
able to have a full 
understanding of what they're 

141
00:07:02,760 --> 00:07:05,880
doing at every second and be 
able to determine whether that 

142
00:07:05,880 --> 00:07:08,480
behavior is malicious or not. 
So I think that's really where 

143
00:07:08,480 --> 00:07:11,400
we've we've built our 
superpowers is coming from our 

144
00:07:11,400 --> 00:07:13,680
backgrounds, from Mandiant, 
which if you're familiar with 

145
00:07:13,680 --> 00:07:15,760
Mandiant, you know, there's, 
there's some of the best 

146
00:07:15,760 --> 00:07:19,320
responders in the world. 
We worked a lot of breaches with

147
00:07:19,320 --> 00:07:23,400
identity as a core of the of the
attack and we'll go into more 

148
00:07:23,400 --> 00:07:25,760
details around that. 
And that's really where I 

149
00:07:25,760 --> 00:07:28,240
believe the inflection point for
us was three years ago was some 

150
00:07:28,240 --> 00:07:30,920
of these attacks that really 
brought to light the fact that 

151
00:07:30,920 --> 00:07:33,240
the identity infrastructure was 
under attack and you needed real

152
00:07:33,240 --> 00:07:35,640
time monitoring to be able to 
detect that as fast as you can. 

153
00:07:36,800 --> 00:07:40,200
So how does this work? 
Is it pulling in data from all 

154
00:07:40,200 --> 00:07:43,000
of your different applications 
and your cloud environments and 

155
00:07:43,000 --> 00:07:46,720
saying, OK, let's throw this all
together and then figure out who

156
00:07:46,720 --> 00:07:49,440
is Paul and you know what is 
risky? 

157
00:07:49,440 --> 00:07:51,000
Like what? 
How does how does this work? 

158
00:07:52,000 --> 00:07:54,920
That's a great question. 
So you're, you're absolutely 

159
00:07:54,920 --> 00:07:56,680
right. 
The first thing we need to 

160
00:07:56,680 --> 00:07:59,480
understand is, well, what are 
all the identities operating in 

161
00:07:59,480 --> 00:08:01,000
the environment? 
So you need an accurate 

162
00:08:01,000 --> 00:08:03,720
inventory. 
So whether it is at the, let's 

163
00:08:03,720 --> 00:08:07,280
say cloud service provider level
with AWS, Azure, GCP or it's at 

164
00:08:07,280 --> 00:08:10,880
the SaaS level, which we believe 
SaaS is probably one of the most 

165
00:08:12,160 --> 00:08:14,720
untouched areas right now in the
middle of the wild, Wild West. 

166
00:08:15,400 --> 00:08:17,720
And then you need to integrate 
with any on Prem as well. 

167
00:08:17,720 --> 00:08:19,880
So Active Directory, your 
traditional authentication 

168
00:08:19,880 --> 00:08:22,280
sources. 
And so unless you have that 

169
00:08:22,280 --> 00:08:24,840
visibility of where those 
identities are living, what 

170
00:08:24,840 --> 00:08:27,320
permissions they have. 
And the third part, which you 

171
00:08:27,320 --> 00:08:29,520
mentioned as well, is we have to
be able to pull all the activity

172
00:08:29,520 --> 00:08:31,680
logs across all those different 
sources. 

173
00:08:32,280 --> 00:08:34,799
And one of the things we, we do 
is we, we're essentially like a 

174
00:08:34,799 --> 00:08:36,120
flight recorder for every 
identity. 

175
00:08:36,120 --> 00:08:39,480
So I could say, you know what, 
Jeff, I saw you log in at 10:03 

176
00:08:39,480 --> 00:08:41,159
AM yesterday. 
Here's how you logged in with 

177
00:08:41,159 --> 00:08:43,039
this device with this MFA 
factor. 

178
00:08:43,440 --> 00:08:46,440
Oh, and I saw you download these
documents at 365 and then you 

179
00:08:46,440 --> 00:08:49,640
logged into Jira and you created
some tickets, and then you went 

180
00:08:49,640 --> 00:08:51,840
into Slack and you sent some 
messages and you downloaded some

181
00:08:51,840 --> 00:08:53,840
docs. 
Or I could record all of that 

182
00:08:54,320 --> 00:08:57,960
and then I could look at that 
activity and determine, was Jeff

183
00:08:57,960 --> 00:09:00,840
acting normally or was he 
potentially a compromised 

184
00:09:00,840 --> 00:09:02,440
credential from an external 
threat actor? 

185
00:09:02,960 --> 00:09:05,200
Or is he ever acting normally? 
That's probably the first thing 

186
00:09:05,200 --> 00:09:08,560
right there. 
Well, you know, funny enough, 

187
00:09:08,560 --> 00:09:11,120
the, the, the one that's been 
really hot and especially at the

188
00:09:11,120 --> 00:09:14,360
rippling deal, if you saw that 
lawsuit that's happening, it's 

189
00:09:14,360 --> 00:09:17,040
an insider threat case. 
And so I think insider threat 

190
00:09:17,040 --> 00:09:19,880
now is becoming a bigger one, 
especially with layoffs. 

191
00:09:20,200 --> 00:09:22,920
So that's that's been a big, big
topic in the last couple. 

192
00:09:22,920 --> 00:09:26,040
Months for us, I mean, that's 
got to be just an enormous 

193
00:09:26,040 --> 00:09:28,760
amount of data to pull from all 
these sources, right? 

194
00:09:28,760 --> 00:09:32,360
And each source is its own 
complication, right to the to 

195
00:09:32,360 --> 00:09:34,560
the amount of data pulling in. 
Then you try to add a real time 

196
00:09:34,560 --> 00:09:36,960
on top of that. 
What does it take to run this 

197
00:09:36,960 --> 00:09:39,120
sort of thing? 
Is this something that I can set

198
00:09:39,120 --> 00:09:41,040
up and run, you know, pretty 
easily? 

199
00:09:41,040 --> 00:09:43,240
Does it take a couple weeks? 
I imagine you've got to 

200
00:09:43,240 --> 00:09:46,360
establish baselines as far as 
you know, what is normal or at 

201
00:09:46,360 --> 00:09:47,720
least normal for that 
individual. 

202
00:09:47,720 --> 00:09:52,440
And then start to apply some of 
those heuristics to the the 

203
00:09:52,440 --> 00:09:55,760
access profile to say, OK, yeah,
this is normal for Jeff. 

204
00:09:55,760 --> 00:09:58,080
Or maybe no, this is not normal 
because he's travelling. 

205
00:09:58,080 --> 00:10:00,400
Or maybe he's he is accessing 
different things that he 

206
00:10:00,400 --> 00:10:04,240
normally wouldn't be. 
Well, I'll tell you from past 

207
00:10:04,240 --> 00:10:06,680
experience of having to do this 
for 20 years and and running 

208
00:10:06,680 --> 00:10:10,520
the, the FireEye product 
business, I wanted the anti on 

209
00:10:10,520 --> 00:10:14,440
Prem software profile. 
So we had two principles when we

210
00:10:14,440 --> 00:10:17,160
we built the platform 1 was it's
completely SaaS delivered. 

211
00:10:17,680 --> 00:10:22,120
So it's fast time to onboard was
a big principle for us. 

212
00:10:22,120 --> 00:10:25,000
Super easy has to get on board 
within you know, 10 to 15 

213
00:10:25,000 --> 00:10:27,560
minutes depending upon the 
integration that can happen 

214
00:10:27,560 --> 00:10:29,440
pretty easily and it's all read 
only. 

215
00:10:29,440 --> 00:10:31,600
So we're not trying to be 
intrusive in terms of that. 

216
00:10:32,280 --> 00:10:36,160
The other principle was fast 
time to value because I always 

217
00:10:36,160 --> 00:10:39,200
struggled where customers had to
plug it in, they had to wait 

218
00:10:39,200 --> 00:10:41,440
some time and then they said oh,
OK, it's interesting. 

219
00:10:41,440 --> 00:10:43,120
Couple things lit up. 
Fantastic. 

220
00:10:44,080 --> 00:10:47,320
To answer your question, because
we have come in from an incident 

221
00:10:47,320 --> 00:10:50,560
response standpoint in the past,
we've had to go and ingest 

222
00:10:50,560 --> 00:10:52,800
historical logs. 
So if you have logs for the last

223
00:10:53,160 --> 00:10:56,640
two to three years, I can ingest
those and think of it as like a,

224
00:10:57,280 --> 00:10:59,960
a, a replay button. 
I can replay every identity 

225
00:10:59,960 --> 00:11:02,440
session over the last two years 
if you had two years worth of 

226
00:11:02,440 --> 00:11:04,400
data. 
And I can reconstruct all of 

227
00:11:04,400 --> 00:11:07,160
that pretty quickly and allow 
you now to get visibility 

228
00:11:07,160 --> 00:11:09,000
around. 
Oh yeah, you know, just six 

229
00:11:09,000 --> 00:11:11,520
months ago, although I just 
plugged in Permiso right now, I 

230
00:11:11,520 --> 00:11:15,520
could see six months ago Jim 
went and he ran these sets of 

231
00:11:15,520 --> 00:11:18,720
malicious operations and we know
exactly which credential was 

232
00:11:18,720 --> 00:11:20,960
compromised first and all the 
subsequent credentials that were

233
00:11:20,960 --> 00:11:23,000
created because of that. 
So I think that's that's 

234
00:11:23,000 --> 00:11:25,200
something that I learned in the 
past of doing this is like, I 

235
00:11:25,200 --> 00:11:27,280
can't have something that's 
going to take forever to deploy 

236
00:11:27,280 --> 00:11:29,760
and forever to get value. 
And so you get up and running 

237
00:11:29,760 --> 00:11:32,440
anywhere from 10 to 15 minutes, 
depending on how complex it is, 

238
00:11:32,440 --> 00:11:34,720
all the way to, you know, a 
couple hours and within a day. 

239
00:11:35,560 --> 00:11:38,240
I love that ability to show 
something sooner rather than 

240
00:11:38,240 --> 00:11:41,000
later because, you know, the 
world doesn't work on a, you 

241
00:11:41,000 --> 00:11:43,040
know, give me money and I'll 
show you something in two years.

242
00:11:43,040 --> 00:11:45,080
Like, no, we need to see value 
sooner than that. 

243
00:11:45,480 --> 00:11:49,040
What is something that you think
has really set you apart from, 

244
00:11:49,120 --> 00:11:51,120
you know, others that might be 
playing in the same space? 

245
00:11:51,120 --> 00:11:53,520
Like what is, what is the thing 
that you point in and say, yeah,

246
00:11:53,520 --> 00:11:56,040
This is why we're different than
so and so. 

247
00:11:57,000 --> 00:11:58,200
So you brought up one of them, 
right. 

248
00:11:58,200 --> 00:12:02,040
And this is something I, I 
purposely tried to focus on with

249
00:12:02,040 --> 00:12:05,520
Jason early on was we need to be
completely different from a 

250
00:12:05,520 --> 00:12:07,200
branding standpoint that we 
stood out. 

251
00:12:07,200 --> 00:12:11,480
So yes, that is a a Yeti with a 
towel around its rear end 

252
00:12:11,640 --> 00:12:15,040
because one of our monikers and 
campaigns that we ran was for me

253
00:12:15,040 --> 00:12:17,320
for me. 
So covers your *aaS in the 

254
00:12:17,320 --> 00:12:19,920
cloud. 
So you know, IaaS, SaaS is a 

255
00:12:19,920 --> 00:12:22,000
little bit of a pun. 
So we do we are a little bit 

256
00:12:22,000 --> 00:12:23,520
tongue in cheek and we're pretty
bold. 

257
00:12:23,840 --> 00:12:25,840
If you go to our website, 
there's actually Easter eggs on 

258
00:12:25,840 --> 00:12:27,680
there too. 
So pretty funny, I'd say 

259
00:12:27,680 --> 00:12:31,720
probably like 12 year old 
maturity level Easter eggs on 

260
00:12:31,720 --> 00:12:35,520
there definitely because of me. 
But I, I think just joking 

261
00:12:35,520 --> 00:12:38,240
aside, our branding definitely 
has been useful, but the number 

262
00:12:38,240 --> 00:12:41,560
one thing that we've tried to 
do, because I can actually feel 

263
00:12:41,560 --> 00:12:44,520
this from a customer standpoint,
I used to be a, a CSO back in 

264
00:12:44,520 --> 00:12:46,680
the day as well. 
There's way too many vendors. 

265
00:12:46,680 --> 00:12:48,000
Like how do you know who you can
trust? 

266
00:12:48,200 --> 00:12:50,960
And, and so one of these I did 
was let's go back to first 

267
00:12:50,960 --> 00:12:55,520
principles of if you share your,
your Intel, your research, your 

268
00:12:55,520 --> 00:12:58,280
insights with the community, you
build goodwill because at that 

269
00:12:58,280 --> 00:13:00,240
point you're trying to raise the
whole community up, right? 

270
00:13:00,240 --> 00:13:02,960
It's not about me trying to keep
proprietary information. 

271
00:13:02,960 --> 00:13:04,920
So if you look at our blog in 
particular, and if you go to 

272
00:13:04,920 --> 00:13:08,120
permiso dot IO slash blog, 
you'll see that we've open 

273
00:13:08,120 --> 00:13:10,480
sourced about 12 tools in the 
last 12 months. 

274
00:13:10,480 --> 00:13:12,480
We've shared a lot of our Intel,
our insights. 

275
00:13:13,040 --> 00:13:16,040
And there's the the one thing 
that really sets us apart is, is

276
00:13:16,040 --> 00:13:19,920
really that research that allows
us to one, show that we are 

277
00:13:19,920 --> 00:13:22,720
experts in terms of identifying 
these identity based attacks, 

278
00:13:22,720 --> 00:13:26,240
but also it allows us to show 
that we're powering our product 

279
00:13:26,240 --> 00:13:28,840
with this type of expertise. 
And we're doing this every day. 

280
00:13:29,320 --> 00:13:32,640
And I tell a customer all the 
time you when you're picking a 

281
00:13:32,640 --> 00:13:35,480
security vendor, you have to 
trust that they're going to help

282
00:13:35,480 --> 00:13:37,160
you sleep better at night. 
And they're going to continually

283
00:13:37,160 --> 00:13:40,160
be at the forefront battling the
adversaries, identifying their 

284
00:13:40,160 --> 00:13:42,600
latest tools, their latest 
techniques and what they're 

285
00:13:42,600 --> 00:13:44,840
doing and being able to build 
that into the product so that 

286
00:13:44,840 --> 00:13:48,000
you can have those detection and
prevention capabilities so you 

287
00:13:48,000 --> 00:13:50,240
don't have to worry about it. 
And if you ask our customers, 

288
00:13:50,240 --> 00:13:52,640
that's the number one thing they
say to us is like, I just sleep 

289
00:13:52,640 --> 00:13:55,600
better at night knowing you guys
have our back and then you're 

290
00:13:55,600 --> 00:13:56,880
monitoring all of our 
identities. 

291
00:13:57,800 --> 00:14:00,600
I love the website. 
I I got to ask that the art 

292
00:14:00,600 --> 00:14:04,920
style is very unique and I I 
like who does the art for this 

293
00:14:04,920 --> 00:14:09,520
stuff because it's awesome. 
We, we had a little bit, I'd say

294
00:14:09,520 --> 00:14:12,960
of a family advantage, which 
Jason's brother is actually a 

295
00:14:12,960 --> 00:14:15,720
world class creative person. 
He's done Super Bowl ads, done 

296
00:14:15,720 --> 00:14:19,040
stuff for Cameo, Apple. 
And we said, hey, here's a 

297
00:14:19,040 --> 00:14:20,400
couple shares. 
Can you help us come up with 

298
00:14:20,400 --> 00:14:23,040
something crazy? 
And he came up with something 

299
00:14:23,040 --> 00:14:25,400
absolutely crazy and he gave us 
a whole bunch of different ones.

300
00:14:25,400 --> 00:14:29,120
But this is definitely a unique 
styling that is more playful. 

301
00:14:29,120 --> 00:14:31,440
It's, it's different than the 
doom and gloom, the, you know, 

302
00:14:31,920 --> 00:14:34,600
guys in hoodies. 
It's, it's, it's like such 

303
00:14:34,600 --> 00:14:36,160
cliche. 
It's such a cliche over the last

304
00:14:36,160 --> 00:14:38,200
27 years. 
I'm just frankly, I'm just kind 

305
00:14:38,200 --> 00:14:42,640
of tired of this over overused 
kind of style. 

306
00:14:42,640 --> 00:14:44,640
And, and I think the, the 
security market needs to have a 

307
00:14:44,640 --> 00:14:46,080
little more fun. 
And we don't take ourselves 

308
00:14:46,080 --> 00:14:47,320
seriously. 
And if you think, you look at 

309
00:14:47,320 --> 00:14:49,520
our campaigns, we kind of make 
fun of things, right? 

310
00:14:49,560 --> 00:14:52,640
And that's just my playful way 
of like, Hey, let's not take 

311
00:14:52,640 --> 00:14:54,280
things too seriously. 
Let's have some fun while we're 

312
00:14:54,280 --> 00:14:57,080
doing this. 
I totally agree on the the 

313
00:14:57,080 --> 00:15:02,520
hoodies and the you know the 
Scream 2 mask, like, or the, I 

314
00:15:02,520 --> 00:15:05,360
don't even know what you call 
that one where the the guy looks

315
00:15:05,360 --> 00:15:08,000
like the. 
Guy Fawkes mask, right, from 

316
00:15:08,000 --> 00:15:10,120
whatever it is, yeah. 
Yeah. 

317
00:15:10,280 --> 00:15:12,560
With data flying in the 
background, right? 

318
00:15:13,560 --> 00:15:21,800
Ones and zeros behind his head. 
So Paul, I'm wondering, I'm 

319
00:15:21,800 --> 00:15:25,280
thinking about some of the big 
hacks that have come out that 

320
00:15:25,280 --> 00:15:30,800
I'm sure all of our listeners 
have at least aware of in name 

321
00:15:31,000 --> 00:15:35,520
Scattered Spider, LLMjacking, 
like these are the things that 

322
00:15:35,520 --> 00:15:38,320
are coming out and they're, you 
know, they're leveraging the 

323
00:15:38,320 --> 00:15:42,320
identity. 
And maybe that's the answer, 

324
00:15:42,320 --> 00:15:44,000
right? 
They're leveraging the identity 

325
00:15:44,320 --> 00:15:47,840
to my question, but I'm 
wondering why you would need a 

326
00:15:47,840 --> 00:15:51,160
new tool to catch these things 
and to stop these things. 

327
00:15:51,160 --> 00:15:55,720
Why can't the traditional 
security tools get in the way of

328
00:15:55,720 --> 00:15:58,320
that? 
Well, I'll tell you one thing, 

329
00:15:58,320 --> 00:16:01,720
having been on the other side 
where I was breaking into 

330
00:16:01,720 --> 00:16:03,320
things. 
We're lazy. 

331
00:16:03,800 --> 00:16:05,960
We want to take the the path of 
least resistance. 

332
00:16:05,960 --> 00:16:09,800
So if you, you think about, I'll
call pre-federation of 

333
00:16:09,800 --> 00:16:13,160
identities, if I was trying to 
break into 20 systems, I'd have 

334
00:16:13,160 --> 00:16:16,080
to go break into one system and 
then try to move across and find

335
00:16:16,080 --> 00:16:19,080
the right credential that would 
allow me to, to walk through 

336
00:16:19,080 --> 00:16:22,880
each of those doors. 
Now, the great side of identity 

337
00:16:22,880 --> 00:16:25,640
federation was, you know what, 
we're going to eliminate that, 

338
00:16:26,240 --> 00:16:28,840
that surface area for the number
of credentials that are being 

339
00:16:28,840 --> 00:16:31,320
used. 
But the dark side of that is if 

340
00:16:31,320 --> 00:16:34,480
adversaries get a hold of those 
single sign on credentials, 

341
00:16:34,480 --> 00:16:36,000
guess what? 
That just makes their job a lot 

342
00:16:36,000 --> 00:16:38,720
easier. 
So the, the moniker today, 

343
00:16:38,720 --> 00:16:41,240
especially as you, you 
deconstruct the, the modern 

344
00:16:41,240 --> 00:16:44,000
architecture and, and by the 
way, this is, I'm gonna, this is

345
00:16:44,000 --> 00:16:47,400
a little odd, but I actually 
started my career as an, as a 

346
00:16:47,440 --> 00:16:50,560
programmer out of mainframe. 
So if I look at the mainframe, 

347
00:16:50,560 --> 00:16:52,160
everything was centralized on 
the mainframe. 

348
00:16:52,480 --> 00:16:56,800
We're using RACF, you know, ACF2,
Top Secret for our access 

349
00:16:56,800 --> 00:16:58,120
controls. 
Back then, you know, I was 

350
00:16:58,120 --> 00:17:01,840
running my JCL jobs, I was 
programming in PL/1, a little bit 

351
00:17:01,840 --> 00:17:03,240
different. 
So if you, if you look at it and

352
00:17:03,240 --> 00:17:05,280
it's almost like food, right? 
You talk about these Michelin 

353
00:17:05,280 --> 00:17:07,839
star restaurants that 
deconstruct food into, I think 

354
00:17:07,839 --> 00:17:10,599
we've deconstructed the, the 
tech stack right now. 

355
00:17:10,599 --> 00:17:13,480
So it used to be data centers 
and we were standing up servers 

356
00:17:13,960 --> 00:17:15,160
and building our own data 
centers. 

357
00:17:15,160 --> 00:17:18,680
Now you're now you're breaking 
out the data center into cloud, 

358
00:17:18,800 --> 00:17:20,960
cloud service providers 
providing the infrastructure. 

359
00:17:20,960 --> 00:17:23,200
Then you have services that are 
being delivered by different SaaS

360
00:17:23,200 --> 00:17:24,880
vendors. 
So what's stitching that all 

361
00:17:24,880 --> 00:17:26,560
together now that we've 
deconstructed it? 

362
00:17:26,560 --> 00:17:29,520
APIs and credentials. 
That's really what's stitching 

363
00:17:29,520 --> 00:17:32,640
it together in a bunch of code. 
So I think that movement to 

364
00:17:32,640 --> 00:17:37,040
cloud and that deconstruction 
has created a greater emphasis 

365
00:17:37,040 --> 00:17:39,800
on identity. 
And I, I think also with 

366
00:17:39,800 --> 00:17:42,640
federation and, and we, we talk 
about bad guys don't hack in 

367
00:17:42,640 --> 00:17:44,080
anymore. 
It's not like they're using 

368
00:17:44,080 --> 00:17:46,720
malware to hack in, in this 
modern stack. 

369
00:17:46,880 --> 00:17:49,760
They log in. 
So they're buying credentials. 

370
00:17:49,760 --> 00:17:51,880
They're, you know, finding any 
which way to get those. 

371
00:17:51,880 --> 00:17:54,320
They'll pay you for your 
credentials and they'll get, 

372
00:17:54,320 --> 00:17:56,280
they'll get access and they'll 
bypass MFA. 

373
00:17:56,280 --> 00:17:58,560
And once they're in, they're in,
it's a little bit of a different

374
00:17:59,240 --> 00:18:02,560
approach than it was 10, 15 years 
ago with malware and, and 

375
00:18:02,560 --> 00:18:04,800
viruses. 
If you remember old school, if 

376
00:18:04,800 --> 00:18:07,280
you had Symantec and Norton 
Antivirus, like you're good, 

377
00:18:07,280 --> 00:18:08,320
right? 
That was security. 

378
00:18:08,640 --> 00:18:10,320
So I think it's evolved quite a 
bit since then. 

379
00:18:10,320 --> 00:18:12,360
And I do believe identity's at 
the center of it all. 

380
00:18:13,160 --> 00:18:17,640
Yeah, absolutely. 
So, OK, talk about some of those

381
00:18:17,640 --> 00:18:22,520
modern attacks, Scattered Spider,
like I said, most people I think

382
00:18:22,520 --> 00:18:25,880
have heard of it, but can you 
tell us a little bit more about 

383
00:18:25,880 --> 00:18:30,440
what it was and what the impact 
was for companies that 

384
00:18:30,800 --> 00:18:32,840
unfortunately got hammered by 
this thing? 

385
00:18:33,440 --> 00:18:35,600
Sure. 
And and by the way, this is 

386
00:18:35,600 --> 00:18:39,440
something that we we do all the 
time, which is we provide no 

387
00:18:39,440 --> 00:18:41,920
strings attached, no salespeople
threat briefings. 

388
00:18:42,360 --> 00:18:45,600
So I'll give you a bit of a mini
version of that threat briefing 

389
00:18:45,600 --> 00:18:47,400
because we've been doing it 
quite a bit for the last two 

390
00:18:47,400 --> 00:18:50,360
years. 
Probably the poster children 

391
00:18:50,360 --> 00:18:52,440
for, for that one was Caesars, 
MGM. 

392
00:18:52,640 --> 00:18:54,640
In terms of Scattered Spider in 
particular. 

393
00:18:55,600 --> 00:18:58,560
Now I, I could say that was a 
great event for us because I 

394
00:18:58,560 --> 00:19:01,800
think it really created a lot of
education around the identity 

395
00:19:01,800 --> 00:19:04,800
infrastructure. 
But if you, you look back at 

396
00:19:04,800 --> 00:19:07,320
what they were trying to focus 
on, one, they were buying 

397
00:19:07,320 --> 00:19:09,600
credentials off a Russian 
marketplace and they were 

398
00:19:09,600 --> 00:19:12,560
focused on specific people that 
they believed had a lot of 

399
00:19:12,560 --> 00:19:15,840
privileges into the environment.
And so they're going after Okta,

400
00:19:15,840 --> 00:19:17,840
they're going after Entra, 
they're going after Ping. 

401
00:19:17,840 --> 00:19:21,520
So that was their, the IDP was a
great source because you assume 

402
00:19:21,520 --> 00:19:24,080
if you get an IDP credential, 
you're going to have access to a

403
00:19:24,080 --> 00:19:26,400
whole lot of things. 
I have to do less in terms of 

404
00:19:26,400 --> 00:19:27,960
lateral movement within the 
environment. 

405
00:19:28,280 --> 00:19:30,400
Perfect. 
So that's where it's starting. 

406
00:19:30,880 --> 00:19:33,200
Let's focus on compromising an 
IDP credential. 

407
00:19:33,600 --> 00:19:36,200
That group was also behind the 
T-Mobile breach as well. 

408
00:19:36,680 --> 00:19:39,200
And why does that matter? 
That matters because SIM 

409
00:19:39,200 --> 00:19:41,520
swapping makes it easy to bypass
MFA. 

410
00:19:41,880 --> 00:19:45,120
And so it was a multi pronged 
approach in which they were, 

411
00:19:45,120 --> 00:19:47,920
they happened to be, you know, 
compromising T-Mobile 

412
00:19:47,920 --> 00:19:51,200
previously, one that gave them 
an opportunity now to bypass 

413
00:19:51,200 --> 00:19:53,280
MFA. 
They've also resorted to some 

414
00:19:53,280 --> 00:19:57,600
more heavy-handed tactics, I'd 
say swatting, you know, physical

415
00:19:57,600 --> 00:20:00,160
threats, you know, they find out
what your wife's name is, your 

416
00:20:00,160 --> 00:20:03,280
kids' names and they say, hey, if
you don't accept this, you know,

417
00:20:03,280 --> 00:20:05,280
we're going to, we're going to 
do some harm to your children, 

418
00:20:05,280 --> 00:20:07,360
to your wife, and they'll follow
it up with swatting. 

419
00:20:07,360 --> 00:20:10,240
So there's different ways of 
persuading people to, to give up 

420
00:20:10,240 --> 00:20:13,200
their credentials. 
So if you assume once you're 

421
00:20:13,200 --> 00:20:16,000
past that door, right, the 
authentication side of it, what 

422
00:20:16,000 --> 00:20:20,360
happens then while you're riding
that identity highway into all 

423
00:20:20,360 --> 00:20:23,680
the SaaS applications that are 
federated into it like 365, 

424
00:20:23,680 --> 00:20:26,840
Jira, Confluence? 
And then you're also going into 

425
00:20:26,840 --> 00:20:29,760
the infrastructure, right? 
So AWS, Azure, even on-prem as 

426
00:20:29,760 --> 00:20:31,880
well if there's a VPN. 
So what was the what was the 

427
00:20:31,880 --> 00:20:34,520
major mission for them? 
The major mission for them was 

428
00:20:34,520 --> 00:20:37,000
actually to steal intellectual 
property and they would extort 

429
00:20:37,000 --> 00:20:38,880
you. 
So in some cases, some of the 

430
00:20:38,880 --> 00:20:41,760
largest extortions we saw were 
about $50 million. 

431
00:20:41,760 --> 00:20:44,240
He said, 
if you don't pay us $50 million,

432
00:20:44,240 --> 00:20:47,000
we'll release your source code 
and there goes your competitive 

433
00:20:47,000 --> 00:20:48,600
advantage. 
And now your competitors have 

434
00:20:48,600 --> 00:20:50,560
your source code big impact, 
right? 

435
00:20:51,440 --> 00:20:54,160
Caesars, MGM was a little bit 
different where there was some 

436
00:20:54,160 --> 00:20:57,680
disruption, obviously to the, to
the services that the, the 

437
00:20:57,680 --> 00:20:59,960
hospitality industry 
was providing. 

438
00:21:00,720 --> 00:21:02,560
So they had different outcomes. 
But at the end of the day, it 

439
00:21:02,560 --> 00:21:04,440
was still extortion, right? 
Pay me tens of millions of 

440
00:21:04,440 --> 00:21:06,680
dollars. 
So why is that important? 

441
00:21:07,160 --> 00:21:10,480
I think it's important because 
that's one of the most high 

442
00:21:10,480 --> 00:21:13,640
profile cases where they, they 
really focus on the identity 

443
00:21:13,640 --> 00:21:18,360
infrastructure to get access. 
And the second was if you've 

444
00:21:18,360 --> 00:21:20,840
been following this Rippling 
Deel lawsuit, that's been 

445
00:21:20,840 --> 00:21:23,040
happening because it was an 
insider threat and it was 

446
00:21:23,040 --> 00:21:29,120
focused on essentially setting 
up honeypots where they would go

447
00:21:29,120 --> 00:21:31,120
find out. 
OK, well, clearly Deel has an 

448
00:21:31,120 --> 00:21:33,560
insider somewhere at Rippling 
that's providing them 

449
00:21:33,560 --> 00:21:35,800
information and they're trying 
to ferret out who this insider 

450
00:21:35,800 --> 00:21:37,440
was. 
And the way that they detected 

451
00:21:37,440 --> 00:21:40,480
it actually was because they 
were monitoring the search terms

452
00:21:40,680 --> 00:21:44,280
and they, they set a honeypot up
with specific search specific 

453
00:21:44,280 --> 00:21:46,680
terms in a document. 
And so once they knew someone 

454
00:21:46,680 --> 00:21:49,040
was searching for those terms, 
they knew who the, who the 

455
00:21:49,040 --> 00:21:51,280
culprit was. 
And so if you look at Scattered 

456
00:21:51,280 --> 00:21:54,000
Spider, one of the most 
interesting and novel things 

457
00:21:54,000 --> 00:21:56,320
that we saw in that and that we 
actually pioneered this 

458
00:21:56,320 --> 00:22:00,280
technique was, and everyone 
uses Google or Perplexity or 

459
00:22:00,280 --> 00:22:02,520
name your, your, your latest 
search right now, right? 

460
00:22:02,880 --> 00:22:06,200
Well, search actually gives you 
a sense of intent because I'm 

461
00:22:06,200 --> 00:22:08,480
searching for, let's say, a car.
Well, I'm probably looking to 

462
00:22:08,480 --> 00:22:11,160
buy a car. 
The unique part of this 

463
00:22:11,160 --> 00:22:14,320
adversary group was they were 
using search for about 70 hours 

464
00:22:14,320 --> 00:22:17,200
to recon the environment they're
looking for, AKA they're looking

465
00:22:17,200 --> 00:22:19,800
for others credentials, they're 
looking for secrets, they're 

466
00:22:19,800 --> 00:22:22,120
looking for other access keys, 
they're looking for 

467
00:22:22,120 --> 00:22:23,400
infrastructure deployment 
guides. 

468
00:22:23,400 --> 00:22:25,680
And that was an interesting new 
area that we saw in the SaaS 

469
00:22:25,680 --> 00:22:28,080
world that was like, wow, this 
is a new technique that we're 

470
00:22:28,160 --> 00:22:30,440
that we're identifying right now
right here on the front lines. 

471
00:22:31,000 --> 00:22:33,560
And that, that does deal 
with exactly what we're seeing 

472
00:22:33,560 --> 00:22:35,920
now in the Rippling Deel effect 
as well on the insider threat 

473
00:22:35,920 --> 00:22:37,760
side. 
But yeah, I think that's it, 

474
00:22:37,760 --> 00:22:38,880
right? 
Use identity. 

475
00:22:39,640 --> 00:22:42,200
Let's go log into all the 
different applications that it 

476
00:22:42,200 --> 00:22:43,760
has access to. 
Let's steal information. 

477
00:22:43,760 --> 00:22:46,520
Let's get away with it. 
And these were not sophisticated

478
00:22:46,520 --> 00:22:48,800
adversaries, by the way. 
These were keyboard jockeys that

479
00:22:48,800 --> 00:22:51,280
didn't know how to script, and 
they were logging in into 

480
00:22:51,280 --> 00:22:53,360
websites. 
So this was not like some nation

481
00:22:53,360 --> 00:22:54,720
state. 
These are a bunch of actually 

482
00:22:54,720 --> 00:22:57,120
teenagers that were doing this. 
Yeah, right. 

483
00:22:57,480 --> 00:23:01,320
And OK, you said they searched 
for AKIA. 

484
00:23:02,280 --> 00:23:04,520
What is that? 
It's actually a prefix for an 

485
00:23:04,760 --> 00:23:07,600
AWS access key, so. 
Right, right, right. 

486
00:23:07,600 --> 00:23:10,040
Yeah. 
And they're, they're searching 

487
00:23:10,040 --> 00:23:13,480
for code signing certs. 
So .PFX. 

488
00:23:13,480 --> 00:23:16,120
So because code signing certs 
are obviously an issue, right 

489
00:23:16,120 --> 00:23:18,400
for for tech companies, if they 
lose their code signing cert, 

490
00:23:18,800 --> 00:23:20,640
it's fascinating. 
When you look at their search 

491
00:23:20,640 --> 00:23:24,200
terms and we published it 
actually on our blog, it's clear

492
00:23:24,200 --> 00:23:25,800
that they had no idea what the 
heck they were doing because 

493
00:23:25,800 --> 00:23:26,760
they're searching for 
everything. 

494
00:23:28,240 --> 00:23:30,720
Yeah. 
Well, that that kind of puts a 

495
00:23:30,720 --> 00:23:34,760
bull's eye on their on their 
back potentially, but they look 

496
00:23:34,760 --> 00:23:39,080
how much damage they did. 
There's another big incident 

497
00:23:39,080 --> 00:23:42,240
that hit the news, the LLM 
jacking incident. 

498
00:23:42,520 --> 00:23:46,400
Tell us about that one and kind 
of what was behind it and again,

499
00:23:46,400 --> 00:23:49,680
impact too. 
So this one's going to be a 

500
00:23:49,680 --> 00:23:53,480
little bit, I'll call it a little
more seedy just in terms of like

501
00:23:53,480 --> 00:23:57,120
what they did. 
I mean compromised access keys 

502
00:23:57,120 --> 00:24:01,480
are not new by any means. 
We actually were observing some 

503
00:24:01,760 --> 00:24:05,080
abnormal behavior related to 
some AWS infrastructure or 

504
00:24:05,080 --> 00:24:07,360
clients and it was specific to 
Bedrock. 

505
00:24:07,360 --> 00:24:10,000
And if you're familiar with 
Bedrock, Bedrock is the, the AI 

506
00:24:10,000 --> 00:24:13,520
infrastructure service for, for 
hosting things like Anthropic 

507
00:24:13,520 --> 00:24:15,720
models, etcetera. 
And we're like, what are they 

508
00:24:15,720 --> 00:24:17,720
doing with with Bedrock? 
Like this doesn't make any 

509
00:24:17,720 --> 00:24:18,920
sense. 
And once we started to pull the 

510
00:24:18,920 --> 00:24:23,400
thread on it, what we realized 
was they're actually using 

511
00:24:23,840 --> 00:24:27,520
access keys, like stolen access 
keys to, to then abuse Bedrock 

512
00:24:27,520 --> 00:24:30,640
to steal free Bedrock services. 
And then they were jailbreaking 

513
00:24:30,640 --> 00:24:32,520
Anthropic models and other AI 
models. 

514
00:24:32,520 --> 00:24:34,760
What were they doing? 
They're creating role-playing 

515
00:24:34,760 --> 00:24:37,000
sex bots that they could go sell
subscriptions to. 

516
00:24:37,000 --> 00:24:40,840
And and so of course this was an
interesting one because this 

517
00:24:40,840 --> 00:24:44,920
involves essentially non-human 
identity in the AWS access key. 

518
00:24:44,920 --> 00:24:48,600
Now you're looking at AI 
services and AI infrastructure. 

519
00:24:48,600 --> 00:24:50,640
So you have a cross section of 
NHI and AI. 

520
00:24:51,120 --> 00:24:53,960
And we, we were actually one of 
the first ones to disclose this 

521
00:24:53,960 --> 00:24:55,560
in Brian Krebs. 
If you're familiar with Brian 

522
00:24:55,560 --> 00:24:57,960
Krebs, he breaks a lot of the 
latest breaches, right? 

523
00:24:57,960 --> 00:25:01,320
So he had the exclusive on, on 
our story and he did the 

524
00:25:01,320 --> 00:25:02,960
investigation. 
He's like, wow, this was 

525
00:25:02,960 --> 00:25:04,840
fascinating. 
And subsequently we've been 

526
00:25:04,840 --> 00:25:07,600
referenced several times by a 
lot of other, other big vendors 

527
00:25:07,600 --> 00:25:09,600
like Wiz and other folks in 
their blogs. 

528
00:25:09,600 --> 00:25:12,800
And I think that's a cool thing 
about what we're trying to do is

529
00:25:12,800 --> 00:25:15,360
we're, we're trying to be always
at the forefront of fighting 

530
00:25:15,360 --> 00:25:18,960
these unique things like the LLM
jacking or some of the search 

531
00:25:18,960 --> 00:25:21,680
term indicators and ways of 
detection. 

532
00:25:22,080 --> 00:25:24,640
And that's I, I think that's 
going back to your question on 

533
00:25:24,640 --> 00:25:26,720
differentiation is if I 
continually show like we're at 

534
00:25:26,720 --> 00:25:29,200
the forefront of this and we're 
finding things that no one else 

535
00:25:29,200 --> 00:25:30,760
is finding. 
I think that just helps to 

536
00:25:30,760 --> 00:25:33,080
demonstrate that you're going to
sleep better at night just 

537
00:25:33,080 --> 00:25:35,400
knowing that we're, we're going 
to be doing this for you instead

538
00:25:35,400 --> 00:25:37,240
of you having to do this 24 by 
7. 

539
00:25:37,720 --> 00:25:41,720
And I think the LLM jacking one is 
interesting now that the advent 

540
00:25:41,720 --> 00:25:43,680
of Gen 
AI and the adoption of AI is 

541
00:25:43,680 --> 00:25:45,960
going to increase significantly 
in the enterprise. 

542
00:25:45,960 --> 00:25:49,760
And then the agentic AI. 
I have to admit I'm a little 

543
00:25:49,760 --> 00:25:52,320
worried about Skynet, and 
that's not something I ever 

544
00:25:52,320 --> 00:25:54,640
thought I'd worry about. 
But boy, I've watched all those 

545
00:25:54,640 --> 00:25:56,320
Terminator movies and I am 
scared. 

546
00:25:57,400 --> 00:26:00,440
So you talked about honeypots a 
little bit. 

547
00:26:00,440 --> 00:26:04,000
Is that something that you 
recommend people use? 

548
00:26:05,480 --> 00:26:07,560
So I, I think it depends for 
what purpose. 

549
00:26:07,560 --> 00:26:10,280
And we've set up our own 
honeypots as well, just because 

550
00:26:10,280 --> 00:26:15,000
we, we, as an example, tried to,
in the vein of being in at the 

551
00:26:15,000 --> 00:26:17,200
forefront of identifying what 
the adversaries are doing. 

552
00:26:17,680 --> 00:26:20,600
We'll leak access keys, you 
know, we'll, we'll, we'll leak a

553
00:26:20,600 --> 00:26:22,480
couple things just to see what 
the behavior is. 

554
00:26:22,800 --> 00:26:25,440
And actually in that LLM 
jacking, because some of our 

555
00:26:25,440 --> 00:26:28,280
customers didn't have the proper
logging on, we couldn't actually

556
00:26:28,280 --> 00:26:30,600
see what the prompts that they 
were submitting to the AI 

557
00:26:30,600 --> 00:26:32,160
models. 
So we end up sending a honeypot 

558
00:26:32,160 --> 00:26:34,240
up. 
And of course, we were able to, 

559
00:26:34,240 --> 00:26:37,120
to pull them in and we were able
to observe well, what were the, 

560
00:26:37,120 --> 00:26:39,160
the prompts that were being 
submitted to the models. 

561
00:26:39,160 --> 00:26:42,000
And so we use honeypots all the 
time just for our own research 

562
00:26:42,000 --> 00:26:44,240
purposes. 
I think if it makes sense for a 

563
00:26:44,240 --> 00:26:46,160
customer, it's hard to maintain,
right, because you have to 

564
00:26:46,160 --> 00:26:48,680
continually create new content 
and make sure that you're 

565
00:26:48,680 --> 00:26:50,040
observing and, and monitoring 
it. 

566
00:26:50,040 --> 00:26:52,040
Otherwise it's just. 
Not to do it. 

567
00:26:52,640 --> 00:26:55,640
Exactly, exactly. 
And, and that's a tough part is,

568
00:26:56,000 --> 00:26:58,600
is just maintaining and keeping 
up and, and watching what 

569
00:26:58,600 --> 00:27:00,880
they're doing at all times. 
For us, it's a little bit easier

570
00:27:00,880 --> 00:27:03,360
when you're doing it for 
research purposes and, and not 

571
00:27:03,360 --> 00:27:06,760
in a concern of losing anything 
per se or understanding that 

572
00:27:06,760 --> 00:27:09,840
they're going to attack us. 
So that's, I, I, you know, I, if

573
00:27:09,840 --> 00:27:11,120
you have the resources, go for 
it. 

574
00:27:11,120 --> 00:27:14,360
If not, I think a lot of other 
vendors do do it as well on your

575
00:27:14,360 --> 00:27:18,160
behalf. 
Yeah, I think it's a good topic.

576
00:27:18,160 --> 00:27:20,520
I think you just mentioned the 
point there, right? 

577
00:27:21,280 --> 00:27:23,920
If you have a honeypot out there
and you're not monitoring 

578
00:27:23,920 --> 00:27:26,920
whether or not it's getting hit,
then it's not doing you any 

579
00:27:26,920 --> 00:27:29,800
good. 
Kind of in the same vein, you 

580
00:27:29,800 --> 00:27:34,680
know, we've seen some ridiculous
numbers in terms of how long 

581
00:27:34,680 --> 00:27:39,280
after breach it takes for an 
organization to realize they've 

582
00:27:39,280 --> 00:27:42,400
been breached. 
You had something, a statistic 

583
00:27:42,400 --> 00:27:44,800
on your website and I don't 
remember what it was, but how 

584
00:27:44,800 --> 00:27:49,560
long was that? 
So I, I think the, if you go 

585
00:27:49,560 --> 00:27:53,680
with the, the real big vendors 
who have, you know, the typical 

586
00:27:53,680 --> 00:27:56,120
Verizon reports or CrowdStrike 
reports, they'll probably say 

587
00:27:56,120 --> 00:27:59,320
anywhere between 10 to 15 days 
for dwell time, which is the 

588
00:27:59,320 --> 00:28:02,880
amount of time that an adversary
sits in an environment and gets,

589
00:28:03,080 --> 00:28:07,200
goes undetected. 
So I think what we're seeing 

590
00:28:07,200 --> 00:28:10,320
right now in the, in the most 
recent Scattered Spider incident

591
00:28:10,320 --> 00:28:13,840
was about 74 hours from 
beginning to execution of the, 

592
00:28:14,560 --> 00:28:18,000
of the attack itself. 
And the 70, 70 of the 74 hours was

593
00:28:18,000 --> 00:28:21,400
the, the recon time. 
So they executed that mission in

594
00:28:21,400 --> 00:28:23,800
about 3 days. 
So not very sophisticated, 

595
00:28:23,800 --> 00:28:25,920
right? 
You're able to go and to to pull

596
00:28:25,920 --> 00:28:29,040
this off because one, I don't 
think people have proper 

597
00:28:29,040 --> 00:28:30,960
visibility to be able to detect 
it in the first place. 

598
00:28:30,960 --> 00:28:34,280
So if you were, and this is, 
this is a part of the, the 

599
00:28:34,280 --> 00:28:36,600
formula, right? 
So over time, now let's think 

600
00:28:36,600 --> 00:28:39,280
about just passwords in general.
Like what was the complexity of 

601
00:28:39,280 --> 00:28:40,200
the passwords? 
You started with? 

602
00:28:40,480 --> 00:28:41,840
There's like a couple 
characters, right? 

603
00:28:41,960 --> 00:28:44,720
And then you started getting 
into 16 characters because we 

604
00:28:44,720 --> 00:28:47,360
used to read about tables and 
password cracking back in the 

605
00:28:47,360 --> 00:28:50,200
day with, with different tools. 
And then then you added 

606
00:28:50,200 --> 00:28:51,840
complexity, you added 
characters. 

607
00:28:52,080 --> 00:28:54,640
So I, I think this is the same 
game that's, that's being played

608
00:28:54,640 --> 00:28:57,880
with, with these folks is right 
now, I think the level of 

609
00:28:57,880 --> 00:29:02,200
maturity in terms of being able 
to monitor identities across all

610
00:29:02,200 --> 00:29:05,400
these different layers is, is 
not quite unified right now. 

611
00:29:05,400 --> 00:29:07,760
And that allows you now to kind 
of hide in those gaps. 

612
00:29:08,200 --> 00:29:11,680
And you'll see shards of like, 
OK, we saw something happening 

613
00:29:11,680 --> 00:29:14,400
in, in GitHub, but OK, is that 
correlated to something else 

614
00:29:14,400 --> 00:29:17,240
that happened in, in Jira? 
I think it's hard to stitch that

615
00:29:17,240 --> 00:29:19,600
picture together. 
And I think that's where we've 

616
00:29:19,600 --> 00:29:22,160
noticed in the breaches that 
we've worked where they hide, 

617
00:29:22,160 --> 00:29:23,520
right? 
It was in between those gaps. 

618
00:29:24,720 --> 00:29:27,560
I'm wondering, I mean you work 
with a lot of clients, you get 

619
00:29:27,560 --> 00:29:32,640
to see what team gets brought to
the table, roles and 

620
00:29:32,640 --> 00:29:34,720
responsibilities within the 
organization. 

621
00:29:34,720 --> 00:29:37,080
I'm wondering most of our 
listeners are identity 

622
00:29:37,080 --> 00:29:40,440
practitioners. 
Are they the folks who are, you 

623
00:29:40,440 --> 00:29:44,760
know, just the buck stops with 
them for dealing with these or 

624
00:29:44,760 --> 00:29:47,680
getting ahead of these issues or
is it somewhere else within the 

625
00:29:47,680 --> 00:29:51,840
organization? 
I would tell you probably the 

626
00:29:51,840 --> 00:29:56,880
most advanced, I'll call it 
organizational behavioral 

627
00:29:56,880 --> 00:30:00,120
structure that I've seen is a 
customer of ours created an 

628
00:30:00,120 --> 00:30:03,680
identity security team, which is
essentially an overlay cross 

629
00:30:03,680 --> 00:30:06,720
functional team that was working
across the IAM teams as well as 

630
00:30:06,720 --> 00:30:10,200
the security teams to create 
more unified visibility for 

631
00:30:10,200 --> 00:30:13,120
identity. 
Because I don't think this is a,

632
00:30:13,320 --> 00:30:16,200
an either or type of 
responsibility. 

633
00:30:16,200 --> 00:30:19,840
Because if you think about IAM 
professionals, I didn't have a 

634
00:30:19,880 --> 00:30:23,840
full deep appreciation for how 
complex and how hard it is to, 

635
00:30:23,840 --> 00:30:26,760
to stand up and manage and 
maintain that infrastructure 

636
00:30:26,760 --> 00:30:29,200
and, and try to get everyone 
bought into the standards like 

637
00:30:29,200 --> 00:30:30,680
that. 
That's a hard job. 

638
00:30:31,120 --> 00:30:33,480
So I look at that as prevention,
right? 

639
00:30:33,480 --> 00:30:35,480
So you're, you're, you're 
putting in place the proper 

640
00:30:35,480 --> 00:30:38,400
controls and the proper 
prevention to ensure you have 

641
00:30:38,400 --> 00:30:40,360
the right authentication, right 
authorization. 

642
00:30:41,200 --> 00:30:43,440
But guess what? 
Controls fail as we see in 

643
00:30:43,440 --> 00:30:45,320
breaches. 
So you do need the security team

644
00:30:45,320 --> 00:30:47,840
to monitor that when all else 
fails. 

645
00:30:47,840 --> 00:30:51,120
Are we able to, to your 
question, Jim, are we able to 

646
00:30:51,120 --> 00:30:53,600
detect when that happens? 
Because you can't expect you're 

647
00:30:53,600 --> 00:30:56,960
100% secure at all times. 
That's just not reasonable. 

648
00:30:57,280 --> 00:31:00,440
So you need both sides to 
continually work with each other

649
00:31:00,440 --> 00:31:02,800
because there might be things 
that are happening on the threat

650
00:31:02,800 --> 00:31:06,480
environment that helps inform 
the IAM team that, hey, you know 

651
00:31:06,480 --> 00:31:08,440
what, we need to put these types
of controls in place because 

652
00:31:08,440 --> 00:31:10,920
we're starting to see emerging 
attacks around this area. 

653
00:31:11,240 --> 00:31:15,440
So let's say as an example, NHI 
is a big one, non-human 

654
00:31:15,440 --> 00:31:16,880
identities, kind of a big one 
right now, right? 

655
00:31:16,880 --> 00:31:19,240
So we're seeing a rise in 
attacks around NHIs. 

656
00:31:19,480 --> 00:31:22,240
So what do we need to do better 
on NHIs? NHIs have been around for

657
00:31:22,240 --> 00:31:24,640
a long time, service accounts, 
service principals been around 

658
00:31:24,640 --> 00:31:26,680
for a long time. 
But you don't have to worry 

659
00:31:26,680 --> 00:31:29,680
about the problem until it 
becomes a real, real pressing 

660
00:31:29,680 --> 00:31:32,040
issue. 
So I, I think it's a, it's a 

661
00:31:32,040 --> 00:31:34,880
joint effort, honestly. 
And if you look at our 

662
00:31:34,880 --> 00:31:37,960
engagements with our customers, 
yes, we might have come in from 

663
00:31:37,960 --> 00:31:40,960
an incident that happened and we
helped them respond to that 

664
00:31:40,960 --> 00:31:42,640
incident. 
Then we helped build detection 

665
00:31:42,640 --> 00:31:45,840
capabilities to ensure that if 
the adversary comes back, we're 

666
00:31:45,840 --> 00:31:47,960
able to detect it. 
But our biggest engagement 

667
00:31:47,960 --> 00:31:51,720
actually has been IAM teams. 
So we, we just launched a whole 

668
00:31:51,720 --> 00:31:54,720
prevention part of our platform.
And was it because we wanted to 

669
00:31:54,720 --> 00:31:56,600
go into prevention? 
It was because the customer 

670
00:31:56,600 --> 00:31:57,880
said, I can't have this happen 
again. 

671
00:31:58,360 --> 00:32:01,880
So if you look at the symptoms 
of what happened, one is there's a

672
00:32:01,880 --> 00:32:07,000
lot of orphaned and stale accounts
and unknown risks around access 

673
00:32:07,000 --> 00:32:10,000
keys that were exposed to our 
human and non-human identities. 

674
00:32:10,320 --> 00:32:11,840
And then there's a lot of over 
permissioning. 

675
00:32:11,840 --> 00:32:13,680
So in the example of an Okta 
credential that gets 

676
00:32:13,680 --> 00:32:16,360
compromised, one thing we 
observed is this credential 

677
00:32:16,360 --> 00:32:18,720
never accessed GitHub for three 
years. 

678
00:32:19,280 --> 00:32:21,200
So you could argue at that 
point, if you had removed the 

679
00:32:21,200 --> 00:32:23,200
access would have completely 
stopped the attack. 

680
00:32:23,200 --> 00:32:25,160
Probably not. 
It probably would just create 

681
00:32:25,160 --> 00:32:27,280
enough friction where they're 
go, you know, this is kind of 

682
00:32:27,280 --> 00:32:28,320
annoying. 
They don't have access to 

683
00:32:28,320 --> 00:32:30,000
GitHub. 
I'll find another way around to 

684
00:32:30,000 --> 00:32:32,840
get to get access to GitHub. 
So I, I think it's a joint 

685
00:32:32,840 --> 00:32:35,240
effort. 
I, I do believe the construct 

686
00:32:35,240 --> 00:32:37,400
that I talked about, which is 
like a unified identity 

687
00:32:37,400 --> 00:32:41,280
security team is a little bit of
a lesser minority 

688
00:32:41,520 --> 00:32:44,360
implementation, but I do feel 
like there's a large convergence

689
00:32:44,360 --> 00:32:46,280
happening with, with those, 
those teams. 

690
00:32:46,280 --> 00:32:49,280
Just it's just my gut. 
Yeah, no, it makes a lot of 

691
00:32:49,280 --> 00:32:50,760
sense. 
So as you're talking about all 

692
00:32:50,760 --> 00:32:55,960
these things, and again, the 
website is permiso.io, we 

693
00:32:56,440 --> 00:33:00,960
also say slash IDAC. 
If you go there, Paul's going to

694
00:33:00,960 --> 00:33:03,360
put something there for you to 
get for free. 

695
00:33:03,360 --> 00:33:07,320
And hopefully, I'm hoping 
there's an Easter egg there. 

696
00:33:07,440 --> 00:33:12,760
I also wanted to go through the 
spelling is PERMISO like miso 

697
00:33:12,760 --> 00:33:19,240
soup, PERMISO.IO. 
But I think at this point in the

698
00:33:19,240 --> 00:33:23,160
conversation, Paul, people 
probably asking like, OK, you 

699
00:33:23,160 --> 00:33:25,920
sold us. 
There's all this that we need to

700
00:33:25,920 --> 00:33:29,480
be worried about. 
How's Permiso help? 

701
00:33:29,480 --> 00:33:31,920
How's Permiso help me to solve 
this problem? 

702
00:33:33,240 --> 00:33:37,080
I, I will tell you this, the 
only way to, to kind of prove 

703
00:33:37,080 --> 00:33:39,800
out, are we really worth the 
time and effort? 

704
00:33:39,800 --> 00:33:41,440
Because I get it. 
And I think, you know what, it's

705
00:33:41,440 --> 00:33:44,320
annoying talking to vendors. 
Vendors call you, they're, 

706
00:33:44,320 --> 00:33:47,000
they're nagging you with emails,
LinkedIn messages, I mean, you 

707
00:33:47,000 --> 00:33:49,280
name it. 
I, I, I think the first thing I 

708
00:33:49,280 --> 00:33:52,720
would ask anyone that would want
to talk to us is, is just look 

709
00:33:52,720 --> 00:33:55,040
at our research, right? 
Just just determine whether you 

710
00:33:55,040 --> 00:33:57,920
think we know what we're talking
about or we just put a bunch of 

711
00:33:57,920 --> 00:34:00,440
words on our website and tried 
to say, Oh, you know, we do all 

712
00:34:00,440 --> 00:34:02,720
these things because guess what?
There's a lot of people that go 

713
00:34:02,720 --> 00:34:04,920
out there and can easily put 
words out and say they do a 

714
00:34:04,920 --> 00:34:07,200
whole lot of things. 
I think the proof is in the 

715
00:34:07,200 --> 00:34:09,719
pudding in terms of what we've 
been able to do in the past. 

716
00:34:11,719 --> 00:34:14,560
You know, I, I, I think the best
way that we, we try to prove 

717
00:34:14,560 --> 00:34:17,360
value is if I'm not giving you 
unique insights into your 

718
00:34:17,360 --> 00:34:18,920
environment and all that you 
didn't know about. 

719
00:34:18,920 --> 00:34:20,480
And I call that unknown risk, 
right? 

720
00:34:20,600 --> 00:34:24,199
So if you already know what risk
you're managing, there's a, 

721
00:34:24,239 --> 00:34:27,000
there's a certain percentage, 
call it 10 to 15% of unknown 

722
00:34:27,000 --> 00:34:28,800
risks that you don't know about 
because you don't have the right

723
00:34:28,800 --> 00:34:31,719
visibility or you don't have the
right monitoring in place to 

724
00:34:31,719 --> 00:34:33,639
determine whether those things 
are happening. 

725
00:34:33,639 --> 00:34:37,320
So what is it that we're we're 
looking for on the detection 

726
00:34:37,320 --> 00:34:39,639
side, the response side, it's 
really two simple questions we're

727
00:34:39,639 --> 00:34:42,840
trying to answer. One is, do we
believe that there's any 

728
00:34:42,840 --> 00:34:45,560
compromised credentials in the 
environment, human or non-human,

729
00:34:45,679 --> 00:34:48,719
from an external threat actor? 
The other, which is a harder 

730
00:34:48,719 --> 00:34:51,040
problem to solve, is the insider
threat issue. 

731
00:34:51,040 --> 00:34:53,280
So they have legitimate access 
into the environment. 

732
00:34:53,280 --> 00:34:56,120
So the pattern of detection is a
little bit different because 

733
00:34:56,120 --> 00:34:58,040
they are going to come from a 
valid device, they're going to 

734
00:34:58,040 --> 00:35:01,520
come from a valid MFA factor, 
they're going to look normal. 

735
00:35:01,520 --> 00:35:03,760
So how do you start to determine
when people are starting, 

736
00:35:03,760 --> 00:35:07,280
starting to act abnormally? 
I'll give you two examples.

737
00:35:07,280 --> 00:35:09,720
So the actually compromised 
credential, that was the 

738
00:35:09,720 --> 00:35:11,200
Scattered Spider use case,
right? 

739
00:35:11,200 --> 00:35:14,200
It was an outside threat actor 
that was compromising a valid 

740
00:35:14,200 --> 00:35:16,840
credential and then they gained 
access into the environment. 

741
00:35:17,320 --> 00:35:21,240
One of the more recent examples 
for us is let's say you had to 

742
00:35:21,240 --> 00:35:26,320
lay off 1000 people tomorrow. 
What are the things that you 

743
00:35:26,320 --> 00:35:29,720
need to worry about? 
One is, did I remove all access,

744
00:35:30,160 --> 00:35:33,480
number one. 
The second is can I detect if 

745
00:35:33,480 --> 00:35:37,280
they're exhibiting any kind of 
destructive behavior that could 

746
00:35:37,280 --> 00:35:41,040
be impactful to the company? 
And I will tell you when you're,

747
00:35:41,040 --> 00:35:43,880
you're trying to lay off people 
at that scale, things will fall 

748
00:35:43,880 --> 00:35:45,840
through the cracks.
And then this is what we 

749
00:35:45,840 --> 00:35:49,360
observed is people downloading 
mass downloading documents from 

750
00:35:49,360 --> 00:35:51,720
SharePoint, right, downloading 
documents with Salesforce 

751
00:35:52,000 --> 00:35:54,920
hurrying up to, you know, to get
until they got their access cut 

752
00:35:54,920 --> 00:35:56,680
off. 
That's a big problem right on 

753
00:35:56,680 --> 00:35:58,440
the insider threat side.
And then, of course, this 

754
00:35:58,440 --> 00:36:01,640
Rippling Deel lawsuit is
another indication of that

755
00:36:01,640 --> 00:36:03,440
insider threat.
So that's on the detection side.

756
00:36:03,440 --> 00:36:05,560
That's what we care about. 
So if you move left of that 

757
00:36:05,560 --> 00:36:07,840
problem, what's precipitating
those issues? 

758
00:36:08,280 --> 00:36:10,960
I think that's the hygiene side 
or the posture side, right? 

759
00:36:10,960 --> 00:36:12,800
You know, how do I start to 
prevent this from happening, 

760
00:36:12,800 --> 00:36:15,640
which is let's clean up all the 
attack surface around the

761
00:36:15,640 --> 00:36:17,720
identity. 
Any, any orphaned accounts, stale

762
00:36:17,720 --> 00:36:21,160
accounts, zombie accounts that 
may exist in your infrastructure

763
00:36:21,160 --> 00:36:25,600
in SaaS, on-prem, with your Active
Directory, you name it, that's 

764
00:36:25,600 --> 00:36:27,440
number one. 
Second is you've got to deal 

765
00:36:27,440 --> 00:36:29,720
with authorization risks around 
least privilege and over 

766
00:36:29,720 --> 00:36:31,640
permissioning. 
So I gave you that example in 

767
00:36:31,640 --> 00:36:33,400
Scattered Spider where the 
credentials that were 

768
00:36:33,400 --> 00:36:36,000
compromised had access to 
resources that they hadn't 

769
00:36:36,000 --> 00:36:39,320
touched in a long time. 
So if you look at the, the, the 

770
00:36:39,320 --> 00:36:42,200
real root cause of all this, 
it's a, it's a multi pronged 

771
00:36:42,200 --> 00:36:44,960
issue, which is both you could 
do prevention, but you do need 

772
00:36:44,960 --> 00:36:46,520
monitoring together at the same 
time. 

773
00:36:46,920 --> 00:36:49,480
I think what we're noticing is a
lot of vendors are focusing on 

774
00:36:49,480 --> 00:36:52,000
one or the other without 
bringing the two together. 

775
00:36:52,000 --> 00:36:53,960
I think that's what
makes us unique is that 

776
00:36:53,960 --> 00:36:57,360
visibility for both prevention 
and detection, for human and non-

777
00:36:57,360 --> 00:37:00,440
human identities, for your cloud
and for your on-prem.

778
00:37:00,440 --> 00:37:03,600
So we're actually trying to save
our customers some money instead

779
00:37:03,600 --> 00:37:06,800
of having to buy five different 
solutions, you know, we'll cover

780
00:37:06,800 --> 00:37:09,880
all your identity security needs
from one place as best as we

781
00:37:09,880 --> 00:37:10,720
can. 
Are we perfect? 

782
00:37:11,080 --> 00:37:13,400
No, I'm not going to sell you 
snake oil and say, you know, 

783
00:37:13,400 --> 00:37:16,000
we're the best at everything. 
But I I think the one area I can

784
00:37:16,000 --> 00:37:19,640
claim we are the absolute best 
at is the the detection and the 

785
00:37:19,640 --> 00:37:22,040
response line given our 
background of of dealing with 

786
00:37:22,040 --> 00:37:25,120
frontline attacks against some 
of these adversaries. 

787
00:37:26,160 --> 00:37:29,640
And so, Paul, I mean, when you 
talk about Permiso, do you call 

788
00:37:29,640 --> 00:37:33,920
it a platform? 
Is it a couple different 

789
00:37:33,920 --> 00:37:35,640
solutions or products? 
How? 

790
00:37:35,800 --> 00:37:38,680
How do we think about it? 
Let let me approach it in a 

791
00:37:38,680 --> 00:37:41,840
little bit of a different way. 
I'll, and I'm going to use non 

792
00:37:41,840 --> 00:37:45,520
marketing words because I, I, I 
think actually the word identity

793
00:37:45,520 --> 00:37:47,680
security is a little bit of a 
bastardized term right now 

794
00:37:47,680 --> 00:37:50,560
because what, what is security 
in the first place?

795
00:37:51,280 --> 00:37:53,640
And I was a CSO, right? 
And I had a fixed amount of 

796
00:37:53,640 --> 00:37:55,760
budget and I can only spend so 
much. 

797
00:37:55,760 --> 00:37:58,520
And what, what's my job? 
My job is to buy down risk, 

798
00:37:59,080 --> 00:38:02,560
deploying that, that money into 
people process or technologies. 

799
00:38:02,920 --> 00:38:05,440
So security fundamentally is a 
risk management function. 

800
00:38:05,680 --> 00:38:09,240
So what is it that I care about?
I care about helping our 

801
00:38:09,240 --> 00:38:13,160
customers manage the risks to 
their identities, which means I 

802
00:38:13,160 --> 00:38:15,840
need to enumerate all the things
that I talked about, right? 

803
00:38:15,840 --> 00:38:18,680
So all the vulnerabilities of 
the potential gaps that could be

804
00:38:18,680 --> 00:38:22,000
exploited by a threat actor that
could turn into an incident. 

805
00:38:22,720 --> 00:38:26,200
So I, I, I think that's, it's, 
it's more about identity risk 

806
00:38:26,240 --> 00:38:28,720
management. 
Do I want to be an IGA solution?

807
00:38:28,720 --> 00:38:32,360
No, I don't think that makes 
sense for us because I think we 

808
00:38:32,360 --> 00:38:36,040
need to end up being almost like
an Equifax or, or TransUnion

809
00:38:36,040 --> 00:38:39,800
or, you know, an Experian
around understanding, Oh, I need

810
00:38:39,800 --> 00:38:42,880
to understand all the attributes
of risk related to an identity 

811
00:38:42,880 --> 00:38:45,000
and be that that clearing house 
for understanding. 

812
00:38:45,240 --> 00:38:47,200
You know what, Paul's the
riskiest identity in the 

813
00:38:47,200 --> 00:38:48,920
environment. 
One, because he's over 

814
00:38:48,920 --> 00:38:52,960
permissioned, but two, he's 
logging in from Vietnam and he 

815
00:38:52,960 --> 00:38:56,360
just switched from an Android 
device for his MFA factor to an 

816
00:38:56,360 --> 00:38:58,920
iOS, which never happens, by the
way, very rarely. 

817
00:38:59,320 --> 00:39:03,960
Or he downgraded from iOS 18.2 
to, you know, iOS 16.1 rarely 

818
00:39:03,960 --> 00:39:05,720
happens. 
These are all signals and 

819
00:39:05,720 --> 00:39:06,760
symptoms. 
And all of a sudden he's 

820
00:39:06,760 --> 00:39:09,400
starting to create users and, 
and exhibit this weird behavior.

821
00:39:09,720 --> 00:39:13,280
I think those are all signals 
you need to capture and be able 

822
00:39:13,280 --> 00:39:16,000
to understand why Paul is now
the riskiest identity because 

823
00:39:16,320 --> 00:39:19,600
both inherently he has a lot of 
permissions, but his behavior is

824
00:39:19,600 --> 00:39:21,800
quite erratic and now he's 
exhibiting symptoms of 

825
00:39:21,800 --> 00:39:23,120
potentially a compromised 
credential. 

826
00:39:23,840 --> 00:39:26,840
Jeff, I think we need to cut 
Paul off from our podcasting 

827
00:39:26,840 --> 00:39:29,760
platform once this podcast is 
recorded. 

828
00:39:29,760 --> 00:39:32,520
Like kill his credentials for 
life. 

829
00:39:33,240 --> 00:39:35,000
Why would we do that? 
Paul's our friend. 

830
00:39:35,240 --> 00:39:37,480
He's our friend, but he's so 
risky. 

831
00:39:37,480 --> 00:39:40,400
We're in the opposite market,
right? For podcast growth, we

832
00:39:40,400 --> 00:39:43,320
want everybody to get out there.
Absolutely. 

833
00:39:43,640 --> 00:39:44,720
It's true. 
It's true. 

834
00:39:46,080 --> 00:39:49,440
So Paul, one of the things that 
you talk about with Permiso is 

835
00:39:49,440 --> 00:39:53,840
the universal identity graph. 
And I wanted to be, is this like

836
00:39:53,840 --> 00:39:55,560
front and center on your 
website? 

837
00:39:57,240 --> 00:39:59,280
Why is that? 
Why is that front and center? 

838
00:39:59,280 --> 00:40:02,520
Why is that the first thing you 
think about or read about? 

839
00:40:02,840 --> 00:40:06,720
When you go to Permiso dot IO
slash IDAC. 

840
00:40:08,240 --> 00:40:10,920
Well, I always, I, I think I 
talked about it a little bit 

841
00:40:10,920 --> 00:40:14,960
before, which was some of the 
core principles that I learned 

842
00:40:14,960 --> 00:40:18,480
in security is, is one, you need
to know what you're protecting. 

843
00:40:18,880 --> 00:40:23,120
So if you don't have an accurate
inventory of the identity attack

844
00:40:23,120 --> 00:40:25,840
surface, then it's hard for you 
to know, you know what I need to

845
00:40:25,840 --> 00:40:28,000
protect this credential because 
Paul owns his credential. 

846
00:40:28,000 --> 00:40:30,280
But one of the harder problems 
that we're trying to solve is 

847
00:40:31,360 --> 00:40:33,920
let's say if you're going to get
rid of me tomorrow, right, how 

848
00:40:33,920 --> 00:40:36,360
would you know which credentials
that I've used or owned in the 

849
00:40:36,360 --> 00:40:38,880
environment? 
It's easy if you were saying 

850
00:40:38,880 --> 00:40:41,400
everything was federated and if
I just cut off my federated

851
00:40:41,400 --> 00:40:45,080
identity, all's good, right? 
The challenge is there's a lot 

852
00:40:45,080 --> 00:40:47,520
of non-federated identities that
are operating in the right 

853
00:40:47,520 --> 00:40:49,520
because I may have local access 
to something that wasn't 

854
00:40:49,520 --> 00:40:51,680
federated through to, let's say,
Okta.

855
00:40:52,400 --> 00:40:55,760
The the third problem is I may 
also own non-human identity.

856
00:40:55,760 --> 00:41:00,360
So I may have secrets or OAuth
tokens that I've authorized or 

857
00:41:00,400 --> 00:41:02,880
you know, long lived access keys
that belong to me. 

858
00:41:03,560 --> 00:41:06,520
So you need an accurate 
inventory of what is the 

859
00:41:06,520 --> 00:41:10,080
composite identity surface area 
for Paul, including all the 

860
00:41:10,080 --> 00:41:12,680
credentials he uses and all the 
permissions that he has. 

861
00:41:12,920 --> 00:41:15,960
So that graph is really about 
just maintaining a

862
00:41:15,960 --> 00:41:19,760
proper state of who is Paul as a
human entity and then all the 

863
00:41:19,760 --> 00:41:21,240
credentials and permissions that
he owns. 

864
00:41:22,000 --> 00:41:23,920
And we also do this for
non-human identities as well.

865
00:41:25,280 --> 00:41:27,280
Yeah. 
I mean, that's a really good 

866
00:41:27,280 --> 00:41:29,560
point. 
So I totally agree. 

867
00:41:29,560 --> 00:41:32,320
You had me sold right when you
said you have to have an 

868
00:41:32,320 --> 00:41:37,400
inventory of your attack 
surface, which almost seems like

869
00:41:37,760 --> 00:41:41,040
impossible. 
So is it that Permiso helps you 

870
00:41:41,040 --> 00:41:43,560
develop that? 
Because I doubt there's been the

871
00:41:43,560 --> 00:41:46,800
clients that you go into and 
like they're like, here's our 

872
00:41:46,800 --> 00:41:48,960
spreadsheet, here's our attack 
surface. 

873
00:41:49,360 --> 00:41:54,760
No, I, I think it's a part of 
not just if they have, do you 

874
00:41:54,760 --> 00:41:56,920
have that information? 
So as an example, we've had a 

875
00:41:56,920 --> 00:41:58,680
lot of requests to integrate 
with Workday.

876
00:41:59,040 --> 00:42:02,200
So Workday is a bit of their
authoritative source for full 

877
00:42:02,200 --> 00:42:04,760
time employees and contractors. 
And we use that as a starting 

878
00:42:04,760 --> 00:42:08,320
point through that integration. 
So it, it, it's both 

879
00:42:08,800 --> 00:42:12,880
integrations into the IDP first
and into HR systems like that to

880
00:42:12,880 --> 00:42:16,080
give us a sense of what's the 
baseline inventory, because the 

881
00:42:16,080 --> 00:42:19,240
majority of the credentials, at 
least for mature customers that 

882
00:42:19,240 --> 00:42:22,000
have federated access, that's
the easy low hanging fruit. 

883
00:42:22,760 --> 00:42:26,280
The second ring around that 
would be you need direct access 

884
00:42:26,280 --> 00:42:29,360
and integration into all the 
sources that, that where there 

885
00:42:29,360 --> 00:42:31,200
are credentials, let's say local
credentials. 

886
00:42:31,600 --> 00:42:33,720
So I'll have to integrate with 
every SaaS application,

887
00:42:33,960 --> 00:42:37,880
Salesforce, ServiceNow, Jira, 
GitHub, I'll have to integrate 

888
00:42:37,880 --> 00:42:39,320
with Amazon. 
So there's a bit of an 

889
00:42:39,320 --> 00:42:42,360
integration coverage you have to
do as well because if you can't 

890
00:42:42,360 --> 00:42:45,600
enumerate the local credentials 
and even have access to the 

891
00:42:45,600 --> 00:42:48,000
activity logs and and where 
they're accessing those things, 

892
00:42:48,000 --> 00:42:49,480
it's hard for you to get that 
visibility. 

893
00:42:49,880 --> 00:42:53,480
So unfortunately I think it is 
very similar to to things in the

894
00:42:53,480 --> 00:42:57,240
past where one we will use the 
let's say 80% rule.

895
00:42:57,240 --> 00:43:00,120
Let's get as much as we can from
the right sources like the IDP 

896
00:43:00,120 --> 00:43:04,000
or from HRIS systems and then 
let's fill in the rest by 

897
00:43:04,000 --> 00:43:06,120
enumerating the the local 
credentials from there. 

898
00:43:07,440 --> 00:43:09,760
So that enumeration I think is 
where I was thinking is when I 

899
00:43:09,760 --> 00:43:15,040
hear integration, I think of 
gaps because nobody knows where 

900
00:43:15,040 --> 00:43:17,840
that they might have identities 
is, is this one of the 

901
00:43:17,840 --> 00:43:20,680
challenges that we're that we 
need to try to solve for is OK, 

902
00:43:20,680 --> 00:43:23,880
we know what, we know what 
applications we have, but you 

903
00:43:23,880 --> 00:43:26,120
know, the business is going to 
go in business, they're going to

904
00:43:26,120 --> 00:43:29,280
go out and sign up for a SaaS app
or some other thing, right? 

905
00:43:29,280 --> 00:43:31,720
And they're not being centrally 
managed. 

906
00:43:32,160 --> 00:43:35,960
Is there a way or an opportunity
to use Permiso to maybe discover

907
00:43:35,960 --> 00:43:39,200
some of that usage and say, hey,
we've got some shadow IT 

908
00:43:39,200 --> 00:43:41,960
problems over here and oh, by 
the way, someone spun up their 

909
00:43:41,960 --> 00:43:44,760
own entire AWS environment or 
whatever it might be, right? 

910
00:43:44,760 --> 00:43:47,120
That is not being that. 
First of all, it's not even 

911
00:43:47,120 --> 00:43:49,760
being aware of that, like from a
governance standpoint, from a

912
00:43:49,760 --> 00:43:52,400
security standpoint. 
But is are there opportunities 

913
00:43:52,400 --> 00:43:55,320
to leverage this information to 
do some of that discovery, to 

914
00:43:55,320 --> 00:43:57,960
find the things that we don't 
know about our environment? 

915
00:43:58,720 --> 00:44:02,360
That's a great point because you
can only protect what you know, 

916
00:44:02,360 --> 00:44:03,560
right? 
Sometimes there's a lot of 

917
00:44:03,560 --> 00:44:06,320
unknowns and I, I always talk 
about the unknown risk because 

918
00:44:07,080 --> 00:44:09,320
you don't have 100% visibility 
into your environment. 

919
00:44:09,320 --> 00:44:13,040
And I think this is where we 
have that real time or runtime 

920
00:44:13,040 --> 00:44:15,920
monitoring because there are 
things you observe when you're 

921
00:44:15,920 --> 00:44:19,280
seeing a, a set of activity. 
Let's say for example, someone 

922
00:44:19,280 --> 00:44:23,080
signs up for some SaaS
application as an example, you 

923
00:44:23,080 --> 00:44:25,440
may not see the initial 
registration workflow, but 

924
00:44:25,440 --> 00:44:28,560
you'll see shards of activity 
where, where all of a sudden we 

925
00:44:28,560 --> 00:44:31,560
see people accessing certain 
websites that are abnormal for 

926
00:44:31,560 --> 00:44:33,200
what they, they normally go to, 
right. 

927
00:44:33,200 --> 00:44:36,680
So that then starts a signal to 
us, OK, maybe someone's signing 

928
00:44:36,680 --> 00:44:38,440
up for this particular SaaS
application. 

929
00:44:38,760 --> 00:44:42,760
We put that into what we 
consider an unknown state for, 

930
00:44:42,760 --> 00:44:45,960
for in our inventory that needs 
to be reconciled because now we 

931
00:44:45,960 --> 00:44:48,720
don't know if that's authorized 
or unauthorized and we don't 

932
00:44:48,720 --> 00:44:52,840
know if that's a, a potential 
user that we know about or not. 

933
00:44:53,200 --> 00:44:55,000
So that's, that's potentially 
some ways. 

934
00:44:55,280 --> 00:44:58,080
Are we perfect at like 
identifying shadow SaaS?

935
00:44:58,080 --> 00:45:00,160
No, I think there's, there's a 
lot of other solutions that are 

936
00:45:00,160 --> 00:45:04,560
more focused on the, the SaaS
security side or CASB or SASE

937
00:45:04,560 --> 00:45:06,360
that can detect it from a 
network standpoint. 

938
00:45:07,040 --> 00:45:10,200
That won't be our strongest suit
per se, but there are methods

939
00:45:10,200 --> 00:45:13,680
that we use that again, like 
think of it as like, I hate to 

940
00:45:13,680 --> 00:45:16,120
call it Big Brother, but I am 
kind of like Big Brother in the 

941
00:45:16,120 --> 00:45:18,000
environment, right? 
Monitoring every user, every 

942
00:45:18,000 --> 00:45:19,840
identity, just watching what 
they're doing. 

943
00:45:20,120 --> 00:45:22,160
And there are signals that we 
pick up sometimes that are 

944
00:45:22,160 --> 00:45:24,560
saying, hey, this is unknown 
activity that we need to go 

945
00:45:24,560 --> 00:45:26,440
investigate. 
That could be indicative of 

946
00:45:26,440 --> 00:45:29,680
shadow SaaS or shadow IT as a
as an example. 

947
00:45:31,640 --> 00:45:36,440
That's a very important concept.
One other thing that came to 

948
00:45:36,440 --> 00:45:39,440
mind was I remember a
Gartner, I'm not sure if it's a

949
00:45:39,440 --> 00:45:42,120
Venn diagram. 
If it's only two circles, we can

950
00:45:42,120 --> 00:45:46,600
call it intersecting circles. 
It was SPM, security posture

951
00:45:46,600 --> 00:45:52,480
management and ITDR, and most 
products fell into one or the

952
00:45:52,480 --> 00:45:54,640
other. 
I would say the SPM was kind of 

953
00:45:54,640 --> 00:45:59,320
more the network vendors, Palo
Altos, things like that. 

954
00:45:59,320 --> 00:46:04,880
ITDR was kind of pure-play ITDR. I
don't remember if you guys were

955
00:46:04,880 --> 00:46:09,120
on that specific diagram, but it
feels like, you know, based on 

956
00:46:09,120 --> 00:46:13,040
the research I've done looking 
at the website, you're kind of in

957
00:46:13,040 --> 00:46:15,320
that section where those two 
overlap. 

958
00:46:15,320 --> 00:46:21,120
So you're SPM, but I'd say 
you're, it's like identity SPM, 

959
00:46:21,120 --> 00:46:25,120
which I think that I'd love to 
hear you clarify on that a 

960
00:46:25,120 --> 00:46:28,600
little bit and then talk about 
ITDR and what you bring to the 

961
00:46:28,600 --> 00:46:34,600
table in terms of ITDR. 
It's, it's a hot space, but what

962
00:46:34,600 --> 00:46:38,400
I've seen, like, as I have
investigated different ITDRs is

963
00:46:38,920 --> 00:46:43,400
it's almost like a, a major 
bucket containing a bunch of 

964
00:46:43,400 --> 00:46:46,640
different types of solutions. 
They don't all do the same 

965
00:46:46,640 --> 00:46:48,960
thing. 
So I'd like to understand what 

966
00:46:48,960 --> 00:46:53,120
you guys bring to the table in 
terms of the ITDR and then what 

967
00:46:53,120 --> 00:46:58,720
is this identity SPM piece and 
why do you call it that and and 

968
00:46:58,720 --> 00:47:01,080
what does Permiso bring to
the table there? 

969
00:47:01,800 --> 00:47:05,640
That's a great question. 
In terms of the acronym soup of 

970
00:47:05,680 --> 00:47:09,520
ISPM and ITDR, I could probably throw
in a couple more, IGA.

971
00:47:09,520 --> 00:47:12,000
We don't do IGA, but might as 
well throw in all the acronyms. 

972
00:47:12,520 --> 00:47:16,120
But in terms of identity threat 
detection, what are the

973
00:47:16,120 --> 00:47:19,160
outcomes that you really care
about? One is real-time monitoring

974
00:47:19,160 --> 00:47:21,720
of your identities to determine 
when they're compromised either 

975
00:47:21,720 --> 00:47:23,840
by an external threat actor like
we talked about with Scattered

976
00:47:23,840 --> 00:47:27,560
Spider or some of the insider 
threat use cases where you start

977
00:47:27,560 --> 00:47:31,840
to see, you know, in mass 
layoffs or potentially in the, 

978
00:47:31,840 --> 00:47:34,760
the corporate espionage or the 
the Rippling Deel effect.

979
00:47:35,160 --> 00:47:37,120
I think that's really what we 
care about is like we want to do

980
00:47:37,120 --> 00:47:39,760
the real time monitoring of your
identities so you can sleep 

981
00:47:39,760 --> 00:47:42,400
better knowing that no one's 
abusing those credentials. 

982
00:47:43,040 --> 00:47:45,680
And if you go to the left of 
that, that's really the quote,

983
00:47:45,680 --> 00:47:49,000
unquote ISPM or the posture. I, I
call that more prevention and 

984
00:47:49,000 --> 00:47:52,440
hygiene management, which is 
you're trying to reduce the 

985
00:47:52,440 --> 00:47:55,560
probability of an identity being
compromised. 

986
00:47:55,560 --> 00:47:59,040
So what do you need to do there?
One is, of course, we're monitoring

987
00:47:59,040 --> 00:48:03,720
for behaviors like people using 
weak MFA methods or I, I call 

988
00:48:03,720 --> 00:48:07,000
them weak authentication
controls that allow it to be

989
00:48:07,000 --> 00:48:08,720
easier to compromise a 
credential. 

990
00:48:09,440 --> 00:48:13,280
So we, we monitor for all those.
We identify any cases where MFA 

991
00:48:13,280 --> 00:48:15,880
is not being enforced. 
As an example, we try to 

992
00:48:15,880 --> 00:48:20,160
identify any residual unknown 
accounts that may exist that 

993
00:48:20,160 --> 00:48:22,920
people forgot about because 
either, you know, people left or

994
00:48:22,920 --> 00:48:24,680
whatever may be. 
So zombie accounts, stale

995
00:48:24,680 --> 00:48:27,240
accounts, that's surface area. 
That's pretty low hanging fruit 

996
00:48:27,240 --> 00:48:30,560
that you can go after and you 
could feel comfortable that you 

997
00:48:30,560 --> 00:48:32,240
can remove those. 
Because a part of what we do is 

998
00:48:32,240 --> 00:48:35,480
we also understand when that 
credential was last used and how

999
00:48:35,480 --> 00:48:36,920
it was used. 
So I could replay that 

1000
00:48:36,920 --> 00:48:40,840
credential and tell you it was 
last used a year ago and Paul 

1001
00:48:40,840 --> 00:48:42,520
used it. 
And when he used it, he went 

1002
00:48:42,520 --> 00:48:45,280
into 365 and he downloaded a 
bunch of documents. 

1003
00:48:45,520 --> 00:48:47,560
So we give you a lot more 
context than I think a lot of 

1004
00:48:47,560 --> 00:48:49,640
other folks would just say, oh, 
it's an unused account. 

1005
00:48:49,960 --> 00:48:52,640
We could tell you it's an unused
account, but it was used last 

1006
00:48:52,640 --> 00:48:55,000
year on this date at this time.
And here's what it did. 

1007
00:48:55,720 --> 00:48:59,160
The the other piece too is the 
least privilege side, which

1008
00:48:59,160 --> 00:49:01,200
frankly like least privilege
we've been chasing forever. 

1009
00:49:01,640 --> 00:49:04,720
It's it, it seems like it's a 
never ending problem with people

1010
00:49:04,720 --> 00:49:08,120
moving jobs and roles. 
And I think what we see with 

1011
00:49:08,120 --> 00:49:11,280
developers, especially in this 
new infrastructure-as-code world,

1012
00:49:11,640 --> 00:49:13,360
they give permissions until it 
works. 

1013
00:49:13,720 --> 00:49:16,880
So it's not about, I think, 
paring down permissions for 

1014
00:49:16,880 --> 00:49:19,560
security purposes, like how do I
make this stupid piece of code 

1015
00:49:19,560 --> 00:49:21,280
work? 
And I will say I am guilty of it

1016
00:49:21,280 --> 00:49:24,920
myself because I am a hack 
developer compared to what I 

1017
00:49:24,920 --> 00:49:26,440
used to be. 
And I'll write code and like, 

1018
00:49:26,440 --> 00:49:28,920
what the heck, I don't know why 
isn't this working? 

1019
00:49:28,920 --> 00:49:31,000
It says access denied or 
permission's not allowed. 

1020
00:49:31,000 --> 00:49:33,320
I'm like, OK, I'm just going to 
keep loading up permissions 

1021
00:49:33,320 --> 00:49:35,280
until it works. 
So I think that's really the 

1022
00:49:35,280 --> 00:49:37,880
prevention side or the ISPM. 
And, and I think that's where 

1023
00:49:37,880 --> 00:49:41,360
we're unique is you'll have 
other vendors that are doing 

1024
00:49:41,360 --> 00:49:45,320
just posture but not detection. 
And some vendors are just doing 

1025
00:49:45,320 --> 00:49:48,880
detection but not posture and 
some that are doing posture in 

1026
00:49:48,880 --> 00:49:52,760
cloud only, but not on-prem.
So you, I think the hardest part

1027
00:49:52,760 --> 00:49:55,200
for a customer's I, I think I, I
put it together. 

1028
00:49:55,200 --> 00:49:58,040
If you, if you think about the, 
the stack that I just talked 

1029
00:49:58,040 --> 00:50:01,320
about, ISPM, ITDR, I'll use the
acronyms for descriptive 

1030
00:50:01,320 --> 00:50:05,640
purposes for human and non-human
identities in cloud and on-prem.

1031
00:50:06,520 --> 00:50:08,600
That's probably 6 different 
solutions that you have to buy 

1032
00:50:08,600 --> 00:50:10,280
and then you have to stitch 
those together to get the 

1033
00:50:10,280 --> 00:50:13,440
visibility that you need. 
And I think that's where we try 

1034
00:50:13,440 --> 00:50:16,240
to make it simpler for customers
to get that unified visibility 

1035
00:50:16,240 --> 00:50:20,960
for all your identities in one 
place, human, non-human, cloud

1036
00:50:20,960 --> 00:50:23,560
and on-prem, so you can help
manage that risk as effectively 

1037
00:50:23,560 --> 00:50:26,320
as possible. 
Yeah, I think this is this 

1038
00:50:26,320 --> 00:50:29,480
highlights, I think the 
importance of visibility and 

1039
00:50:29,480 --> 00:50:33,520
observability and being able to 
understand who is your, who is 

1040
00:50:33,520 --> 00:50:35,640
in your environment, what are 
they doing with it? 

1041
00:50:36,520 --> 00:50:38,600
And then you can start to make 
intelligent decisions around, 

1042
00:50:38,600 --> 00:50:40,320
OK, well, what do you want to do
about the information that's 

1043
00:50:40,320 --> 00:50:43,560
been presented to you? 
So I love this idea of, of 

1044
00:50:43,680 --> 00:50:46,880
again, that this combining that 
visibility and observability and

1045
00:50:46,880 --> 00:50:51,040
then give me, give me data so 
that I can figure out, OK, is 

1046
00:50:51,040 --> 00:50:54,600
Paul being weird again? 
Or is this just normal Paul 

1047
00:50:54,600 --> 00:50:57,360
behavior? And, you know, his six
kids running around his house 

1048
00:50:57,360 --> 00:50:59,520
and like, oh, that is normal for
that, for that house. 

1049
00:50:59,520 --> 00:51:03,160
So I love that idea of combining
both of those things. 

1050
00:51:03,160 --> 00:51:04,960
And it definitely want to 
encourage people, you know, go 

1051
00:51:04,960 --> 00:51:09,160
off the website, check it out, 
Permiso dot IO slash IDAC.

1052
00:51:09,240 --> 00:51:10,880
We'll have a link in our show 
notes for people to check that 

1053
00:51:10,880 --> 00:51:13,640
out. 
But definitely a, a powerful 

1054
00:51:13,640 --> 00:51:15,960
message there. 
I know you've been very, you 

1055
00:51:15,960 --> 00:51:17,560
know, generous with your time 
here today. 

1056
00:51:18,080 --> 00:51:19,880
I did mention that you have 6 
kids. 

1057
00:51:20,240 --> 00:51:24,000
That is a lot of kids man. 
Tell me a little bit about your 

1058
00:51:24,000 --> 00:51:28,720
environment there and and how 
much ISPM and ITDR and identity

1059
00:51:28,720 --> 00:51:30,920
graphing are you doing even just
in your own home to try and 

1060
00:51:30,920 --> 00:51:33,640
manage all this? 
I

1061
00:51:33,640 --> 00:51:36,920
constantly have to inventory
that I have all my kids because 

1062
00:51:37,520 --> 00:51:41,160
I have lost a couple at Disney 
World and the good thing is 

1063
00:51:41,160 --> 00:51:43,040
Disney World's really good at 
tracking down kids. 

1064
00:51:43,040 --> 00:51:47,720
But I was an only child and, 
guess what, I married an 

1065
00:51:47,720 --> 00:51:50,280
Irish Catholic from Pittsburgh 
and I ended up with six kids. 

1066
00:51:50,280 --> 00:51:53,200
So clearly I did not read 
that contract very well when I, 

1067
00:51:53,760 --> 00:51:58,800
when I said I do, but 
they're 16 to 9 and 

1068
00:51:58,800 --> 00:52:02,480
we jammed them in pretty tight 
and good Lord, sometimes I feel 

1069
00:52:02,480 --> 00:52:05,120
like I'm an Uber driver 
more than I am anything else. 

1070
00:52:05,120 --> 00:52:07,520
So I'm not sure what I'm... Well,
yeah. 

1071
00:52:07,520 --> 00:52:08,960
You know, you talk about like 
ITDR. 

1072
00:52:09,400 --> 00:52:11,320
Yes. 
I'm trying to detect nefarious 

1073
00:52:11,400 --> 00:52:14,160
activity from my kids all the 
time, especially as they have 

1074
00:52:14,160 --> 00:52:16,360
devices and I don't know what 
the heck they're doing on their 

1075
00:52:16,360 --> 00:52:18,920
devices. 
That's the scary part of the 

1076
00:52:18,920 --> 00:52:20,720
Internet. 
Now that I have kids, it's like,

1077
00:52:20,720 --> 00:52:24,320
what the heck are they doing? 
So knowing what you know and 

1078
00:52:24,320 --> 00:52:27,320
sort of your background in 
cybersecurity, do you think that

1079
00:52:27,320 --> 00:52:31,760
makes you a better dad or are 
you just an absolute nightmare 

1080
00:52:31,760 --> 00:52:35,200
of a dad because it is harder to
get things past you maybe? 

1081
00:52:36,680 --> 00:52:39,920
I don't think I have enough 
time to be able to effectively 

1082
00:52:39,920 --> 00:52:42,760
monitor them. 
So I use the old school fun 

1083
00:52:42,760 --> 00:52:45,560
approach, which is I scare them 
and say, you know what your 

1084
00:52:45,560 --> 00:52:47,520
father does. 
You know, your father monitors 

1085
00:52:47,520 --> 00:52:50,000
people all the time and I know 
exactly what they're doing. 

1086
00:52:50,000 --> 00:52:52,280
So if you think you're going to 
pull one on me, you can try. 

1087
00:52:52,280 --> 00:52:55,920
I have had kids who've tried, 
and they 

1088
00:52:55,920 --> 00:52:57,520
probably didn't do it 
successfully. 

1089
00:52:57,560 --> 00:52:59,520
And unfortunately that means 
that they think they can keep 

1090
00:52:59,520 --> 00:53:01,360
doing it. 
But I told them eventually I'll 

1091
00:53:01,360 --> 00:53:02,120
catch you. 
Don't. 

1092
00:53:02,120 --> 00:53:05,160
Don't worry about it. 
Jim, you've got a couple kids. 

1093
00:53:05,480 --> 00:53:08,720
How do you approach that, 
your identity threat 

1094
00:53:08,720 --> 00:53:11,880
detection response and identity 
security posture management for 

1095
00:53:11,880 --> 00:53:17,280
your kids? 
You keep your 

1096
00:53:17,280 --> 00:53:19,520
attack surface as small as 
possible. 

1097
00:53:19,680 --> 00:53:22,880
So Paul didn't get that memo. 
You don't want to be 

1098
00:53:22,880 --> 00:53:25,240
outnumbered, so you keep it 
small. 

1099
00:53:26,080 --> 00:53:29,400
You still have to have fault 
tolerance for passing on your 

1100
00:53:29,400 --> 00:53:32,800
genetics. 
So I got two, didn't let them 

1101
00:53:32,800 --> 00:53:36,160
outnumber me. 
So I feel like I set the 

1102
00:53:36,160 --> 00:53:38,320
strategy. 
I stuck to the strategy. 

1103
00:53:38,680 --> 00:53:41,800
Now we've been in operations for
a while, but guess what? 

1104
00:53:42,000 --> 00:53:45,960
Having kids, operations isn't 
always the funnest sport. 

1105
00:53:47,760 --> 00:53:50,920
Did you just use fault tolerance
with the idea of your 

1106
00:53:50,920 --> 00:53:53,320
children? 
Genetics. 

1107
00:53:53,360 --> 00:53:55,480
Yeah, I know. 
It's actually, when you 

1108
00:53:55,480 --> 00:53:59,000
think about it, it was not a 
good analogy, but we do. 

1109
00:53:59,120 --> 00:54:01,640
We do this thing live, Jeff. 
So it's out there now. 

1110
00:54:01,640 --> 00:54:03,120
Yeah. 
Oh, this is why we end on a 

1111
00:54:03,120 --> 00:54:05,080
lighter note. 
Or also, you're going to hear a 

1112
00:54:05,080 --> 00:54:07,200
fault tolerance in genetics. 
That's a good one. 

1113
00:54:07,560 --> 00:54:11,080
Identity threat detection response
all in one, one cohesive, nice 

1114
00:54:11,080 --> 00:54:13,120
tiny little package of an. 
I love it. 

1115
00:54:14,320 --> 00:54:15,680
I love it. 
Paul, you've been great. 

1116
00:54:16,200 --> 00:54:18,280
Definitely interested in 
learning more about what you 

1117
00:54:18,280 --> 00:54:19,760
guys have going on. 
Looking forward to seeing you 

1118
00:54:19,760 --> 00:54:22,440
guys maybe at some conferences 
that will be probably at 

1119
00:54:22,560 --> 00:54:24,120
together over the next year or 
so. 

1120
00:54:24,760 --> 00:54:27,720
Definitely get people out there 
for the website permiso dot 

1121
00:54:27,720 --> 00:54:35,080
IO slash IDAC, that's PERMISO dot IO 
slash IDAC. Speaking of letters 

1122
00:54:35,080 --> 00:54:36,320
and acronyms and things like 
that. 

1123
00:54:36,600 --> 00:54:40,640
Miso soup. 
So I guess final thoughts, Paul,

1124
00:54:40,680 --> 00:54:42,840
what is something that if 
somebody's listening to this, 

1125
00:54:43,240 --> 00:54:46,040
what is your elevator pitch or 
your final thought that you want

1126
00:54:46,040 --> 00:54:47,920
people to take away from this 
conversation before we close 

1127
00:54:47,920 --> 00:54:50,960
things out? 
Disclaimer, I'm sorry if you 

1128
00:54:50,960 --> 00:54:54,160
lost 30 to 40 minutes of your 
life and like you can't get it 

1129
00:54:54,160 --> 00:54:59,160
back, but like I said, we 
just want to be good 

1130
00:54:59,160 --> 00:55:00,840
contributing members of the 
community. 

1131
00:55:00,840 --> 00:55:04,280
I think evaluate whether 
you feel like we can do that for

1132
00:55:04,280 --> 00:55:05,720
you. 
And just again, based upon our 

1133
00:55:05,720 --> 00:55:08,400
research and what we've 
talked about, and if you feel 

1134
00:55:08,400 --> 00:55:12,400
like you want to learn more, no 
strings attached, I promise 

1135
00:55:12,400 --> 00:55:15,480
we're not super salesy people. 
We like to share what we do. 

1136
00:55:15,480 --> 00:55:17,960
If you just check out on 
social media and LinkedIn, I 

1137
00:55:17,960 --> 00:55:20,280
think you'll see that a lot of 
people appreciate what we do in 

1138
00:55:20,280 --> 00:55:22,240
the community. 
And we're happy to give you a 

1139
00:55:22,240 --> 00:55:24,400
threat briefing, give you a 
demo, whatever you want. 

1140
00:55:24,400 --> 00:55:27,560
If you want to learn more, I 
promise I'll keep my sales 

1141
00:55:27,560 --> 00:55:29,240
folks at bay and I'll be 
the one 

1142
00:55:29,240 --> 00:55:32,880
to personally deliver it. 
OK, so that is a very 

1143
00:55:32,880 --> 00:55:34,880
powerful message. 
I hope people take advantage of 

1144
00:55:34,880 --> 00:55:36,760
that for sure. 
All right, we're going to go 

1145
00:55:36,760 --> 00:55:38,000
ahead and wrap it up for this 
week. 

1146
00:55:38,160 --> 00:55:40,000
Thanks, Paul, for joining us. 
I'll have links in our show 

1147
00:55:40,000 --> 00:55:42,400
notes for people to check out, 
including your LinkedIn profile 

1148
00:55:42,400 --> 00:55:47,120
as well as the permiso dot IO 
slash IDAC landing page. 

1149
00:55:47,480 --> 00:55:49,680
And then of course, you can 
always visit us on the web at 

1150
00:55:49,680 --> 00:55:53,600
idacpodcast.com, do all the cool
things like subscribe, share 

1151
00:55:53,600 --> 00:55:55,080
with your friends, share with 
your enemies. 

1152
00:55:55,480 --> 00:55:58,840
And in the opposite of Paul, and
we want everyone to get it to 

1153
00:55:58,840 --> 00:56:01,760
our episodes. 
So it is a wide open door for 

1154
00:56:01,760 --> 00:56:04,560
people to check out. 
So with that, thanks everybody 

1155
00:56:04,560 --> 00:56:07,520
for watching and or listening 
and we'll talk with you all in 

1156
00:56:07,520 --> 00:56:11,440
the next one. 
You've been listening to 

1157
00:56:11,520 --> 00:56:15,400
Identity at the Center. 
We hope you've enjoyed the show.

1158
00:56:15,560 --> 00:56:19,680
Make sure to like, rate and 
review, and we'll be back soon. 

1159
00:56:19,960 --> 00:56:22,240
But in the meantime, hit the 
website at 

1160
00:56:22,240 --> 00:56:28,600
identity@thecenter.com. 
See you next time on Identity at

1161
00:56:28,600 --> 00:56:29,480
the Center.
