1
00:00:04,880 --> 00:00:11,280
This is identity at the center. 
Welcome to the Identity at the 

2
00:00:11,280 --> 00:00:12,920
Center podcast. 
I'm Jeff, and that's Jim. 

3
00:00:12,920 --> 00:00:15,000
Hey, Jim. 
Hey, Jeff, how are you? 

4
00:00:15,400 --> 00:00:18,040
Oh, not so bad yourself. 
Doing great, man. 

5
00:00:18,040 --> 00:00:20,600
Some of the exciting things 
going on in our industry right 

6
00:00:20,600 --> 00:00:24,480
now. You've got all the stuff
that's NHIs, you've got all the

7
00:00:24,480 --> 00:00:27,920
stuff with identity security in 
general. 

8
00:00:28,320 --> 00:00:32,640
And then you've got this whole 
AI emergence that's happening 

9
00:00:32,640 --> 00:00:35,240
now. 
It's going to, I mean, we don't 

10
00:00:35,240 --> 00:00:37,120
even know what it's going to be 
like in the future. 

11
00:00:37,120 --> 00:00:41,480
So it's just an exciting time to
be in this industry. 

12
00:00:41,960 --> 00:00:46,000
I'm excited for the younger 
folks who have a lot more career

13
00:00:46,000 --> 00:00:49,760
years ahead of them, decades 
ahead of them than than we do. 

14
00:00:51,280 --> 00:00:55,880
Excited and a little scared for 
them that thinks they'll be 

15
00:00:55,880 --> 00:00:58,720
automated away. 
But I think that the best thing 

16
00:00:58,720 --> 00:01:02,600
you can do at this point is like
embrace the fact that a 

17
00:01:02,600 --> 00:01:06,600
technology changes things, 
incorporate AI, become 

18
00:01:06,600 --> 00:01:11,400
expert at it, and then, you know,
try to stand, stand out, stand 

19
00:01:11,400 --> 00:01:12,720
apart. 
What do you think? 

20
00:01:13,480 --> 00:01:16,040
No, I think you, you said it. 
We've, we've had disruptive 

21
00:01:16,040 --> 00:01:18,280
technologies before. 
This is just the latest. 

22
00:01:18,320 --> 00:01:20,520
Is it more disruptive or less 
than others? 

23
00:01:21,040 --> 00:01:22,400
Arguable. 
I think it's probably more 

24
00:01:22,400 --> 00:01:24,200
disruptive, but we've been here 
before, right? 

25
00:01:24,200 --> 00:01:26,720
We had indoor plumbing and 
electricity and the Internet 

26
00:01:26,720 --> 00:01:29,400
and, you know, computers in 
general. 

27
00:01:29,400 --> 00:01:30,960
So we just have to figure out 
how it is. 

28
00:01:30,960 --> 00:01:36,000
And you know, I think, you know,
today is when OpenAI launched

29
00:01:36,000 --> 00:01:38,600
ChatGPT 5, for example. 
So I have not had a chance to 

30
00:01:38,600 --> 00:01:41,000
play with the new one, but
that's supposed to be a a pretty

31
00:01:41,000 --> 00:01:43,280
good leap forward. 
And so there's just a lot of 

32
00:01:43,280 --> 00:01:45,040
things going on. 
But you said it right. 

33
00:01:45,040 --> 00:01:47,080
I feel like we could just stop 
the recording there and then 

34
00:01:47,080 --> 00:01:50,080
play like the, the more, you 
know, you know, symbol that goes

35
00:01:50,080 --> 00:01:52,520
across the screen, you know, 
what you're watching on TV or 

36
00:01:52,520 --> 00:01:56,000
something like that. 
But yeah, it's, it's, it's 

37
00:01:56,040 --> 00:01:58,160
really a cool time. 
I think there's just so much 

38
00:01:58,160 --> 00:02:02,120
going on and we get into these 
like periods of like, I don't 

39
00:02:02,120 --> 00:02:06,000
know, hyper innovation where 
it's like, OK, it's been kind of

40
00:02:06,000 --> 00:02:09,160
ho hum for a while and then 
boom, like a bunch of new things

41
00:02:09,160 --> 00:02:11,120
kind of all come out once and 
then there'll be another, you

42
00:02:11,120 --> 00:02:13,600
know, kind of trough and then
boom, some more things will come

43
00:02:13,600 --> 00:02:15,080
out. 
So it's super cool. 

44
00:02:15,080 --> 00:02:18,280
I I, I dig it. 
I'm I'm all in on AI as everyone

45
00:02:18,320 --> 00:02:20,160
probably at this point is sick 
of me hearing because we called 

46
00:02:20,160 --> 00:02:21,560
her this AI at the center 
sometimes. 

47
00:02:22,160 --> 00:02:26,000
Yeah, really. 
I will say that one thing that 

48
00:02:26,000 --> 00:02:30,360
hasn't been automated away is in
person conferences, spending 

49
00:02:30,360 --> 00:02:32,040
time with people, getting to 
know them. 

50
00:02:33,160 --> 00:02:35,120
But it has created a whole lot 
more track. 

51
00:02:35,120 --> 00:02:38,440
So I think, you know, over time 
more and more people are going 

52
00:02:38,440 --> 00:02:41,720
to get brought into the space 
and hopefully be able to go to 

53
00:02:41,720 --> 00:02:44,920
the conferences as well. 
You've got a few lined up here 

54
00:02:44,920 --> 00:02:46,920
in the next month or two that 
you're heading to. 

55
00:02:47,400 --> 00:02:48,960
Yeah, I'm going to be a busy boy
here. 

56
00:02:48,960 --> 00:02:52,680
Through August, September, 
October, September, December, 

57
00:02:53,720 --> 00:02:56,520
I'll be at the cybersecurity 
summits in Chicago and Philly. 

58
00:02:56,520 --> 00:02:58,880
So this is put on by our friends
at Cyber Risk Alliance. 

59
00:02:58,880 --> 00:03:03,640
So we have discount codes, free 
discount codes, the rare 100% 

60
00:03:03,640 --> 00:03:05,960
off discount code. 
So head to our website, 

61
00:03:05,960 --> 00:03:08,280
idacpodcast.com. 
Scroll down. 

62
00:03:08,280 --> 00:03:10,360
I just updated the website the 
other day with kind of all the 

63
00:03:10,360 --> 00:03:11,560
codes that I know about at the 
moment. 

64
00:03:12,080 --> 00:03:13,440
We still have all the ones 
coming out there. 

65
00:03:13,440 --> 00:03:16,560
So those are in September. 
And then we've got Identiverse

66
00:03:16,560 --> 00:03:19,400
happening again in DC. 
So this is kind of a smaller 

67
00:03:19,400 --> 00:03:22,280
Identiverse event than the one 
that's in Vegas, but we'll be 

68
00:03:22,280 --> 00:03:23,640
there. 
At least I'll be there. 

69
00:03:23,640 --> 00:03:26,200
I'm not sure if you'll be there 
yet, but we're planning on doing

70
00:03:26,200 --> 00:03:27,520
another kind of game show type 
thing. 

71
00:03:27,520 --> 00:03:29,880
So I don't know if it'll be a 
Dennis wobble or this other new 

72
00:03:29,880 --> 00:03:33,040
game show that we're still 
putting together, but that's 

73
00:03:33,040 --> 00:03:35,520
something that's coming up. 
And then we've got Gartner as 

74
00:03:35,520 --> 00:03:37,800
well. 
So Gartner's in December, we are

75
00:03:37,800 --> 00:03:41,160
doing a game show for that one. 
So if we there will be a game 

76
00:03:41,160 --> 00:03:44,360
show happening at either of 
those events and we should have 

77
00:03:44,360 --> 00:03:47,080
a a discount code for Gartner 
coming up here. 

78
00:03:47,160 --> 00:03:49,640
Probably I think in October time
frame is kind of when those get 

79
00:03:49,640 --> 00:03:51,360
released. 
So check our website for that. 

80
00:03:51,360 --> 00:03:54,240
But hopefully we'll see lots of 
friendly faces and in any of 

81
00:03:54,240 --> 00:03:57,760
those locations and come up and 
say hi and that kind of thing. 

82
00:03:58,400 --> 00:04:00,280
Yeah. 
I think, you know, using the 

83
00:04:00,280 --> 00:04:04,520
discount codes really it helps 
us from the perspective that the

84
00:04:04,520 --> 00:04:07,480
folks putting on the conferences
know that, hey, people are out 

85
00:04:07,480 --> 00:04:12,080
there listening to the podcast 
and they are the folks that kind

86
00:04:12,080 --> 00:04:16,680
of come to the conferences. 
And you know, that means they 

87
00:04:16,680 --> 00:04:20,800
want us to be at the conference.
They want us to do the game 

88
00:04:20,800 --> 00:04:23,320
shows and record podcasts while 
we're there. 

89
00:04:23,320 --> 00:04:27,080
So, and that's one of the things
that I just love doing about the

90
00:04:27,080 --> 00:04:30,760
podcast is, you know, being at 
the at the conferences and 

91
00:04:31,000 --> 00:04:33,520
meeting folks. 
Yeah, get to meet all kinds of 

92
00:04:33,520 --> 00:04:36,440
cool people and there are a lot 
of cool people in identity, 

93
00:04:36,440 --> 00:04:40,280
which is super neat. 
One thing I'm very excited and 

94
00:04:40,280 --> 00:04:43,520
is a major milestone for us 
coming up is we are about to hit

95
00:04:43,520 --> 00:04:48,000
1,000,000 downloads for this 
podcast, which is absolutely 

96
00:04:48,000 --> 00:04:51,000
bonkers considering it's just 
the two of us doing it for six 

97
00:04:51,000 --> 00:04:53,840
years. 
But we've seen just crazy growth

98
00:04:53,840 --> 00:04:56,800
the last couple years. 
And yeah, we're, we're, we're 

99
00:04:56,800 --> 00:04:57,960
getting pretty close to 
1,000,000. 

100
00:04:57,960 --> 00:05:00,520
So I'm looking forward to, you 
know, celebrating that on on 

101
00:05:00,520 --> 00:05:02,320
LinkedIn, which is kind of where
I post stuff like that. 

102
00:05:02,880 --> 00:05:06,240
So how many listens do we have at
the end of year one, do you 

103
00:05:06,240 --> 00:05:08,320
know? 
I would have to look it up and 

104
00:05:08,320 --> 00:05:10,360
see but. 
Like 20,000. 

105
00:05:10,440 --> 00:05:13,320
Maybe yeah, I I don't even think
we had that many. 

106
00:05:13,440 --> 00:05:15,440
It's been a slow time. 
We don't do any advertising. 

107
00:05:15,440 --> 00:05:18,560
So it's all been word of mouth 
and, you know, definitely, you 

108
00:05:18,560 --> 00:05:21,080
know, people who have listened, 
supported, you know, guests on 

109
00:05:21,080 --> 00:05:24,080
the show, sponsors, right, all 
that stuff is definitely 

110
00:05:24,080 --> 00:05:26,200
contribute to it. 
But definitely appreciate, you 

111
00:05:26,200 --> 00:05:28,920
know, kind of the audience that 
we've been able to build and, 

112
00:05:28,920 --> 00:05:31,360
you know, hopefully a cool, fun 
place to where you can be 

113
00:05:31,640 --> 00:05:34,680
edutained about identity is 
as you'd like to say, Jim. How

114
00:05:35,400 --> 00:05:40,160
many listens or downloads have
we had on average like per week.

115
00:05:41,520 --> 00:05:45,440
Well, I think right now we're in
10 to 20,000 I think a week 

116
00:05:45,440 --> 00:05:47,880
right now. 
So a lot for an identity 

117
00:05:47,880 --> 00:05:49,360
podcast. 
I mean, it's pretty niche. 

118
00:05:49,720 --> 00:05:52,440
I mean, this is not Kill Tony or
Joe Rogan, but you know, we seem

119
00:05:52,440 --> 00:05:54,840
to be doing OK. 
But I've known you for a long 

120
00:05:54,840 --> 00:05:58,760
time and you're probably like 
padding low, right? 

121
00:05:58,760 --> 00:06:01,080
You're coming in. 
You don't want to, you don't 

122
00:06:01,080 --> 00:06:04,240
want to overestimate the number.
So when I hear that I'm taking 

123
00:06:04,240 --> 00:06:07,400
25. 
No, I'm pretty, I try to be OK 

124
00:06:07,400 --> 00:06:09,000
with it. 
It's, look, podcast stats are hard

125
00:06:09,000 --> 00:06:13,080
to get, especially with all the 
different players and vendors 

126
00:06:13,080 --> 00:06:16,960
that kind of syndicate it. 
So things like Apple and Spotify

127
00:06:16,960 --> 00:06:20,040
and Google all have different 
ways to do it and all have 

128
00:06:20,040 --> 00:06:23,280
various levels of reporting. 
The best that I can tell is, 

129
00:06:23,280 --> 00:06:25,000
yeah, we're, you know, we're 
going to hit 1,000,000 

130
00:06:25,000 --> 00:06:28,160
downloads. 
And maybe it's more maybe, but 

131
00:06:28,560 --> 00:06:30,560
the minimum number is kind of 
what I've I've been going with. 

132
00:06:31,280 --> 00:06:32,600
Yeah. 
Oh, it's pretty cool. 

133
00:06:32,920 --> 00:06:35,640
Yeah. 
So what are we going to talk 

134
00:06:35,640 --> 00:06:37,320
about today, Jim? 
This is kind of like a series 

135
00:06:37,320 --> 00:06:41,040
that we started way, way, way 
back in January of this year. 

136
00:06:41,280 --> 00:06:45,000
Our first guest was Ghazi from 
our our employers RSM, our day 

137
00:06:45,000 --> 00:06:48,120
jobs and we have this kind of 
series. 

138
00:06:48,120 --> 00:06:50,400
We talked about the intersection
of sort of like X. 

139
00:06:50,640 --> 00:06:52,560
With. 
Digital identity. 

140
00:06:52,560 --> 00:06:54,040
So what do we have lined up for 
today? 

141
00:06:54,640 --> 00:06:56,720
Yeah. 
So we have a, a conversation 

142
00:06:56,720 --> 00:07:00,960
around the intersection of 
attack surface management and

143
00:07:00,960 --> 00:07:03,520
identity. 
And I think it's a really cool 

144
00:07:03,520 --> 00:07:07,640
topic because I think we're all,
we read the, the breach reports 

145
00:07:07,640 --> 00:07:10,480
and kind of everything, 
everything seems to be tying 

146
00:07:10,480 --> 00:07:12,880
back to identity. 
I, I say everything, not 

147
00:07:12,880 --> 00:07:16,400
everything, but it's a very 
large percentage and it's it's. 

148
00:07:16,440 --> 00:07:18,840
At the center, man, come on. 
They're like it's in the name. 

149
00:07:19,440 --> 00:07:23,560
Yeah, Yeah, absolutely. 
So it's definitely a trend that 

150
00:07:23,560 --> 00:07:25,760
is growing and growing. 
And when you talk about the 

151
00:07:25,760 --> 00:07:31,520
space of identity security, to 
me, it seems like half the time 

152
00:07:31,520 --> 00:07:34,560
or more than half the time 
you're talking about a security,

153
00:07:34,560 --> 00:07:38,840
traditionally an information 
security or cybersecurity tool 

154
00:07:39,120 --> 00:07:41,240
that now has an identity 
element. 

155
00:07:41,600 --> 00:07:45,800
And so as identity 
practitioners, it, you know, 

156
00:07:46,040 --> 00:07:49,080
it's probably not just like an 
expansion of our duties unless 

157
00:07:49,080 --> 00:07:53,240
you're at a very small firm, but
it's, we're playing an important

158
00:07:53,240 --> 00:07:57,360
role in different aspects of the
overall information security or 

159
00:07:57,360 --> 00:08:00,480
cybersecurity program. 
So it's exciting stuff. 

160
00:08:00,800 --> 00:08:04,080
I do recommend people go back 
and listen to that episode with 

161
00:08:04,080 --> 00:08:07,960
Ghazi and all these, you know, 
our entire catalog. 

162
00:08:07,960 --> 00:08:10,240
You can celebrate our entire 
catalog. 

163
00:08:10,840 --> 00:08:13,960
But I think that was a good one 
that kind of kicked off this 

164
00:08:14,320 --> 00:08:18,120
mindset, which is if you look at
the overall cybersecurity 

165
00:08:18,120 --> 00:08:22,000
landscape, identity is part of 
it, but there's interconnection 

166
00:08:22,000 --> 00:08:24,400
between identity and all these 
different areas. 

167
00:08:24,400 --> 00:08:28,000
So we're very fortunate to have 
a guest on today to help us out 

168
00:08:28,000 --> 00:08:29,360
with that. 
Yeah. 

169
00:08:29,360 --> 00:08:31,920
These are these are fun things. 
I'd like to branch out a little 

170
00:08:31,920 --> 00:08:33,799
bit past normal sort of identity
talk. 

171
00:08:34,240 --> 00:08:36,400
And I think, you know, it's 
important to be somewhat well

172
00:08:36,400 --> 00:08:38,640
rounded to be able to talk 
through through not just 

173
00:08:38,640 --> 00:08:42,360
identity, but adjacent security 
topics and the business side of 

174
00:08:42,360 --> 00:08:44,560
things. 
So let me go ahead and welcome 

175
00:08:44,800 --> 00:08:47,320
to the show for the first time, 
Dan Loritsen. 

176
00:08:47,320 --> 00:08:49,480
He's a fellow director with us 
here at RSM. 

177
00:08:49,480 --> 00:08:52,120
He's part of the RSM defense 
team, which is really our 

178
00:08:52,120 --> 00:08:55,040
managed security team. 
So welcome to Identity at the

179
00:08:55,040 --> 00:08:57,280
center, Dan. 
Good afternoon. 

180
00:08:57,280 --> 00:08:59,240
Thank you for having me. 
Yeah. 

181
00:08:59,240 --> 00:09:02,760
So thanks for joining us. 
I, we have a bunch of stuff that

182
00:09:02,760 --> 00:09:04,800
we want to talk about and I 
think this is such an 

183
00:09:04,800 --> 00:09:06,160
interesting area. 
We're going to have a good 

184
00:09:06,160 --> 00:09:09,240
conversation, but we kind of 
have a tradition here where we 

185
00:09:09,240 --> 00:09:10,880
always like to find out 
backgrounds of people and kind 

186
00:09:10,880 --> 00:09:13,920
of how they got into normally 
we'd ask identity. 

187
00:09:13,920 --> 00:09:15,680
I don't know if you consider 
yourself an identity person, 

188
00:09:15,680 --> 00:09:18,520
Maybe by the end of this 
conversation you might be, but 

189
00:09:18,520 --> 00:09:21,000
how did you get into the 
cybersecurity space? 

190
00:09:22,200 --> 00:09:25,280
Yeah, sure, in some ways it was 
a relatively simplistic 

191
00:09:25,280 --> 00:09:28,600
entrance, but in other ways it 
took a bit of the long route to 

192
00:09:28,600 --> 00:09:31,760
get here. 
And funnily enough, I don't 

193
00:09:31,760 --> 00:09:35,480
consider myself an identity 
practitioner, but in my prior 

194
00:09:35,920 --> 00:09:40,080
company before coming to RSM I
was a campus hire and I was in

195
00:09:40,080 --> 00:09:43,040
the identity practice for 
roughly 36 hours. 

196
00:09:43,520 --> 00:09:46,920
So I was almost immediately 
grabbed and pulled over into 

197
00:09:46,920 --> 00:09:49,280
what I do now, which is 
detection and response and 

198
00:09:49,280 --> 00:09:52,840
security monitoring. 
But to go back to your question,

199
00:09:52,840 --> 00:09:56,760
like where did I start coming 
out of high school kind of 

200
00:09:56,760 --> 00:09:58,360
figuring out what I wanted to do
with my life? 

201
00:09:58,360 --> 00:10:01,200
I wasn't the guy that you would 
necessarily assume would have 

202
00:10:01,200 --> 00:10:03,480
gotten my way into 
cybersecurity. 

203
00:10:03,480 --> 00:10:06,560
So most of my colleagues in this
field, particularly in the 

204
00:10:06,560 --> 00:10:10,000
defense side of things like to 
like take apart their vacuum 

205
00:10:10,000 --> 00:10:12,080
cleaners and figure out how they
worked or they were building 

206
00:10:12,080 --> 00:10:14,800
their own computers or whatever.
That was never me. 

207
00:10:16,160 --> 00:10:20,400
But I did join the military 
after high school and I got some

208
00:10:20,400 --> 00:10:26,480
good experience in, you know, a 
broader defense and security 

209
00:10:26,480 --> 00:10:29,720
context and got to serve 
overseas and things like that. 

210
00:10:29,720 --> 00:10:32,640
So when I was coming back from 
deployment, trying to figure out

211
00:10:32,640 --> 00:10:34,960
what I wanted to do with myself,
I was originally thinking I 

212
00:10:34,960 --> 00:10:38,760
wanted to go into the FBI, 
something in international law 

213
00:10:38,760 --> 00:10:40,320
enforcement, something along 
those lines. 

214
00:10:40,320 --> 00:10:43,640
And I kind of wanted to parlay 
my military experience into that

215
00:10:43,640 --> 00:10:47,400
next phase. 
So I took a history degree, 

216
00:10:47,400 --> 00:10:51,080
probably ill advised because I 
just needed a degree to get into

217
00:10:51,080 --> 00:10:53,160
the FBI, but it was my favorite 
subject. 

218
00:10:54,280 --> 00:10:57,240
Got all the way up to my senior 
year and said, I don't want to 

219
00:10:57,240 --> 00:11:02,040
do this anymore and I don't want
to be a curator or write a book 

220
00:11:02,360 --> 00:11:05,520
or work at a museum. 
So what am I going to do? 

221
00:11:06,160 --> 00:11:09,920
So I, I jumped into a, you know,
I, I, I researched a bit, I 

222
00:11:09,920 --> 00:11:11,880
figured out a career I thought 
would be interesting to me. 

223
00:11:11,880 --> 00:11:15,040
I jumped into a master's program
that was specifically focused on

224
00:11:15,040 --> 00:11:18,240
cybersecurity, gained some 
skills, little bit of coding, 

225
00:11:18,240 --> 00:11:21,400
little bit of lightweight red 
teaming, system internals, 

226
00:11:21,400 --> 00:11:24,480
things of that nature. 
Got my feet wet and that was 

227
00:11:24,480 --> 00:11:27,080
kind of my springboard. 
So I jumped into a consulting 

228
00:11:27,080 --> 00:11:30,040
firm to kind of get that broad 
base of experience. 

229
00:11:30,040 --> 00:11:32,960
A lot of clients, a lot of 
industries thinking I would then

230
00:11:32,960 --> 00:11:35,520
jump out. 
And here I am 13 years later, 

231
00:11:35,760 --> 00:11:38,440
still in consulting, you know, 
still enjoying it. 

232
00:11:38,440 --> 00:11:40,840
So. 
We're lucky to have you, lucky 

233
00:11:40,840 --> 00:11:44,280
to have you here today, Dan.
So we're going to talk about 

234
00:11:44,280 --> 00:11:47,920
this intersection of attack
surface management and identity

235
00:11:48,160 --> 00:11:51,760
only start off with kind of a
simple question of what is attack

236
00:11:51,760 --> 00:11:53,480
surface management?
Sure. 

237
00:11:53,480 --> 00:11:57,000
So attack surface management,
particularly, particularly 

238
00:11:57,000 --> 00:12:00,640
within the domain of detection 
and response, which is where I 

239
00:12:00,640 --> 00:12:05,480
sit, is this continuous process 
of identifying and managing 

240
00:12:05,680 --> 00:12:08,560
assets so that you can protect 
them, right? 

241
00:12:08,560 --> 00:12:11,880
So you need to continuously 
identify where things sit that 

242
00:12:11,880 --> 00:12:14,920
you maybe didn't know about. 
You need to continuously 

243
00:12:14,920 --> 00:12:16,960
fingerprint them so you 
understand what they are. 

244
00:12:17,760 --> 00:12:20,880
And then you constantly have to 
assess and analyze them to 

245
00:12:20,880 --> 00:12:23,320
determine where they fit in 
business operations. 

246
00:12:23,320 --> 00:12:26,360
And if they don't fit, expunge 
them from the environment. 

247
00:12:26,400 --> 00:12:29,400
And if they do fit, bring them 
under, you know, under your, 

248
00:12:29,480 --> 00:12:34,040
your security practices, right? 
And I think I'm sorry, go ahead.

249
00:12:34,560 --> 00:12:36,800
Yeah. 
I'm sorry you use the term there

250
00:12:36,800 --> 00:12:41,120
assets, I'm just kind of wanting
to understand like at the very 

251
00:12:41,120 --> 00:12:43,440
basis, what are you talking 
about with assets? 

252
00:12:44,120 --> 00:12:47,120
Yeah, yeah. 
But there's, I mean, there's so 

253
00:12:47,120 --> 00:12:49,560
many ways to use that term in 
different contexts. 

254
00:12:49,560 --> 00:12:53,080
And like in my field, you will 
often times use that an asset as

255
00:12:53,080 --> 00:12:55,720
a computing resource that needs 
to be protected. 

256
00:12:55,720 --> 00:12:57,280
But to me, it's broader than 
that, right? 

257
00:12:57,280 --> 00:12:59,920
It's it's anything that's got 
value to the business. 

258
00:13:00,320 --> 00:13:03,520
That could be a system, that 
could be a specific computing 

259
00:13:03,520 --> 00:13:06,440
resource. 
I definitely think identities 

260
00:13:06,440 --> 00:13:08,720
fit into that because it's 
something that has value. 

261
00:13:09,360 --> 00:13:11,520
You know, it drives a business 
process. 

262
00:13:11,520 --> 00:13:14,520
It's individually identifiable 
and you can kind of inventory 

263
00:13:14,520 --> 00:13:16,800
it. 
There are dependencies within 

264
00:13:16,800 --> 00:13:21,240
the system that require those 
validations and authentications 

265
00:13:21,240 --> 00:13:26,320
to, to make a process happen. 
So those identities are critical

266
00:13:26,320 --> 00:13:28,520
assets in my opinion, and you 
need to really think about it. 

267
00:13:28,520 --> 00:13:30,960
I think a legacy way of thinking
about it is that those 

268
00:13:30,960 --> 00:13:33,320
identities that are tied to 
authentication, that's kind of 

269
00:13:33,320 --> 00:13:35,400
an IT control. 
It's a static thing. 

270
00:13:35,400 --> 00:13:37,960
I think the modern way to think 
about it is it's an attack 

271
00:13:37,960 --> 00:13:41,000
surface and those identities 
kind of live across multiple 

272
00:13:41,000 --> 00:13:43,280
domains. 
So therefore they should be 

273
00:13:43,280 --> 00:13:46,440
treated as such. 
Yeah, I see your point there. 

274
00:13:46,440 --> 00:13:50,960
I mean, treating the identities 
as assets, does that mean that 

275
00:13:50,960 --> 00:13:54,280
if you have just like a identity
sprawl, that you have more 

276
00:13:54,280 --> 00:13:57,680
assets and you're just a, a 
richer company? 

277
00:13:58,120 --> 00:13:59,480
It's kind of tongue in cheek 
there. 

278
00:13:59,480 --> 00:14:05,000
But I mean, I, I, no, yeah, I've
only, I've only you that that 

279
00:14:05,000 --> 00:14:09,360
mess actually had some value. 
But I'm wondering, do you 

280
00:14:09,360 --> 00:14:13,720
sometimes interface with clients
and you're trying to incorporate

281
00:14:13,720 --> 00:14:18,280
that Intelli identity 
intelligence into the detection 

282
00:14:18,280 --> 00:14:22,320
and response function? 
Is it, is that difference 

283
00:14:22,320 --> 00:14:26,280
between somebody who's invested 
in identity or organization that

284
00:14:26,280 --> 00:14:29,880
has versus has not? 
Does that become very apparent 

285
00:14:29,880 --> 00:14:33,280
where it's like, hey, we can't 
correlate the actions across 

286
00:14:33,280 --> 00:14:36,760
these multiple systems because 
the identities haven't been tied

287
00:14:36,760 --> 00:14:39,120
together? 
Yeah, yeah. 

288
00:14:39,120 --> 00:14:44,640
I mean, that's one of probably 
multiple ways that identity and

289
00:14:44,640 --> 00:14:47,400
the management of identity 
intersects with what we do in 

290
00:14:47,400 --> 00:14:50,800
the detection and response space.
And I think in a lot of ways 

291
00:14:50,800 --> 00:14:54,880
this kind of dovetails with a 
bigger trend in our industry. 

292
00:14:55,480 --> 00:14:58,720
It's not new and quite frankly, 
it's kind of a buzzword that 

293
00:14:58,960 --> 00:15:01,160
irritates a lot of people on the
detection and response 

294
00:15:01,160 --> 00:15:03,600
community. 
But this whole XDR concept of 

295
00:15:03,600 --> 00:15:06,880
thinking beyond the endpoints or
thinking beyond, you know, 

296
00:15:06,880 --> 00:15:10,280
servers, laptops and bringing in
more data, right? 

297
00:15:10,280 --> 00:15:16,320
So that could include things 
like IoT, so like your physical 

298
00:15:16,320 --> 00:15:21,000
building management systems, 
HVAC, you know, it could be OT. 

299
00:15:21,000 --> 00:15:23,840
So you know, you're going past 
that border into logic 

300
00:15:23,840 --> 00:15:26,920
controllers and things that are 
managing control processes for 

301
00:15:27,000 --> 00:15:31,240
production and manufacturing. 
And it could also, you know, 

302
00:15:31,240 --> 00:15:33,640
cross that boundary into the 
domain of identity, right? 

303
00:15:33,640 --> 00:15:38,200
So your identity managers 
unfortunately I find more often 

304
00:15:38,200 --> 00:15:41,320
than not are a little bit siloed
off from the people that I 

305
00:15:41,320 --> 00:15:45,320
operate with and you know, the 
clients that I serve and and 

306
00:15:45,320 --> 00:15:47,280
deal with on a regular basis. 
And I think that's something 

307
00:15:47,280 --> 00:15:48,600
that definitely should be 
remedied. 

308
00:15:49,040 --> 00:15:53,040
But I do think that identity, 
you know, kind of the question 

309
00:15:53,040 --> 00:15:56,600
you was at, you were asking was,
you know, how does it tie into 

310
00:15:56,600 --> 00:15:59,800
what we do and and you know, how
do we use identity essentially? 

311
00:16:01,040 --> 00:16:03,640
I think one of the key core 
concepts there and why it's so 

312
00:16:03,640 --> 00:16:05,840
important is are you guys 
familiar with the concept of the

313
00:16:05,840 --> 00:16:07,160
kill chain, the cyber kill 
chain? 

314
00:16:08,080 --> 00:16:09,600
Yes, I am. 
OK. 

315
00:16:10,160 --> 00:16:12,360
I mean, it's it's kind of like a
little bit of a mantra for 

316
00:16:12,360 --> 00:16:14,280
everybody in the detection 
response space.

317
00:16:14,280 --> 00:16:17,400
It's a six step process of the 
things that an attacker will try

318
00:16:17,400 --> 00:16:19,880
to do to get it into an 
environment, right. 

319
00:16:19,880 --> 00:16:22,960
So reconnaissance; weaponization,
which is where they're building

320
00:16:22,960 --> 00:16:26,400
the exploit or the way in,
building the breach mechanism;

321
00:16:26,880 --> 00:16:29,560
delivery,
so you get it into the target

322
00:16:29,560 --> 00:16:32,520
systems; exploitation, you make
it actually do what it's

323
00:16:32,520 --> 00:16:35,760
supposed to do so you can gain
access; command and control,

324
00:16:35,760 --> 00:16:38,880
so you want to remotely manage,
you know, whatever you're trying

325
00:16:38,880 --> 00:16:40,920
to do; and then actions on
objective: I want to steal

326
00:16:40,920 --> 00:16:42,520
something, I want to destroy 
something. 

327
00:16:42,520 --> 00:16:45,920
I want to, you know, free 
something up using ransomware. 

328
00:16:46,280 --> 00:16:49,200
Well, identity, if you abuse 
those identities, you can jump 

329
00:16:49,200 --> 00:16:51,640
start right into the 
exploitation phase, right? 

330
00:16:52,240 --> 00:16:55,800
So you can, you can subvert four
of those steps of the kill chain

331
00:16:55,960 --> 00:16:58,760
and get right in there if you're
just like walking in the front 

332
00:16:58,760 --> 00:17:01,440
door with an identity that's 
legitimate and already has some 

333
00:17:01,560 --> 00:17:03,400
permissions associated with it. 
So. 

334
00:17:04,200 --> 00:17:07,240
So Dan, we're all, we're all
sitting here trying to, to 

335
00:17:07,240 --> 00:17:09,640
learn. 
I mean, there's a practitioner 

336
00:17:09,640 --> 00:17:12,520
podcast from an identity 
standpoint anyway. 

337
00:17:12,520 --> 00:17:14,800
I don't, I don't know the kill 
chain very well. 

338
00:17:15,280 --> 00:17:18,440
Is that something you recommend 
that people do further research 

339
00:17:18,440 --> 00:17:22,040
on and kind of where would 
someone want to start if they 

340
00:17:22,040 --> 00:17:24,720
want to understand that? 
And then you're talking about 

341
00:17:24,720 --> 00:17:29,320
some different aspects where 
identity can can play a role in 

342
00:17:29,320 --> 00:17:32,640
that kill chain.
I think it contextually seems to

343
00:17:32,640 --> 00:17:36,200
make sense for identity 
practitioners to understand 

344
00:17:36,200 --> 00:17:38,160
that. 
Yeah. 

345
00:17:38,160 --> 00:17:41,280
I mean, it's a, it's a common 
enough concept at this point 

346
00:17:41,280 --> 00:17:43,240
that I think, I mean, it's 
niche, right? 

347
00:17:43,240 --> 00:17:45,960
You, you only really need to 
reference it if you're kind of 

348
00:17:46,080 --> 00:17:48,880
in the business of trying to 
stop an attack midstream.

349
00:17:48,880 --> 00:17:52,560
So I'm not surprised if people 
outside of our community don't 

350
00:17:52,560 --> 00:17:55,480
really know it very well. 
But if anyone were interested 

351
00:17:55,480 --> 00:17:58,840
enough to, you know, to learn 
more about it, it's, you know, 

352
00:17:58,880 --> 00:18:01,560
you could easily just just 
Google and there's a million 

353
00:18:01,560 --> 00:18:04,760
references and resources online 
about it to at least get the 

354
00:18:04,760 --> 00:18:07,640
core steps, those six that I 
just enumerated and kind of get 

355
00:18:07,640 --> 00:18:08,920
an understanding of what those 
are. 

356
00:18:09,800 --> 00:18:11,040
And I'll put a link in our show 
notes. 

357
00:18:11,040 --> 00:18:13,320
There's a, there's a, you know, 
like anything else that's on the

358
00:18:13,320 --> 00:18:15,480
Internet. 
So I grabbed the Wikipedia kind 

359
00:18:15,480 --> 00:18:17,600
of entry and I'll put in our 
show notes so that people can 

360
00:18:17,600 --> 00:18:20,040
kind of check that out. 
I want to follow up something 

361
00:18:20,040 --> 00:18:24,000
around you said around data and 
the different silos. 

362
00:18:24,000 --> 00:18:28,040
I, you're, I will say you're not
wrong that we tend to see like 

363
00:18:28,040 --> 00:18:31,120
identity teams operating 
separate from maybe other parts 

364
00:18:31,120 --> 00:18:34,440
of security apparatus, or at 
least not from a, separate from 

365
00:18:34,440 --> 00:18:37,160
a data perspective. 
And you know, part of the reason

366
00:18:37,160 --> 00:18:40,240
this show is called Identity 
Center is because that's, that's

367
00:18:40,240 --> 00:18:44,280
legacy thinking, not 
incorporating identity data into

368
00:18:44,560 --> 00:18:48,000
your operation center to be able
to, you know, treat those pieces

369
00:18:48,000 --> 00:18:52,080
of data as, you know, other 
indicators, other signals that 

370
00:18:52,080 --> 00:18:54,360
you want to be able to act on or
correlate, etcetera. 

371
00:18:54,720 --> 00:18:58,480
Why do you think that isn't? 
Are you seeing a change where 

372
00:18:58,880 --> 00:19:01,920
people and organizations and 
stuff like that are starting to 

373
00:19:01,920 --> 00:19:06,560
incorporate more of their 
identity apparatus into the rest

374
00:19:06,560 --> 00:19:09,080
of their security operations? 
Yeah, yeah. 

375
00:19:09,080 --> 00:19:11,560
So I'll try to break your 
question apart into two parts as

376
00:19:11,560 --> 00:19:14,120
to as to like why I think that 
is and then what I'm seeing 

377
00:19:14,120 --> 00:19:19,480
changing presently. 
So I think it's probably the 

378
00:19:19,480 --> 00:19:23,080
last like dying gasps of kind of
a legacy way of thinking about 

379
00:19:23,080 --> 00:19:25,680
the problem. 
So people can truly only 

380
00:19:25,680 --> 00:19:28,920
specialize in, in it in a 
certain number of areas or 

381
00:19:28,920 --> 00:19:34,760
domains, right. 
And in my field, people are 

382
00:19:34,760 --> 00:19:39,440
particularly interested in all 
the creation use of malware 

383
00:19:40,320 --> 00:19:42,720
tactics and techniques that are 
used by attackers to get a 

384
00:19:42,720 --> 00:19:45,160
foothold in the environment and 
where they want to go after the 

385
00:19:45,160 --> 00:19:47,200
fact. 
So if you get ahold of an e-mail

386
00:19:47,600 --> 00:19:50,400
and what you're legitimately and
you're holding a legitimate 

387
00:19:50,400 --> 00:19:51,680
e-mail, what are you going to do
with it? 

388
00:19:51,800 --> 00:19:54,280
Like what inbox rules are you 
going to create to stay silent, 

389
00:19:54,280 --> 00:19:56,480
hidden? 
How are you going to spread by 

390
00:19:56,520 --> 00:19:59,480
sending malicious emails out? 
Like knowing the, the guts of 

391
00:19:59,480 --> 00:20:04,240
how attackers operate is more of
what my community has generally 

392
00:20:04,240 --> 00:20:06,320
been interested in. 
And then how do they stop that 

393
00:20:06,320 --> 00:20:08,240
right? 
So I don't think that it's a 

394
00:20:08,240 --> 00:20:13,320
lack of curiosity or lack of 
like legitimate context. 

395
00:20:13,760 --> 00:20:16,720
It's just, you know, you can 
only focus in so many different 

396
00:20:16,720 --> 00:20:20,160
areas. 
So what I think is changing to 

397
00:20:20,160 --> 00:20:25,680
answer the second part of your 
question is I think tooling and 

398
00:20:26,480 --> 00:20:30,600
the the ability to access data 
has changed so much and there's 

399
00:20:30,600 --> 00:20:36,080
so much ability to automate and,
and use, not exactly generative 

400
00:20:36,200 --> 00:20:40,680
AI, but certainly assistive, you
know, assistant AI to crawl over

401
00:20:40,680 --> 00:20:43,040
these massive treasure troves of
data in different ways than we 

402
00:20:43,040 --> 00:20:46,360
did before. 
And those systems like the ITDRs

403
00:20:46,680 --> 00:20:49,360
of the world are like the, you 
know, identity management 

404
00:20:49,360 --> 00:20:53,000
systems of the world can 
actually provide better context 

405
00:20:53,000 --> 00:20:55,120
and provide all that data over 
to us. 

406
00:20:55,440 --> 00:20:58,160
So now we're not just getting an
alert that says, hey, bad thing 

407
00:20:58,160 --> 00:21:00,440
happened or misuse of an 
identity with no context. 

408
00:21:00,440 --> 00:21:03,400
We have all the data and the 
system's actually helping us to 

409
00:21:03,400 --> 00:21:06,560
make make hay out of it, you 
know, getting some context out 

410
00:21:06,560 --> 00:21:10,400
of it that we can plug into all 
of our core security knowledge 

411
00:21:10,760 --> 00:21:14,360
and say, OK, the system's 
telling me this is an identity 

412
00:21:14,360 --> 00:21:16,760
that's used in a certain way 
regularly. 

413
00:21:17,000 --> 00:21:20,760
This is outside of the bounds of
that regular in a regular usage.

414
00:21:20,920 --> 00:21:23,720
OK, I can couple that with a 
couple of weird process calls, 

415
00:21:23,760 --> 00:21:27,400
you know, and weird accesses of 
data in the environment, and now

416
00:21:27,400 --> 00:21:29,480
I can start to tell a story. 
So piecing all that stuff 

417
00:21:29,480 --> 00:21:31,680
together, that is that XDR 
concept, right? 

418
00:21:31,840 --> 00:21:35,080
Don't silo, don't think about, 
you know, just actions on 

419
00:21:35,360 --> 00:21:37,800
objective or just an 
exploitation of a certain type 

420
00:21:37,800 --> 00:21:39,960
of malware thinking about the 
broader picture. 

421
00:21:40,240 --> 00:21:41,920
So that's what's changing in my 
opinion. 

422
00:21:42,840 --> 00:21:45,800
So there's a kind of a movement 
that's starting to take hold 

423
00:21:45,800 --> 00:21:48,400
right now in the identity space 
around this concept of 

424
00:21:48,400 --> 00:21:51,200
continuous identity. 
So shout out to, you know, our 

425
00:21:51,200 --> 00:21:54,840
friend Sean, you know, out 
there, he's he's did a lot of 

426
00:21:54,840 --> 00:21:56,760
things identity versus kind of 
around this concept of 

427
00:21:56,760 --> 00:21:59,720
continuous identity management. 
And the whole concept kind of 

428
00:21:59,720 --> 00:22:03,440
revolves around things like 
shared signals framework and 

429
00:22:03,480 --> 00:22:07,840
other components like CAEP, 
Continuous Access Evaluation 

430
00:22:08,080 --> 00:22:09,120
Profile. 
Think you got it right. 

431
00:22:09,120 --> 00:22:11,640
If not a tool, probably slap me 
next time he sees me, which I 

432
00:22:11,680 --> 00:22:15,680
would totally deserve. 
But that kind of data, you know,

433
00:22:16,320 --> 00:22:18,960
first of all, it requires a lot 
of data and it requires 

434
00:22:19,720 --> 00:22:22,280
applications and systems to be 
talking to each other. 

435
00:22:22,680 --> 00:22:27,320
So my focus so far on the SSF 
and sort of that CAEP framework,

436
00:22:27,320 --> 00:22:30,200
shared signals framework is it's
been more focused on the 

437
00:22:30,200 --> 00:22:33,280
identity space. 
But are there similar concepts 

438
00:22:33,280 --> 00:22:36,960
maybe that apply to be able to 
take, you know, let's say your 

439
00:22:36,960 --> 00:22:40,360
Okta, your Microsoft, your Ping,
your SailPoint, your CyberArk,

440
00:22:40,360 --> 00:22:42,480
your Saviynt, your Delinea, 
blah, blah, blah, right? 

441
00:22:42,480 --> 00:22:45,520
All these different identity 
tools, if they're all speaking 

442
00:22:45,520 --> 00:22:49,000
the same language via something 
like shared signals framework, 

443
00:22:49,200 --> 00:22:53,160
that theoretically makes it 
easier to consume that data into

444
00:22:53,640 --> 00:22:55,680
a larger system. 
Maybe to be able to do those 

445
00:22:55,680 --> 00:22:58,320
things like machine learning or 
pattern recognition or, you 

446
00:22:58,320 --> 00:23:01,040
know, behavior analysis. 
Because I would love to be able 

447
00:23:01,040 --> 00:23:02,440
to take that data. 
And that was another thing that 

448
00:23:02,440 --> 00:23:04,240
we've always kind of been 
talking about was like a lot of 

449
00:23:04,240 --> 00:23:06,680
identity teams sit on their 
data. 

450
00:23:07,120 --> 00:23:09,440
It's like, Oh yeah, we have an 
identity program and it does 

451
00:23:10,040 --> 00:23:12,320
access reviews and it does on 
boarding, off boarding and then 

452
00:23:12,320 --> 00:23:15,800
all that data just kind of sits 
in some database and never gets 

453
00:23:15,800 --> 00:23:18,240
acted on. 
Those types of things today, you

454
00:23:18,640 --> 00:23:21,280
know, can feed into what a SOC 
might seek, right, to be able to

455
00:23:21,280 --> 00:23:24,440
correlate and and get smarter, 
better, faster alerts. 

456
00:23:25,120 --> 00:23:27,400
I don't know if you want to 
comment on that, but that's that

457
00:23:27,400 --> 00:23:28,720
seems to be a trend that's 
taking right now. 

458
00:23:29,160 --> 00:23:31,240
I think you're really on to 
something and and I think that 

459
00:23:31,240 --> 00:23:34,400
the I think that everything that
you're talking about with the 

460
00:23:34,560 --> 00:23:37,400
condensation of data into like 
common formats that could be 

461
00:23:37,400 --> 00:23:41,280
used across the identity space, 
that could be really powerful If

462
00:23:41,280 --> 00:23:45,040
you have different use cases in 
different platforms. 

463
00:23:45,040 --> 00:23:47,040
If you've got your privileged 
identity being managed through 

464
00:23:47,040 --> 00:23:50,240
CyberArk, then you've got your 
core entitlements management 

465
00:23:50,240 --> 00:23:53,240
being done through something 
like an Okta or SailPoint or 

466
00:23:53,240 --> 00:23:55,280
whatever. 
And if you've got all that tying

467
00:23:55,280 --> 00:23:57,960
back to CAEP, that's great. 
And I could see that, you know, 

468
00:23:57,960 --> 00:24:00,440
tremendous value for the 
identity management teams 

469
00:24:00,440 --> 00:24:05,720
themselves, but we even kind of 
layer on one additional layer 

470
00:24:05,720 --> 00:24:08,640
because everything that we do 
from a detection and response 

471
00:24:08,640 --> 00:24:11,560
space has to come back to the 
data set that's got disparate 

472
00:24:11,560 --> 00:24:14,160
information coming in from 
multiple different systems. 

473
00:24:14,640 --> 00:24:17,560
So there's a lot of next 
generation tool sets. 

474
00:24:17,560 --> 00:24:20,240
It I say next generation just 
because it's such a buzz term, 

475
00:24:20,240 --> 00:24:23,120
But I mean, at this point it's 
like generation has gone to 

476
00:24:23,120 --> 00:24:25,080
college and is like buying my 
first house. 

477
00:24:25,080 --> 00:24:29,400
Not necessarily the next 
generation, but they, you know, 

478
00:24:29,400 --> 00:24:33,320
that that actually have a core 
common schema on the back end. 

479
00:24:33,320 --> 00:24:36,000
So they say this is, you know, 
I'm taking this thing in from 

480
00:24:36,000 --> 00:24:38,680
Okta. 
Well, this is an identity event 

481
00:24:38,680 --> 00:24:41,360
first and foremost. 
It's of a certain type. 

482
00:24:41,480 --> 00:24:44,440
You know, it's a, it's a 
suspicious login against the 

483
00:24:44,440 --> 00:24:48,000
baseline, right? 
And it shows this kind of 

484
00:24:48,000 --> 00:24:49,680
misuse. 
I'm going to file that away in 

485
00:24:49,680 --> 00:24:53,640
the schema so that my logic in 
my detection and response system

486
00:24:53,640 --> 00:24:57,440
can access those things and plug
it into a timeline, right? 

487
00:24:57,440 --> 00:25:02,200
So there's XDR platforms like 
Stellar Cyber or Chronicle or, 

488
00:25:02,560 --> 00:25:05,560
you know, all these different, 
you know, Google SecOps 

489
00:25:05,880 --> 00:25:08,720
platform, all these different 
platforms that have that common 

490
00:25:08,720 --> 00:25:11,960
schema on the back end. 
And that's what they're doing. 

491
00:25:11,960 --> 00:25:14,560
So they're taking all those 
disparate, disparate pieces of 

492
00:25:14,560 --> 00:25:18,280
information and doing that again
for the security community to 

493
00:25:18,280 --> 00:25:21,600
use. 
And it sounds maybe a little bit

494
00:25:21,600 --> 00:25:24,320
duplicative or it sounds maybe a
little bit like, you know, multi

495
00:25:24,360 --> 00:25:26,760
steps. 
But we have the horsepower and 

496
00:25:26,760 --> 00:25:30,040
we have the systems that can do 
it now and can do it seamlessly 

497
00:25:30,040 --> 00:25:34,600
quickly, you know, affordably. 
So it's, it's great. 

498
00:25:34,600 --> 00:25:38,040
Yeah, I, I, I see that as a 
massive trend of, you know, 

499
00:25:38,120 --> 00:25:42,440
massive benefit for us. 
Can you have too much data? 

500
00:25:43,440 --> 00:25:47,640
Yes, yes you can. 
Yes, you can. 

501
00:25:48,440 --> 00:25:53,120
And the reason why you can have 
too much data is if there's no 

502
00:25:53,560 --> 00:25:58,240
is for reasons unrelated to 
necessarily the core mission. 

503
00:25:58,720 --> 00:26:03,240
So if you ask a hardcore data 
scientist, data engineer or 

504
00:26:03,240 --> 00:26:05,680
security practitioner, they 
might say, yes, there's, you 

505
00:26:05,680 --> 00:26:08,280
know, there's no such thing as 
too much data to send it out to 

506
00:26:08,280 --> 00:26:10,880
me. 
Well, I unfortunately have to 

507
00:26:10,880 --> 00:26:14,760
sit in the intersection of of 
our clients needs and what our 

508
00:26:14,760 --> 00:26:17,760
service can provide. 
And there are cloud 

509
00:26:17,760 --> 00:26:20,920
transportation costs, there's 
storage costs, there's 

510
00:26:20,920 --> 00:26:25,480
processing costs, there's legal 
and compliance ramifications of 

511
00:26:25,480 --> 00:26:30,600
housing and storing data. 
So if it's not, if it's not 

512
00:26:30,600 --> 00:26:33,560
necessary for the mission, you 
don't need it. 

513
00:26:34,680 --> 00:26:38,480
You can take a lot more of it, 
like a good example of this is 

514
00:26:38,480 --> 00:26:44,680
in our space DNS data like IPs 
being divvied out or I'm sorry, 

515
00:26:45,040 --> 00:26:47,400
IPs being accessed, you know, 
the Internet. 

516
00:26:48,160 --> 00:26:50,000
Thousands and thousands and 
thousands and thousands of 

517
00:26:50,000 --> 00:26:53,480
entries of data used to be 
impossible to to gather in like 

518
00:26:53,480 --> 00:26:55,720
legacy SIEM. 
Now you can't because of the 

519
00:26:55,720 --> 00:26:57,800
combination of cloud and next 
generation SIEM. 

520
00:26:57,840 --> 00:27:01,480
So yes, it is possible to have 
too much data, but for unsexy 

521
00:27:01,480 --> 00:27:02,720
reasons. 
Yeah. 

522
00:27:02,720 --> 00:27:06,000
I, I actually want to add on to 
that because I thought I spoke 

523
00:27:06,000 --> 00:27:12,680
to another practitioner actually
somebody using consulting and he

524
00:27:12,680 --> 00:27:18,240
worked on a UEBA implementation 
or it was kind of a discovery 

525
00:27:18,240 --> 00:27:22,000
process number of years ago. 
And you know with UEBA it was 

526
00:27:22,000 --> 00:27:25,480
about understanding here is 
normal patterns of access and 

527
00:27:25,480 --> 00:27:30,840
then identifying abnormal access
and triggering some kind of 

528
00:27:30,840 --> 00:27:34,720
event. 
And the problem was the amount 

529
00:27:34,720 --> 00:27:40,320
of log data that was needed to 
serve that function was 

530
00:27:41,160 --> 00:27:43,280
petabytes of data, though. 
And you're talking about a 

531
00:27:43,280 --> 00:27:47,560
really large global organization
and just the Active Directory 

532
00:27:47,560 --> 00:27:52,360
logs can be just humongous. 
And they have to the point where

533
00:27:52,360 --> 00:27:54,680
it's like, we just don't have 
that much storage. 

534
00:27:54,880 --> 00:27:56,960
We don't want to buy that much 
storage. 

535
00:27:57,880 --> 00:28:01,920
Yeah, petabytes, petaflops of 
data plus a long time horizon of

536
00:28:01,920 --> 00:28:04,240
interest, right? 
So you have to have it go for 

537
00:28:04,240 --> 00:28:10,160
six months, nine months, a year 
with minimal, with reduced value

538
00:28:10,160 --> 00:28:13,600
of the findings because you're 
going to have to teach it. 

539
00:28:13,600 --> 00:28:16,120
And then you also have to kind 
of tune it and tweak it based on

540
00:28:16,120 --> 00:28:18,680
your specific environment. 
And then you have to factor in, 

541
00:28:18,880 --> 00:28:21,920
what about my third parties that
only access things a couple 

542
00:28:21,920 --> 00:28:23,480
times a year? 
You know, what about my 

543
00:28:23,480 --> 00:28:26,120
transient employees that only 
log in to check their benefits 

544
00:28:26,120 --> 00:28:29,280
because they're not IT knowledge
workers, You know, all these 

545
00:28:29,280 --> 00:28:32,120
things that just make that that 
much harder to build patterns 

546
00:28:32,120 --> 00:28:34,560
around. 
So it's a huge investment of 

547
00:28:34,560 --> 00:28:37,240
time, a huge investment of money
and a huge investment data to 

548
00:28:37,240 --> 00:28:40,080
get that to work appropriately. 
Yeah. 

549
00:28:40,080 --> 00:28:44,600
And I think this conversation, 
Dan, is just so timely because I

550
00:28:44,600 --> 00:28:48,920
talked about that identity 
security and it's really like 

551
00:28:48,920 --> 00:28:55,960
all these detection and response
type systems that are having an 

552
00:28:55,960 --> 00:29:00,880
identity component that that's 
really where this industry is 

553
00:29:00,880 --> 00:29:05,000
kind of focused on lately is, 
you know, not just to managing 

554
00:29:05,000 --> 00:29:09,960
access, but detecting in real 
time when access is being 

555
00:29:10,280 --> 00:29:15,600
misappropriated, if you will. 
It makes it to me, it puts a 

556
00:29:15,600 --> 00:29:21,000
finer point on the fact that we 
can't live in an identity silo. 

557
00:29:21,360 --> 00:29:25,280
We need to collaborate as 
practitioners with our 

558
00:29:25,280 --> 00:29:31,240
colleagues, our counterparts in 
the SOC, for example, and, and 

559
00:29:31,240 --> 00:29:34,640
by the way, when I say our 
colleagues, our counterparts, 

560
00:29:35,000 --> 00:29:37,800
they don't necessarily work for 
the same company either, right? 

561
00:29:39,080 --> 00:29:41,920
The identity practitioner may 
work for the firm. 

562
00:29:42,640 --> 00:29:46,120
The SOC may be outsourced, I 
guess potentially vice versa 

563
00:29:46,120 --> 00:29:49,200
too. 
But it it all comes down to kind

564
00:29:49,200 --> 00:29:54,360
of in my book collaborating with
those teams to make sure that 

565
00:29:55,120 --> 00:29:59,400
one identity is able to serve 
that purpose, but also to the 

566
00:29:59,520 --> 00:30:03,480
the detection and response can 
serve the purposes of identity. 

567
00:30:03,720 --> 00:30:05,480
You have any thoughts there? 
Yeah, So I. 

568
00:30:05,600 --> 00:30:08,760
I definitely think that there 
there's a lot of meat on the 

569
00:30:08,760 --> 00:30:11,760
bone, so to speak and, and how 
we can increase collaboration 

570
00:30:11,760 --> 00:30:14,440
between the identity management 
teams and the SOC themselves. 

571
00:30:14,440 --> 00:30:19,560
And you know, I think there's 
probably three, three areas that I would 

572
00:30:19,560 --> 00:30:22,960
think would be good, you know, 
kind of tactical ways that those

573
00:30:22,960 --> 00:30:25,600
teams can increase their 
collaboration and get mutual 

574
00:30:25,600 --> 00:30:28,720
benefit out of it. 
So the first one is probably the

575
00:30:28,720 --> 00:30:32,040
simplest, which is just increase
that bidirectional sharing of 

576
00:30:32,040 --> 00:30:35,360
information. 
So the identity teams should be 

577
00:30:35,360 --> 00:30:38,640
sharing the types of personas 
that they're managing, the types

578
00:30:38,640 --> 00:30:40,880
of identities that they're 
managing, you know, the 

579
00:30:40,880 --> 00:30:44,960
credential use expectations and 
maybe perhaps most importantly 

580
00:30:44,960 --> 00:30:48,640
the risk score. 
So which identities and which 

581
00:30:48,640 --> 00:30:51,400
credential pairs had the 
greatest business impact. 

582
00:30:51,680 --> 00:30:56,360
So that can influence the 
scoring and the response timing 

583
00:30:56,560 --> 00:30:58,640
of the security operations 
center, right? 

584
00:30:58,760 --> 00:31:02,160
So that makes this the security 
mission stronger if we have a 

585
00:31:02,160 --> 00:31:04,920
better idea of the context of 
the identities that the ID 

586
00:31:04,920 --> 00:31:08,640
teams. 
On the flip side, the SOC is 

587
00:31:08,640 --> 00:31:12,360
going to be continuous and 
gathering, alerting relevant to 

588
00:31:12,360 --> 00:31:14,840
relative to identities and 
identity management. 

589
00:31:15,240 --> 00:31:18,920
So what we can do is we can 
continue to share the 

590
00:31:19,360 --> 00:31:22,000
investigations themselves, but 
more specifically the false 

591
00:31:22,000 --> 00:31:25,640
positives that we're seeing. 
So here's a rule that we have, 

592
00:31:25,920 --> 00:31:28,400
it's triggering on XYZ 
conditions. 

593
00:31:28,800 --> 00:31:31,920
And we've noticed in the last 
month, we've escalated 25 of 

594
00:31:31,920 --> 00:31:33,680
these things to you guys. 
You've shot them all down. 

595
00:31:33,680 --> 00:31:36,360
It's false positives. 
Help me collaborate better to 

596
00:31:36,360 --> 00:31:38,200
make sure that I'm not sending 
these to you all the time, 

597
00:31:38,760 --> 00:31:40,120
right? 
So how do we tune this thing? 

598
00:31:40,760 --> 00:31:44,360
So that bidirectional 
communication, I think it's, you

599
00:31:44,360 --> 00:31:46,320
know, listen, I'm a realist. 
It's not going to happen every 

600
00:31:46,320 --> 00:31:48,160
single week. 
But if you're having quarterly 

601
00:31:48,160 --> 00:31:51,200
meetings that are, you know, 
between the two groups, between 

602
00:31:51,200 --> 00:31:53,880
leaders of the two groups, that 
can probably make some positive 

603
00:31:53,880 --> 00:31:57,000
benefit. 
I think that kind of gracefully 

604
00:31:57,000 --> 00:31:59,520
transitions into the second one,
which is mutual playbook 

605
00:31:59,520 --> 00:32:02,160
development. 
So as I already said, tuning and

606
00:32:02,160 --> 00:32:03,920
threshold development is one 
part of that. 

607
00:32:04,360 --> 00:32:06,840
But another part of that is who 
do I escalate something to? 

608
00:32:07,200 --> 00:32:10,240
If I see an anomalous travel 
indicator, somebody's logging in

609
00:32:10,240 --> 00:32:13,880
from outside of the country, who
do I escalate that to? 

610
00:32:13,960 --> 00:32:15,760
Is that to like people 
management? 

611
00:32:15,760 --> 00:32:20,280
Is that to to you guys in the 
identity office as we live and 

612
00:32:20,280 --> 00:32:22,040
die with our escalation 
procedures? 

613
00:32:22,240 --> 00:32:26,760
So having identities like input 
into those is is very helpful, 

614
00:32:27,200 --> 00:32:29,680
right. 
And then probably the last thing

615
00:32:29,680 --> 00:32:33,000
I would say is, you know, one of
our core missions in the SOC is

616
00:32:33,000 --> 00:32:36,520
to identify shadow orphaned IT 
to in the the core attack 

617
00:32:36,520 --> 00:32:40,000
surface management mission. 
A lot of the tools that we have 

618
00:32:40,000 --> 00:32:42,600
now, whether they're attack 
surface management tools 

619
00:32:42,600 --> 00:32:46,120
themselves or whether they're 
things like CNAPP, which is cloud

620
00:32:46,120 --> 00:32:49,520
native application protection 
platforms, they can actually 

621
00:32:49,520 --> 00:32:54,120
identify the misuse of things 
like secrets like hard coded 

622
00:32:54,120 --> 00:33:00,320
passwords and CI/CD pipelines, you
know, password secrets, API keys

623
00:33:00,320 --> 00:33:03,520
being stored out on insecure 
buckets out of the cloud. 

624
00:33:04,680 --> 00:33:08,040
Sometimes they can even that 
detect misuse across different 

625
00:33:08,040 --> 00:33:10,960
platforms in the cloud for 
addition, you know, different 

626
00:33:10,960 --> 00:33:15,400
cloud assets or cloud resources.
So I think there's a 

627
00:33:15,400 --> 00:33:18,080
collaborative mission there as 
well to say, hey, we're doing 

628
00:33:18,080 --> 00:33:20,560
this continuous attack surface 
management mission. 

629
00:33:20,920 --> 00:33:22,760
It dovetails what you guys are 
doing. 

630
00:33:23,080 --> 00:33:25,360
Let's talk about that. 
Like maybe we can find some 

631
00:33:25,480 --> 00:33:28,160
orphaned identities or some 
things flowing out there that 

632
00:33:28,160 --> 00:33:31,200
you didn't even know, Rob. 
It's an opportunity to get 

633
00:33:31,200 --> 00:33:33,480
creative with some of that data 
they might be collecting. 

634
00:33:33,480 --> 00:33:36,440
And so we, we've solved 
collaboration, right? 

635
00:33:36,480 --> 00:33:38,720
Talk to each other. 
We've talked about the 

636
00:33:38,720 --> 00:33:40,680
importance of the data, but now 
it comes like it's time for the 

637
00:33:40,680 --> 00:33:42,480
tool. 
And I feel like this is an area 

638
00:33:42,480 --> 00:33:46,520
where like SIEM tends to be like 
the default choice, but we've 

639
00:33:46,520 --> 00:33:49,120
also got a bunch of new tools in
this space that are commonly 

640
00:33:49,120 --> 00:33:52,160
called, I guess, ITDR, Identity 
Threat Detection and Response. 

641
00:33:52,960 --> 00:33:55,160
You've got XDR, which you 
mentioned, you know, as well. 

642
00:33:55,680 --> 00:33:59,560
There's, you know, other things 
like UBA user behaviour analysis

643
00:33:59,680 --> 00:34:02,200
or UEBA user and entity 
behaviour analysis. 

644
00:34:02,200 --> 00:34:05,240
We just so many acronyms. 
Where do these tools fit 

645
00:34:05,240 --> 00:34:07,440
together? 
Is it still what I would call 

646
00:34:07,440 --> 00:34:09,440
like a traditional SIEM type 
approach? 

647
00:34:09,960 --> 00:34:14,120
Is ITDR the new SIEM, or is there
some middle ground or 

648
00:34:14,120 --> 00:34:16,400
collaborative space where 
there's room for all of those 

649
00:34:16,400 --> 00:34:19,520
types of tools? 
We're in an awkward place right 

650
00:34:19,520 --> 00:34:26,000
now in the, you know, in the 
security tools industry because 

651
00:34:26,000 --> 00:34:29,400
so many of the platforms have 
grown so much to to cover a lot 

652
00:34:29,400 --> 00:34:32,840
of different ground. 
So it creates a lot of overlap 

653
00:34:32,840 --> 00:34:37,520
and a lot of difficult 
conversations that our clients 

654
00:34:37,520 --> 00:34:40,000
particularly have to ask 
themselves around where they 

655
00:34:40,000 --> 00:34:46,120
want to get certain, you know, 
capabilities that come along 

656
00:34:46,120 --> 00:34:49,480
with maybe their legacy partner 
that would have done something 

657
00:34:50,000 --> 00:34:51,159
that that would they were more 
niche. 

658
00:34:51,159 --> 00:34:52,880
But now they've grown and grown 
again, right? 

659
00:34:52,880 --> 00:34:55,520
So like a good example probably 
being CrowdStrike, they would 

660
00:34:55,520 --> 00:34:58,240
have been the gold standard 
endpoint tool for a long time. 

661
00:34:58,680 --> 00:35:01,240
They've grown into a lot of 
their cloud workload protections

662
00:35:01,240 --> 00:35:04,520
if they've got an ITDR, you 
know, capability in NASA. 

663
00:35:05,640 --> 00:35:10,520
So I guess it's a it's a kluge 
way of saying that it's not a 

664
00:35:10,520 --> 00:35:15,080
replacement for SIEM, right? 
SIEM as a concept or as a tool, 

665
00:35:15,720 --> 00:35:19,800
particularly in its legacy 
stage, was get a whole bunch of 

666
00:35:19,800 --> 00:35:25,120
data into a single platform, run
some rules to continuously churn

667
00:35:25,120 --> 00:35:26,880
over it. 
So you're finding things in real

668
00:35:26,880 --> 00:35:29,560
time, right? 
And then do something with it on

669
00:35:29,560 --> 00:35:31,800
the back end. 
And that in in its early stages,

670
00:35:31,800 --> 00:35:34,040
it wasn't really clear what you 
were going to do on the back end

671
00:35:34,040 --> 00:35:35,960
of it. 
Now things have grown and 

672
00:35:35,960 --> 00:35:39,480
evolved, so you're taking that 
core data engine, but you're 

673
00:35:39,480 --> 00:35:42,000
building a better skin over the 
top of it of a common data 

674
00:35:42,000 --> 00:35:45,000
schema. 
You've got AI/ML crawling over

675
00:35:45,000 --> 00:35:47,560
the top of that, detecting 
things and and doing things in a

676
00:35:47,560 --> 00:35:50,200
more intelligent way, you know, 
with more heuristics. 

677
00:35:50,840 --> 00:35:52,480
You've got all those different 
plug-ins, you've got the 

678
00:35:52,480 --> 00:35:54,920
cloud plug in, you've got the 
identity plug, you've got the 

679
00:35:54,920 --> 00:35:58,200
endpoint plug in, right. 
And all these things are feeding

680
00:35:58,200 --> 00:36:02,440
back into that same data set. 
And then and the additional 

681
00:36:02,440 --> 00:36:04,800
layer on top of it, or now 
there's an automated response 

682
00:36:04,800 --> 00:36:07,920
capability because maybe there's
an inbuilt SOAR or maybe there's

683
00:36:07,920 --> 00:36:10,840
other, you know, integration 
capabilities to go out and 

684
00:36:10,840 --> 00:36:13,640
actually touch an identity 
management system and, and 

685
00:36:13,640 --> 00:36:17,200
sideline something, you know, 
sandbox a profile or a user or 

686
00:36:17,200 --> 00:36:19,920
whatever. 
So it's not a replacement. 

687
00:36:19,920 --> 00:36:21,800
Certainly to that part of the 
question. 

688
00:36:22,240 --> 00:36:25,120
Their legacy platforms just they
can't keep up. 

689
00:36:25,120 --> 00:36:26,520
They're they're bad at scaling 
data. 

690
00:36:26,520 --> 00:36:29,680
In order to clunky to manage, 
you have to tell it exactly what

691
00:36:29,680 --> 00:36:31,840
logic you're working for. 
It doesn't have the AI/ML 

692
00:36:31,840 --> 00:36:33,800
components that kind of help you
in that mission. 

693
00:36:35,200 --> 00:36:38,640
So not a SIEM, you know, SIEM is 
a different thing in and of 

694
00:36:38,640 --> 00:36:41,560
itself these new XDR platforms. 
To the second part of your 

695
00:36:41,560 --> 00:36:47,840
question, ITDR specifically is one
component of many that all these

696
00:36:47,840 --> 00:36:52,560
vendors are trying to condense. 
So it's part of a broader set of

697
00:36:52,560 --> 00:36:55,960
capabilities that everybody's 
bringing together into into 

698
00:36:55,960 --> 00:37:00,080
platforms. 
And the challenge we have now is

699
00:37:00,240 --> 00:37:03,040
identifying the core 
capabilities you need and then 

700
00:37:03,040 --> 00:37:06,600
kind of doing a vendor analysis 
to see who have you had for 10 

701
00:37:06,600 --> 00:37:09,120
years for endpoint and who have 
you had for identity and who 

702
00:37:09,120 --> 00:37:11,920
have you, who did you deploy 
five years for cloud and what 

703
00:37:11,920 --> 00:37:14,760
are they totally off for? 
How do we kind of declutter that

704
00:37:15,960 --> 00:37:19,000
to kind of streamline vendor 
management that's it's an 

705
00:37:19,000 --> 00:37:22,000
interesting intersection in the 
security tool space right now? 

706
00:37:23,200 --> 00:37:29,480
So Dan, I'm thinking about how 
attack surface management evolves 

707
00:37:29,480 --> 00:37:32,080
into the future. 
And I also want to make this, 

708
00:37:32,440 --> 00:37:35,440
you know, kind of pragmatic with
some takeaways for the 

709
00:37:35,440 --> 00:37:37,680
practitioner. 
So I'm kind of thinking like, 

710
00:37:37,680 --> 00:37:41,000
what are the what are some of 
the strategies that we could put

711
00:37:41,000 --> 00:37:42,960
out there? 
But I do want to interject 

712
00:37:42,960 --> 00:37:46,520
something first, which is talked
about this convergence of

713
00:37:46,800 --> 00:37:49,240
identity and endpoint threat 
detection. 

714
00:37:49,800 --> 00:37:52,720
But it seems to me every time we
hear about like a really big 

715
00:37:52,720 --> 00:37:56,960
breach usually starts by 
somebody getting phished or a

716
00:37:56,960 --> 00:37:59,280
help desk getting socially 
engineered. 

717
00:37:59,560 --> 00:38:03,000
So it seems to me like no matter
what we talk about in terms of 

718
00:38:03,000 --> 00:38:07,560
strategies, it's like we've got 
to do a better job at like not 

719
00:38:07,560 --> 00:38:11,560
letting that happen because you 
know, we're talking about 

720
00:38:11,560 --> 00:38:16,080
identity as like the the gate, 
the door, usually it's they're 

721
00:38:16,240 --> 00:38:19,640
walking through the front door. 
They're just taking the account

722
00:38:19,640 --> 00:38:20,960
they got. 
So I don't know if that 

723
00:38:20,960 --> 00:38:24,080
resonates with you, but then if 
you can kind of talk about in 

724
00:38:24,080 --> 00:38:28,360
terms of like pragmatic 
strategies that people can can 

725
00:38:28,360 --> 00:38:31,720
invoke. 
Yeah, I mean, identities are 

726
00:38:31,720 --> 00:38:34,240
tied to people and you can't 
patch people, right? 

727
00:38:34,640 --> 00:38:36,800
There's that old like problem 
between chair and keyboard. 

728
00:38:36,960 --> 00:38:39,440
That's the that's the issue, 
right? 

729
00:38:39,440 --> 00:38:43,640
So until you figure solve that 
problem, like we're never going 

730
00:38:43,640 --> 00:38:46,600
to be out of the calling up the 
help desk and saying, can you 

731
00:38:46,600 --> 00:38:49,640
please just pretty, pretty 
please reset my password so I 

732
00:38:49,640 --> 00:38:52,000
can get in and having somebody 
do it for you. 

733
00:38:53,320 --> 00:38:57,600
But having said that, you know, 
things that you can do. 

734
00:38:57,840 --> 00:39:01,080
I mean, treating identities, 
like I said at the beginning, as

735
00:39:01,080 --> 00:39:05,760
an asset that allows you to 
unlock things across the now 

736
00:39:05,760 --> 00:39:10,360
sprawling multi-environmental
corporate, you know, behemoth

737
00:39:10,360 --> 00:39:15,760
that we have, you can take kind 
of a zero trust approach and and

738
00:39:15,960 --> 00:39:19,160
not take anything for granted. 
Reduce permissions as much as 

739
00:39:19,160 --> 00:39:23,040
humanly possible, introduce 
borders and barriers between 

740
00:39:23,040 --> 00:39:26,320
trust zones, you know, locked 
down to the even down to like 

741
00:39:26,320 --> 00:39:29,720
the cloud side workload level. 
You know, you have to 

742
00:39:29,720 --> 00:39:31,560
authenticate in all those 
different instances. 

743
00:39:32,200 --> 00:39:36,000
Not easy to do, takes a long 
time, takes a lot of investment 

744
00:39:36,000 --> 00:39:39,880
and in a lot of cases you can't 
necessarily bolt that on on top.

745
00:39:39,880 --> 00:39:42,920
You kind of have to refresh your
architecture to make that work. 

746
00:39:43,640 --> 00:39:47,400
So that's like the Nirvana 
state, but very, very few of us 

747
00:39:47,400 --> 00:39:48,800
can get to that Nirvana state, 
right? 

748
00:39:49,440 --> 00:39:53,440
So I think what you do is, you 
know, you do the best with what 

749
00:39:53,440 --> 00:39:56,600
you've got. 
So one thing that I think a lot 

750
00:39:56,600 --> 00:40:01,840
of practitioners fall into the 
the trap of with in my industry.

751
00:40:02,240 --> 00:40:04,600
Is they're constantly chasing 
the next shiny thing that's 

752
00:40:04,600 --> 00:40:06,680
going to make everything work 
better. 

753
00:40:07,440 --> 00:40:10,240
Just really do that deep 
thinking around what vendors do 

754
00:40:10,240 --> 00:40:12,720
I have in place what tools do I 
have in place? 

755
00:40:12,720 --> 00:40:16,120
What value can I get out of it? 
How do I stretch to the maximum 

756
00:40:16,120 --> 00:40:18,560
value with all those 
capabilities that, you know, 

757
00:40:18,880 --> 00:40:21,440
that vendor brings to me? 
And then how do I make my 

758
00:40:21,440 --> 00:40:24,560
processes rock solid? 
So I'm actually sharing 

759
00:40:24,560 --> 00:40:27,200
information between my SOC and
my my identity team. 

760
00:40:27,560 --> 00:40:31,400
How am I actually like making 
sure that I'm putting in the 

761
00:40:31,400 --> 00:40:35,680
hours to have all of my vendors,
you know, have the same level of

762
00:40:35,680 --> 00:40:38,520
rigor as my internal users when 
it comes to identity? 

763
00:40:38,520 --> 00:40:43,200
Like, it's not, there's no 
magic, you know, so sexy magic 

764
00:40:43,200 --> 00:40:45,640
bullet that's going to make it 
all go away, unfortunately. 

765
00:40:45,640 --> 00:40:49,000
Yeah. 
I mean, you know in the as a 

766
00:40:49,000 --> 00:40:52,440
practitioner too, we get 
allocated a certain amount of 

767
00:40:52,680 --> 00:40:57,040
funds to go and apply to our 
program. 

768
00:40:57,840 --> 00:41:02,280
But ultimately usually have to 
kind of show like, hey, we got 

769
00:41:02,280 --> 00:41:05,000
value out of this, but it's hard
with security. 

770
00:41:05,000 --> 00:41:07,960
It's kind of like saying, I 
started working out at the gym 

771
00:41:07,960 --> 00:41:11,040
and I haven't been robbed in two
years. 

772
00:41:11,120 --> 00:41:12,920
It's like, well, maybe you 
wouldn't have been robbed 

773
00:41:12,920 --> 00:41:16,720
anyway, right? 
So do you have any 

774
00:41:16,720 --> 00:41:20,160
recommendations there in terms 
of like trying to tie back the 

775
00:41:20,160 --> 00:41:25,200
value to these investments? 
Metrics should be few and should

776
00:41:25,200 --> 00:41:26,880
be, you know, valuable. 
They should. 

777
00:41:26,880 --> 00:41:30,080
They should, they should enable 
decision making and they should 

778
00:41:30,080 --> 00:41:36,080
be, you know, coherent, concise.
But some of the best security 

779
00:41:36,080 --> 00:41:39,320
metrics from a SOC standpoint
have to do with coverage and 

780
00:41:39,320 --> 00:41:41,840
devices under management. 
I think you could do something 

781
00:41:41,840 --> 00:41:45,720
similar with identity, right? 
So from a foundational 

782
00:41:45,720 --> 00:41:50,240
standpoint, how much has
multi-factor authentication been

783
00:41:50,240 --> 00:41:52,840
deployed throughout the environment
and and set some gold standards 

784
00:41:52,880 --> 00:41:55,520
for that. 
How much privileged account use

785
00:41:55,520 --> 00:41:57,360
do you have? 
And if you're really going to 

786
00:41:57,360 --> 00:42:01,120
start a campaign to limit 
privileged account use or
over-privileged machine accounts,
787
00:42:01,120 --> 00:42:03,680
privileged machine accounts, 
right? 

788
00:42:03,680 --> 00:42:07,120
So like non-human accounts that
are that are performing back-end

789
00:42:07,120 --> 00:42:10,200
functions. 
So how much privileged account

790
00:42:10,200 --> 00:42:11,960
use do you have? 
How much machine account use do 

791
00:42:11,960 --> 00:42:14,680
you have? 
And can you drive a trend of 

792
00:42:14,800 --> 00:42:19,920
like my campaign has driven that
down right and identity 

793
00:42:19,920 --> 00:42:22,360
inventory, right? 
So you have X number of 

794
00:42:23,040 --> 00:42:26,080
corporate users, you have Y
number of of vendors that should

795
00:42:26,080 --> 00:42:30,320
track to a certain number of 
assumed identities and, and 

796
00:42:30,320 --> 00:42:32,920
accounts. 
And then you know for your 

797
00:42:32,920 --> 00:42:36,520
workloads, how many different 
permissions, whether they be API

798
00:42:36,520 --> 00:42:40,520
keys or whether they be, you 
know, otherwise secrets that you

799
00:42:40,520 --> 00:42:41,960
need to have to make all those 
things run.

800
00:42:42,360 --> 00:42:45,000
So like, are you actually 
identifying them and are you 

801
00:42:45,040 --> 00:42:46,840
actually inventorying them? 
That's kind of like your 

802
00:42:46,840 --> 00:42:49,600
foundational level level if you 
want to get into something more 

803
00:42:49,600 --> 00:42:53,200
advanced, like how do you start 
having trailing indicators to 

804
00:42:53,200 --> 00:42:56,000
show that entitlement creep? 
So I went through this whole, 

805
00:42:56,480 --> 00:42:58,360
you know, I went through this 
whole initiative. 

806
00:42:58,480 --> 00:43:02,360
I inventoried and identified all
my, you know, all my identities.

807
00:43:03,560 --> 00:43:06,920
I got a derived A trend for my 
privileged account use. 

808
00:43:06,920 --> 00:43:08,720
OK, but now I'm starting to see 
that tick. 

809
00:43:08,840 --> 00:43:10,680
Why is that? 
You know, what's happening? 

810
00:43:10,680 --> 00:43:13,960
Is that actually legitimate? 
Another thing is the unneeded or

811
00:43:13,960 --> 00:43:15,760
non-compliant identities that
are being found. 

812
00:43:15,760 --> 00:43:18,280
This ties into what I said about
using the attack surface 

813
00:43:18,280 --> 00:43:20,400
management and CNAPP tools or
partnering with this. 

814
00:43:21,120 --> 00:43:23,160
Am I seeing an increase in 
orphaned accounts? 

815
00:43:23,160 --> 00:43:26,920
Am I seeing an increase in, you 
know, identities or secrets 

816
00:43:26,920 --> 00:43:28,640
floating out there that I didn't
know about before? 

817
00:43:28,720 --> 00:43:31,000
Like that's when you really 
start getting into the more 

818
00:43:31,080 --> 00:43:34,200
advanced levels of metrics 
around your identity management 

819
00:43:34,200 --> 00:43:36,360
program. 
So I think if you do that, if 

820
00:43:36,360 --> 00:43:39,520
you do those things and you can 
really preach the value of what 

821
00:43:39,520 --> 00:43:43,120
you're doing. 
So final question from the The 

822
00:43:43,120 --> 00:43:48,080
Great Inquisition of 2025 here. 
What is the biggest 

823
00:43:48,080 --> 00:43:52,120
misconception that you see when 
people start to think about, OK,

824
00:43:52,440 --> 00:43:56,080
here's what my attack surface 
looks like and how do I start to

825
00:43:56,080 --> 00:43:57,960
reduce that? 
Like what is something that 

826
00:43:58,520 --> 00:44:01,560
people maybe can start to do or 
things that you see people do 

827
00:44:01,560 --> 00:44:03,160
wrong? 
Like I would not have started 

828
00:44:03,160 --> 00:44:04,680
with that way? 
Like what's the biggest thing 

829
00:44:04,680 --> 00:44:06,600
from your perspective that 
people listening to this go out 

830
00:44:06,600 --> 00:44:09,160
and say, OK, here's how I start 
to tackle this problem? 

831
00:44:09,680 --> 00:44:11,960
Specifically because of the way 
that you asked the question 

832
00:44:11,960 --> 00:44:15,880
around misconception, I think 
the biggest misconception would 

833
00:44:15,880 --> 00:44:20,840
be that it has to be a 
comprehensive program. 

834
00:44:21,400 --> 00:44:24,440
Like all the little singles that
you can hit all contribute. 

835
00:44:25,120 --> 00:44:28,080
So like pick a problem today, 
work on it for a couple months, 

836
00:44:28,800 --> 00:44:31,440
turn your attention to another 
problem in another couple months,

837
00:44:31,480 --> 00:44:33,200
right? 
You're not going to solve like 

838
00:44:33,200 --> 00:44:36,680
the ASM problem in a grand 
campaign. 

839
00:44:37,800 --> 00:44:42,080
Just identify things, catalog 
things, get them under wraps, 

840
00:44:42,080 --> 00:44:44,040
move on to something else. 
Just be iterative. 

841
00:44:44,040 --> 00:44:47,240
And then when you don't take 
that approach, you never get 

842
00:44:47,240 --> 00:44:49,720
anywhere because you just 
analysis paralysis. 

843
00:44:50,760 --> 00:44:53,680
And you can't really ever truly 
solve it right? 

844
00:44:53,680 --> 00:44:56,640
It's really just about getting 
skinny, getting small small 

845
00:44:56,640 --> 00:44:58,880
target to hit. 
But it's not like your attack 

846
00:44:58,880 --> 00:45:01,880
surface is ever zero.
Is that a proper way to think 

847
00:45:01,880 --> 00:45:03,520
about it? 
Yeah, 100%. 

848
00:45:03,640 --> 00:45:05,240
Yeah. 
I'd absolutely agree with that. 

849
00:45:06,440 --> 00:45:08,520
Well, Dan, you've been really 
generous with your time. 

850
00:45:08,840 --> 00:45:11,600
I do want to get into a little 
bit of your your background. 

851
00:45:11,600 --> 00:45:12,920
And I know you have some 
military background. 

852
00:45:12,920 --> 00:45:14,840
You've referenced mission 
several times throughout this 

853
00:45:14,840 --> 00:45:17,880
conversation as well. 
One of the roles that I saw as I

854
00:45:17,880 --> 00:45:21,520
was, you know, stalking you on 
LinkedIn is human intelligence 

855
00:45:21,520 --> 00:45:24,360
collector. 
So I want to dive into that a 

856
00:45:24,360 --> 00:45:26,120
little bit here to kind of end 
the show. 

857
00:45:26,120 --> 00:45:29,040
But tell me, what is a human 
intelligence collector for 

858
00:45:29,040 --> 00:45:30,520
people who aren't familiar with 
that role? 

859
00:45:30,560 --> 00:45:32,880
And then I want to ask you some 
follow up questions around it. 

860
00:45:33,680 --> 00:45:36,600
Sure, sure. 
So human intelligence collector 

861
00:45:36,600 --> 00:45:40,760
is particularly in the Army, 
which is where I was, is the 

862
00:45:40,760 --> 00:45:43,600
lowest man on the totem pole for
the intelligence community. 

863
00:45:45,240 --> 00:45:48,960
So we're the guys out there in 
in Army uniforms trying to 

864
00:45:49,000 --> 00:45:51,800
trying to get secrets or 
information that could be 

865
00:45:51,800 --> 00:45:53,840
helpful and then pass it up the
chain. 

866
00:45:53,840 --> 00:45:56,400
But there's kind of two sides to
that mission. 

867
00:45:56,400 --> 00:46:01,840
There's the classic like booth 
interrogation style of 

868
00:46:01,840 --> 00:46:03,480
questioning that everyone would 
think of it. 

869
00:46:03,480 --> 00:46:06,240
They've seen in movies or you 
know, I've seen in TV shows 

870
00:46:06,240 --> 00:46:09,360
where somebody is a detainee, 
they've been captured. 

871
00:46:09,640 --> 00:46:12,080
You've got them for an hour with
an interpreter in the room and 

872
00:46:12,160 --> 00:46:14,920
you get to ask them all the 
questions about, you know, 

873
00:46:15,160 --> 00:46:17,240
whatever topic of interest we 
have in for. 

874
00:46:18,280 --> 00:46:21,080
Then the other side of the 
mission is more elicitation on 

875
00:46:21,080 --> 00:46:24,240
what they call source 
operations, which is more around

876
00:46:25,160 --> 00:46:28,320
making friends with locals and 
building connections in a 

877
00:46:28,320 --> 00:46:31,320
community and trying to get 
people to want to provide 

878
00:46:31,320 --> 00:46:35,560
information for either their own
benefit or for the community 

879
00:46:35,560 --> 00:46:38,280
benefit. 
So I was more on the on the 

880
00:46:38,280 --> 00:46:41,240
source operations and 
elicitation side of things. 

881
00:46:42,560 --> 00:46:45,240
So that be kind of like a for 
the people in the US here like 

882
00:46:45,280 --> 00:46:49,160
neighborhood watch, for example,
kind of like partnership or kind

883
00:46:49,160 --> 00:46:50,320
of a band of people who are 
willing. 

884
00:46:50,320 --> 00:46:54,840
To provide information. 
So in, in I'm from Chicago. 

885
00:46:54,840 --> 00:46:58,240
So in Chicago there was this 
program 20 years ago at this 

886
00:46:58,240 --> 00:46:59,840
point that was like it was 
called CHAPS. 

887
00:46:59,840 --> 00:47:02,360
That was an acronym called 
CHAPS, but it was, you know, 

888
00:47:02,360 --> 00:47:05,080
Community Action policing. 
And that's exactly what it was. 

889
00:47:05,080 --> 00:47:08,280
Is they were going to go around 
and kind of deputize people in 

890
00:47:08,280 --> 00:47:10,680
the community and say, you know,
you're a liaison. 

891
00:47:10,680 --> 00:47:13,080
If you see something or, you 
know, come and say something to 

892
00:47:13,080 --> 00:47:16,000
the police, like let us know 
what's going on here. 

893
00:47:16,760 --> 00:47:19,600
Similarly, Yeah, you'd say, OK, 
you're a village elder. 

894
00:47:19,920 --> 00:47:22,480
You know, you're, you know, you 
have a position at the mosque 

895
00:47:22,680 --> 00:47:24,800
or, you know, position of 
influence. 

896
00:47:25,080 --> 00:47:26,240
You probably see what's going 
on. 

897
00:47:26,240 --> 00:47:28,640
You know, everybody in the 
community, you know, help me 

898
00:47:28,640 --> 00:47:30,920
understand what's going on here.
Help me understand the problems 

899
00:47:30,920 --> 00:47:33,000
you guys are chasing. 
Help me understand who could be 

900
00:47:33,000 --> 00:47:35,160
causing trouble. 
Yeah, it's that concept. 

901
00:47:36,160 --> 00:47:40,240
So would you consider Jim and I 
human intelligence collectors by

902
00:47:40,240 --> 00:47:43,800
way of this podcast or something
similar? 

903
00:47:43,800 --> 00:47:46,440
Like how do I how do I get an 
honorary title on this? 

904
00:47:47,160 --> 00:47:49,560
I'm sure there's been a lot of 
intelligence collected on your 

905
00:47:49,560 --> 00:47:53,280
podcast, maybe not in the last 
hour, but in other episodes I'm 

906
00:47:53,280 --> 00:47:57,040
sure that's been the case. 
I think we'd be the troublemaker

907
00:47:57,040 --> 00:47:59,040
chef. 
Somebody would be like, yeah, 

908
00:47:59,080 --> 00:48:00,760
Jimmy, Jeff, this. 
Guy good trouble. 

909
00:48:00,760 --> 00:48:03,000
Know about them? 
Good trouble, good trouble. 

910
00:48:03,000 --> 00:48:05,720
Like that's, you know, we're 
asking questions and, you know, 

911
00:48:05,720 --> 00:48:08,800
eliciting responses. 
I think, you know, one of the 

912
00:48:08,800 --> 00:48:12,040
things that I, I'd love to hear 
from your perspective, Dan, is 

913
00:48:12,360 --> 00:48:15,440
what are, what are some tips 
that maybe Jim and I can take 

914
00:48:15,440 --> 00:48:17,520
away for future conversations 
because it's too late for this 

915
00:48:17,520 --> 00:48:19,800
one where we can ask better 
questions. 

916
00:48:19,800 --> 00:48:22,200
Or maybe for people who are 
listening right out there, 

917
00:48:22,200 --> 00:48:25,720
they're in probably an identity 
that they can ask their 

918
00:48:25,720 --> 00:48:30,200
stakeholders or, you know, other
people that they need to either 

919
00:48:30,200 --> 00:48:33,400
influence or try to get some 
better information out of other 

920
00:48:33,400 --> 00:48:36,320
tips that you can share with, 
you know, us peons in that 

921
00:48:36,320 --> 00:48:39,520
space. 
Oh, too harsh on yourself? 

922
00:48:40,200 --> 00:48:44,800
A couple of things. 
The first thing I would say is 

923
00:48:46,240 --> 00:48:49,640
conversation is it's easy, it's 
fluid. 

924
00:48:49,640 --> 00:48:51,320
It's kind of a natural thing 
everyone does. 

925
00:48:51,640 --> 00:48:54,080
But when you specifically want 
to get information out of 

926
00:48:54,080 --> 00:48:58,040
someone, whether it's because 
you're defining a mutual goal or

927
00:48:58,040 --> 00:49:00,120
you're it's a client situation 
and you need to know how to 

928
00:49:00,120 --> 00:49:03,280
better serve them, have a plan 
about the questions you're going

929
00:49:03,280 --> 00:49:05,560
to ask and how you're going to 
ask them to get to a certain 

930
00:49:05,560 --> 00:49:09,080
conclusion, right? 
So plan out your conversations, 

931
00:49:09,360 --> 00:49:11,160
important ones anyway, is the 
first tip. 

932
00:49:11,640 --> 00:49:15,040
The second tip is definitely ask
open-ended questions. 

933
00:49:15,040 --> 00:49:19,960
Far too many people I hear ask a
question that ultimately ends up

934
00:49:19,960 --> 00:49:23,200
in a one word answer or a yes or
no and you don't get anything 

935
00:49:23,200 --> 00:49:24,560
out of it. 
So make sure all of your 

936
00:49:24,560 --> 00:49:27,040
questions are open-ended and 
force the other person to talk a

937
00:49:27,040 --> 00:49:29,240
little bit. 
Gives you more to pivot off of.

938
00:49:30,000 --> 00:49:33,240
And I think the third thing is 
it's just like really actively 

939
00:49:33,240 --> 00:49:35,320
listen, right? 
Because people say so much 

940
00:49:35,320 --> 00:49:39,120
between the lines in the way 
they say something or the thing

941
00:49:39,120 --> 00:49:42,080
that they don't say that you 
would expect them to say that 

942
00:49:42,080 --> 00:49:44,360
tells you that they may be 
apprehensive about something or 

943
00:49:44,360 --> 00:49:48,000
they're worried. 
So really become good at 

944
00:49:48,040 --> 00:49:52,040
understanding the people's tics 
and like paying attention to how

945
00:49:52,040 --> 00:49:54,640
they talk and what they don't 
say. 

946
00:49:55,640 --> 00:49:57,280
And that's just good in all 
walks of life. 

947
00:49:57,280 --> 00:50:01,040
I mean friendships, your family,
client relationships. 

948
00:50:01,040 --> 00:50:03,080
Like just you'll be a better 
communicator. 

949
00:50:04,920 --> 00:50:10,720
Yeah, I've heard the scenario 
where they say it's how to make 

950
00:50:10,720 --> 00:50:13,840
the person that you're talking 
to think it was their idea. 

951
00:50:13,840 --> 00:50:18,480
So if you have an idea, Dan, 
that was a great idea that you 

952
00:50:18,480 --> 00:50:20,000
had. 
Even though. 

953
00:50:20,200 --> 00:50:22,840
Maybe really it was my idea. 
Incepted. 

954
00:50:25,320 --> 00:50:26,440
I love that idea. 
Inception.

955
00:50:26,440 --> 00:50:28,720
Like, yeah, plant the seed and 
let them think it's there. 

956
00:50:29,120 --> 00:50:30,480
They're a great idea. 
That's great. 

957
00:50:30,760 --> 00:50:32,280
That's great. 
All right, well, this has been a

958
00:50:32,280 --> 00:50:33,960
fun conversation. 
I learned a lot. 

959
00:50:33,960 --> 00:50:36,400
I think this is an area, This is
why we are very fortunate to 

960
00:50:36,400 --> 00:50:39,120
work with a bunch of people here
at our some lots of access to 

961
00:50:39,120 --> 00:50:41,160
the really smart people. 
So Dan, thank you so much for 

962
00:50:41,160 --> 00:50:43,800
being part of this. 
I will have links in our show 

963
00:50:43,800 --> 00:50:46,320
notes to your LinkedIn profile. 
People have questions around 

964
00:50:46,320 --> 00:50:48,400
that want to get, you know, in 
touch with you. 

965
00:50:48,920 --> 00:50:51,440
I'll have a link to the attack 
kill chain as well for people 

966
00:50:51,440 --> 00:50:54,040
coming on that spoiler. 
It's going to be the Wikipedia. 

967
00:50:54,560 --> 00:50:56,800
Like that's the one that's 
probably the easiest one to go 

968
00:50:56,800 --> 00:50:59,680
for. 
And yeah, so appreciate you 

969
00:50:59,680 --> 00:51:02,680
being here, part of this. 
You can find us on the web,

970
00:51:02,680 --> 00:51:06,240
idacpodcast.com, like, subscribe,
help us hit that million and 

971
00:51:06,240 --> 00:51:08,120
then maybe the next two next 
million after that. 

972
00:51:08,920 --> 00:51:10,520
But appreciate everyone who has 
supported us. 

973
00:51:10,520 --> 00:51:12,680
And, you know, thank you all for
watching and or listening. 

974
00:51:12,680 --> 00:51:15,080
So with that, we'll go ahead and
leave it there for this week. 

975
00:51:15,560 --> 00:51:17,000
Thanks. 
And we'll talk with you all in 

976
00:51:17,000 --> 00:51:20,920
the next one. 
You've been listening to 

977
00:51:20,920 --> 00:51:24,840
Identity at the Center. 
We hope you've enjoyed the show.

978
00:51:25,040 --> 00:51:29,160
Make sure to like, rate and 
review, and we'll be back soon. 

979
00:51:29,400 --> 00:51:31,680
But in the meantime, hit the 
website at 

980
00:51:31,680 --> 00:51:38,040
identityatthecenter.com.
See you next time on Identity at

981
00:51:38,040 --> 00:51:38,960
the Center.
