CarahCast: Podcasts on Technology in the Public Sector

Strengthening the Mission with Identity-Centric Security

Episode Summary

In this podcast, Frank Briguglio, Global Public Sector Strategist at SailPoint Technologies, Wes Dunnington, Senior Director of Architecture at Ping Identity, Wade Ellery, Director of Solution Architects and Senior Technical Evangelist at Radiant Logic, Rashaad Steward, Systems Engineering Director for U.S. Public Sector at Exabeam, and Matt Topper, President and Solutions Architect at UberEther, will discuss how to radically enhance security by integrating industry-proven solutions you probably already have.

Episode Transcription

Speaker 1: On behalf of SailPoint Technologies, Ping Identity, Radiant Logic, Exabeam and Carahsoft, we would like to welcome you to today's podcast focused around strengthening the mission with identity-centric security, where Frank Briguglio, Global Public Sector Strategist at SailPoint Technologies, Wes Dunnington, Senior Director of Architecture at Ping Identity, Wade Ellery, Director of Solution Architects and Senior Technical Evangelist at Radiant Logic, Rashaad Steward, Systems Engineering Director for U.S. Public Sector at Exabeam, and Matt Topper, President and Solutions Architect at UberEther, will discuss how to radically enhance security by integrating industry-proven solutions you probably already have.

Matt Topper: We really want to chat a little bit about some of the major changes in the identity access management today. Over the last few months, we've seen numerous supply chain attacks against the government publicly announced in the media, things precious last week. Previously, many organizations focused on phishing and social engineering attacks. Even the OPM attack, which was almost 10 years ago now, came down to a lack of strong authentication and lateral movement within the networks. No matter what the attack vector has been over the last 10 years, every single attacker, after they've breached the front door, immediately goes after the keys to the castle, the identity and access management systems. They know that they'll have a greater rate of success hitting their internal targets if they can gain access to the most privileged and sensitive accounts within an organization. For the last 20 years, we've been promising as security professionals to bring the real time power buried within our security operations center and the business visibility buried within our identity and access management centers to get systems together to create the pinnacle of protections for the organizations we serve. Up until recently, a lot of that has been a pipe dream and a lot of promises without a lot of ability to show it working all together. So today, we want to talk about some major changes in those areas that the team here has brought to bear and with some of the world's leading experts in cybersecurity, to describe best how we're going to strengthen your mission through identity-centric security. So we've already done the introductions. Thank you, Katie. So I'm going to just lead it off with Frank. We've known each other as long as this has been a topic, I think, and have always talked about the real time data that gets trapped in the SOC and the value it brings and can bring to the identity and access management world.
Can you talk a little bit about how the world has changed in the last three, four or five years and how some of the tools are being used with identity and access management?

Frank Briguglio: Absolutely, Matt. And before that, you know, the identity tools have changed as well. They've gotten smarter, you know, things we're doing with native change detection, for example, being able to trigger an event, a lifecycle event, when something in an authoritative source changes outside of the governance process is critical. But then to extend that right out into the SIEM/SOAR environment, and being able to, one, provide that context to the SOC analyst that's picked up an event in the queue. And, you know, in most cases is not going to understand anything beyond the user ID that he's looking at any event that's occurred. So, you know, we're seeing a lot of integration, bidirectional, where the identity platform can enrich the security operations tool. And then on the flip side, when that event occurs, it can trigger automatically or through, you know, the actions of a SOC analyst, the ability to, you know, trigger a lifecycle event, whether it's a deprovision, removal of access, whatever it might be. So I think we're gonna continue to see more of this integration. And you know, the tools continue to get smarter. So this is absolutely critical. It's great to finally see this, you know, you go back was longer than 10 years ago. Matt, you want to feel older, that we had this discussion way back when and you know, it's great to see it coming to fruition.

Matt Topper: Yeah, absolutely. The advancements in technology, the availability of the cloud services to be able to actually turn this data without organizations having to make major investments, it's been critical. So Rashaad, one of the benefits that Exabeam has brought to the identity and access management world is user behavior analytics. For a lot of us in identity and access management, this is new, and things that are just starting to get applied in near real time. Can you talk to us a little bit about user and entity behavior analytics, and how you're seeing ICAM tools being used with it?

Rashaad Steward: Sure. Thanks, Matt. So Exabeam specifically ingests both dynamic data sources from event logs, threat intelligence, and leverages identity attributes such as user department, role, title as context from ICAM solutions. Through the integration with those tools, Exabeam can collect and analyze the data for user or an asset to establish which profile. And based on that for normal behavior. Once we've established that from a UEBA perspective within Exabeam, that normal behavioral baseline, we can employ machine learning, statistical based behavior analytics across both the user and entity, employs what we call session objects to detect and score that abnormal activity that may suggest a user compromise or other malicious activity. Within that session object, anomalies in their scores are aggregated and reflected within a risk score. And this risk score can be used in the policy, in our policy decision process hooked in with the ICAM tools and people to decide to grant access, maybe prompt for additional authentication or even to block or suspend a user. So as we get further into this, you'll be able to bet with zero trust architecture, etc. Yeah, ICAM is going to be a critical piece within UEBA.

Matt Topper: We have loved to see over the last year working with Exabeam ability that even on a person's first day with that peer group analysis, the tool does to be able to say, hey, based on what this person has access to, the attributes, what HR department they're part of, what contracts are part of, this is how they should behave from day one, really getting that great profile user and where they should be even if we don't have a long term history on them. So Wade, we've joked that Radiant Logic has been the great connector for everything identity, whether it's web services, databases, LDAP, Active Directories in the back end, pushing all the way out to every single cloud environment, SaaS providers to synchronize that data. Can you talk a little bit how Radiant's been able to take some of that data that Rashaad talked about, and expose that or use within the ICAM tools?

Wade Ellery: Yes, definitely. And that's a critical area. If you think of Exabeam and SailPoint and Ping as engines that consume identity data as fuel, they need to have that information available at the speed of decision. And they need to have it accurate and they need to have it span the enterprise. If you're looking at one small piece of the organization, you're not seeing the big picture. So what Radiant Logic provides you is that one place to go to get all the identity information, correlated, aggregated, normalized, and available in a common format across each of the different platforms that's consuming it. So you're building policy based on the same data you're making access decisions about, based on the same data you're using for risk scoring. So it's critical that information be accurate to change in the environment, but also be able to be delivered in exactly the way that it's needed. But in addition to that, if you're running an authentication and authorization traffic from Ping through Radiant to the backend sources, that information is also logged in our access logs. We can feed that over to Exabeam, who can now both see transactional information from the log side, plus a full rich profile of information, add those together, and then apply the policies in the SailPoint environment for control over that, feed that up to Ping, and you've got a holistic environment here where the same data is being used everywhere, but optimized for each endpoint's requirements.

Matt Topper: I've really enjoyed watching, as soon as somebody appears on a watch list inside of Exabeam, right, somebody that has a blocked account that might be blocked at the VPN, those appearing on groups that immediately are being surfaced through Radiant Logic, and then being taken advantage of by Ping. So you might be getting a user blocked at the VPN. And then immediately they go try and log in, they realize they're blocked there. And they immediately try and go log in directly through Ping through a web interface. And then they're already locked, right? There's no second, third, fourth, fifth chance, and they keep hopping around your environment. Wes, Ping has acted as a front door for billions of users accessing their corporate networks, as well as Internet services, as well as, which I don't think a lot of people realize, not only for human users, but non person entities and services and APIs behind the scenes. Can you talk about some of the trends Ping has seen in access security and some of the emerging capabilities that we're seeing as orgs move towards zero trust and start bringing in some of these concepts?

Wes Dunnington: Sure. So I mean, one of the things I think that's really heartening to me is that the level of maturity is people starting to think about zero trust is rising. So I think to a lot of people what zero trust means is zero implied trust, that there's always a control point, you know, getting access to any resource. And that access could be, as you said, human or machine or script, um, said that there's always an explicit authorization decision that takes into account as many of the factors that we've just talked about, as you think makes sense in your scenario, but then they also sort of start walking back from there. So it's like, well, yes, I want to involve a bunch of, you know, good authorization and contextual factors, UEBA, etc. But to have a good sense of what the roles this person is supposed to be having access to, to make my authorization decision. And then once you've got that, it's like, well, am I actually confident that the person authenticated properly, because obviously, if they're using an insecure authentication method, then once again, all the roles and you know, things like that start falling down. And then finally, you know, even in the workforce and government, we see how confident am I really, that this identity is really who they say they are. So it's really just building that, you know, layers and layers of trust up. So you can make those intelligent informed decisions to bounce off, you know, the usability and the security.

Matt Topper: Yeah. The amount of factors that Ping is able to bring to the table to, right, not only pulling from static variables from the back end, whether those are roles and entitlements that have been given, dynamic variables from things like Exabeam, or even from the devices and behaviors of those devices and locations in the world, bringing that all together, being able to make those sub millisecond decisions, and do this authorization, it's really quite amazing. All of that coming together so quickly in the big engines. So I think that gets a little bit into some of what I wanted to talk about next is we're bringing the SOC world and the identity worlds together, exposing this data in really near real time with huge sets of data that are coming together, if you think about all the logs that are going across your SOC, all of the lateral movement, people sudoing, going from server to server, and then being able to make those decisions in real time. I guess for everybody, can you talk a little bit about the technology and shifts in the market that are allowing us to make the leap to this next level so quickly?

Wade Ellery: I'll take a little bit of that to start with. One of the things that I've been really happy about the industry in general is we've moved more and more towards standards, that every vendor out there is adopting standards. And that allows us to communicate much more easily than the old days of either a black box or some obscure API that had to be customized for every implementation. So the capability of moving this data around the environment, sharing it between applications, that the four of us is an excellent example, we can do pretty much out of the box. So this isn't a three year professional services integration scenario. This is a product ready to integrate, we talk to each other already natively. And now you're just looking at how do I collect the information? How do I process it? And then in what way do I want to present it most effectively at the highest rate and speed that I can deliver. Because as Wes mentioned, you're making millisecond decisions, you don't want to put a delay in the user's authentication authorization process, but you want to enhance your security. So being able to integrate quickly, deliver that information exactly as it's needed, and then again, feed it everywhere, really is a benefit of this new set of standards that we're all able to adopt and implement, makes this much easier to do.

Wes Dunnington: So I think it was going to elaborate a little bit on what we've said is because one of the things we also hear is, I'm not getting any more identity and security people and you know, they're getting harder and harder and demand, and we're paying really well and you know, but how do we put the decisions and the ability to build things in front of the people who are maybe the most natural rather than requiring everything to be gated through security in cases where it doesn't make sense. So I think we've all invested massively in making our tools easier to use and quicker time to value so that, you know, you can build the widgets and then have business people where appropriate, build the policies. And the funny thing is, is that once you've got these things available as easily consumable chunks, people tend to use them more and use them more effectively. So this raises the security water level, I think. 

Frank Briguglio: Yeah, absolutely. I mean, just think of, you know, secure cross domain identity management, the SCIM protocol that makes it very easy for all of us to integrate. Basically, that has taken, you know, the integration of the identity ecosystem, like Matt said, or Wade said, what used to take years now takes minutes. Platforms, whether they're SaaS or on premise, have matured now, where they're wizard driven configuration. I mean, 10 years ago, a certain vendor I worked for, there was a lot of coding that went into that connector, and you know, the operations for identity management. And now we think my God, I can bring up a wizard and configure the app and configure policies and the attributes I want to share and where I want to put them and how I want it audited and policies, you know, that just didn't exist before. And then take it to the next level with artificial intelligence, machine learning and the analytics that we're able to do on peer group analysis and access history and these things. I mean, that's really where we're going. And it just lends to Rashaad, who's going to come up next and talk about AI as well. I mean, all of this is just the perfect, and I won't call it storm, perfect rainbow coming together.

Rashaad Steward: Yeah, just to add to that question, Matt and team, so I too believe continued use of APIs for faster integration, also open framework access to machine learning data models. And finally, the shift to cloud first or cluster based architectures help to make all this happen. Open access to models, or those machine learning models, allow organizations to adopt custom algorithms to their attack surfaces, if you will. And then cloud or cluster based operational platforms allow for detection and response assumptions to be developed faster on top of those, employing more scalable and resilient systems. So I think, collectively as we grow, and these two worlds come together, try to shift to faster near real time detection, exposure to data. Those are key elements as well.

Matt Topper: Yeah, but after we started, so seeing the SolarWinds, Solorigate, whatever name we're going to use, depending on what vendor you tie yourself closely to, right, I saw Exabeam very quickly come out and say, Hey, we saw the patterns, we saw the lateral movement we saw, right? Microsoft has published a great article about taking the on premise OAuth or authen. Federation keys, though it was getting stolen and seeing it coming from other parts of the world with the same keys or quickly adding a new Federation provider, and Exabeam like within a couple days of some of those reports coming out or immediately updating their rule sets and rule engines and able to tell customers, hey, this happened to you. Also, that immediately got put into the platform that protected people. It's sadly the same things we've been doing for decades with, hate to say it, right, virus protection on our desktops, but coming to your enterprise services and tools, that has made things extremely powerful. And I think going back to some of the standards, the new continuous access evaluation protocol that I will say, every single vendor on this board is supporting are on the board who start supporting as it's being finalized, right, the ability to have the different pieces of your organization actually tip off your access control systems and say, hey, there's something going on odd with this person. It gives us an endpoint to tip it off and turn things off immediately without having to build these integrations. Right. So LDAP has been around for 20 plus years, Frank talked about SCIM and the RESTful APIs, the OAuth APIs. And now we're bringing that continuous access evaluation capability. I'm excited for the next 10 years of identity and access management.
And we're going I love this industry, as I think everybody knows, but we're starting to be able to do some really cool stuff to make it super hard on the bad guys, more than just promises and fluff that we've talked about in the past. So I guess along those lines, Frank, SailPoint has invested heavily into AI and machine learning, right, and being able to pull some of typical slow role management we've done on premises, looking at the peer analysis through your autonomous identity and intelligence insight products. Can you tell us a little bit about how SailPoint is using those products to better enable customers to protect themselves and be more secure?

Frank Briguglio: Definitely, you know, typical day of the life, right, is we're used to having birthright provisioning and access requests and things like that with a policy model or an access model based on roles. And we're not going to get away from those anytime soon, right? We'd all love to, but we're just not there yet, as an industry. So as we deal with this, we have to figure out a way to fit in this zero trust model better. Identity has finally gotten its seat at the zero trust table, it's beyond the device, beyond just access, it really is become we need to manage the identity better. So some of the investments we've made are focused around making the identity lifecycle process autonomous, making recommendations faster, understanding our organizations that our roles and our access model better. So we're doing this through access history. So as we see access history, or access history change over time, there can be some good tidbits of alerts in there. Why is someone's access changing? Are they headed in the right direction or the wrong direction? When we look at peer group analysis, you know, one of the major problems with role based access management is, one, building the model. And you know, as soon as you build that model, one thing changes, that model's destroyed. It's, there's a Greek mythology, you know, the guy that pushed the boulder up the hill every day and he got to the top, the boulder would roll down and the next day he'd start pushing the boulder again. That's role management. So we're making that autonomous. We're headed that way where we're looking at peer groups, we're looking at access entitlements and building these cluster groups. And as cluster groups change, make recommendations to change those cluster groups of access. And then also, you know, we're in the government, we need access approvals, we're not going to get away from that too easily.
And while we still have these humans in the process of making an approval decision, whether it's new access, or review access, or removing access, using AI, and that same set of data, the access history, access histories, the peer group analysis, the insights, all together to give the approver a better chance of making a better yes/no answer. So it's just gonna continue to grow, the use cases for identity data, and analytics will continue to evolve. And they're evolving at the pace where the zero trust world can't deny the analytics that, you know, between user behavior analytics, and what we're doing in identity analytics is not absolutely the foundation of zero trust.

Matt Topper: Yeah, that's been one of the really cool benefits I've seen for customers in the last year with the AI and machine learning both on the Exabeam and the SailPoint side is from an access certification perspective, right? We've all had that access certification, where you've got hundreds of people that need to be approved. And SailPoint, about a year, year and a half ago started saying, okay, based on peer group analysis, here's the 20% ish, right, you could tweak those up and down, here's all the people that look the same. But you can pretty much ignore the rest of these. And then in the last, really, it's been fixed nine months being able to pull. So that was great, because we knew what people looked like towards their peers. But then we were able to start bringing in the data from Exabeam. Okay, they look like their peers, but they use that stuff, and acts more than the next person. And right, so we've got the not only how do you compare to what everyone else has, but how are you also using it in comparison. So we're really able to pre delegate those certifications ago, you might have had 300 users last quarter, this quarter, here's the 20 people that you really need to pay attention about. And it just makes things so much more powerful, and actually makes people pay attention to security and doing the right thing versus just like it saying, done. Wade, Radiant has been pivotal for many more organizations, not only on premises and bringing their identity and access management data together to be used, but also as people have moved out into the cloud environments. And now we're going to see the continued cloud smart hybrid operations across the government. Can you talk a little bit of some of the challenges that Radiant and the tools have been helping customers with and how they've enabled them to operate in a hybrid world more securely?

Wade Ellery: Definitely. And I think you keyed on the key word there, which is hybrid. If you go back far enough to the beginning of the cloud, you'll find large organizations saying they're never going to move to the cloud. They don't trust it. And there was a wave of word cloud only. And everything is going into the cloud, we're leaving behind our on premise. I think everyone has realized now we're going to be in a hybrid world, you're going to have things that are going to remain on premise, you're going to have applications and sources of identity and systems that are going to be on premise. And then you're going to have a cloud infrastructure, and it's working across those two worlds. That's the challenge for organizations. And if you look at the underlying layer for those challenges, it's identity information. I can move an application up into the cloud, but I need to bring with it the identities that I need, I need to bring my governance processes and my log analysis and my access controls with me, so that users coming in from the internet into a hybrid cloud model get the same level of control and management as the people that were doing that on premise activity. But at the same time, I need to make sure that I'm moving the right information in the right locations. And I may have multiple sources of truth. Now I may have data in the cloud that I need to enhance locally in the cloud and use for certain operations that I don't need on premise, I may have on premise data that I need to share with my cloud organizations and my cloud applications. And I need to be able to move that data freely across those borders in a seamless manner. And that's what Radiant Logic gives you, is an abstraction layer that disconnects you or decouples you from the infrastructure you're on. Radiant Logic doesn't know if you're sitting in the cloud, or you're sitting on premise. For us, it's identity data.
You provided it to us, we process that, we delivered it, and it can be ubiquitously available everywhere. And across multiple clouds now. So we see more and more customers that are in Amazon, they're going to share their in Google, all for different purposes. But it's the same people or some subset of the same people that are accessing those resources. So I need to make that information available and control it. But also then turn around and expose all those actions back to my management plane, so that Exabeam can see what people are doing in all these environments, so SailPoint can enforce the policies across those environments and create a universal or a global view. That's really platform agnostic at that point, and it doesn't rely on a location for the way that operates.

Matt Topper: Yeah, it's been not a simple problem to solve. But Radiant definitely is making it a lot easier. So Wes, we've seen, we're just over a year from all having this COVID work from home hybrid environment. So not only do we have hybrid clouds, but extremely hybrid working environments that we're trying to work with as well, at the same time. I know a ton of the work that Ping has been doing with customers over the last year has been helping them move to work from home and environments out of the traditional office silos of the past, which forced many organizations to push many of the zero trust concepts to the forefront. Could you talk to us a little bit about how the last year's been, some of those challenges that you've helped customers overcome and kind of where we are today and what you think's next for access control across organizations?

Wes Dunnington: Sure. So I mean, I think, you know, we've covered a lot of the basics of zero trust, and what people had to do is they had to say, what controls and what context would make me comfortable exposing these assets, which previously were behind a firewall or accessible via VPN only, to identities on the internet, and we've talked about them already, you know, strong authentication, device posture, IP reputation, all of those things. I think one of the newer things to, you know, Ping, that we've put a lot of work into, as well as our customers are starting to also get excited about, is being able to also look at the actual data. So for example, yes, you have access to a particular kind of record. But if the record is specific to the EU, when you're trying to access it from outside of the EU, maybe you can't get to it. Or maybe you're going through a bunch of press releases or documents or something, but one of them contains a topic that is embargoed from release, you know, for another three weeks or until somebody consents. So not only looking at the roles, but actually looking at the actual data itself is, I think, an additional aspect of context that has really helped a lot of our customers strengthen their posture, because not only are they able to say I know who can get to things, but I also know what very fine grained aspects of those resources people should be able to see or should be redacted or potentially just even blocked. So when you add them all together, you've got, like I said, the ability to build something where people are confident that they are only allowing access when it makes sense, without unnecessarily burdening every user.

Matt Topper: Everyone's home network has become an attack point very quickly, and building that trust. And whether you're at home, in the coffee shop, on a plane or crossing the border to get the heck out of home for a little while, it's all become much more complex, but Ping's definitely making it a lot easier. So one of the things that we really haven't talked about, and some might say is more on the traditional side of identity and access management, but I don't think we as an identity and access industry have done a great job solving it yet, is the insider threat. And lateral movement within networks. And being able to see that I might have logged into my VPN as one account, I SSH into a different account, I su into an account. I dropped cribs by su-ing from root into another account, SSH over to another box. And we've completely lost track of who's actually logging into that box over there, from where and who. And that's actually one of the places Exabeam has, I'll just say it, soared in terms of that verbiage, but and figuring out with the bad behavior and being able to track nefarious users back. Rashaad, can you talk to us a little bit about Exabeam's secret sauce and how you guys are able to do that so effectively. And then some of the actions that have been built out over the last year within Exabeam that can be taken within the ICAM systems to mitigate those threats.

Rashaad Steward: Sure. abstain upon some of the session activity I talked about in the earlier comment. So insider threats can be detected by understanding, you know, how machines and humans normally behave, as you know. And so there's me touching many systems that you just gave a description, you know, switching accounts, SSH, etc. To detect that such activity, an activity will collect log data integrated through different log silos throughout the organization, integrate with ICAM data points, and then employ baseline techniques. We talked about peer group analysis, that's one technique bullet point. Also along with histogram shaping, it's monitor underlying categorical and different types of machine learning techniques that we employ. Once normal data is established within Exabeam data models, if you will, Exabeam's rule detection. And we'll evaluate conditions that represent activities of insider threat, if you will. All those activities are then placed into an Exabeam Smart Timeline with context, known as a session object. That's what we refer to as. And within that session object, abnormal activity, whether it's malicious insider, compromised credentials, or an external threat, whatever it may be, a score within a subset of risk points based on the activity of a user entity has performed. So think of the daily life of that user, an activity that we're capturing and baselining. And comparing that baseline to our machine learning techniques, statistical techniques under the hood, the activity assessment objects then provide all that data to the end user with the risk reasons and will stitch all the event data, providing the host IP mapping, and assigning risk reasons and scores to help uncover lateral movement or activity, if you will, indicative of insider threat. If a session has an aggregate score of 90 or higher, we do that as a vertical session. Now, one key critical piece with Exabeam, we're not relying on static or predefined rules to detect insider threats.
It's all about data model floors, machine learning, statistical analysis, going back to that baseline behavior profile, if you will, along with that not being reliant on the predefined or kin correlation rules. This allows us to scale from under seeing new security attack techniques from both the inside or external. And, you know, we're able to determine day to day legitimate activity versus abnormal activity, which occurs, you know, heavily throughout the operational environment. And then finally, a good last question was in regards to some of the integrations with ICAMs. So, here today, we have SailPoint, you know, one activity that we can do is visit that notable session in the context and response action within the ICAMs. Shown within SailPoint. Specifically, we can pass local sessions as a candidate for mediation, and then actions to disable an account of interest to take place through such an integration.

Matt Topper: Yeah, Rashaad. One of the really interesting things we were able to do for a customer was see not only the risk scores were increasing, but then give notifications to the managers that said, Hey, this person, compared to all the people that report to you, is acting a little bit funny, not only are they different to their peers, but also they're different to their normal behavior, and immediately kick off a certification in SailPoint. That said, we're gonna hold you accountable as the manager, go look at the dashboard, look at what they've done in the last couple of weeks, look at the events that have caused this to raise up. But as the manager, we're gonna hold you accountable, and actually make you certify their access, or use SailPoint to take some things away for a certain period of time until you have an opportunity to go talk to them and really understand what's going on. And just that ability to bring some of that visibility to the line level managers, because we all know the SOC analysts are, as I call it, looking for needles in a needle stack, and don't really know what these people are supposed to be doing and raising that out to the manager. So it's just really changed how the organizations are thinking about security, and making it everyone's problem to solve like we've been trying to do for over a decade. So I'm going to call a little bit of an audible, I think we can all tell that this is a little bit of a geekier side of the panel. So with the identity and access management, the SOC user behavior, analytics, all of this coming together, what are each of you all excited about for the next three to five years? Because anything beyond that is, we're going to have flying cars, finally. Right. So I'll start left to right on my screen. Frank, what are you excited for?

Frank Briguglio: I think this webinar with our great team that we've kind of developed here, where we've come together, as vendors, you know, five years ago, this probably wouldn't have happened 10 years ago, definitely wouldn't have happened. I think industry needs to continue to do this, right? We need to pull up our big boy pants, and really understand we need to make these things easier for customers. And I think that's probably what drives me on a daily basis. I mean, Matt, you kind of expose, we've known each other for 10 years, I'll add another 15 to that, that I've been doing identity in the federal government. And I've watched a lot of maturity. And really, you know, as I've seen this, you know, back from way back when, when we were first considering CAC, India, D, in the late 90s, to where we're at today, and it's the growth that really keeps me going. It's the maturity yet slow, yet it's painful. But I feel like you know, on a daily basis, I get up to make the government successful. I think we'll continue to see changes in industry technology, you know, that are just going to continue to allow us to do our jobs better as security practitioners to make our customers successful. 

Matt Topper: So we'll go next to Rashaad, you're probably coming from a very different part of the industry and your thoughts on how this is all gonna come together. So I'm excited to hear what your thoughts are. 

Rashaad Steward: Okay, putting me on the spot there. So just from a maturity aspect, that what we're talking about today. Yeah, ICAM integration with you, either. For the year, I'll express, I'm just excited to see where that's going to go. kind of think of the movie Minority Report where they did all the crazy stuff on the screen. Hopefully one day, we get to a point where these solutions bolster, you know, come together with continuous development through the open API integration, things that we talked about, were going to scale, at the click of buttons, take of action, have a full remote Minority Report of everything that's going on, and be able to mitigate that in a much faster space and time. It won't be today. We're making great progress today in that space, but yeah, that would be kind of on my bucket list, or, if you will, to see in the future. 

Matt Topper: I think Frank already said he's got to 15 years, at least doing this in the industry. And I think, Rashaad, you're probably closer to me. So let's hope we get it fixed by the time Frank retires, for sure, by the time we do it.

Frank Briguglio: Well, I was adding 15 to our already 10, Matt. I think you were still in high school.

Matt Topper: So Wade, what are your thoughts, Radiant brings a very unique perspective to this being able to connect everything the way it does. 

Wade Ellery: What I'm excited about. And actually, you know, if we're looking at it right now, we've achieved video phones, which was something that 20 years ago, we're supposed to have any minute. So I'm hopeful for flying cars, I think it's around the corner. But in terms of identity management, what I'm actually excited about is that we have as an industry now, a buzzword that actually has a chance to impact everyone and increase security. And so zero trust architecture, it's still early in the growth and adoption, but we have people commit to customers, we have vendors, as the folks on these screens are committed to supply the architecture that's necessary to deliver that idea of zero trust. And I think as we move in that direction, as we get towards applications that understand the granularity necessary to deploy zero trust architecture, from end to end, we're gonna see a monumental shift in the level of security we can deliver to customers and the amount of assurance we can design into the applications and into the infrastructure. And that, again, for us is exciting, because it builds the value of all of our solutions, the ability to have a rich, full contextual view of the user to make really granular decisions about their access and be confident in the right user doing the right things at the right time. But also be able to do enough behavior analytics and collect enough behavioral data to be able to recognize that anomaly when it happens. Or you mentioned it, you know, on a day one, you can do peer comparisons. And now we're getting closer and closer to those things where we can actually look at someone's daily activities and predict reliably what they should be doing. And notice when they're not, or it's not them. The one I go back to is the water company in Florida, right around the Super Bowl where their water system was hacked.
And somebody was changing the sodium carbonate in parts per billion on the water, poisoning the water, basically. Luckily, an attendant was sitting there watching his screen be moved by somebody else. But if we had gotten to a point of behavior analytics and implemented that platform there, on that level, the system itself would recognize this is an anomaly outside of the scope. I've got controls in my policy enforcement engine that says, No, you can't do this. And that would have been halted right on the screen, regardless of how compromised the external system may have been. So I'm really excited that we're moving towards that model where we're going to be able to build in levels of assurance that are dreamed about today that are really within reach, I think.

Matt Topper: Yeah, absolutely. And as you said, right, I think we'll get to the user models very quickly. But the non-person entity models will be very fast behind it, because of the way we've modeled that data, right, Wes, you all at Ping already have a very strong API protection tool to do some of that stuff. And I've seen it deployed and within days, like patterns are already being applied that are stopping things in real time. I'm not going to kiss your butt, but like incredibly impressive stuff in the field that we would not have detected in the past. What are you excited about though? 

Wes Dunnington: So as we've talked about, there's a couple different things. And there are different corners, but they all sort of coalesce together. And one of them is, as we talk about UEBA, or any sort of probabilistic analysis, you know, which is like what PingIntelligence is, you're looking for patterns. And you're looking, there's certain things which are indications of compromise that are clear, like, you know, access tokens suddenly zooming across 15 different IP ranges, but attackers are also getting smarter. There's a little bit of a spy versus spy thing going on. But one of the things that has also made me happy is that customers are getting comfortable with tools that are probabilistic. Because three years ago when you talk to a customer, and they say, Well, what is it going to trigger at is it not under what conditions as in when it's like, well, I don't know you know, you have to 72 different conditions come together with tunable confidence factors. And at that point, they were just hearing the Charlie Brown parents talking, you know, wah, wah, wah. And now they get it that everything, frankly, is probabilistic. I mean, you're probably Matt, but you know, the Matt could have been replaced by a space alien yesterday, and you know, you're just doing a good job. So what is your level of confidence, and either that something is what it says it is, or, frankly, that something's wrong. And then you should now analyze it, or block on it or whatever. So that whole just getting more customers getting more comfortable with that is important. The other ones is the I'll put a plug in there for what are the standards, the small miracle that is, you know, FIDO and WebAuthn, where you now have in your phones, an authenticator that uses biometrics, it's low friction, and can actually prevent people from doing what they actually wanted to do, which was to enter their credentials on a phishing site. You know, and so that's a big lift.
And so the improvement in security around that is, you know, not to be, you know, trivialized. And then last but not least, is there sort of riff on a point that Frank made is that the standards continue to evolve, they continue to take us to newer and better places, I mean, a couple of years ago, was weird, I think we reached that low point where it's like, it didn't feel like a lot was going on. And now I just see a huge acceleration. You know, I think one of the you guys talked about CAEP and RISC as a way we can all collaborate on signals. There's things like FastFed, where you can very easily set up a secure connection, for provisioning or for single sign on without having to be you know, the business expert. There's all kinds of ways of getting more, you know, contextual data with PAR and RAR. So once again, the standards bodies are looking at what people need and want to do. And, you know, we're all sitting there, you know, I sit on a bunch of the committees with, you know, my brethren from SailPoint, and everywhere else, and we're looking to make people's lives better, but also to cooperate, you know, in the best possible way between our products. So I think you'll continue to see that evolution of new ways that we can collaborate and add value, because of these emerging and maturing standards. So that's the things that excite me right now.

Matt Topper: So IAM is predicated on unsolvable math problems, right? At the end of the day, the encryption we use, what happens, and we've already seen it, right, our keys keep getting stronger, the digits keep getting longer, if some of those problems get solved? And the hardware side gets to a point where we can start solving these things extremely fast. And we essentially lose trust in those hack based authenticators that we've built many of the government things on. Wes, I think you're by far the best to answer this.

Wes Dunnington: Yeah. I mean, certainly, as people look at things like blockchain, don't put anything on the blockchain that you're not willing to make public because people will have all of time and compute resources to crack it. So along that line of thinking, you look at how much data do I have? How secure is that data? And how long do I want to hang on to it or render invalid, and there are ways to re-encrypt stuff, one of the things we're actually working on is having distributed identity. So if you don't want information stored centrally, and you've got appropriate secure enclaves that can be trusted by, you know, third parties, you store it locally. So you know, people can't get to it, they can't crack it, and you're exchanging it, you know, one time in a sort of transitional manner where it's not persisted anywhere, except between you and the other guy. And hopefully, the other guy is smart enough to get rid of it as soon as they acted on it, which I think is also a good thing for anybody out there. His first rule of security is, people can't steal from you things you didn't hold on to in the first place. So don't hold on to data excessively, think about what your data retention policy is and what you truly need. So that's really how I answer that, yes. How do we, you know, when we get to quantum, you know, computing, and we can crack all of the ECC curves and everything, we will evolve both the better encryption, as well as being smarter about not having the data hang around for as long. So that's really my perspective.

Matt Topper: So we'll just add more math problems to the math problems to make it harder to solve them. 

Wes Dunnington: There are a lot of surprising people. I mean, I'm in Boston, you come out of MIT, but you know, Stanford generates a few too who love solving hard math problems. So we got to give them something to do moving forward.

Wade Ellery: I think, Matt, to that same question. There's, there's something I'm starting to see now coming out of the DoD, which is the concept of buildup, tear down. Don't leave data laying around for someone to find over a period of time I have a mission. It's got a duration, I build my environment for the mission. I operate that mission. I tear it all down and it never existed. And now my attack surfaces are getting much smaller. I can spend more time building very tight controls around my centralized data that I build from, but I'm not distributing it and copying it everywhere leaving telltale sets of it around for people to attack. So that seems to be another paradigm where that can apply in many scenarios where I start to look at just on time data, provided for a purpose, and then taken away when it's no longer needed. 

Matt Topper: Yeah, but absolutely. So as we're getting towards the end here, I'm gonna throw one question out, we were actually all on a recent customer call, where we presented the combined architecture. And the person on the customer side said, Wow, you guys really do have the zero trust reference architecture for the federal government already put together. And I know Frank, and I both kind of went, yeah, I guess you're right. Like, it doesn't hit us that way. And this kind of goes back to some of the other things we've said in the past of, there's a ton of building blocks already within the organizations that we all support, whether it's from the vendors that are here on the panel today, or other ones that do similar things. So don't throw the baby out with the bathwater, and just say, I, we're going to replace everything, because we have to go to zero trust. A lot of organizations already have those building blocks in place, don't let some vendor tell you, we're gonna spend three years replacing everything and promises it'll work, then bringing that back a little bit is as organizations are moving forward with the zero trust model, the beyond Corp, beyond prod models, what is one piece of advice that each of you would give the people watching this webinar? Of course, starting down that path to make sure they're starting off on the right foot? 

Frank Briguglio: Yeah. And, you know, I think you nailed it, Matt, I think in our industry, we've been saying, you know, as identity practitioners, we've been thinking the identity is the center of security for quite some time. To hear the rest of the security community say identity's the new perimeter is actually a, you know, a tip of the hat to all of us, you know, to get started in, I know, it's going to jump on this one. It's all about the data, right? It's all about the identity data, we can't get to dynamic authorization of any format with any kind of confidence, unless the data we're using in those policies is current, accurate, audited, controlled. And really, that's the foundation. So my recommendation, and I've heard this on calls with Department of Defense, federal civilian, intelligence community, I work globally. So you know, literally, I had this conversation in Australia last night, about the processes, the controls, the policies are only as good as your data is. If you're saying blue shirt lets me in, you better ensure that I'm wearing a blue shirt every day. If something about me changes, then my access needs to change too. So that's gonna be my leave behind is yes, the identity's the new perimeter. And it's all about how we use the data and the data is accurate.

Matt Topper: Amen to that. My history, before identity, it was data warehousing, so we'll go to Rashaad next to talk about his thoughts on zero trust and how to move forward.

Rashaad Steward: So as you look at zero trust, from, particularly from a UEBA perspective, from that lens, I would suggest your architecture integrates with an analytic solution that has the ability to show normal behavior, that is very critical and crucial. In addition to showing normal, this chosen solution should have the ability to execute actions that we've talked about before the integration itself when detection is part of storage, responding to the threat is the second part of that, you still need to be able to respond to your threats and employment remediation techniques fairly fast. So those would be my two takeaways, as you can as eta approach.

Matt Topper: So Rashaad, I'm gonna ask you real quick, when you all are going into new customers, right, majority of the time, they either have Exabeam as a SIEM product or another one of the competitors, when you're laying some of this user behavior analytics tools on top, how quickly are you able to start seeing some of these changes that then can be used by the ICAM tools?

Rashaad Steward: It's right away. So it's all dependent on how fast they can get the data to us. Typically, you know, for looking at two scenarios, from a pilot perspective, you know, 14 to 30 days of baseline activity, if you will, we go into production, it's more of a 30 day side, but all that's catered upon how fast they can get the data to us. So if you look at it from a SIEM augmentation, but we can hook right on top of some of the vendors out there like Splunk, etc., sit on top of those, make API calls, they already have, you know, months and years of data centers, we can pull that data in, we can start to build the baseline and then automatically score within a couple of hours.

Matt Topper: So I mean, amazingly enough, right, you can get the data pulled in from however long the history is for most SIEM tools, you can get the what the people have been granted access to data from SailPoint within the same amount of time, as quick as you can shove the data over an API, and then use Radiant Logic to expose that data. So Wes and the Ping team can actually use it to start enforcing policies, literally, like, face the insanity that we can actually say that today is the lesson

Rashaad Steward: That goes back to my Minority Report, which was right. Rapid response. So.

Matt Topper: Yeah, so Wade. Wade, I think Frank stole your thunder, because it's always been all about the data and getting it right. But what are your thoughts? 

Wade Ellery: Well, I will give a shout out to Frank to thank him for pointing that out. And again, I agree that having the right information is critical. But also say for people that are looking at a zero trust architecture, as you mentioned earlier, take a look around what you have already. If you're looking at the folks on a screen, you've got an IGA platform like SailPoint in place, you've got a big chunk of this available to you already. If you've got SIEM systems that are pulling in log data and correlating that, building this data lake of audit trails, you got the feel for Exabeam to start doing things day one. If you've got Ping in place already, you've got an enforcement tool to be able to take this information and act on it at the perimeter very quickly. So it's a journey, you're not going to do zero trust day one. But you've already got pieces to play with, you're not looking at start over, you're looking at how do I take what I have? Integrate it more efficiently, and then enrich it as I go along? How do I add what pieces am I missing? Where am I weak? How can I fill that data? And do I need more sources of identity data integrated into my platform? Do I need a better set of policies for my access control? Do I want to expand my Access Management layer to more applications and more customers and then move this as a journey as opposed to just a one-time process? Because this is a continuous improvement model that as the technology improves, and your implementation improves, your results will improve. And that's available to everybody even wherever you're starting today.

Matt Topper: And Wes, I will let you wrap us up. 

Wes Dunnington: Yeah, unfortunately, Wade mostly was looking inside my head is saying that it's a journey. Think of it as a staircase, you're rarely starting from scratch. Where are the rickety steps, you know, fix those up, you know, the weakest steps, and then go back and build a really cool granite staircase. Don't just try to start from you know, zero unless you really have to. So that's it for me.

Matt Topper: Awesome. Well, I know I had a ton of fun chatting with everybody today. Thank you everybody for your time. 

Speaker 1: Thanks for listening. If you would like more information on how Carahsoft, SailPoint Technologies, Ping Identity, Radiant Logic, or Exabeam can assist your organization, please visit www.carahsoft.com or email us at Corisha.Smith@carahsoft.com. Thanks again for listening and have a great day!