You're listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff. And that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad. Yourself? I'm good. I was wondering, is it too
late to say Happy New Year? You know, I was on a call yesterday and I feel like, you know, all last week it was Happy New Year and this, this was words of Williams, I think it was Brian. And I was talking to is like, well, you know, I kind of said Happy New Year that way, are we still doing that in the second year of the, of the new year? He's like, well, last week was a short week because most people had Monday off. So going to wow it.
As far as Monday. Now, what I don't know is I'm going to do it today, Tuesday, or if we were just kind of, we've moved on. Yes, it's the new year. Let's just keep it as it is. Yeah. It's like about this, right? We're recording in advance. So we say Happy New Year. Now it really is dated by the time this goes live and then by the time somebody maybe listens to it, it's like, you know, could be summer.
I mean that's that's how people listen, as I think this will go out, probably like January 23rd episode 196. Theoretically, unless something changes in scenes, but, yeah, it's tough to be timely on some of the stuff. So, we're getting close to 200, and I'm gonna do we ever have a conversation about Christmas gifts? I think we did. I think we touched on it, right? But one thing I didn't didn't mention this.
Yeah, that's right. Your Sweetwater talked about my stickers, but I never talked about my chair and the reason I thought of it about it this morning is that, you know, I've been getting by for about a year with a squeaky chair and I bought a Herman Miller chair. And I talked about it on the show before because most like, embarrassed, I spent 1600 dollars U.S. on the chair and this was before inflation. So it is an expensive chair. So that's like 40 grand chair
now. Yeah. Right. Exactly, exactly. I could trade it in for a BMW or something, but you know, the issue with the chair is, like, it was squeaking and I tried to hit it. Yeah. You know, I tried hitting it with the WD-40. It didn't solve the problem and what happened was I contacted Herman Miller, it was under warranty.
So get this, you know, rather than saying, well, what you need to do is XYZ, they used FedEx to send a box to my house, I put the chair inside the box. FedEx came, picked up the box with the chair in it, brought it back to Herman Miller, they replaced the part that was squeaking. And now they're going to ship it back to me. Now, the good and bad. I mean, like, it's like wow.
Like, they spared no expense to fix my darn chair but, you know, I'm also without a chair for like two weeks while this is all happening, and it just kind of seems like an odd way to go about fixing the problem. Yeah, I guess, I guess advanced replacement, maybe that's something that I've done in the past for like laptops or stuff
like that would have kind of physical issues that can't be solved for software, like yeah, okay, send the chair and then take your chair and put it in the same box and then send that back would seem to me to make the most sense. Laptops are kind of small, chairs are big. Yeah. Oh yeah. I know, I, I treated myself to a chair as well. Yeah. Yeah. So anyway, I'm excited about the new year kicking off. Really looking forward to the
conferences. I mean, we talk about this every week, but let me get the word out and get people thinking about like setting their conference schedule or agenda for the year. I think, you know, anyone who follows us on LinkedIn realizes by now you and I are co-hosting a session along with Henrique, you know, and Becky from Gartner. That's going to be during the Gartner conference, Gartner IAM Summit in Grapevine, Texas,
March 20th through 22nd. I'm not even sure exactly what day our session is within that, that range but certainly don't happen within that range and we are super excited about that. Yeah, we'll have 30 minutes somewhere in there to bring the Identity at the Center show to the Gartner stage, which is
very cool. I think it's a point where I start, start to crowdsource some questions here from our audience and what we want to do about, you know, we're gonna have an opportunity to really grill Henrique and Becky so we can get tough and we can have a good conversation about it and you know maybe and the goal is to have really something different than your normal sort of Gartner presentation or session, whatever may be especially if it's sort of like off to the
side and it's not really like a keynote. So I'm hopeful that we'll have a very good time and it'll be a little bit different flavor and kind of be. And if it's the right word, but like, the like the anti session, if that makes sense, a are the normal programming. You may not learn anything, but I hope will be entertained like the unconference. I was popular for a while or so like you show up. You have no idea what you're going to talk about. I don't think we'll do that
though. No, I will have, will have a good time at this. We got Gartner coming up, we've got the European Identity Conference. We talked to Martin Kuppinger a couple weeks ago, we've got Identiverse coming up. So yeah, I think now's the time to get those budget requests in, try to point out that calendar or, and you know, see what you can do to attend stuff like that. So it seems like it's very
heavily front-loaded this year, for some reason, and RSA is coming up as well, in April, I think it is, or maybe it's May. So I'm going to try and I think it's April actually, so I'm going to try and hit that as I kind of usually do. But yeah, put it, I put the bug and I put a bug in Daniel's ear. Daniel is our partner within RSM, who Jeff and I both report to and, you know, I take the lead on, kind of like trying to help put together the strategy
for external marketing. So that includes like conferences so I'm like let's, let's all go to RSA. Obviously it's not like an endless budget for going to conferences but it's a fantastic opportunity to network and know what's going on within the industry. So I mean it's dollars well invested but you know, gets expensive after a while especially with all the travel and entertainment that goes along with it. Yeah. So we don't do normally commercials for ourselves.
But yeah, if you need identity consulting, come talk to Jim and I. That helps us get to conferences which means we can bring the Identity at the Center podcast to those conferences, typically, and do some sort of, you know, on location recording. So shameless plug there. Anything else coming up that we want to get to, or should we get to our guest? Why don't we get to our guest? I don't want to like, you know, eat up all of our time with our banter. Yeah, our mindless banter.
Let's talk with Mickey Boodaei. He's the CEO and co-founder of Transmit Security. Welcome to the show, Mickey. Thank you, Jeff. Thank you, Jim. It's great being here. Actually like listening to your opening statement. So first of all, like I'm sitting on probably the most uncomfortable chair that was ever built, but it's part of the office design and the designer is my wife. So you know, I'm stuck with this chair but I kind of like learned to, to like it.
You know, the other thing that you've mentioned is Gartner conference, which is obviously a great conference. And this is probably, you know, a good opportunity for us to introduce David Mahdi who was previously Gartner identity and access management analyst, who has just joined Transmit and he's starting in about a week. So I think by the time that this is going to air, he will be, you know, part of our team. And, lastly, you mentioned RSA, which is very funny.
But like I, I, the first RSA I attended, the first conference was in 1993, I believe, which was probably one of the first RSA conferences ever. It was so tiny back then and you know, I think the last one I actually, you know, I attended was about like, you know, just, just before COVID and it was so huge.
Like, you know, this one, and I keep kind of like looking at the RSA conferences, I kind of like, it's interesting to see how the entire industry of cybersecurity has evolved since like you know the early 90s to, you know, these days, it's pretty amazing. What keeps growing and growing. You mentioned RSA being so small and now it's a huge thing. I think it's something like 20 or 30,000 people sort of all descend into downtown San Francisco.
And yeah, I was there at the same one right before. Sort of the pandemic sort of hit it was like right at the very, very beginning and I remember getting that notifications, okay? Someone was at the conference and there was, you know, an infection. So that was sort of like, I think the, the closing Ceremonies for the conference circuit and that kind of reopened maybe, like, around this time. Last year when I was at RSA, you last year, as well.
And it felt like it was, there was excitement. I think, I think people were kind of, like, okay, we've been cooped up for a couple of years. Now, let's kind of get out there and, you know, No. Yeah manually. Yeah yeah it's pretty amazing. Like and everything's getting back to normal like even China is getting back to normal you know. Like that's that's a big event. Yeah. So I want to touch on something.
You mentioned, you mentioned about your uncomfortable chair and that's sort of like the office design and I got to ask questions. So if your wife designed the office and the chair is uncomfortable, is that so that it, like, forces you to, like, stand up, move around KT, KT office all day. No come home or was, is that like a subtle nod? Like, hey, you can't work 24 hours a day. Let's do other things too.
Look, it's, it's probably the cheapest chair that you could imagine, but it goes well with the decor of the office, like the entire design. So it's all about how it looks rather than, you know, how it feels. But yeah, you know, like, I'm mom mostly when I'm in the office. So I'm, you know, moving around between meetings. So you know this is probably going to be the longest that I, I'm sitting on this chair today.
So you know. Well, let's keep on pace here so your back thanks us later or doesn't blame us later. Anyway, this is the first time you've been on the show with us and one of the things I like to do when we talk with new guests is we kind of find a little bit about their identity background and how they got sort of into the infosec space and identity at large. Can you take us through sort of your journey from the beginning? Did you get into identity?
And I don't think we need the whole Wikipedia entry, but maybe something that kind of explains, you know, here's the context that you're coming from. Because obviously, you've started up a couple companies now at this point and now you're at Transmit Security. I'm just curious if, if something is identity something that you chose or did it choose you? All right, so you know this story goes back to when I was 18 years
old. I'm 50 now, so as you probably know in Israel we have like mandatory military service and you started that when you're 18. So I joined the military when I was 18. In this part of, like, the process, I was screened for its cyber security unit in the, in the military. I then went to learn computer engineering and the first thing that I was assigned to when, you know, my first day in, in the unit was this, like, huge book and this book was
RACF. For those of you who don't know it, it's like the access control system for mainframes. So like, you know, for, I remember that for a month, I was like, you know, reading the book, trying to figure out what's going on there. So this is mostly identity access management and then my first project in the military was implementing RACF-like kind of, like, concepts on Unix systems. Right, it was like, you know, before Linux, it was like Unix systems.
So since then I moved between, like, different disciplines of cybersecurity in the military: firewalls, intrusion detection systems, data security, and then right at, like, the last two years was around application security, web security.
So when I got out of the military, the first thing I did was starting, you know, a company around application security and it's kind of like started my low whether entrepreneur, but yes, identity was the first thing I ever touched in my career and it's a rough entrance, RACF. I remember that back in the early 2000s, I guess would have been for me, administrating RACF access for, for that. Not my most favorite thing to do in the world. Nah, not at all.
Like yeah. Took me a while to get back to identity. Yeah. So for those not familiar with Transmit Security, I guess help for the folks that are listening out there. What's the 30-second or 60-second elevator pitch for what
Transmit Security does? Right. So Transmit Security provides end-to-end customer identity services, mainly for large enterprises, so our customers are like, you know, Citibank, HSBC, JP Morgan, Roger is a lot of these large down giants, and the services include user management, authorization, advanced authentication, risk, trust and fraud, identity document verification, identity orchestration, so pretty much
anything around customer identity, and what's unique about us is that we're experts in cybersecurity.
So our platform is built ground up for enterprises that want to keep secure yet move very, very fast in terms of their identity journey. So we're going to get probably to talk a little bit more about the CIAM aspect here, especially on the risk, as I read an article where you were mentioned in it. And it mentioned, I think there was a quote and maybe you can kind of help me understand the context of this, was you mentioned being kind of thought
of as, or at least the goal was to be, the Google or Meta of personal security in the digital world. Can you tell me what you meant by that or maybe there was context that was missing from the conversation? Well yeah, thanks for, for this question, Jeff. It's, it's a good opportunity to clarify, but I'm not comparing ourselves to Google or Meta, but what I'm like saying is that I'm inspired by the way
they build their brand. So for example with Google, right, it's like Googling is a term, right? Like, you know, you're not searching the web, so, so you know the way. Yeah, I do, you think about being Google is Google search and search is Google. So for me to kind of like set goals for Transmit Security around identity, what I really want to happen eventually is that large enterprises, when they think about their customer identity, they think about
Transmit Security. So that's kind of like the way I present it to, you know, everyone wants to listen to the video. Well, you picked a good name in Transmit because you think about it was like, okay, well, we're transmitting our identity, we're Transmit Security, so I'm not going to your marketing for you definitely.
Don't want that. But anyway you're based in Israel and you know, been very gracious with your time with us and I'm curious because we talked with a lot of folks in the infosec space and it seems like Israel is such a hotbed for different cybersecurity startups and things like that. I guess why is that? What, you know, what is the, the culture there or whatever other, you know, winds kind of that help with that? Right. So I think it's a combination of
probably two main, main things. The first one would be the, the military. As I said, like, you know, we have a mandatory military service, which means that everyone at the age of 18 goes to the military and then in the military, the different units just decide where you go. So you know, some of them become pilots, you know, they, they, they want to, but also the military needs to, to decide that, you know, this is, you know, a good seat for them.
But then like, you know, cyber security units within the technical units are, you know, typically the most prestigious units in the military and they get to pick their talent first. So if you think about it, the entire talent that we have in Israel, the cybersecurity military, I get to choose the ones that they want, so everyone goes there, like, you know, the best talents, and then in the military you really get an opportunity to work on projects that you would never get a chance to work on in
your civilian life. The things that we do in the military, they are, like, almost incomparable to, you know, what private companies are doing. So you get like a lot of experience very, very fast. Definitely for someone who is a junior developer or junior researcher, they will never get the chance to do that in any other part of the world. So you know military service could be anywhere between like, you know, three years to six years. This is, this is like where most people most years end up.
So after like, you know, four, five, six years in the military with a lot of experience, you know, these guys just go out and start their civilian career. And typically, what they want to do is to keep on doing the things that they're good at, which is cyber security. So you see a lot of cybersecurity startups in Israel, you see a lot of big companies that, you know, are in cybersecurity.
So you know I think it's kind of like culture right now in Israel where you see most of the technical talent going into cyber. So Mickey, we, I mean, Transmit's been around for quite a while. I mean, the buzz, I think, lately that I've heard is really, you know, passwordless for customer identity and access management, or we, that's, you know, probably if somebody asked me what Transmit does, that's where my mind would go right away.
But early on, it was a focus on orchestration. Orchestration can mean different things to different people. They, for example, we had Gerry Gebel on the show in November talking about what they're doing over at Strata and they're doing orchestration. It's quite different. I'd encourage anybody who's listening who's interested to understand the difference to go back and listen to that episode.
But you know, I think the orchestration that Transmit was focused on early on and probably, you know, still makes up a big part of the stack is what we call security orchestration and automated response, or SOAR, as kind of a product area. Is that, what, am I getting that right? Or is it something else? It's not exactly that, but, like, you know, to really understand what identity orchestration is, it's better to understand like, you know, kind of like the history and where we come from.
So it's around 2007, my co-founder Rakesh Loonkar and myself, we, we started a company called Trusteer. Now, Trusteer was eventually, got acquired by IBM and it's now part of IBM Security, but what we did there is, like, we identified very early on that the next big thing in terms of attacks against organizations and specifically financial institutions is going to be
malware and financial malware. Now, this was even before financial malware was even invented and that was probably a year here and asking for the first one, like Zeus, was invented. So we started a company, we started building like, you know, the defenses around it. And you know, then when the actual, you know, let's say the, the actual attacks against banks started to happen, you know, like organizations were looking for solutions.
And this is where we basically came in with the ability to identify fraudsters and, you know, that, that are leveraging malware against banks' consumers and be able to alert to the bank that, for example, a certain consumer who is now trying to bank online is infected with a financial malware that could eventually steal credentials or, you know, make transactions and things like that.
So the signal was very strong and, you know, was, we were very successful with that, but as we kind of like wanted to build that into mitigation controls, okay? Like you know, you get a signal, you understand that there is something bad happening, how do you stop it, right? The way to stop it is through, perhaps, stronger authentication or restricted access. So these are kind of like, you know, what you want to, to do as actions because when you look at
consumer identity, right, it's different than workforce identity because you still need to, like, allow your consumers to, to log in and do stuff, so you can't just keep blocking people based on, you know, all these signals. And we're talking about millions, sometimes tens of millions of users per organization or per application. So to automate all that we had to kind of like blend our signals with authentication actions and authorization actions
and we wanted to, to do that. But you know, based on the architectures that our customers had back then it was really, really hard to do. Like how do you blend their IAM stack into the signals that we're giving them and change the authentication on the fly based on these signals? So it could be like, okay, when the user comes to transact or do something during the session.
You need to challenge them just because you see you're picking up different signals, or when the user is opening an account, during the process, you want to change the experience and introduce more friction because you're picking up these signals, and it was impossible to do. So it was like, okay, we need to do a lot of coding in the application and these are very difficult applications to touch. And these are very sensitive places to touch and like, you know, you need to bypass the entire
IAM architecture to do that. So you know, for years, I think like three or four years that we, we actually tried to implement this concept. It was impossible for us to do it. So eventually, what we decided to do is we want to start a new company where we can glue together all sorts of signals about risk with authentication, with authorization, in a very easy way
for the application. So think about it as kind of like an abstraction layer that sits between the application and the IAM stack, and most organizations that have a lot of solutions in their IAM. So we sit in between and we can take the signals and then operate the different actions like, okay, you need to do this type of authentication or we need to restrict your access to specific parts of the, of the
application. So this is how the concept was born and when we started to present the concept to customers and to, to analysts, you know, I think David was like, you know, the guy that I mentioned earlier, they came up with the kind of like, the category of identity orchestration, okay. So this is like, you know, you're orchestrating the entire IAM stack and this is how it all started.
Yeah, that's really interesting. You mentioned a couple key terms I want to pick on, but overall the impression that I'm getting is really, you know, this is all comes back to risk and gauging the risk of the authentication session event, and let's be frank, different organizations, different industries, have a different tolerance for risk. You mentioned, you know, if you're in the customer identity, you don't want to just keep sending people away because they
represent some level of risk. You know, as a workforce, people are going to keep trying until they get in, right, for whatever reason, will call the help desk, but if it's somebody wants to buy a sweater or sign up for a cell phone service, or transact with their bank, those are three different levels of risk and they probably want to turn people away based on different levels, or make sure I'm getting that right?
And then talk to me a little bit about how these signals that you talk about, what are some of the examples of signals and how does that play into determining that risk? Yeah. So first of all you're, you know, absolutely right that different verticals have different tolerance to, to risk and, you know, account takeover
in general. So traditionally the financial sector was much more sensitive, or is much more sensitive, to the risk and this is why you see like all the controls and much better or stronger authentication processes with financial institutions than you see, for example, with retail. But even, you know, with retail, what we're seeing recently is that there are two main reasons why they're trying to look at that more seriously.
The first one is customer experience, so think about like, you know, your account, you know, getting and or you know, your credentials are stolen, someone gets in your account with a certain retailer, you start getting like, you know, these emails about like, is it you, is it not you? Do you want to stop it? We had a breach, we had something, so it's like it.
There is damage to the brand and this is something that they want to, to avoid, and the frequency and the kind of like, you know, the amount of attacks that they're seeing today in retail is not comparable to what they used to see, probably five, six, seven years ago. So as this increases they're starting to look at this more seriously to, you know, improve their other brand and like, you know, their entire operational,
you know, cost. But you know, in terms of the attacks themselves, it's a lot about, you know, account takeover, so account. Typically you would see, you know, someone, like, there are kind of like typical ways of doing account takeover. So we're reading a lot about
data breaches, right? It's like almost on a daily basis that we're seeing even the, you know, the biggest brands being breached and like, you know, customer data is going out and, you know, is probably available in the dark web, and what cybercriminals are doing is just like, you know, downloading this data and, you know, starting to do things like credential stuffing, which is, for those of you who don't know,
it's like, you know, you're taking a database of usernames, like typically email addresses, and their passwords from a specific website and then you go and try the same credentials with other websites. And the assumption is that customers are using their credentials across multiple websites, which is typically a correct assumption.
And so they go and just try these across multiple applications with huge databases of customers and they're able to, you know, get into your, into your account even though you did nothing wrong, other than using the same password across multiple applications.
So this is one attack vector, for example. The other would be, another one which is very interesting would be social engineering, and this is something that we're seeing more and more, which is like, you know, someone calls you pretending to be your, you know, someone from the bank or someone from law enforcement agencies or, you know, even your telco provider and they tell you a story that you believe eventually that you need to do. And this something could be, you
know, as bad as like you need to move money from your account to this account because, you know, this is a backup account and something happened and for security reason you need to do that. It really, it really depends on the creativity of the, you know, of the attacker, of cyber criminals, and they are quite successful in that. So, obviously the more practice they get, the better they become in telling these stories and finding the right victims for it.
So this would be like, you know, a couple of the attacks that we're seeing today. Also you know, you're seeing things that are more geared toward bypassing two-factor
authentication. So it, you know, this is funny, like you know, when two-factor authentication is kind of like, you know, recent in terms of the adoption rate of two-factor authentication. Even though it's been with us for many, many years, only, you know, probably in the last five years or so we're starting to see organizations really adopting two-factor authentication and typically with an OTP, typically over, you know, SMS or email or a specific application to do that.
And you know, as soon as, you know, fraudsters realized that, you know, this is, this is what organizations are doing, they immediately came up with man-in-the-middle attacks, like, you know, stuff like they invented it, right? Like these attack vectors. I can tell you that, you know, we've been experimenting with them like 20 years ago.
So, everything was known but like, you know, sometimes like the motion is, it's like, always like, you know, for me, it's like you're watching something in slow motion, right? It's like when you're watching something in slow motion, you know what's to come next because you get like a lot of time to
think. So with, you know, for example, with two-factor authentication it was pretty obvious that as soon as everyone is, you know, starts to adopt it, you know, fraudsters will be able to bypass it very easily. So we're seeing a lot kind of like man-in-the-middle phishing websites where, like, you know, the phishing website asks you for the, the OTP code and then the fraudster goes and completes
that, and a slightly more advanced attack would be a SIM swap, which is becoming easier to do now with eSIM and the fact that you don't need like a physical SIM to, to pretend to be, you know, to take over a different phone number. So the, the actual mobile operators are being a part or being, you know, a step in the attack itself.
So we're seeing a lot of that typically. Yeah, you hear a lot about the evolving threat landscape and I think evolving may or may not be the right word, but evolving to me is like it's not revolution, right? There's not a whole different set of, you know, from year to year how these threats are manifesting. It's interesting. Every time you look at one of these reports of, hey, let's recap the year, the data breaches that have occurred, it's phishing as social engineering.
It's like the most common denominator, and it's kind of sad that it always kind of seems to boil back to those those Basics. But it's interesting because I was thinking as you're talking, there's, you know, if we just want to Super simplify it, there's really kind of two. Types of actors. There's the single actor that you talked about. That's how to be the harder one to stop, right? Because now neither, they're hitting it from a normal browser.
They've got a regular IP address might be out, you know, that they probably have some Shadow of Doubt behind them but they're probably harder to detect. The other type. The other bucket is the campaign. It's we just Downloaded 50,000 accounts from the dark web and now we're going to try to hammer every website and you can do. So they've really have a shadow behind them, right? Maybe it's the same IP address, maybe it's a thousand login
attempts per minute. Talk to me a little bit about those kind of scenarios because I think that that's what the signaling is all about, right? It's identifying or detecting. That That hey, this is a malicious actor or you know, a campaign that's going on, right? So you know it with campaigns.
If it all comes to automation, when you want to do something like a thousand times ten thousand times sometimes millions of times against a specific application or across applications websites you need good Automation and you know the signals that you want to pee During the, you know, the detection phase are all around automation. So you mentioned, you know, frequency you mentioned, you know, the ability to understand that, you know, perhaps they're
coming from the same IP address. I would say that, like, you know, they're much smarter today than, you know, than just that. So like, you know, these kind of like basic signals are not enough to take these campaigns. What you actually need to understand is how automation tools work. So you need to, like, you know, map the different automation tools that are available to cybercriminals. You need to research them, you need to figure out how do you identify the specific behavior of each
one of these tools and build kind of like the right, you know, the right detection capabilities for these. So it involves, you know, if you think about it, it involves two parts. The first part is more around
threat intelligence. How do you keep up with the cybercriminal community and everything they do, because almost none of them is, like, making their own tools or building their own optic technologies, they all reuse, buy from each other, and use kind of like, you know, the same tools and, you know, so this would be the first.
The second is like, okay, we need to analyze all that and build the right ability, to build the ability to detect these signals as the tools are being used against, you know, a specific application, specific website. So, these are kind of like, you know, the two parts there. So this is around automation. When it goes to single attackers, it is much harder to do than just detecting automation, but again it involves a lot of understanding of how these cybercriminals, how these fraudsters operate,
how they think, what are they going to look for, and which tools they are going to use. And eventually the tactics that they're using are very similar across cybercriminals and across regions around the world. So, you know, once you understand that and you know how to build kind of like the right detection mechanisms around it, what are the things that you need to profile, what are the things that would trigger an
anomaly, how do you connect different anomalies together and understand that they are part of an actual attack as opposed to just, you know, false positives, then you get a chance to, you know, detect and stop the real attacks. Yeah, just observation that this is everything you just mentioned. I'm sure all of our listeners are thinking the same thing, which is that, you know, this would for an individual company to kind of build these capabilities is threat intelligence.
It's just something that doesn't make sense to try to build your own. I think, you know, my early days of IT, that was the question, like build versus buy. Today it seems like you can bypass that and go right to which one do we buy? Because everything you just laid out, unless you are not even a tech company, to me. If you're a tech company, you still need to buy, unless you want to become an authentication
company. If you're an authentication company, that may be build versus buy. But, you know, to me this model of relying on, especially when you're talking about the threat intelligence, the intelligence is built across hundreds or thousands of customers, and seeing these signals repeat themselves, and building into the, you know, the Borg of understanding of what an attack looks like. Because it's like you said, it's not the basics. It's not,
oh, you're just, you know, we're getting 1,000 hits from one IP address. Obviously, that's how I simplified it, but it's that the attackers already know that that's getting us knocked out. So how do we get around that? You know, they're trying to stay one step ahead, the authentication companies like Transmit try to stay one step ahead. So it's a constant battle. If you're not in that business, why would you want to be in that business?
Yeah, exactly. And look, it's a very big operation like an offer Transmit. We have around 200 to close to 250 people, you know, talents that specialize in, you know, this type of attack actors. And this is what they do all day long. So you look at a typical organization, even a very large organization.
They, you know, they may have people who know how to do some of this stuff, but, you know, it doesn't scale to, like, you know, hundreds of people, which is what they actually need to provide a very good protection. So eventually you would see, even, you know, even enterprises with very good talent, they would go and, you know, buy technologies from companies like Transmit that are specializing in fraud, identity, because this is something that is very hard to build yourself.
Unlike, for example, other parts of, you know, identity such as, like, you know, building a user store, you know, you can build your user store yourself or you can, you know, you can buy it. It's really a question of what is easier for you? What is cheaper? What is faster?
And each one of the, each customer has their own kind of like priorities around it. But when it comes to risk, fraud, actual security technologies, you know, it's very, very hard to build it yourself. And the other part that we're seeing that is also kind of like similar to it is when it comes to account opening in highly regulated markets such as the financial market. So you get a lot of, like, you know, document scanning and things like that, which are
really, you know, to prevent fraud, account opening fraud, where someone is pretending to be, like, you know, Jim or Jeff and trying to open an account on your behalf. Like, this is a typical attack, right? Like, if I convince the bank that, you know, I'm Jim, and they open an account for Jim, and then, like, you know, I do some basic stuff in the account and then take like a 60k loan and I disappear. The bank is going to go after Jim, is not going to go after me, right?
It's like so I'll even yeah it is. So in the U.S. we, you know, the big regulation is anti-money laundering, AML. The idea is like, okay, I'm making cash through some illegal business, and I'm laundering it by trying to make it legal dollars at this point and put it into a bank account. So, you know, obviously, if you take dollars and run away, you make fifty thousand dollars.
But if you're taking millions of dollars of cash from no legal operation and, you know, now making it legal by putting it into the system, paying taxes on it, things like that. Yeah, so definitely account opening is a major attack. Yeah. And as a major attack, like, you know, that Victory, you need to, like, have very, very good skills in, like, your ability to actually detect. And, you know, detecting these attacks involves a lot of
understanding of how these fraudsters operate, how they try to bypass the different controls that the banks put in place. So, you know, this level of expertise is very, very hard to obtain. When we talk about build versus buy, I always go back to, you know, a company, like, let's just pick something fictional, hopefully, Larry's Tire Shop, right? Do you want to be in the business of creating risk, fraud technologies, or do you want to focus on selling or, you know,
installing tires, right? Think that's, that's the question. Take a lot of organizations, they end up struggling with sometimes is like, okay, well, they started down this slippery slope of identity, because you're totally right. You've stolen my thunder. I was thinking, okay, well, there are probably certain components of identity that are, I won't say easy, but relatively easy to do on your own. You can stand up your own OpenLDAP and create an
identity store. Maybe we could do some light provisioning through PowerShell and things like that, if you're, you know, an Active Directory or Azure, something like that. But I think the further you go to the right when it comes to maturity, things like intelligence, risk, fraud signals, there is no way that you would ever be able to compete against someone who does this day in, day
out. If you try to do it yourself, even the largest companies in the world would struggle with this. Imagine, I mean, you're, you know, Transmit's working with a bunch of banks. Banks typically have a lot of cyber security budget and resources because, you know, they need to keep money secure and safe and do the anti-money laundering, do the know your customer, right? All that stuff to make sure that things have the appropriate risk
and protections around them. So, you know, I think about this from like, okay, well, we're going to go off and do it ourselves. Really? Is that really the business you want to be in? Because I think you're biting off a little bit more than you can chew. Nah, definitely something, not something that, you know, a lot of these, a lot of, you know, the organizations that we're seeing at least are trying to do themselves. You know, some of them are not trying to do this at all, which is okay.
It depends really on the level of risk and the attacks that you're actually seeing. You know, from my 30-something years in the space, I know that, which is really funny, like, you know, you know that these attacks are going to come, but then, like, you know, organizations really prefer to
first see the loss, first see, you know, the problem, first see themselves bleeding before they actually, you know, buy a solution. And I remember, and this goes back, like, you know, 20-something years ago when I was the co-founder of a global web application security company. And, you know, we kind of like, you know, were the first to introduce the web application firewall concept.
And one of the first prospects we had was a bank and, you know, they knew, like, you know, most of our customers back then knew nothing about, you know, application security, web application security. And what we did back then is to do, like, penetration testing, application-level penetration testing, to show them that a problem exists. So they would buy, you know, our solution.
So I remember this, like, you know, one bank in the US, you know, it wasn't a small bank, was pretty, like, you know, big bank, and we went there and we did, like, a penetration testing against the online banking application, and I think it was, like, within, like, one hour we were able to get to the entire database of their customers and, like, you know, do transactions on behalf of customers. And their kind of like conclusion was: okay, so we got, like, a couple of bugs in the application, we'll fix that.
Thank you. We don't need any other control. So, you know, eventually, obviously, all the banks today have a web application firewall. And this is kind of like, you know, part of the standard, but it just demonstrates that until they actually start bleeding, and that's true for, you know, I guess everyone, you don't go and just buy solutions. I think there's two types of people in the world.
There's the ones that they get a cut and they go buy a bandage, and then there's others who have just, you know, a couple bandages laying around the house in case they get cut. All right, I know we've been really pretty generous with your time. I want to ask a question about passwordless because I feel like this is a question that comes up every year. You know, is this the year that the password dies? That's been, I think, something that has been happening for the last 10 years now.
And, you know, Jim, you, I think you kind of coined in one of our previous episodes this year, it's like, is this the decade that passwords died? Because I feel like there is, you know, it's a freight train. We're talking about really changing the direction of one of the core principles, or one of the core things that drives sort of security. It's the password. Is this the year the password dies? Is this the decade the password dies? Is this the century
the password dies? I guess, where do you feel like we are in that journey to eventually at some point get rid of the password? So I think, you know, we need to, you know, split the question into two different current domains. The first one is workforce and the second one is consumers. When it comes to workforce,
I think, like, you know, even though many of the projects that we've seen last year for passwordless were in workforce or for the workforce, I think that it's going to take a while until we see the password die, you know, in these environments, and the reason is legacy systems. Well, we got a lot of legacy systems in these environments that should do when it comes to large enterprises.
And, you know, you go to a large enterprise, and the amount of systems they have that are, like, you know, probably 15, 20 years old, you know, it's like, you know, it's huge, huge. And, you know, these systems do not support any passwordless capabilities and they will not support any passwordless capabilities. Like, I still have, like, you know, organizations with AS/400 and obviously mainframes. And so it's going to take a while.
You'll see, you'll see a mix of systems where you can go, you know, passwordless, definitely all these SaaS applications. Everything that is in the cloud, relatively easy to go passwordless. But, you know, a lot of the on-prem stuff just, you know, it's not going to go away that fast. On the consumer side, actually, I'm, you know, much more positive that we can get rid of passwords
relatively faster. And the reason is the, you know, first the readiness of the protocols, the support that we're getting as an industry from Apple,
Google and Microsoft with passkeys and, you know, the technologies that they're building into the operating systems and the browsers, and the fact that most of the endpoint devices, whether these are mobile devices or desktops, are now coming with support for device biometrics, whether it's face recognition, fingerprint scanning, like, they support all that. So, you know, and they support all that for the past few years. So I'm, you know, I'm much more
bullish about that. I think that organizations that want to go passwordless on now to do this in 2023, and we'll start seeing, like, you know what, eventually it will be, like, you know, you don't want to stay behind, right?
It's like you don't want your customers to stand with passwords when all the other organizations are offering passwordless technologies. So, for example, like, you know, City Bank, which is a customer of ours, are now in a very big project to deploy passwordless technology to, like, you know, 200 and users across the globe, and we're seeing quite a few large institutions doing the same.
So I think that, like, you know, second half of the year, we'll see many more projects around passwordless. I think that a lot of the organizations that planned for passwordless last year, continued to plan for passwordless this year, second half of the year, beginning of next year, we'll see a very big move toward passwordless on the consumer side. Okay, so you heard it here first, the password dies, / Mickey would I let no later than 2024.
So we're going to hold you to that. I can tell that we're getting short on time because your background is getting slowly and slowly darker as the sun sets over the Israel sky there, which is very cool. I want to end on a lighter note. We were kind of talking before
we hit record about. I think our love of travel and restaurants and food sort of around the world and things like that is. It's one of the things I think all three of us look forward to after a long day especially after travel and I want to ask each of you give me us like a small town restaurant or meal or some other. Sort of, you know, similar sort of activity like that, that you just really enjoyed or conversely.
If you have a really memorable, one that you just did not enjoy, because I think that's one of the things that really fascinates me specifically about travel is being able to visit all these different places. And, you know, I remember my first trip to New York City and it was like, you mean, there's like this Deli, like every other block and there's like this amazing food in there and it was like nothing high-end but which
is good stuff. That's not my example, but I'll start with you Mickey. Like, do you have an example like a surreal? Get small town restaurant, something, maybe something local to you or something. You've encountered in your travels.
Wow, you mentioned travel. And, you know, I've been traveling a lot for the past, like, and I don't know, like, 20-something years, and, you know, many of my trips were to the United States. And it's pretty, it's a pretty long flight from Tel Aviv to sell these to New York, is about, you know, between 10 and 12 hours. So typically you get, you know, you get or either late at night or very early in the morning, and I remember, like, a couple of
times. So first of all, like, you know, for perhaps a decade, every time I got into the States, I was like, you know, the first thing I was doing, I did, was to go and get a burger because, like, you know, back then the burgers were so much better than the ones that we had in Israel. You know, now we're, like, I think, like, you know, we're
very good at it as well. But, you know, I remember this, like, you know, one time that I landed in Newark and I stayed at a hotel, at one of the hotels in the airport. It was like a pretty shitty hotel, right? Like, you know, something that, you know, I would not do right now, but back then, you know, I was on a very tight budget and I stayed at that hotel and I went to, like, the hotel bar and I ordered a burger and it was, I don't know why, it was the best burger I had
in my entire life. Really. And then I am still a story that, you know, this one is from the Bay Area and, you know, very similar, like, shitty hotel. And I remember, like, you know, being, like, you know, it was a hotel that probably, you know, probably, like, I got a room there for, I don't know, like, 60 bucks a night and, you know, went to the bar in the evening and I ordered soup. And this was, like, you know, the best soup I had in my entire life. And I don't know why.
But, you know, these are two things that I remember for, like, more than 20 years now. Jim, how about yourself? You got some memorable meals? Yeah, I mean, it's along the same lines as Mickey, right? Like, when you are still talking about a meal that you had years ago, or in Mickey's case decades ago, it deserves
mention. So there's a restaurant in the Caesars, like, this is not like, hey, this is a corner place and you can spend 20 bucks and get a good meal. No, this is hundred dollar plus steaks, but the steaks are so good. So Old Homestead in Caesars Palace. So if you're going to, well, Gartner, you know, always hold their conferences there. So I've been to Caesars a bunch of times. Anyway, this, you were there with me, Jeff. I sure was. And that, yeah, that Wagyu steak was just, ah, perfect. Yeah.
And like it's like 120 bucks for a steak and they come out and it's a plate with a piece of meat on it. Nothing else, right? It's taking up late at stake in a plate and but boy was it worth every penny? Yeah. That was that was a darn good meal and I think it was. Yeah I think it's it's not just the food. It's usually the Ambiance is everything kind of goes around it. That sort of forms, that memory. And I've got a few.
I'm thinking of another meal. It seems like there's a theme, like, Jim and I had that great steak. We went to a restaurant called Fang in San Francisco. It's a Chinese place next to Moscone Center. And I don't know what it was, but that was just darn good food, man. I mean, they come out with the fried rice. They do the whole, like, swirling scrambled egg, right there at the table. I mean, the whole place
stunk. Oh yeah, it was like, oh, we couldn't, like, see or breathe, but the food was really, really good. Yeah, what it was was that scrambled egg mixture that they put down has some kind of pepper sauce in it, and when it heats up, it's like tear gas. Yep. I've used to better link to holds the whole restaurant starts coughing anytime someone orders fried rice because it's like tear gas throughout the place. So yeah, really strange, but
excellent food. Yeah. And everybody orders it because it's okay. One of the one of the I guess the other Specialties, you know, the other one I was thinking about was this is not I my I guess this is travel but not like exotic.
I actually had to go into Charlotte North Carolina and not too long ago, to work on some stuff and I found this tiny little barbecue place and like this strip mall, it's called The Q Shack. It's like on the Southeast side, kind of like past Matthews area for people who are familiar with it, and this is just the place that just doesn't look anything like special, but I tell you, it might be. The best barbecue I've ever had. I mean it was fantastic and I'm
planning on going in there. Thursday, have to go back to Charlotte this week so it's just one of those little things that kind of popped up and I was like, oh yeah, we'll just try it, you know, kind of there with my wife and we walked out like super impressed and it was just, you know, it just a regular day is like, okay, that was really good stuff. So did you put her did you put a review on Yelp or anything? I did, you know, five stars and so, Is like, this is this is
darn good stuff, man. I've another story which is kind of like another, the opposite, which I think was, like, also, like, probably 15 years ago, Scottsdale, Arizona. I was during a conference and then, like, you know, one of my sales guys told me like live, there is, you know, really, really good Mexican restaurant. It's just like an old 30 minutes drive for me or let's go. You have to go, and we went to
this place, and this was, like, you know, hardcore Mexican restaurant, like, you know, only Mexicans there, and, you know, they're like, okay, we can serve you these poor very, very hot. What do you prefer? I was like, you know, the least hot that you can make, that's good for me, and I couldn't take more than two steps, right?
It's like it was, it was so hot. Like, you know, I was starting to sweat from places that I didn't even exist and, you know, people were looking at me and I was like, okay, what do I do now? You know, I can still imagine that like even 15 years later, it's like was Horrible. Yeah. You know if here it's hot interior seats. Wet. I Rise. We are. I mean II could go out a couple different things but I had a
chicken sandwich. We went out for burgers in Chennai about 10 years ago with a team I was working with out there and, you know, I wasn't thinking at the time, and their burger means chicken sandwich. It's like, okay, that's fine, right? No big deal. And this might be, it might have been liquid lava, that was, I took like one bite and I was trying to be respectful and polite so way that Mike I'm really sorry, but if I eat this,
I will die. Well, the funny thing is we were in Nashville recently, and now everything is like Nashville chicken. And you get Nashville chicken anywhere in the United States. Yeah. The other day I was in the freezer section at the grocery store and it was Nashville style shrimp. I was like, I think you made that up. Anyway, you love Hattie B's, which is like the Nashville chicken spot. I like it. Yeah, it's good.
Yeah. But you You get you don't get him National. Yeah you know chickens good. I don't like super spicy. There's a difference between spicy good and spicy just for the experience like I want flavor it's is almost like that show that hot ones on YouTube which has gotten over you know famous over the last several years like there is a difference between yeah that's a little bit of spice. It amplifies and helps the flavor versus this is a trial that I must pass to become a
warrior of spice or whatever it may be, right? Like, I'm not a fan. Like, I'm not interested in becoming a warrior of spice. I want delicious, flavorful food, and I feel like there's a lot of places when they do the hot chicken is they just throw spice at it just to make it hot and there's no flavor to it. It's just hot for hot's sake rather than trying to actually have a flavor, which bugs me. Yeah. That's my soapbox. I'm going to see you.
All right. It is now dark outside of Mickey's window, so we're going to let him go. Mickey, really appreciate the time that you spent with us here today. We're going to have a whole bunch of links in the show notes, you know, to connect with Mickey on LinkedIn. If you've got questions, concerns, or if you want to maybe share a good or bad meal that you've had, we'll have a link to Transmit Security as well. We'll go ahead and wrap things up for this week.
You find us on the web idac. Test.com. We're on Twitter at IDAC podcast. We're on Mastodon at IDAC podcast at infosec.exchange. Mastodon's got to get way easier to take off. Jim and I are on LinkedIn, and don't forget to subscribe and, you know, like the episodes and stuff like that, that way, you know, when new ones are coming out. So Mickey, thank you so much for your time and we'll talk with you all in the next one. Thank you.
Jeff, thank you, Jim. I'm going to get some dinner right now. So I got really hungry. Right on. Take care. Thanks for listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
