
#339 - Sponsor Spotlight - Permiso

Mar 26, 2025 | 57 min | Ep. 339

Episode description

This episode is sponsored by Permiso. Visit permiso.io/idac to learn more.

In this sponsored episode of the Identity at the Center Podcast, hosts Jeff and Jim sit down with Paul Nguyen, co-founder and co-CEO of Permiso, to discuss the critical role of identity security in modern information security. Paul shares insights into the history of identity threats, the rise of identity-focused attacks like Scattered Spider and LLM Jacking, and the importance of real-time identity monitoring for both human and non-human identities across cloud and on-prem environments. The episode explores how Permiso is positioned in the market to provide comprehensive identity threat detection and response (ITDR) and identity security posture management (ISPM), offering advanced visibility and proactive measures against emerging threats.


Chapters

00:00 Introduction to Security Vendors

00:50 Welcome to the Identity at the Center Podcast

01:30 Sponsored Spotlight: Permiso

02:14 Meet Paul Nguyen, Co-Founder of Permiso

03:34 The Importance of Identity in Security

05:35 Permiso's Unique Approach to Identity Security

07:36 Real-Time Monitoring and Threat Detection

09:23 Challenges and Solutions in Identity Security

15:16 Modern Attacks and Identity Threats

25:56 The Role of Honeypots in Security Research

26:49 Challenges of Maintaining Security

27:15 Honeypots and Breach Detection

27:46 Dwell Time and Reconnaissance

28:34 Password Complexity and Monitoring Gaps

29:24 Roles and Responsibilities in Identity Security

29:49 Unified Identity Security Teams

30:57 Emerging Threats and Joint Efforts

32:49 Permiso's Role in Identity Security

34:10 Detection and Response Strategies

36:11 Managing Identity Risks

36:51 Combining Prevention and Detection

39:44 Real-World Applications and Challenges

51:17 Personal Insights and Final Thoughts


Connect with Paul: https://www.linkedin.com/in/paulnguyen/

Learn more about Permiso: https://permiso.io/idac


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and watch at idacpodcast.tv


Keywords:

identity security, real-time monitoring, IAM, cybersecurity, identity exploitation, modern attacks, insider threats, honeypots, organizational structure, Non-Human Identities, Identity Security, Permiso, Risk Management, Insider Threat, Shadow IT, Identity Graph, ITDR, ISPM, Cybersecurity

Transcript

Introduction to Security Vendors

When you're picking a security vendor, you have to trust that they're going to help you sleep better at night and they're going to continually be at the forefront battling the adversaries, identifying their latest tools, their latest techniques and what they're doing and being able to build that into the product so that you can have those detection and prevention capabilities so you don't have to worry about it.

And if you ask our customers, that's the number one thing they say to us is like, I just sleep better at night knowing you guys have our back and then you're monitoring all of our identities. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the

Welcome to the Identity at the Center Podcast

Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. I'm doing great. You know why I think identity is at the center? Because I think it's at the center of information security. One of the things that I find so fascinating is when you get into kind of how exploits happen, and usually it's centered on some kind of, you know, evil activity, if you will, when it comes to identity. And we're going to talk a lot about that today with our guests.

I just want to say I think it's going to be a really fascinating episode. Yeah, this is going to be a fun one. And yeah, just to make it clear,

Sponsored Spotlight: Permiso

this is a sponsored episode. We call these sponsor spotlights and basically we create these in collaboration with our partners out there and helps get their viewpoints on and we can get a little more in depth into specific vendors and technologies and their viewpoints, which is something we actually try to stay away from on our normal episodes where it's more vendor neutral. So that is not today.

Make it clear this is a fully sponsored episode and today's sponsor is Permiso and you can find them at permiso dot IO slash IDAC. We'll have a link in our show notes. People, check it out. Their website is, I'm looking at it right now. First of all, I love the design of it, but it has cool. Yeah, it has a tagline of real time identity security for all environments. That sounds like a mouthful. I want to find out more about what that means.

Meet Paul Nguyen, Co-Founder of Permiso

So to help us with that, we've got the co-founder and co-CEO from Permiso, Paul Nguyen. Welcome to the show, Paul. Thanks for having me. I'm honored to be a guest of this. Well, the honor is all yours, as you just said, we like to find out more about the people in this space. I know we're going to talk about Permiso and you know what you guys bring to the table, but I'm always curious, how did people get into this space of identity?

How did you get into IAM? Do you think you're in IAM, or maybe it's something adjacent? I'm not sure. Is it something that you chose or did it choose you? I think I came into it late in my career because I started in security. So I started as a snot nosed hacker who broke into things 20 some odd years ago. And I could tell you definitely I've been compromising credentials for a very, very long time, all the way back to like NTLM hashes and pass the hash on on Windows machines from

way back when. So I think I've always been around identity, but I, I never really like focused on it until the last five years. And I have a different appreciation for folks that are dealing with it day in and day out, especially as IAM professionals. So I'm, I can't say I am an expert at it. I am learning it and I'm learning a lot from all these folks as I talk to them and as I go to different shows and and and try to school up as as much as I can.

The Importance of Identity in Security

I feel like identity is kind of having a moment in the sun here for like the last, I don't know, five years or so. I mean, it's always been important, but do you feel like, hey, identity is so hot right now, right? Like the meme are there, is there? What like what is it that's coming out there? Is it just as becoming more well known?

Is that people just recognizing it because it's not like we just invented this idea of identity and identity security right within the last couple years? I think for us, I came from a different angle, which was I felt like identity was being targeted more and more by the, the adversaries. And so traditional security controls were mostly focused on email, network, endpoint.

And I think identity was always a, a part of it, but it was kind of always a, a piece of all those different major focal points. And I think in the last five years, and the reason why I quit my nice cushy executive job at FireEye, running product there and working for Kevin Mandia, was like, I, I really felt like this is the area that needed to be focused on because no one was really serving it well.

And so I said, you know what, let's take a leap of faith and and focus on the cross section of identity and security and, and let's see what we can find out. And so then you went off and co-founded Permiso. First of all, am I saying that correctly, Permiso? You are, yes, yes. And then oddly enough, I think, you know, it was definitely derived from us wanting to go into identity and said, oh, you don't like permissions, you

know, that's cool. A funny aside, my friend who speaks Spanish, obviously, and I do have a vanity plate on my car, and my friend said you, you do realize when you're speeding past people, it also could stand for excuse me. So I was like, oh, I guess I'm being kind of rude with this, this vanity plate and it's not a sports car. It's a minivan. So I can't even say like it's, it's a cool, it's a cool like vanity plate on a cool car.

Well, you've got, I think it's, I think it's very polite, like, excuse me, you're, you just got passed by a minivan. I, you know, that's, that's one way to look at it for sure. I guess now that we've mentioned sort of the, you know, the name,

Permiso's Unique Approach to Identity Security

tell us about Permiso. What is it that you guys are bringing to the market? And then, you know, how do you guys set yourself apart from maybe others that are in that space? Give me some idea, because I mentioned this tagline of, you know, identity, you know, for all environments, identity security for all environments.

That's a lot, man. It, it is. I, I actually asked this provocative question to some of the, the folks on the, on the customer side, CISOs in particular, or CIOs, and I asked them, can you tell me who your top 10 riskiest identities are right now at this very minute? I think a lot of people try to answer that question by, oh, well, the inherent risk is Paul has a lot of permissions in the environment, therefore he must be the most risky. And that is a part of the

equation. But I think what we realized was if you bring in the real time aspect, the real time aspect is behavior changes pretty quickly, especially, let's say as an example, you get phished or there's a business email compromise. Well, that just changed from 5 minutes ago when you got phished. That, that credential is now compromised and that, that identity is now acting erratically and logging in from random places and accessing

resources never accessed. And I think this is what we were observing on the, the adversary side. And so we've, we're, we're talking about real time security for identities in cloud and on-prem, because it is a hard job. In our largest customer, we're monitoring close to 8 million human or non-human identities at any given moment.

And to be able to do that real time monitoring, you have to be able to have a full understanding of what they're doing at every second and be able to determine whether that behavior is malicious or not. So I think that's really where we've we've built our superpowers is coming from our backgrounds, from Mandiant, which if you're familiar with Mandiant, you know, there's, there's some of the best

responders in the world. We worked a lot of breaches with identity as a core of the of the attack and we'll go into more details around that. And that's really where I believe the inflection point for us was three years ago was some of these attacks that really brought to light the fact that the identity infrastructure was under attack and you needed real time monitoring to be able to detect that as fast as you can.

Real-Time Monitoring and Threat Detection

So how does this work? Is it pulling in data from all of your different applications and your cloud environments and saying, OK, let's throw this all together and then figure out who is Paul and you know what is risky? Like what? How does how does this work? That's a great question. So you're, you're absolutely right. The first thing we need to understand is, well, what are all the identities operating in the environment? So you need an accurate

inventory. So whether it is at the, let's say, cloud service provider level with AWS, Azure, GCP, or it's at the SaaS level, which we believe SaaS is probably one of the most untouched areas right now, in the middle of the wild, Wild West. And then you need to integrate with any on-prem as well. So Active Directory, your traditional authentication sources. And so unless you have that visibility of where those identities are living, what

permissions they have. And the third part, which you mentioned as well, is we have to be able to pull all the activity logs across all those different sources. And one of the things we, we do is we, we're essentially like a flight recorder for every identity. So I could say, you know what, Jeff, I saw you log in at 10:03 AM yesterday. Here's how you logged in with this device with this MFA factor.

Oh, and I saw you download these documents at 365 and then you logged into Jira and you created some tickets, and then you went into Slack and you sent some messages and you downloaded some docs. Or I could record all of that and then I could look at that activity and determine, was Jeff acting normally or was he potentially a compromised credential from an external threat actor? Or is he ever acting normally? That's probably the first thing

right there. Well, you know, funny enough, the, the, the one that's been really hot, and especially the Rippling Deel one, if you saw that lawsuit that's happening, it's an insider threat case. And so I think insider threat now is becoming a bigger one, especially with layoffs. So that's that's been a big, big topic in the last couple months for us. I mean, that's got to be just an enormous

Challenges and Solutions in Identity Security

amount of data to pull from all these sources, right? And each source is its own complication, right to the to the amount of data pulling in. Then you try to add a real time on top of that. What does it take to run this sort of thing? Is this something that I can set up and run, you know, pretty easily? Does it take a couple weeks? I imagine you've got to establish baselines as far as you know, what is normal or at least normal for that individual.

And then start to apply some of those heuristics to the the access profile to say, OK, yeah, this is normal for Jeff. Or maybe no, this is not normal because he's travelling. Or maybe he's he is accessing different things that he normally wouldn't be. Well, I'll tell you from past experience of having to do this for 20 years and and running the, the FireEye product business, I wanted the anti on-

prem software profile. So we had two principles when we we built the platform. One was it's completely SaaS delivered. So fast time to onboard was a big principle for us. Super easy, has to get on board within, you know, 10 to 15 minutes depending upon the integration, that can happen pretty easily, and it's all read only. So we're not trying to be intrusive in terms of that.

The other principle was fast time to value, because I always struggled where customers had to plug it in, they had to wait some time and then they said oh, OK, it's interesting. Couple things lit up. Fantastic. To answer your question, because we have come in from an incident response standpoint in the past, we've had to go and ingest historical logs. So if you have logs for the last two to three years, I can ingest those and think of it as like a,

a, a replay button. I can replay every identity session over the last two years if you had two years worth of data. And I can reconstruct all of that pretty quickly and allow you now to get visibility around, oh yeah, you know, just six months ago, although I just plugged in Permiso right now, I could see six months ago Jim went and he ran these sets of malicious operations and we know exactly which credential was compromised first and all the subsequent credentials that were

created because of that. So I think that's that's something that I learned in the past of doing this is like, I can't have something that's going to take forever to deploy and forever to get value. And so you get up and running anywhere from 10 to 15 minutes, depending on how complex it is, all the way to, you know, a couple hours and within a day.

I love that ability to show something sooner rather than later because, you know, the world doesn't work on a, you know, give me money and I'll show you something in two years. Like, no, we need to see value sooner than that. What is something that you think has really set you apart from, you know, others that might be playing in the same space? Like what is, what is the thing that you point in and say, yeah, This is why we're different than so and so.

So you brought up one of them, right. And this is something I, I purposely tried to focus on with Jason early on was we need to be completely different from a branding standpoint so that we stood out. So yes, that is a a Yeti with a towel around its rear end, because one of our monikers and campaigns that we ran was Permiso covers your *aaS in the cloud. So you know, IaaS, SaaS, it's a little bit of a pun. So we do, we are a little bit tongue in cheek and we're pretty bold.

If you go to our website, there's actually Easter eggs on there too. So pretty funny, I'd say probably like 12 year old maturity level Easter eggs on there definitely because of me. But I, I think just joking aside, our branding definitely has been useful, but the number one thing that we've tried to do, because I can actually feel this from a customer standpoint, I used to be a, a CSO back in the day as well. There's way too many vendors. Like how do you know who you can trust?

And, and so one of the things I did was let's go back to first principles of if you share your, your intel, your research, your insights with the community, you build goodwill because at that point you're trying to raise the whole community up, right? It's not about me trying to keep proprietary information. So if you look at our blog in particular, and if you go to permiso dot IO slash blog, you'll see that we've open sourced about 12 tools in the last 12 months.

We've shared a lot of our intel, our insights. And there's the the one thing that really sets us apart is, is really that research that allows us to one, show that we are experts in terms of identifying these identity based attacks, but also it allows us to show that we're powering our product with this type of expertise. And we're doing this every day. And I tell customers all the time, when you're picking a security vendor, you have to trust that they're going to help

you sleep better at night. And they're going to continually be at the forefront battling the adversaries, identifying their latest tools, their latest techniques and what they're doing and being able to build that into the product so that you can have those detection and prevention capabilities so you don't have to worry about it. And if you ask our customers, that's the number one thing they say to us is like, I just sleep better at night knowing you guys have our back and then you're

monitoring all of our identities. I love the website. I I got to ask, the art style is very unique and I I like, who does the art for this stuff? Because it's awesome. We, we had a little bit, I'd say, of a family advantage, which is Jason's brother is actually a world class creative person. He's done Super Bowl ads, done stuff for Cameo, Apple. And we said, hey, here's a couple shares. Can you help us come up with

something crazy? And he came up with something absolutely crazy and he gave us a whole bunch of different ones. But this is definitely a unique styling that is more playful. It's, it's different than the doom and gloom, the, you know, guys in hoodies. It's, it's, it's like such cliche. It's such a cliche over the last 27 years. I'm just frankly, I'm just kind of tired of this over overused kind of style. And, and I think the, the security market needs to have a

little more fun. And we don't take ourselves seriously. And if you think, you look at our campaigns, we kind of make fun of things, right? And that's just my playful way of like, hey, let's not take things too seriously. Let's have some fun while we're doing this. I totally agree on the the hoodies and the, you know, the Scream 2 mask, like, or the, I don't even know what you call that one where the the guy looks like the. Guy Fawkes mask, right, from

whatever it is, yeah. Yeah. With data flying in the background, right? Ones and zeros behind his head. So Paul, I'm wondering, I'm

Modern Attacks and Identity Threats

thinking about some of the big hacks that have come out that I'm sure all of our listeners are at least aware of in name, Scattered Spider, LLM jacking, like these are the things that are coming out and they're, you know, they're leveraging the identity. And maybe that's the answer, right? They're leveraging the identity, to my question, but I'm wondering why you would need a new tool to catch these things and to stop these things. Why can't the traditional security tools get in the way of

that? Well, I'll tell you one thing, having been on the other side where I was breaking into things. We're lazy. We want to take the the path of least resistance. So if you, you think about, I'll call it pre-federation of identities, if I was trying to break into 20 systems, I'd have to go break into one system and then try to move across and find the right credential that would allow me to, to walk through

each of those doors. Now, the great side of identity federation was, you know what, we're going to eliminate that, that surface area for the number of credentials that are being used. But the dark side of that is if adversaries get a hold of those single sign on credentials, guess what? That just makes their job a lot

easier. So the, the moniker today, especially as you, you deconstruct the, the modern architecture and, and by the way, this is, I'm gonna, this is a little odd, but I actually started my career as a programmer on a mainframe. So if I look at the mainframe, everything was centralized on the mainframe. We're using RACF, you know, ACF2, Top Secret for our access controls. Back then, you know, I was running my JCL jobs, I was programming in PL/I, a little bit

different. So if you, if you look at it and it's almost like food, right? You talk about these Michelin star restaurants that deconstruct food into, I think we've deconstructed the, the tech stack right now. So it used to be data centers and we were standing up servers and building our own data centers. Now you're, now you're breaking out the data center into cloud, cloud service providers providing the infrastructure. Then you have services that are being delivered by different SaaS

vendors. So what's stitching that all together now that we've deconstructed it? APIs and credentials. That's really what's stitching it together in a bunch of code. So I think that movement to cloud and that deconstruction has created a greater emphasis on identity. And I, I think also with federation and, and we, we talk about bad guys don't hack in anymore. It's not like they're using malware to hack in, in this modern stack. They log in. So they're buying credentials.

They're, you know, finding any which way to get those. They'll pay you for your credentials and they'll get, they'll get access and they'll bypass MFA. And once they're in, they're in. It's a little bit of a different approach than it was 10, 15 years ago with malware and and viruses. If you remember old school, if you had Symantec and Norton Antivirus, like you're good, right? That was security. So I think it's evolved quite a bit since then.

And I do believe identity's at the center of it all. Yeah, absolutely. So, OK, talk about some of those modern attacks. Scattered Spider, like I said, most people I think have heard of it, but can you tell us a little bit more about what it was and what the impact was for companies that unfortunately got hammered by this thing? Sure. And and by the way, this is something that we we do all the time, which is we provide no strings attached, no salespeople threat briefings.

So I'll give you a bit of a mini version of that threat briefing because we've been doing it quite a bit for the last two years. The probably the poster children for, for that one was Caesars, MGM, in terms of Scattered Spider in particular. Now I, I could say that was a great event for us because I think it really created a lot of education around the identity

infrastructure. But if you, you look back at what they were trying to focus on, one, they were buying credentials off a Russian marketplace and they were focused on specific people that they believed had a lot of privileges into the environment. And so they're going after Okta, they're going after Entra, they're going after Ping. So that was their, the IDP was a great source because you assume if you get an IDP credential, you're going to have access to a

whole lot of things. I have to do less in terms of lateral movement within the environment. Perfect. So that's where it's starting. Let's focus on compromising an IDP credential. That group was also behind the T-Mobile breach as well. And why does that matter? That matters because SIM swapping makes it easy to bypass MFA.

And so it was a multi pronged approach in which they were, they happened to be, you know, compromising T-Mobile previously, one that gave them an opportunity now to bypass

MFA. They've also resorted to some more heavy-handed tactics, I'd say swatting, you know, physical threats, you know, they find out what your wife's name is, your kids names and they say, hey, if you don't accept this, you know, we're going to, we're going to do some harm to your children, to your wife, and they'll follow it up with swatting. So there's different ways of persuade people to, to give up

their credentials. So if you assume once you're past that door, right, the authentication side of it, what happens then while you're riding that identity highway into all the SaaS applications that are federated into it like 365, Jira, Confluence? And then you're also going into the infrastructure, right? So AWS, Azure, even on-prem as well if there's a VPN. So what was the, what was the

major mission for them? The major mission for them was actually to steal intellectual property and they would extort you. So in some cases, some of the largest extortions we saw were about $50 million. They said, if you don't pay us $50 million, we'll release your source code, and there goes your competitive advantage. And now your competitors have your source code. Big impact, right?

Caesars, MGM was a little bit different where there was some disruption, obviously, to the, to the services that the, the hospitality industry was providing. So they had different outcomes. But at the end of the day, it was still extortion, right? Pay me tens of millions of dollars. So why is that important? I think it's important because that's one of the most high profile cases where they, they really focus on the identity

infrastructure to get access. And the second was if you've been following this Rippling Deel lawsuit that's been happening, because it was an insider threat and it was focused on essentially setting up honeypots where they would go find out. OK, well, clearly Deel has an insider somewhere at Rippling that's providing them information and they're trying to ferret out who this insider

was. And the way that they detected it actually was because they were monitoring the search terms and they, they set a honeypot up with specific search specific terms in a document. And so once they knew someone was searching for those terms, they knew who the, who the

culprit was. And so if you look at Scattered Spider, one of the most interesting and novel things that we saw in that, and that we actually pioneered this technique, was, and you, everyone uses Google or Perplexity or name your, your, your latest search right now, right? Well, search actually gives you a sense of intent because I'm searching for, let's say, a car. Well, I'm probably looking to

buy a car. The unique part of this adversary group was they were using search for about 70 hours to recon the environment they're looking for, AKA they're looking for others' credentials, they're looking for secrets, they're looking for other access keys, they're looking for infrastructure deployment guides. And that was an interesting new area that we saw in the SaaS world that was like, wow, this is a new technique that we're, that we're identifying right now, right here on the front lines.

And that does deal with exactly what we're seeing now in the Rippling Deel effect as well on the insider threat side. But yeah, I think that's it, right? Use identity. Let's go log into all the different applications that it has access to. Let's steal information. Let's get away with it. And these were not sophisticated adversaries, by the way. These were keyboard jockeys that didn't know how to script, and they were logging in into websites. So this was not like some nation

state. These are a bunch of actually teenagers that were doing this. Yeah, right. And OK, you said they searched for AKIA. What is that? It's actually a prefix for an AWS access key, so. Right, right, right. Yeah. And they're, they're searching for code signing certs. So dot PFX. So because code signing certs are obviously an issue, right, for for tech companies, if they lose their code signing cert,

it's fascinating. When you look at their search terms and we published it actually on our blog, it's clear that they had no idea what the heck they were doing because they're searching for everything. Yeah. Well, that that kind of puts a bull's eye on their on their back potentially, but they look how much damage they did. There's another big incident that hit the news, the LLM jacking incident. Tell us about that one and kind of what was behind it and again,

impact too. So this one's going to be a little bit, I'll call it a little more seedy just in terms of like what they did. I mean compromised access keys are not new by any means. We actually were observing some abnormal behavior related to some AWS infrastructure for clients and it was specific to Bedrock. And if you're familiar with Bedrock, Bedrock is the, the AI infrastructure service for, for hosting things like Anthropic models, etcetera. And we're like, what are they

doing with with Bedrock? Like this doesn't make any sense. And once we started to pull the thread on it, what we realized was they're actually using access keys, like stolen access keys, to, to then abuse Bedrock to steal free Bedrock services. And then they were jailbreaking Anthropic models and other AI models. What were they doing? They're creating role-playing sex bots that they could go sell subscriptions to.

And and so of course this was an interesting one because this involves essentially non-human identity in the AWS access key. Now you're looking at AI services and AI infrastructure. So you have a cross section of NHI and AI. And we, we were actually one of the first ones to disclose this to Brian Krebs. If you're familiar with Brian Krebs, he breaks a lot of the latest breaches, right? So he had the exclusive on, on our story and he did the investigation. He's like, wow, this was

fascinating. And subsequently we've been referenced several times by a lot of other, other big vendors like Wiz and other folks in their blogs. And I think that's a cool thing about what we're trying to do is we're, we're trying to be always at the forefront of fighting these unique things like the LLM jacking or some of the search term indicators and ways of detection.

And that's I, I think that's going back to your question on differentiation is if I continually show like we're at the forefront of this and we're finding things that no one else is finding. I think that just helps to demonstrate that you're going to sleep better at night just knowing that we're, we're going to be doing this for you instead of you having to do this 24 by 7.

And I think the LLM jacking one is interesting now that the advent of Gen AI and the adoption of AI is going to increase significantly in the enterprise. And then the agentic AI, I, I have to admit I'm a little worried about Skynet, I, and that's not something I ever thought I'd worry about. But boy, I've watched all those Terminator movies and I am scared.

The Role of Honeypots in Security Research

So you talked about honeypots a little bit. Is that something that you recommend people use? So I, I think it depends for what purpose. And we've set up our own honeypots as well, just because we, we, as an example, tried to, in the vein of being in at the forefront of identifying what the adversaries are doing. We'll leak access keys, you know, we'll, we'll, we'll leak a couple things just to see what the behavior is.

And actually in that LLM jacking, because some of our customers didn't have the proper logging on, we couldn't actually see what the prompts were that they were submitting to the AI models. So we end up sending a honeypot up. And of course, we were able to, to pull them in and we were able to observe well, what were the, the prompts that were being submitted to the models. And so we use honeypots all the time just for our own research

purposes. I think if it makes sense for a customer, it's hard to maintain, right, because you have to continually create new content and make sure that you're observing and, and monitoring it.

Challenges of Maintaining Security

Otherwise it's just. Not to do it. Exactly, exactly. And, and that's a tough part is, is just maintaining and keeping up and, and watching what they're doing at all times. For us, it's a little bit easier when you're doing it for research purposes and, and not in a concern of losing anything per se or understanding that they're going to attack us. So that's, I, I, you know, I, if you have the resources, go for it. If not, I think a lot of other vendors do do it as well on your

behalf. Yeah, I think it's a good topic.

Honeypots and Breach Detection

I think you just mentioned the point there, right? If you have a honeypot out there and you're not monitoring whether or not it's getting hit, then it's not doing you any good. Kind of in the same vein, you know, we've seen some ridiculous numbers in terms of how long after breach it takes for an organization to realize they've been breached. You had something, a statistic on your website and I don't remember what it was, but how long was that? So I, I think the, if you go

Dwell Time and Reconnaissance

with the, the real big vendors who have, you know, the typical Verizon reports or CrowdStrike reports, they'll probably say anywhere between 10 to 15 days for dwell time, which is the amount of time that an adversary sits in an environment and gets, goes undetected. So I think what we're seeing right now in the, in the most recent Scattered Spider incident was about 74 hours from beginning to execution of the, of the attack itself. And 70 of the 74 hours was

the, the Recon time. So they executed that mission in about 3 days. So not very sophisticated, right? You're able to go and to to pull this off because 1, I don't think people have proper visibility to be able to detect it in the first place. So if you were, and this is, this is a part of the, the

Password Complexity and Monitoring Gaps

formula, right? So over time, now let's think about just passwords in general. Like what was the complexity of the passwords you started with? There's like a couple characters, right? And then you started getting into 16 characters because we used to read about tables and password cracking back in the day with, with different tools. And then then you added complexity, you added characters.

So I, I think this is the same game that's, that's being played with, with these folks is right now, I think the level of maturity in terms of being able to monitor identities across all these different layers is, is not quite unified right now. And that allows you now to kind of hide in those gaps. And you'll see shards of like, OK, we saw something happening in, in GitHub, but OK, is that correlated to something else that happened in, in Jira? I think it's hard to stitch that

picture together. And I think that's where we've noticed in the breaches that we've worked where they hide, right? It was in between those gaps.

Roles and Responsibilities in Identity Security

I'm wondering, I mean you work with a lot of clients, you get to see what team gets brought to the table, roles and responsibilities within the organization. I'm wondering most of our listeners are identity practitioners. Are they the folks who are, you know, just the buck stops with them for dealing with these or getting ahead of these issues or is it somewhere else within the organization? I would tell you probably the

Unified Identity Security Teams

most advanced, I'll call it organizational behavioral structure that I've seen is a customer of ours created an identity security team, which is essentially an overlay cross-functional team that was working across the IAM teams as well as the security teams to create more unified visibility for identity. Because I don't think this is a, an either or type of responsibility.

Because if you think about IAM professionals, I didn't have a full deep appreciation for how complex and how hard it is to, to stand up and manage and maintain that infrastructure and, and try to get everyone bought into the standards like that. That's a hard job. So I look at that as prevention, right? So you're, you're, you're putting in place the proper controls and the proper prevention to ensure you have the right authentication, right authorization.

But guess what? Controls fail as we see in breaches. So you do need the security team to monitor that when all else fails. Are we able to, to your question, Jim, are we able to detect when that happens? Because you can't expect you're 100% secure at all times. That's just not reasonable.

Emerging Threats and Joint Efforts

So you need both sides to continually work with each other because there might be things that are happening on the threat environment that helps inform the IAM team that, hey, you know what, we need to put these types of controls in place because we're starting to see emerging attacks around this area. So let's say as an example, NHI is a big one, non-human identities, kind of a big one right now, right? So we're seeing a rise in attacks around NHIs.

So what do we need to do better on NHIs? NHIs have been around for a long time, service accounts, service principals been around for a long time. But you don't have to worry about the problem until it becomes a real, real pressing issue. So I, I think it's a, it's a joint effort, honestly. And if you look at our engagements with our customers, yes, we might have come in from an incident that happened and we helped them respond to that

incident. Then we helped build detection capabilities to ensure that if the adversary comes back, we're able to detect it. But our biggest engagement actually has been IAM teams. So we, we just launched a whole prevention part of our platform. And was it because we wanted to go into prevention? It was because the customer said, I can't have this happen again.

So if you look at the symptoms of what happened, one is there's a lot of orphaned and stale accounts and unknown risks around access keys that were exposed to our human and non-human identities. And then there's a lot of over-permissioning. So in the example of an Okta credential that gets compromised, one thing we observed is this credential never accessed GitHub for three years. So you could argue at that point, if you had removed the access it would have completely stopped the attack.

Probably not. It probably would just create enough friction where they go, you know, this is kind of annoying. They don't have access to GitHub. I'll find another way around to get, to get access to GitHub. So I, I think it's a joint effort. I, I do believe the construct that I talked about, which is like a unified identity security team is a little bit of a lesser minority implementation, but I do feel like there's a large convergence happening with, with those, those teams.

Just it's just my gut. Yeah, no, it makes a lot of

Permiso's Role in Identity Security

sense. So as you're talking about all these things, and again, the website is permiso dot IO, we also say slash IDAC. If you go there, Paul's going to put something there for you to get for free. And hopefully, I'm hoping there's an Easter egg there. I also wanted to go through the spelling is PERMISO like miso soup, PERMISO dot IO. But I think at this point in the conversation, Paul, people probably asking like, OK, you sold us. There's all this that we need to

be worried about. How's permiso help? How's permiso help me to solve this problem? I, I will tell you this, the only way to, to kind of prove out, are we really worth the time and effort? Because I get it. And I think, you know what, it's annoying talking to vendors. Vendors call you, they're, they're nagging you with emails, LinkedIn messages, I mean, you name it. I, I, I think the first thing I would ask anyone that would want to talk to us is, is just look

at our research, right? Just just determine whether you think we know what we're talking about or we just put a bunch of words on our website and tried to say, Oh, you know, we do all these things because guess what? There's a lot of people that go out there and can easily put words out and say they do a whole lot of things. I think the proof is in the pudding in terms of what we've been able to do in the past.

Detection and Response Strategies

You know, I, I, I think the best way that we, we try to prove value is if I'm not giving you unique insights into your environment and all that you didn't know about. And I call that unknown risk, right?

So if you already know what risk you're managing, there's a, there's a certain percentage, call it 10 to 15% of unknown risks that you don't know about because you don't have the right visibility or you don't have the right monitoring in place to determine whether those things are happening. So what is it that we're we're looking for on the detection side, the response side, it's really 2 simple questions we're

trying to answer. 1 is, do we believe that there's any compromised credentials in the environment, human or non human, from an external threat actor? The other, which is a harder problem to solve, is the insider threat issue. So they have legitimate access into the environment. So the pattern of detection is a little bit different because they are going to come from a valid device, they're going to come from a valid MFA factor, they're going to look normal.

So how do you start to determine when people are starting, starting to act abnormally? I'll give you two examples. So the actually compromised credential, that was the Scattered Spider use case, right? It was an outside threat actor that was compromising a valid credential and then they gained access into the environment. One of the more recent examples for us is let's say you had to lay off 1000 people tomorrow. What are the things that you

need to worry about? 1 is did I remove all access number one. The second is can I detect if they're exhibiting any kind of destructive behavior that could be impactful to the company? And I will tell you when you're, you're trying to lay off people at that scale, things will fall

through the cracks. And then this is what we observed is people downloading, mass downloading documents from SharePoint, right, downloading documents from Salesforce, hurrying up to, you know, to get until they got their access cut off. That's a big problem right on the insider threat side. And then, of course, this Rippling/Deel lawsuit is another indication of that insider threat. So that's on the detection side.

That's what we care about. So if you move left of that problem, what's precipitating those issues? I think that's the hygiene side or the posture side, right? You know, how do I start to prevent this from happening,

Managing Identity Risks

which is let's clean up all the attack surface around the identity. Any, any orphaned accounts, stale accounts, zombie accounts that may exist in your infrastructure, in SaaS, on-prem, with your Active Directory, you name it, that's number one. Second is you've got to deal with authorization risks around least privilege and over-permissioning. So I gave you that example in Scattered Spider where the credentials that were compromised had access to resources that they hadn't

touched in a long time. So if you look at the, the, the real root cause of all this, it's a, it's a multi pronged issue, which is both you could do prevention, but you do need monitoring together at the same time. I think what we're noticing is a lot of vendors are focusing on one or the other without bringing the two together.

Combining Prevention and Detection

I think that what's, that's what makes us unique is that visibility for both prevention and detection, for human and non-human identities, for your cloud and for your on-prem. So we're actually trying to save our customers some money instead of having to buy five different solutions, you know, we'll cover all your identity security needs from one place as, as best as we can. Are we perfect? No, I'm not going to sell you snake oil and say, you know,

we're the best at everything. But I I think the one area I can claim we are the absolute best at is the the detection and the response line given our background of of dealing with frontline attacks against some of these adversaries. And so, Paul, I mean, when you talk about Permiso, do you call it a platform? Is it a couple different solutions or products? How? How do we think about it? Let let me approach it in a

little bit of a different way. I'll, and I'm going to use non-marketing words because I, I, I think actually the word identity security is a little bit of a bastardized term right now because what, what is security in the first place? And I was a CSO, right? And I had a fixed amount of budget and I can only spend so much. And what, what's my job? My job is to buy down risk, deploying that, that money into people, process or technologies.

So security fundamentally is a risk management function. So what is it that I care about? I care about helping our customers manage the risks to their identities, which means I need to enumerate all the things that I talked about, right? So all the vulnerabilities of the potential gaps that could be exploited by a threat actor that could turn into an incident. So I, I, I think that's, it's, it's more about identity risk management. Do I want to be an IGA solution?

No, I don't think that makes sense for us because I think we need to end up being almost like an Equifax or, or TransUnion or, you know, an Experian around understanding, oh, I need to understand all the attributes of risk related to an identity and be that, that clearing house for understanding. You know what? Paul's the riskiest identity in the

environment. One, because he's over permissioned, but two, he's logging in from Vietnam and he just switched from an Android device for his MFA factor to an iOS, which never happens, by the way, very rarely. Or he downgraded from iOS 18.2 to, you know, iOS 16.1 rarely happens. These are all signals and symptoms. And all of a sudden he's starting to create users and, and exhibit this weird behavior.

I think those are all signals you need to capture and be able to understand what Paul is now the riskiest identity because both inherently he has a lot of permissions, but his behavior is quite erratic and now he's exhibiting symptoms of potentially a compromised credential. Jeff, I think we need to cut Paul off from our podcasting platform once this podcast is recorded. Like kill his credentials for life. Why would we do that? Paul's our friend. He's our friend, but he's so risky.

We're in the opposite market, right for podcast growth is we want everybody to get out there. Absolutely. It's true. It's true.

Real-World Applications and Challenges

So Paul, one of the things that you talk about with Permiso is the universal identity graph. And I wanted to be, is this like front and center on your website? Why is that? Why is that front and center? Why is that the first thing you think about or read about when you go to permiso dot IO slash IDAC? Well, I always, I, I think I talked about it a little bit before, which was some of the core principles that I learned in security is, is one, you need to know what you're protecting.

So if you don't have an accurate inventory of the identity attack surface, then it's hard for you to know, you know what, I need to protect this credential because Paul owns his credential. But one of the harder problems that we're trying to solve is let's say if you're going to get rid of me tomorrow, right, how would you know which credentials that I've used or owned in the environment? It's easy if you were saying everything was federated and if I just cut off my federated

identity, all's good, right? The challenge is there's a lot of non-federated identities that are operating in there, right, because I may have local access to something that wasn't federated through to let's say Okta. The, the third problem is I may also own non-human identities. So I may have secrets or OAuth tokens that I've authorized or, you know, long-lived access keys that belong to me.

So you need an accurate inventory of what is the composite identity surface area for Paul, including all the credentials he uses and all the permissions that he has. So that graph is really about just maintaining that that a proper state of who is Paul as a human entity and then all the credentials and permissions that he owns. And we also do this for non human identities as well. Yeah. I mean, that's a really good point. So I totally agree.

You had me sold right when you said you have to have an inventory of your attack surface, which almost seems like impossible. So is it that Permiso helps you develop that? Because I doubt there's been the clients that you go into and like they're like, here's our spreadsheet, here's our attack surface. No, I, I think it's a part of not just if they have, do you have that information? So as an example, we've had a lot of requests to integrate with Workday.

So Workday is a bit of their authoritative source for full-time employees and contractors. And we use that as a starting point through that integration. So it, it, it's both integrations into the IdP first and into HR systems like that to give us a sense of what's the baseline inventory, because the majority of the credentials, at least for mature customers that have federated access, that's the easy low-hanging fruit.

The second ring around that would be you need direct access and integration into all the sources that, that where there are credentials, let's say local credentials.

So I'll have to integrate with every SaaS application, Salesforce, ServiceNow, Jira, GitHub, I'll have to integrate with Amazon. So there's a bit of an integration coverage you have to do as well because if you can't enumerate the local credentials and even have access to the activity logs and, and where they're accessing those things, it's hard for you to get that visibility. So unfortunately I think it is very similar to, to things in the past where one we will use the, let's say, 80% rule.

Let's get as much as we can from the right sources like the IDP or from HRIS systems and then let's fill in the rest by enumerating the the local credentials from there.

So that enumeration I think is where I was thinking is when I hear integration, I think of gaps because nobody knows where they might have identities. Is, is this one of the challenges that we're, that we need to try to solve for is OK, we know what, we know what applications we have, but you know, the business is going to go in business, they're going to go out and sign up for a SaaS app or some other thing, right? And they're not being centrally managed.

Is there a way or an opportunity to use Permiso to maybe discover some of that usage and say, hey, we've got some shadow IT problems over here and oh, by the way, someone spun up their own entire AWS environment or whatever it might be, right? That is not being that. First of all, it's not even being aware of that like a governance standpoint from

security standpoint. But is are there opportunities to leverage this information to do some of that discovery, to find the things that we don't know about our environment? That's a great point because you can only protect what you know, right? Sometimes there's a lot of unknowns and I, I always talk about the unknown risk because you don't have 100% visibility into your environment.

And I think this is where we have that real-time or runtime monitoring because there are things you observe when you're seeing a, a set of activity. Let's say for example, someone signs up for some SaaS application as an example, you may not see the initial registration workflow, but you'll see shards of activity where, where all of a sudden we see people accessing certain websites that are abnormal for what they, they normally go to, right.

So that then starts a signal to us, OK, maybe someone's signing up for this particular SaaS application. We put that into what we consider an unknown state for, for in our inventory that needs to be reconciled because now we don't know if that's authorized or unauthorized and we don't know if that's a, a potential user that we know about or not. So that's, that's potentially some ways. Are we perfect at like identifying shadow SaaS?

No, I think there's, there's a lot of other solutions that are more focused on the, the SaaS security side or CASB or SASE that can detect it from a network standpoint. That won't be our strongest suit per se, but there are methods that we use that again, like think of it as like, I hate to call it Big Brother, but I am kind of like Big Brother in the environment, right? Monitoring every user, every identity, just watching what they're doing.

And there are signals that we pick up sometimes that are saying, hey, this is unknown activity that we need to go investigate. That could be indicative of shadow SaaS or, or shadow IT as a, as an example. That's a very important concept. One other thing that came to mind was I remember a Gartner, I'm not sure if it's a Venn diagram. If it's only two circles, we can call it intersecting circles. It was SPM, security posture management, and ITDR, and most products fell into one or the

other. I would say the SPM was kind of more the network vendors of Palo Altos, things like that. ITDR was kind of pure-play ITDR. I don't remember if you guys were on that specific diagram, but it feels like, you know, based on the research I've done looking at the website, you kind of in that section where those two overlap.

So you're SPM, but I'd say you're, it's like identity SPM, which I think that I'd love to hear you clarify on that a little bit and then talk about ITDR and what you bring to the table in terms of ITDR. It's, it's a hot space, but what I've seen like as I have investigated different ITDRs is it's almost like a, a major bucket containing a bunch of different types of solutions. They don't all do the same

thing. So I'd like to understand what you guys bring to the table in terms of the ITDR and then what is this identity SPM piece and why do you call it that and, and why, what does Permiso bring to the table there? That's a great question. In terms of the acronym soup of ISPM and ITDR, I could probably throw in a couple more, IGA. We don't do IGA, but might as well throw in all the acronyms.

But in terms of identity threat detection, what was it that the outcomes that you really care about? One is real-time monitoring of your identities to determine when they're compromised either by an external threat actor like we talked about with Scattered Spider or some of the insider threat use cases where you start to see, you know, in mass layoffs or potentially in the, the corporate espionage or the, the Rippling/Deel effect.

I think that's really what we care about is like we want to do the real-time monitoring of your identities so you can sleep better knowing that no one's abusing those credentials. And if you go to the left of that, that's really the quote unquote ISPM or the posture. I, I call that more prevention and hygiene management, which is you're trying to reduce the probability of an identity being compromised.

So what do you need to do there? One is of course, we're monitoring for behaviors like people using weak MFA methods or I, I call them weak authentication controls that allows it to be easier to compromise a credential. So we, we monitor for all those. We identify any cases where MFA is not being enforced. As an example, we try to identify any residual unknown accounts that may exist that people forgot about because either, you know, people left or whatever may be. So zombie accounts, stale

accounts, that's surface area. That's pretty low hanging fruit that you can go after and you could feel comfortable that you can remove those. Because a part of what we do is we also understand when that credential was last used and how it was used. So I could replay that credential and tell you it was last used a year ago and Paul used it. And when he used it, he went into 365 and he downloaded a bunch of documents.

So we give you a lot more context than I think a lot of other folks would just say, oh, it's an unused account. We could tell you it's an unused account, but it was used last year on this date at this time. And here's what it did. The, the other piece too is the least privilege side, which frankly like least privilege we've been chasing forever. It's, it, it seems like it's a never-ending problem with people

moving jobs and roles. And I think what we see with developers, especially in this new infrastructure-as-code world, they give permissions until it works. So it's not about, I think, paring down permissions for security purposes, like how do I make this stupid piece of code work? And I will say I am guilty of it myself because I am a hack developer compared to what I used to be. And I'll write code and like, what the heck, I don't know why isn't this working?

It says access denied or permission's not allowed. I'm like, OK, I'm just going to keep loading up permissions until it works. So I think that's really the prevention side or the ISPM. And, and I think that's where we're unique is you'll have other vendors that are doing

just posture but not detection. And some vendors are just doing detection but not posture and some that are doing posture in cloud only, but not on-prem. So you, I think the hardest part for a customer is, I, I think I, I put it together. If you, if you think about the, the stack that I just talked about, ISPM, ITDR, I'll use the acronyms for descriptive purposes, for human and non-human identities in cloud and on-prem.

That's probably six different solutions that you have to buy and then you have to stitch those together to get the visibility that you need. And I think that's where we try to make it simpler for customers to get that unified visibility for all your identities in one place, human, non-human, cloud and on-prem, so you can help manage that risk as effectively

as possible. Yeah, I think this is this highlights, I think the importance of visibility and observability and being able to understand who is your, who is in your environment, what are they doing with it? And then you can start to make intelligent decisions around, OK, well, what do you want to do about the information that's

been presented to you? So I love this idea of, of again, that this combining that visibility and observability and then give me, give me data so that I can figure out, OK, is Paul being weird again? Or is this just normal Paul behavior And, you know, his six kids running around his house and like, oh, that is normal for that, for that house. So I love that idea of combining both of those things.

And I definitely want to encourage people, you know, go off to the website, check it out, permiso dot IO slash IDAC. We'll have a link in our show notes for people to check that out. But definitely a, a powerful message there. I know you've been very, you know, generous with your time here today.

Personal Insights and Final Thoughts

I did mention that you have six kids. That is a lot of kids, man. Tell me a little bit about your environment there and, and how much ISPM and ITDR and identity graphing are you doing even just in your own home to try and manage all this? I constantly have to inventory that I have all my kids because I have lost a couple at Disney World and the good thing is Disney World's really good at tracking down kids.

But I, I was an only child and I guess what, I married an, an Irish Catholic from Pittsburgh and I ended up with six kids. So clearly I, I did not read that contract very well when I, when I said I do, but I, they're, they're 16 to to 9 and we jammed them in pretty tight and good Lord, sometimes I feel like I'm a, I'm an Uber driver more than I am anything else. So I I'm not sure what I'm Well, yeah. You know, you talk about like ITDR.

Yes. I'm trying to detect nefarious activity from my kids all the time, especially as they have devices and I don't know what the heck they're doing on their devices. That's the scary part of the the Internet. Now that I have kids, it's like, what the heck are they doing? So knowing what you know and sort of your background in cybersecurity, do you think that makes you a better dad or are you just an absolute nightmare of a dad because it is harder to get things past you maybe?

I, I don't think I have enough time to be able to effectively monitor them. So I, I use the old school fun approach, which is I scare them and say, you know what your father does. You know, your father monitors people all the time and I know exactly what they're doing. So if you think you're going to pull one on me, you can try. I, I have had kids who try, who've tried so and they probably didn't do it successfully.

And unfortunately that means that they think they can keep doing it. But I told them eventually I'll catch you. Don't. Don't worry about it. Jim, you've got a couple kids. How do how do you approach that your your identity threat detection response and identity security posture management for your kids? You, you keep your, you keep your attack surface as small as possible. So Paul didn't get that memo. You don't want to be outnumbered, so you keep it small.

You still have to have fault tolerance for passing on your genetics. So I got to didn't let them outnumber me. So I, I, I feel like I set the strategy. I stuck to the strategy. Now we've been in operations for a while, but guess what? Having kids operations isn't always the the funnest sport. Did you just use fault tolerance with with the idea of your children? Genetics. Yeah, I know. It's it's actually, when you think about it as it was not a good analogy, but we do.

We do this thing live, Jeff. So it's out there now. Yeah. Oh, this is why we end on a lighter note. Or also, you're going to hear a fault tolerance in genetics. That's a good one. Identity threat detection response all in one, one cohesive, nice tiny little package of a, of an. I love it. I love it. Paul, you've been great.

Definitely interested in learning more about what you guys have going on. Looking forward to seeing you guys maybe at some conferences that we'll be probably at together over the next year or so. Definitely get people out there for the website permiso dot IO slash IDAC, that's PERMISO dot IO slash IDAC. Speaking of letters and acronyms and things like that.

Miso soup. So I guess final thoughts, Paul. What is something that, if somebody's listening to this, what is your elevator pitch or your final thought that you want people to take away from this conversation before we close things out? Disclaimer, I'm sorry if you lost 30 to 40 minutes of your life and, like, you can't get it back, but like I said, we just want to be good contributing members of the community. I think evaluate whether you feel like we can do that for you.

And just again, based upon our research and what we've talked about, if you feel like you want to learn more, no strings attached, I promise we're not super salesy people. We like to share what we do. If you just check out on social media and LinkedIn, I think you'll see that a lot of people appreciate what we do in the community. And we're happy to give you a threat briefing, give you a demo, whatever you want.

If you want to learn more, I promise I'll keep my sales folks at bay and I'll be the one to personally deliver it. OK, so that is a very powerful message. I hope people take advantage of that for sure. All right, we're going to go ahead and wrap it up for this week. Thanks, Paul, for joining us. I'll have links in our show notes for people to check out, including your LinkedIn profile as well as the permiso.io/idac landing page.

And then of course, you can always visit us on the web at idacpodcast.com, do all the cool things like subscribe, share with your friends, share with your enemies. And, in the opposite of Paul, we want everyone to get to our episodes. So it is a wide-open door for people to check out. So with that, thanks everybody for watching and/or listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.

Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed.