
#367 - RSM & IDAC Present - The Intersection of Attack Surface Management and Identity

Aug 18, 2025 · 52 min · Ep. 367

Episode description

Join hosts Jeff Steadman and Jim McDonald as they explore the critical intersection of attack surface management (ASM) and digital identity with Dan Lauritzen, Director with RSM Defense - RSM’s Managed Security Team. This episode dives deep into how identity has become a key component of your organization's attack surface and why breaking down silos between identity teams and Security Operations Centers is more crucial than ever.

Dan brings a unique perspective from his military background as a human intelligence collector to his current role in detection and response. Learn about the cyber kill chain, understand when you might have too much data, and discover practical strategies for treating identities as assets that need continuous protection.

Whether you're an identity practitioner looking to expand your security knowledge or a cybersecurity professional wanting to better understand identity's role in attack surface management, this conversation offers valuable insights and actionable takeaways.

Key topics include XDR platforms, ITDR tools, the evolution from legacy SIEM to modern detection systems, and why the future of security requires collaboration between traditionally separate teams.


Chapter Timestamps

00:00 - Introduction and Industry Trends

01:00 - AI and Technology Disruption Discussion

02:00 - Upcoming Conference Schedule and Discount Codes

04:00 - Podcast Milestone - Approaching One Million Downloads

06:30 - Introducing Dan Lauritzen and RSM Defense Team

09:00 - Dan's Background - From Military to Cybersecurity

12:00 - What is Attack Surface Management?

14:00 - Treating Identities as Assets

16:00 - The Cyber Kill Chain Explained

18:00 - Why Identity and SOC Teams Operate in Silos

21:00 - The Role of Data in Modern Security Operations

23:00 - Continuous Identity Management and Shared Signals Framework

26:00 - Can You Have Too Much Data?

29:00 - Breaking Down Silos Between Identity and SOC Teams

32:00 - Practical Collaboration Strategies

34:00 - SIEM vs XDR vs ITDR - Understanding the Tool Landscape

41:00 - Pragmatic Security Strategies and Metrics

44:00 - Biggest Misconceptions About Attack Surface Management

45:00 - Military Background - Human Intelligence Collection

48:00 - Communication Tips for Better Information Gathering

51:00 - Closing and Contact Information


Connect with Dan: https://www.linkedin.com/in/daniel-lauritzen-67545045/

Cyber Kill Chain: https://en.wikipedia.org/wiki/Cyber_kill_chain

Learn more about RSM:


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at http://idacpodcast.com


Keywords

IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Dan Lauritzen, RSM, attack surface management, cybersecurity, digital identity, SOC, Security Operations Center, XDR, ITDR, SIEM, cyber kill chain, detection and response, identity security, human intelligence, military cybersecurity, continuous identity management, shared signals framework, UEBA, threat detection, zero trust, privileged access management, identity governance, security metrics, vendor management, cloud security, endpoint security, data correlation, security silos, collaboration strategies, identity assets, orphaned accounts, entitlement creep, attack surface reduction, security automation, AI in security, machine learning security, identity sprawl, security tools, cybersecurity consulting, managed security services, security monitoring, incident response, threat hunting, vulnerability management, risk assessment, compliance, security architecture, defense strategy


Transcript

Introduction and Industry Trends

This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing great, man. Some of the exciting things going on in our industry right now, you've got all the stuff that's NHIs, you've got all the stuff with identity security in general. And then you've got this whole AI emergence that's happening

now. It's going to, I mean, we don't even know what it's going to be like in the future. So it's just an exciting time to be in this industry. I'm excited for the younger folks who have a lot more career years ahead of them, decades ahead of them than we do. Excited and a little scared for them that think they'll be automated away.

AI and Technology Disruption Discussion

But I think that the best thing you can do at this point is like embrace the fact that a technology changes things, incorporate AI, become extradited, and then, you know, try to stand, stand out, stand apart. What do you think? No, I think you, you said it. We've, we've had disruptive technologies before. This is just the latest. Is it more disruptive or less than others? Arguable. I think it's probably more disruptive, but we've been here before, right? We had indoor plumbing and electricity and the Internet and, you know, computers in general.

So we just have to figure out how it is. And you know, I think, you know, today is when OpenAI launched ChatGPT 5, for example. So I have not had a chance to play with the new one, but that's supposed to be a pretty good leap forward. And so there's just a lot of things going on. But you said it right. I feel like we could just stop the recording there and then play like the, the more, you know, you know, symbol that goes across the screen, you know, what you're watching on TV or

something like that. But yeah, it's, it's, it's really a cool time. I think there's just so much going on and we get into these like periods of like, I don't know, hyper innovation where it's like, OK, it's been kind of ho hum for a while and then boom, like a bunch of new things kind of all come out at once and then there'll be another, you know, kind of through and then boom, some more things will come out. So it's super cool. I, I dig it. I'm all in on AI, as everyone probably at this point is sick of hearing me say, because we call this AI at the Center sometimes.

Upcoming Conference Schedule and Discount Codes

Yeah, really. I will say that one thing that hasn't been automated away is in person conferences, spending time with people, getting to know them. But it has created a whole lot more track. So I think, you know, over time more and more people are going to get brought into the space and hopefully be able to go to the conferences as well. You've got a few lined up here in the next month or two that you're heading to. Yeah, I'm going to be a busy boy here.

Through August, September, October, September, December, I'll be at the cybersecurity summits in Chicago and Philly. So this is put on by our friends at Cyber Risk Alliance. So we have discount codes, free discount codes, the rare 100% off discount code. So head to our website, idacpodcast.com. Scroll down. I just updated the website the other day with kind of all the codes that I know about at the moment. We still have all the ones coming out there.

So those are in September. And then we've got Identiverse happening again in DC. So this is kind of a smaller Identiverse event than the one that's in Vegas, but we'll be there. At least I'll be there. I'm not sure if you'll be there yet, but we're planning on doing another kind of game show type thing. So I don't know if it'll be a Dennis wobble or this other new game show that we're still putting together, but that's something that's coming up. And then we've got Gartner as well. So Gartner's in December, we are doing a game show for that one. So there will be a game show happening at either of those events and we should have a discount code for Gartner coming up here. Probably I think in October time frame is kind of when those get released. So check our website for that. But hopefully we'll see lots of friendly faces in any of those locations and come up and say hi and that kind of thing. Yeah. I think, you know, using the discount codes really helps us from the perspective that the folks putting on the conferences know that, hey, people are out there listening to the podcast and they are the folks that kind of come to the conferences. And you know, that means they want us to be at the conference. They want us to do the game shows and record podcasts while we're there. So, and that's one of the things that I just love doing about the podcast is, you know, being at the conferences and meeting folks. Yeah, get to meet all kinds of cool people and there are a lot of cool people in identity, which is super neat.

Podcast Milestone - Approaching One Million Downloads

One thing I'm very excited about and is a major milestone for us coming up is we are about to hit 1,000,000 downloads for this podcast, which is absolutely bonkers considering it's just the two of us doing it for six years. But we've seen just crazy growth the last couple years. And yeah, we're, we're, we're getting pretty close to 1,000,000.

So I'm looking forward to, you know, celebrating that on LinkedIn, which is kind of where I post stuff like that. So how many listens did we have at the end of year one, do you know? I would have to look it up and see, but. Like 20,000? Maybe. Yeah, I don't even think we had that many. It's been a slow time. We don't do any advertising.

So it's all been word of mouth and, you know, definitely, you know, people who have listened, supported, you know, guests on the show, sponsors, right, all that stuff has definitely contributed to it. But definitely appreciate, you know, kind of the audience that we've been able to build and, you know, hopefully a cool, fun place where you can be edutained about identity, as you'd like to say, Jim. How many listens or downloads have we had on average, like, per week?

Well, I think right now we're in 10 to 20,000 I think a week right now. So a lot for an identity podcast. I mean, it's pretty niche. I mean, this is not Kill Tony or Joe Rogan, but you know, we seem to be doing OK. But I've known you for a long time and you're probably like padding low, right? You're coming in. You don't want to, you don't want to overestimate the number. So when I hear that I'm taking 25. No, I'm pretty, I try to be OK with it. It's, look, podcast stats are hard to get, especially with all the different players and vendors that kind of syndicate it. So things like Apple and Spotify and Google all have different ways to do it and all have various levels of reporting. The best that I can tell is, yeah, we're, you know, we're going to hit 1,000,000 downloads. And maybe it's more, maybe, but the minimum number is kind of what I've been going with.

Introducing Dan Lauritzen and RSM Defense Team

Yeah. Oh, it's pretty cool. Yeah. So what are we going to talk about today, Jim? This is kind of like a series that we started way, way, way back in January of this year. Our first guest was Ghazi from our employers RSM, our day jobs, and we have this kind of series. We talked about the intersection of sort of like X with digital identity. So what do we have lined up for today? Yeah. So we have a conversation around the intersection of attack surface management and identity. And I think it's a really cool topic because I think we're all, we read the breach reports and kind of everything, everything seems to be tying back to identity. I say everything, not everything, but it's a very large percentage and it's... At the center, man, come on. They're like, it's in the name. Yeah, yeah, absolutely. So it's definitely a trend that is growing and growing. And when you talk about the space of identity security, to me, it seems like half the time or more than half the time you're talking about a security, traditionally an information security or cybersecurity tool that now has an identity element.

And so as identity practitioners, it, you know, it's probably not just like an expansion of our duties unless you're at a very small firm, but it's, we're playing an important role in different aspects of the overall information security or cybersecurity program. So it's exciting stuff. I do recommend people go back and listen to that episode with Ghazi and all these, you know, our entire catalog. You can celebrate our entire catalog.

But I think that was a good one that kind of kicked off this mindset, which is if you look at the overall cybersecurity landscape, identity is part of it, but there's interconnection between identity and all these different areas. So we're very fortunate to have a guest on today to help us out with that. Yeah. These are these are fun things. I'd like to branch out a little bit past normal sort of identity talk.

And I think, you know, it's important to be somewhat well-rounded to be able to talk through not just identity, but adjacent security topics and the business side of things. So let me go ahead and welcome to the show for the first time, Dan Lauritzen. He's a fellow director with us here at RSM. He's part of the RSM Defense team, which is really our managed security team. So welcome to Identity at the Center, Dan. Good afternoon. Thank you for having me. Yeah.

Dan's Background - From Military to Cybersecurity

So thanks for joining us. I, we have a bunch of stuff that we want to talk about and I think this is such an interesting area. We're going to have a good conversation, but we kind of have a tradition here where we always like to find out backgrounds of people and kind of how they got into, normally we'd ask, identity. I don't know if you consider yourself an identity person. Maybe by the end of this conversation you might be, but how did you get into the cybersecurity space?

Yeah, sure, in some ways it was a relatively simplistic entrance, but in other ways it took a bit of the long route to get here. And funnily enough, I don't consider myself an identity practitioner, but in my prior company before coming to RSM I was a campus hire and I was in the identity practice for roughly 36 hours. So I was almost immediately grabbed and pulled over into what I do now, which is detection and response and security monitoring. But to go back to your question, like where did I start coming out of high school kind of figuring out what I wanted to do with my life? I wasn't the guy that you would necessarily assume would have gotten my way into cybersecurity. So most of my colleagues in this field, particularly in the defense side of things, like to take apart their vacuum cleaners and figure out how they worked, or they were building their own computers or whatever. That was never me.

But I did join the military after high school and I got some good experience in, you know, a broader defense and security context and got to serve overseas and things like that. So when I was coming back from deployment, trying to figure out what I wanted to do with myself, I was originally thinking I wanted to go into the FBI, something in international law enforcement, something along those lines. And I kind of wanted to parlay my military experience into that next phase. So I took a history degree, probably ill advised because I just needed a degree to get into the FBI, but it was my favorite subject. Got all the way up to my senior year and said, I don't want to do this anymore and I don't want to be a curator or write a book or work at a museum. So what am I going to do? So I, I jumped into a, you know, I researched a bit, I figured out a career I thought would be interesting to me.

I jumped into a master's program that was specifically focused on cybersecurity, gained some skills, little bit of coding, little bit of lightweight red teaming, system internals, things of that nature. Got my feet wet and that was kind of my springboard. So I jumped into a consulting firm to kind of get that broad base of experience. A lot of clients, a lot of industries thinking I would then jump out. And here I am 13 years later, still in consulting, you know, still enjoying it.

So. We're lucky to have you, lucky to have you here today, Dan.

What is Attack Surface Management?

So we're going to talk about this intersection of attack surface management and identity. I'll start off with kind of a simple question of what is attack surface management? Sure. So attack surface management, particularly within the domain of detection and response, which is where I sit, is this continuous process of identifying and managing assets so that you can protect them, right? So you need to continuously identify where things sit that you maybe didn't know about. You need to continuously fingerprint them so you understand what they are. And then you constantly have to assess and analyze them to determine where they fit in business operations. And if they don't fit, expunge them from the environment.

And if they do fit, bring them under, you know, under your security practices, right? And I think, I'm sorry, go ahead. Yeah. I'm sorry, you used the term there, assets. I'm just kind of wanting to understand, like, at the very basis, what are you talking about with assets? Yeah, yeah. But there's, I mean, there's so many ways to use that term in different contexts. And like in my field, you will oftentimes use an asset as a computing resource that needs to be protected.

But to me, it's broader than that, right? It's anything that's got value to the business. That could be a system, that could be a specific computing resource. I definitely think identities fit into that because it's something that has value. You know, it drives a business process. It's individually identifiable and you can kind of inventory it. There are dependencies within the system that require those validations and authentications to make a process happen. So those identities are critical assets in my opinion, and you need to really think about it. I think a legacy way of thinking about it is that those identities that are tied to authentication, that's kind of an IT control. It's a static thing. I think the modern way to think about it is it's an attack surface and those identities kind of live across multiple domains. So therefore they should be treated as such. Yeah, I see your point there.

Treating Identities as Assets

I mean, treating the identities as assets, does that mean that if you have just like an identity sprawl, that you have more assets and you're just a richer company? It's kind of tongue in cheek there. But I mean, I, I, no, yeah, I've only, I've only you that that mess actually had some value. But I'm wondering, do you sometimes interface with clients and you're trying to incorporate that identity intelligence into the detection and response function? Is it, is that difference between somebody who's invested in identity, or organization that has versus has not, does that become very apparent where it's like, hey, we can't correlate the actions across these multiple systems because the identities haven't been tied together? Yeah, yeah.

I mean, that's one of probably multiple ways that identity and the management of identity intersects with what we do in the detection and response space. And I think in a lot of ways this kind of dovetails with a bigger trend in our industry. It's not new and quite frankly, it's kind of a buzzword that irritates a lot of people in the detection and response community. But this whole XDR concept of thinking beyond the endpoints or thinking beyond, you know, servers, laptops and bringing in more data, right? So that could include things like IoT, so like your physical building management systems, HVAC, you know, it could be OT. So you know, you're going past that border into logic controllers and things that are managing control processes for production and manufacturing. And it could also, you know, cross that boundary into the domain of identity, right? So your identity managers, unfortunately, I find more often than not are a little bit siloed off from the people that I operate with and, you know, the clients that I serve and deal with on a regular basis. And I think that's something that definitely should be remedied.

But I do think that identity, you know, kind of the question you were asking was, you know, how does it tie into what we do and, you know, how do we use identity essentially?

The Cyber Kill Chain Explained

I think one of the key core concepts there and why it's so important is, are you guys familiar with the concept of the kill chain, the cyber kill chain? Yes, I am. OK. I mean, it's kind of like a little bit of a mantra for everybody in the detection and response space. It's a six step process of the things that an attacker will try to do to get into an environment, right.

So reconnaissance; weaponization, which is where they're building the exploit or the way in, building the breach mechanism; delivery, so you get it into the target systems; exploitation, you make it actually do what it's supposed to do so you can gain access; command and control, so you want to remotely manage, you know, whatever you're trying to do; and then actions on objective: I want to steal something, I want to destroy something.

I want to, you know, free something up using ransomware. Well, identity, if you abuse those identities, you can jump start right into the exploitation phase, right? So you can subvert four of those steps of the kill chain and get right in there if you're just like walking in the front door with an identity that's legitimate and already has some permissions associated with it. So. So Dan, we're all sitting here trying to learn. I mean, this is a practitioner podcast from an identity standpoint anyway. I don't know the kill chain very well. Is that something you recommend that people do further research on, and kind of where would someone want to start if they want to understand that? And then you're talking about some different aspects where identity can play a role in that kill chain. I think it contextually seems to make sense for identity practitioners to understand that. Yeah. I mean, it's a common enough concept at this point that I think, I mean, it's niche, right? You only really need to reference it if you're kind of in the business of trying to stop an attack midstream. So I'm not surprised if people outside of our community don't really know it very well. But if anyone were interested enough to, you know, to learn more about it, you could easily just Google and there's a million references and resources online about it to at least get the core steps, those six that I just enumerated, and kind of get an understanding of what those are. And I'll put a link in our show notes. There's a, you know, like anything else that's on the Internet. So I grabbed the Wikipedia entry and I'll put it in our show notes so that people can kind of check that out.

Why Identity and SOC Teams Operate in Silos

I want to follow up on something you said around data and the different silos.

I will say you're not wrong that we tend to see like identity teams operating separate from maybe other parts of the security apparatus, or at least not from a, separate from a data perspective. And you know, part of the reason this show is called Identity at the Center is because that's, that's legacy thinking, not incorporating identity data into your operation center to be able to, you know, treat those pieces of data as, you know, other indicators, other signals that you want to be able to act on or correlate, etcetera.

Why do you think that isn't? Are you seeing a change where people and organizations and stuff like that are starting to incorporate more of their identity apparatus into the rest of their security operations? Yeah, yeah. So I'll try to break your question apart into two parts as to like why I think that is and then what I'm seeing changing presently. So I think it's probably the last like dying gasps of kind of a legacy way of thinking about the problem. So people can truly only specialize in a certain number of areas or domains, right. And in my field, people are particularly interested in all the creation, use of malware, tactics and techniques that are used by attackers to get a foothold in the environment and where they want to go after the fact. So if you get ahold of an e-mail, and what you're legitimately, and you're holding a legitimate e-mail, what are you going to do with it?

Like what inbox rules are you going to create to stay silent, hidden? How are you going to spread by sending malicious emails out? Like knowing the guts of how attackers operate is more of what my community has generally been interested in. And then how do they stop that, right? So I don't think that it's a lack of curiosity or lack of like legitimate context. It's just, you know, you can only focus in so many different areas. So what I think is changing, to answer the second part of your question, is I think tooling and the ability to access data has changed so much and there's so much ability to automate and use, not exactly generative AI, but certainly assistive, you know, assistant AI to crawl over these massive treasure troves of data in different ways than we did before. And those systems like the ITDRs of the world, or like the, you know, identity management systems of the world, can actually provide better context and provide all that data over to us. So now we're not just getting an alert that says, hey, bad thing happened or misuse of an identity with no context.

The Role of Data in Modern Security Operations

We have all the data and the system's actually helping us to make hay out of it, you know, getting some context out of it that we can plug into all of our core security knowledge and say, OK, the system's telling me this is an identity that's used in a certain way regularly. This is outside of the bounds of that regular usage. OK, I can couple that with a couple of weird process calls, you know, and weird accesses of data in the environment, and now I can start to tell a story. So piecing all that stuff together, that is that XDR concept, right? Don't silo, don't think about, you know, just actions on objective or just an exploitation of a certain type of malware; think about the broader picture. So that's what's changing in my opinion.

Continuous Identity Management and Shared Signals Framework

So there's a kind of a movement that's starting to take hold right now in the identity space around this concept of continuous identity. So shout out to, you know, our friend Sean, you know, out there, he's done a lot of things at Identiverse kind of around this concept of continuous identity management. And the whole concept kind of revolves around things like shared signals framework and other components like CAEP, continuous access evaluation profile. Think you got it right. If not a tool, probably slap me next time he sees me, which I would totally deserve. But that kind of data, you know, first of all, it requires a lot of data and it requires applications and systems to be talking to each other. So my focus so far on the SSF and sort of that CAEP framework, shared signals framework, is it's been more focused on the identity space. But are there similar concepts maybe that apply to be able to take, you know, let's say your Okta, your Microsoft, your Ping, your SailPoint, your CyberArk, your Saviynt, your Delinea, blah, blah, blah, right? All these different identity tools, if they're all speaking the same language via something like shared signals framework, that theoretically makes it easier to consume that data into a larger system. Maybe to be able to do those things like machine learning or pattern recognition or, you know, behavior analysis. Because I would love to be able to take that data. And that was another thing that we've always kind of been talking about was like a lot of identity teams sit on their data. It's like, oh yeah, we have an identity program and it does access reviews and it does onboarding, offboarding, and then all that data just kind of sits in some database and never gets acted on. Those types of things today, you know, can feed into what a SOC might seek, right, to be able to correlate and get smarter, better, faster alerts.

I don't know if you want to comment on that, but that seems to be a trend that's taking right now. I think you're really on to something and I think that everything that you're talking about with the condensation of data into like common formats that could be used across the identity space, that could be really powerful if you have different use cases in different platforms. If you've got your privileged identity being managed through CyberArk, then you've got your core entitlements management being done through something like an Okta or SailPoint or whatever. And if you've got all that tying back to CAEP, that's great. And I could see that, you know, tremendous value for the identity management teams themselves, but we even kind of layer on one additional layer because everything that we do from a detection and response space has to come back to the data set that's got disparate information coming in from multiple different systems. So there's a lot of next generation tool sets. I say next generation just because it's such a buzz term, but I mean, at this point it's like that generation has gone to college and is like buying my first house. Not necessarily the next generation, but they, you know, that actually have a core common schema on the back end. So they say this is, you know, I'm taking this thing in from Okta. Well, this is an identity event first and foremost. It's of a certain type. You know, it's a suspicious login against the baseline, right? And it shows this kind of misuse. I'm going to file that away in the schema so that my logic in my detection and response system can access those things and plug it into a timeline, right? So there's XDR platforms like Stellar Cyber or Chronicle or, you know, all these different, you know, Google SecOps platform, all these different platforms that have that common schema on the back end. And that's what they're doing. So they're taking all those disparate pieces of information and doing that again for the security community to use. And it sounds maybe a little bit duplicative or it sounds maybe a little bit like, you know, multi steps. But we have the horsepower and we have the systems that can do it now and can do it seamlessly, quickly, you know, affordably. So it's great. Yeah, I see that as a massive trend of, you know, massive benefit for us.

Can You Have Too Much Data?

Can you have too much data? Yes, yes you can. Yes, you can. And the reason why you can have too much data is for reasons unrelated to necessarily the core mission. So if you ask a hardcore data scientist, data engineer or security practitioner, they might say, yes, there's, you know, there's no such thing as too much data, send it out to me. Well, I unfortunately have to sit in the intersection of our clients' needs and what our service can provide. And there are cloud transportation costs, there's storage costs, there's processing costs, there's legal and compliance ramifications of housing and storing data. So if it's not necessary for the mission, you don't need it.

You can take a lot more of it, like a good example of this is in our space DNS data like IPS being divvied out or I'm sorry, IPS being accessed, you know, the Internet. Thousands and thousands and thousands and thousands of entries of data used to be impossible to to gather in like legacy SIM. Now you can't because of the combination of cloud and next generation SIM. So yes, it is possible to have too much data, but for unsexy

Yeah. I actually want to add on to that because I spoke to another practitioner, actually somebody using consulting, and he worked on a UEBA implementation, or it was kind of a discovery process, a number of years ago. And you know, with UEBA it was about understanding, here are normal patterns of access, and then identifying abnormal access and triggering some kind of event. And the problem was the amount of log data that was needed to serve that function was petabytes of data. And you're talking about a really large global organization, and just the Active Directory logs can be just humongous. And it got to the point where it's like, we just don't have that much storage. We don't want to buy that much storage.

Yeah, petabytes, petaflops of data plus a long time horizon of interest, right? So you have to have it go for six months, nine months, a year with reduced value of the findings because you're going to have to teach it. And then you also have to kind of tune it and tweak it based on your specific environment. And then you have to factor in, what about my third parties that only access things a couple of times a year? You know, what about my transient employees that only log in to check their benefits because they're not IT knowledge workers? You know, all these things just make that that much harder to build patterns around. So it's a huge investment of time, a huge investment of money and a huge investment of data to get that to work appropriately. Yeah.

Breaking Down Silos Between Identity and SOC Teams

And I think this conversation, Dan, is just so timely because I talked about that identity security, and it's really like all these detection and response type systems that are having an identity component, that's really where this industry is kind of focused lately, is, you know, not just managing access, but detecting in real time when access is being misappropriated, if you will. To me, it puts a finer point on the fact that we can't live in an identity silo. We need to collaborate as practitioners with our colleagues, our counterparts in the SOC, for example, and, by the way, when I say our colleagues, our counterparts, they don't necessarily work for the same company either, right?

The identity practitioner may work for the firm. The SOC may be outsourced, I guess potentially vice versa too. But it all comes down to, in my book, collaborating with those teams to make sure that identity is able to serve that purpose, but also that detection and response can serve the purposes of identity.

Do you have any thoughts there? Yeah, so I definitely think that there's a lot of meat on the bone, so to speak, in how we can increase collaboration between the identity management teams and the SOC themselves.

And you know, I think there are probably three areas that I would think would be good, you know, kind of tactical ways that those teams can increase their collaboration and get mutual benefit out of it. So the first one is probably the simplest, which is just increase that bi-directional sharing of information. So the identity teams should be sharing the types of personas that they're managing, the types of identities that they're managing, you know, the credential use expectations and maybe perhaps most importantly the risk score. So which identities and which credential pairs have the greatest business impact. So that can influence the scoring and the response timing of the security operations center, right?

So that makes the security mission stronger if we have a better idea of the context of the identities that the ID teams manage. On the flip side, the SOC is going to be continuously gathering alerting relative to identities and identity management. So what we can do is we can continue to share the investigations themselves, but more specifically the false positives that we're seeing. So here's a rule that we have, it's triggering on XYZ conditions.

And we've noticed in the last month, we've escalated 25 of these things to you guys. You've shot them all down. It's false positives. Help me collaborate better to make sure that I'm not sending these to you all the time, right? So how do we tune this thing? So that bi-directional communication, I think it's, you know, listen, I'm a realist. It's not going to happen every single week. But if you're having quarterly meetings that are, you know, between the two groups, between leaders of the two groups, that can probably make some positive benefit. I think that kind of gracefully transitions into the second one, which is mutual playbook development.

Practical Collaboration Strategies

So as I already said, tuning and threshold development is one part of that. But another part of that is who do I escalate something to? If I see an anomalous travel indicator, somebody's logging in from outside of the country, who do I escalate that to? Is that to like people management? Is that to you guys in the identity office? We live and die with our escalation procedures. So having identity's input into those is very helpful,

right. And then probably the last thing I would say is, you know, one of our core missions in the SOC is to identify shadow or orphaned IT in the core attack surface management mission. A lot of the tools that we have now, whether they're attack surface management tools themselves or whether they're things like CNAPP, which is cloud native application protection platforms, they can actually identify the misuse of things like secrets, like hard coded passwords in CI/CD pipelines, you know, password secrets, API keys being stored out on insecure buckets out in the cloud.

Sometimes they can even detect misuse across different platforms in the cloud, in addition, you know, different cloud assets or cloud resources. So I think there's a collaborative mission there as well to say, hey, we're doing this continuous attack surface management mission. It dovetails with what you guys are doing.

Let's talk about that. Like maybe we can find some orphaned identities or some things floating out there that you didn't even know about. It's an opportunity to get creative with some of that data they might be collecting. And so we've solved collaboration, right? Talk to each other. We've talked about the importance of the data, but now it comes like it's time for the tool. And I feel like this is an area where SIEM tends to be like the default choice, but we've also got a bunch of new tools in this space that are commonly called, I guess, ITDR, Identity Threat Detection and Response. You've got XDR, which you mentioned, you know, as well. There's, you know, other things like UBA, user behaviour analysis, or UEBA, user and entity behaviour analysis.

SIEM vs XDR vs ITDR - Understanding the Tool Landscape

We just have so many acronyms. Where do these tools fit together? Is it still what I would call like a traditional SIEM type approach? Is ITDR the new SIEM, or is there some middle ground or collaborative space where there's room for all of those types of tools? We're in an awkward place right now in the, you know, in the security tools industry because so many of the platforms have grown so much to cover a lot of different ground. So it creates a lot of overlap and a lot of difficult conversations that our clients particularly have to ask themselves around where they want to get certain, you know, capabilities that come along with maybe their legacy partner that would have done something where they were more niche. But now they've grown and grown again, right? So like a good example probably being CrowdStrike, they would have been the gold standard endpoint tool for a long time.

They've grown into a lot of their cloud workload protections, they've got an ITDR, you know, capability in NASA. So I guess it's a kludgy way of saying that it's not a replacement for SIEM, right? SIEM as a concept or as a tool, particularly in its legacy stage, was get a whole bunch of data into a single platform, run some rules to continuously churn over it so you're finding things in real time, right? And then do something with it on the back end. And in its early stages, it wasn't really clear what you were going to do on the back end of it. Now things have grown and evolved, so you're taking that core data engine, but you're building a better skin over the top of it of a common data schema. You've got AI/ML crawling over the top of that, detecting things and doing things in a more intelligent way, you know, with more heuristics.

You've got all those different plug-ins, you've got the cloud plug-in, you've got the identity plug-in, you've got the endpoint plug-in, right. And all these things are feeding back into that same data set. And then the additional layer on top of it, now there's an automated response capability because maybe there's an inbuilt SOAR or maybe there's other, you know, integration capabilities to go out and actually touch an identity management system and sideline something, you know, sandbox a profile or a user or whatever. So it's not a replacement, certainly, to that part of the question. The legacy platforms just can't keep up.

They're bad at scaling data. They're clunky to manage, you have to tell it exactly what logic you're working for. It doesn't have the AI/ML components that kind of help you in that mission. So it's not a SIEM, you know, it's a different thing in and of itself, these new XDR platforms. To the second part of your question, ITDR specifically is one component of many that all these vendors are trying to condense. So it's part of a broader set of capabilities that everybody's bringing together into platforms. And the challenge we have now is identifying the core capabilities you need and then kind of doing a vendor analysis to see who have you had for 10 years for endpoint and who have you had for identity and who did you deploy five years ago for cloud and what are they totally off for? How do we kind of declutter that to kind of streamline vendor management? It's an interesting intersection in the security tool space right now. So Dan, I'm thinking about how attack surface management evolves into the future. And I also want to make this, you know, kind of pragmatic with some takeaways for the practitioner. So I'm kind of thinking like, what are some of the strategies that we could put

out there? But I do want to interject something first, which is we talked about this convergence of identity and endpoint threat detection. But it seems to me every time we hear about like a really big breach, it usually starts by somebody getting phished or a help desk getting socially engineered.

So it seems to me like no matter what we talk about in terms of strategies, it's like we've got to do a better job at like not letting that happen because, you know, we're talking about identity as like the gate, the door, and usually they're walking through the front door. They just take in the account they've got. So I don't know if that resonates with you, but then if you can kind of talk about it in terms of like pragmatic strategies that people can invoke. Yeah, I mean, identities are tied to people and you can't patch people, right? There's that old like problem between chair and keyboard. That's the issue, right? So until you solve that problem, like we're never going to be out of the calling up the help desk and saying, can you please just pretty, pretty please reset my password so I can get in, and having somebody do it for you. But having said that, you know, things that you can do.

I mean, treating identities, like I said at the beginning, as an asset that allows you to unlock things across the now sprawling multi-environmental corporate, you know, behemoth that we have, you can take kind of a zero trust approach and not take anything for granted. Reduce permissions as much as humanly possible, introduce borders and barriers between trust zones, you know, locked down even down to like the cloud side workload level. You know, you have to authenticate in all those different instances. Not easy to do, takes a long time, takes a lot of investment and in a lot of cases you can't necessarily bolt that on top. You kind of have to refresh your architecture to make that work. So that's like the Nirvana state, but very, very few of us can get to that Nirvana state, right? So I think what you do is, you know, you do the best with what you've got. So one thing that I think a lot of practitioners fall into the trap of within my industry is they're constantly chasing the next shiny thing that's going to make everything work better. Just really do that deep thinking around what vendors do I have in place, what tools do I have in place? What value can I get out of it? How do I stretch to the maximum value with all those capabilities that, you know, that vendor brings to me? And then how do I make my processes rock solid? So am I actually sharing information between my SOC and my identity team? How am I actually like making sure that I'm putting in the hours to have all of my vendors, you know, have the same level of rigor as my internal users when it comes to identity? Like, there's no magic, you know, no sexy magic bullet that's going to make it all go away, unfortunately.

Pragmatic Security Strategies and Metrics

Yeah. I mean, you know, as a practitioner too, we get allocated a certain amount of funds to go and apply to our program. But ultimately we usually have to kind of show like, hey, we got value out of this, but it's hard with security. It's kind of like saying, I started working out at the gym and I haven't been robbed in two years. It's like, well, maybe you wouldn't have been robbed anyway, right? So do you have any recommendations there in terms of like trying to tie back the value to these investments? Metrics should be few and should be, you know, valuable. They should enable decision making and they should

be, you know, coherent, concise. But some of the best security metrics from a SOC standpoint have to do with coverage and devices under management. I think you could do something similar with identity, right? So from a foundational standpoint, how much has multi-factor authentication been deployed throughout the environment, and set some gold standards for that. How much privileged account use do you have? And if you're really going to start a campaign to limit privileged account use or over-privileged machine accounts, right? So like non-human accounts that are performing back-end functions. So how much privileged account use do you have? How much machine account use do you have? And can you drive a trend of like, my campaign has driven that down, right? And identity inventory, right? So you have X number of corporate users, you have Y number of vendors that should track to a certain number of assumed identities and accounts. And then, you know, for your workloads, how many different permissions, whether they be API keys or whether they be, you know, otherwise secrets that you need to have to make all those things run. So like, are you actually identifying them and are you actually inventorying them? That's kind of like your foundational level. If you want to get into something more advanced, like how do you start having trailing indicators to show that entitlement creep? So I went through this whole, you know, I went through this whole initiative. I inventoried and identified all my, you know, all my identities. I derived a trend for my privileged account use. OK, but now I'm starting to see that tick up. Why is that? You know, what's happening?

Is that actually legitimate? Another thing is the unneeded or non-compliant identities that are being found. This ties into what I said about using the attack surface management and CNAPP tools or partnering with this. Am I seeing an increase in orphaned accounts? Am I seeing an increase in, you know, identities or secrets floating out there that I didn't know about before? Like that's when you really start getting into the more advanced levels of metrics around your identity management

program. So I think if you do those things, you can really preach the value of what you're doing.

Biggest Misconceptions About Attack Surface Management

So final question from the Great Inquisition of 2025 here. What is the biggest misconception that you see when people start to think about, OK, here's what my attack surface looks like, and how do I start to reduce that? Like what is something that people maybe can start to do, or things that you see people do wrong? Like, I would not have started that way? Like what's the biggest thing from your perspective that people listening to this go out and say, OK, here's how I start to tackle this problem? Specifically because of the way that you asked the question around misconception, I think the biggest misconception would be that it has to be a comprehensive program. Like all the little singles that you can hit all contribute.

So like pick a problem today, work on it for a couple months, turn your attention to another problem in another couple months, right? You're not going to solve like the ASM problem in a grand campaign. Just identify things, catalog things, get them under wraps, move on to something else. Just be iterative. And then when you don't take that approach, you never get anywhere because you just get analysis paralysis. And you can't really ever truly solve it, right?

It's really just about getting skinny, getting a small target to hit. But it's not like your attack surface is ever 0. Is that a proper way to think about it? Yeah, 100%. Yeah. I'd absolutely agree with that.

Military Background - Human Intelligence Collection

Well, Dan, you've been really generous with your time. I do want to get into a little bit of your background. And I know you have some military background. You've referenced mission several times throughout this conversation as well. One of the roles that I saw as I was, you know, stalking you on LinkedIn is human intelligence collector. So I want to dive into that a little bit here to kind of end the show.

But tell me, what is a human intelligence collector, for people who aren't familiar with that role? And then I want to ask you some follow-up questions around it. Sure, sure. So human intelligence collector, particularly in the Army, which is where I was, is the lowest man on the totem pole for the intelligence community. So we're the guys out there in Army uniforms trying to get secrets or information that could be helpful and then pass it up the chain.

But there's kind of two sides to that mission. There's the classic like booth interrogation style of questioning that everyone would think of it. They've seen in movies or you know, I've seen in TV shows where somebody is a detainee, they've been captured. You've got them for an hour with an interpreter in the room and you get to ask them all the questions about, you know, whatever topic of interest we have in for.

Then the other side of the mission is more elicitation on what they call source operations, which is more around making friends with locals and building connections in a community and trying to get people to want to provide information for either their own benefit or for the community benefit. So I was more on the on the source operations and elicitation side of things.

So that be kind of like a for the people in the US here like neighborhood watch, for example, kind of like partnership or kind of a band of people who are willing. To provide information. So in, in I'm from Chicago. So in Chicago there was this program 20 years ago at this point that was like it was called CHAPS. That was an acronym called CHAPS, but it was, you know, Community Action policing. And that's exactly what it was.

Is they were going to go around and kind of deputize people in the community and say, you know, you're a liaison. If you see something or, you know, come and say something to the police, like let us know what's going on here. Similarly, Yeah, you'd say, OK, you're a village elder. You know, you're, you know, you have a position at the mosque or, you know, position of influence. You probably see what's going on. You know, everybody in the community, you know, help me

understand what's going on here. Help me understand the problems you guys are chasing. Help me understand who could be causing trouble. Yeah, it's that concept. So would you consider Jim and I human intelligence collectors by way of this podcast or something similar? Like how do I get an honorary title on this? I'm sure there's been a lot of intelligence collected on your podcast, maybe not in the last hour, but in other episodes I'm sure that's been the case. I think we'd be the troublemakers, Jeff. Somebody would be like, yeah, Jim, Jeff, these guys, good trouble. Know about them? Good trouble, good trouble. Like that's, you know, we're asking questions and, you know, eliciting responses.

Communication Tips for Better Information Gathering

I think, you know, one of the things that I'd love to hear from your perspective, Dan, is what are some tips that maybe Jim and I can take away for future conversations, because it's too late for this one, where we can ask better questions.

Or maybe for people who are listening out there, they're probably in an identity role, that they can ask their stakeholders or, you know, other people that they need to either influence or try to get some better information out of. Other tips that you can share with, you know, us peons in that space. Oh, too harsh on yourself? A couple of things. The first thing I would say is conversation is easy, it's fluid. It's kind of a natural thing everyone does.

But when you specifically want to get information out of someone, whether it's because you're defining a mutual goal or it's a client situation and you need to know how to better serve them, have a plan about the questions you're going to ask and how you're going to ask them to get to a certain conclusion, right? So plan out your conversations, important ones anyway, is the first tip. The second tip is definitely ask open-ended questions.

Far too many people I hear ask a question that ultimately ends up in a one word answer or a yes or no, and you don't get anything out of it. So make sure all of your questions are open-ended and force the other person to talk a little bit. It gives you more to spin off of. And I think the third thing is just really actively listen, right? Because people say so much between the lines, in the way they say something or the thing that they don't say that you would expect them to say, that tells you that they may be apprehensive about something or they're worried. So really become good at understanding people's tics and like paying attention to how they talk and what they don't say. And that's just good in all walks of life. I mean friendships, your family, client relationships.

Like, you'll just be a better communicator. Yeah, I've heard the scenario where they say it's how to make the person that you're talking to think it was their idea. So if you have an idea, Dan, that was a great idea that you had. Even though maybe really it was my idea. Incepted. I love that idea. Inception. Like, yeah, plant the seed and let them think it's their great idea. That's great. That's great. All right, well, this has been a fun conversation. I learned a lot.

I think this is an area, this is why we are very fortunate to work with a bunch of people here at RSM, lots of access to really smart people. So Dan, thank you so much for being part of this. I will have links in our show notes to your LinkedIn profile if people have questions around that or want to get, you know, in touch with you. I'll have a link to the cyber kill chain as well for people coming on to that. Spoiler: it's going to be the Wikipedia one.

Like that's the one that's probably the easiest one to go for. And yeah, so appreciate you being here, part of this.

Closing and Contact Information

You can find us on the web, IDACpodcast.com, like, subscribe, help us hit that million and then maybe the next million after that. But appreciate everyone who has supported us. And, you know, thank you all for watching and/or listening. So with that, we'll go ahead and leave it there for this week. Thanks. And we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon.

But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
