Surviving an Identity Crisis with Venkat Raghavan
Venkat Raghavan · June 26, 2024
All right, welcome to the Security Cocktail Hour. I'm Joe Patti.
I'm Adam Roth, but wait, this is all about identity. So we don't know whether or not I really am Adam Roth, but continue.
Adam, after three seconds of that accent, I can tell it's you. Don't worry. You see, that's the human element. We're going to talk a lot about that because today we have a great guest. We have Venkat Raghavan, who is the CEO of Stack Identity and a long-time hardcore identity professional. So Venkat, welcome. We're glad to have you on.
Thank you, Joe. Thank you, Adam. Nice to be here.
Yeah. So, you know, as we were saying, I thought I knew a lot about identity to tell the truth. It's not something we've talked about on the show. but it's something I like to think I know well, but I have a feeling you might have me a little bit outclassed, because you've been doing this and living it for quite a while. So can you tell us a little bit about your background and what you're doing these days too?
Yeah, absolutely. So I got into the space, I guess, 25 years ago. I'm dating myself now, so it's been a long time. And it's sort of amazing that I grew up in the age of the internet, right? And when the first internet applications came along, it was like, wow, you don't have to go to the bank anymore. And so it's amazing. So all these digital services came around 25 years ago, and now the world has completely changed. And so I had a chance to kind of have a front-row seat to a lot of the innovation happening in that time. And now we recall this as single sign-on. Everybody knows this because everybody hates passwords. So single sign-on was really the first response to make it easy for users to log in and do whatever they want online, right? And so that was a big thing; we had to use like 10 passwords. We would just write down passwords on yellow stickies, all those things. So we've come a long way from that discussion. So identity has always kind of, I would say, inspired me and intrigued me. It's all about who you are. There's a caption I remember, it says something like, on the internet, nobody knows you're a dog, right? It's sort of a caption.
Yeah, that old comic, that's a classic.
That's a classic one. So that's the problem that always stuck with me, like, what is this problem all about? And then the contrast now, like, now I've got to use FaceTime video to authenticate myself. The change is amazing. It's a fascinating change as well. So yeah, I started a startup called Daskomp, where we were one of the early pioneers in web single sign-on. And all of us, three of us actually, three companies at the same time, all began at the same time, all got acquired pretty quickly. I got into IBM and then onwards and upwards, I guess. So that's how I got my entry into the identity space 25 years ago.
Wow. Well, that's interesting that you stayed into it because you know what, it was funny when you said single sign on, I got a flashback because back there in the nineties, in the early web days, I, you know, we started doing web stuff. We started doing the first e-commerce stuff at the place I was at, and we quickly bumped up against single sign on. And that was one of the big projects I was working on. And you know, I don't want to say I ran screaming from it, unlike you staying in it and digging in. But I wonder if there was something psychological in there that I decided to change jobs. I don't even remember going back that far. But I'm like, had enough. I don't know. Moved on to some other things. But yeah, that was kind of the first iteration, I suppose. And identity has only gotten more important. In fact, these days with everything happening in the cloud, everything moving up there, you know, a big selling point for a lot of things. People like to say identity is the new foundation, is the foundation of security and all.
So I'm going to, I'm going to argue that's not necessarily true.
You're going to argue with me.
Of course I will. You know, like, you know how you wore bell-bottom jeans 20 years ago and you start wearing them again. I think things come and go; you know, they go in fashion and out of fashion and back in fashion. Because one of the nicest things I like to talk about is physical information security management. And I think what has happened with PISM or anything else is that people are going back to figuring out ways to establish identity in multiple different ways, whether it's through video surveillance or biometrics again, or through, you know, passwordless sign-ons and push to authenticate. And it's gotten sexier. It's gotten more complicated, but less complicated. And what I mean by more complicated is the backend has become a little bit more intricate, but to the user experience, it's like push. It's either a push to acknowledge, or push to acknowledge and push one of the three numbers. But eventually we'll find a way to get rid of passwords, 100%. I'm sure of that.
Absolutely. In fact, I was thinking about this. I actually came to Atlanta from San Jose, right? Yeah. The system where even at the, you know, security check-in, the officer is not checking my physical ID anymore. He's saying, go look at the camera. I'm not even giving him the ID. I'm just looking at the camera to take a picture. In 30 seconds, how can I run, right? So it's that, you know, it's scary, but that's where the world is going.
Yeah, it's funny. In the past couple of years, since we started traveling again after COVID, I got that global entry thing.
Yeah.
me and the whole family, which is great. You walk right through it. Except the first time we used it, they don't even ask for your, for your passport. At least when I go through and they're like, just look at the thing. And then the guy says, Oh, Joseph, Patty, you're good. Oh, you know, such and such. You're good. And the weird thing is that my tech savvy kids who grew up with an iPad and the screen, they're the ones who got freaked out by it. Like, how does it know who we are? How does it know all that? My son is like, am I now tagged for life by the government? I'm like,
Probably. I hate to tell you. But it's very... because I was coming back from, I think, some travel, and the same thing happened to me, and I'm asking the immigration guy, here's my passport. He says, do you want this layer?
Okay, you're okay, good to go. Wait, you are an authority and you're not checking my credentials? What's going on here? Is there a way that you're validating me that I don't even know about? And I bet you, yeah, that's what people start talking about, right? Like, for example, I know we don't like the idea of it in New York City, congestion pricing, but it's kind of completely transparent to you. Not to your pocketbook. To your pocketbook, it's not transparent.
No, it's automatic. It's not transparent. I'd say there's a difference.
Well, it is transparent because you are not involved, but yeah, okay. Automatic, transparent, say it any way you want, but you're just driving. You don't have to worry about it. Guess what? They know everywhere you've been from license plate recognition. Again, I'm not saying bad. I'm not saying good. I'm just telling you where it's at, and you're being billed. You're going to be billed one way or another. So I guess the point I'm making is that things have changed. It's the UI, the user experience, that is a lot easier. But I'll tell you this. The last thing I'll say right now about this is, I can go on to Amazon.com and just literally log on. It already knows everything about me. It knows what I want. I hit one button and it's ordered. It shouldn't be that easy to spend that much money.
I think the key point you made is already right, because by the time I got on a plane in India, right, Mumbai, they know everything about me, absolutely everything. So when I come in and put my face up, it's done.
I guess so.
There's no need to ask any more questions. It already knows. Everything is there in front of you, right? And I think going back to passwordless for a moment, time is going to be a big change. What I see, for example, if I look at the different eras: the first era was all the internet Java applications, right, that gave us the plumbing, the single sign-on plumbing, right? And in 2010, Facebook came along and said, we've got a billion IDs. What do you want to do with this? That became, you know, the de facto identity, right? And now we're into the age of biometrics and things. So what's changed is you're rushing, we are going from place to place. Time is what we don't have. So these are all a response to automation, a response to our time. And I think identity is going to be the biggest change in the next decade. And I can't even imagine; we won't even have security lines anymore. Like, we'll know exactly where we are. We'll kind of go around different queues and get to where we want to go.
Everything is connected though, right? I mean, so the whole idea behind Facebook or Instagram or any of these social medias, they have attached a name to a face. And then when you start looking at the GPS capabilities of your phone, it knows where you are. So now it knows your face, who you are, where you are, and what you're doing, which I actually kind of wrote a paper about that once, about how they can identify you on many different things. So if your GPS shows you at a place and your heart rate is up a certain amount, they can kind of put two and two together.
Yeah, it's getting interesting, but, you know, it's very strange because, like I said, we have the thing now where you can go right through the immigration line with Global Entry or whatever. And, you know, the guards in the back, they're probably joking to themselves, like, people used to complain it's too slow. Now they're freaking out that it's too fast. But when it is too fast, it does make me a little nervous, because you don't know the level to which it's all correlated together. And, you know, I mean, not being paranoid about the government or anything, some of these organizations who are collecting this stuff and providing these services and doing it all, they don't all have the best track records on security, and they're sharing it out with so many places. I mean, I don't know, we've done enough with third-party risk management to know that they don't have a good handle on all that. That kind of bothers me a little bit, just because, I mean, it's a great thing with single sign-on, with ubiquitous access, whatever. Yes, you theoretically have one thing and you're in everywhere, but what about when you lose it?
How much assurance do you have? I'll give you one better than that. Let's not talk bad or good about government or companies or any one set of entities. The mere fact that there's a repository of so much information means that if a threat actor, a nation state, gathers that, they have everything about you. And I know the controversy about TikTok, right? If TikTok is really what people say they are, and it's really aggregating all this data, and a nation state is the owner of that app, you're basically just giving them a microphone, a camera, and all your data, of your own free will.
I mean, if you just think of the world for a second, right? I mean, Amazon was trying to acquire iRobot, right? And they already stopped it. And the complaint that Andy made was, robots are watching you. It's an identity. It's watching your activities. It's funneling information out there. So it's pretty scary to look at. It's just not a camera anymore. It's embedded in everything we do. Every device has got a camera. It watches you, where you are, what you're doing, and things like that. It's scary, but... And I would say more than the government, it's the attackers, the adversaries, right? If they can get a hold of this, right? I mean, imagine the damage that UnitedHealth Group went through, right? The BlackCat ransomware attack, right? They paid a ransom of $22 million, they themselves, to get it back. And then they spent $2 billion, 2 billion with a B, helping their healthcare providers to get their signal back. Okay, this is going to be the pattern. And I think we're at the very first inning right now, unfortunately, that these signals, the very signals we use to simplify and automate our lives, are the very same signals that attackers are using to find a hole, find a gap, and get in. And I think we're seeing, at least in our startup, we did a study of the last 100 breaches since 2019. Recall the Capital One breach, the big one in 2019, Paige Thompson? She siphoned off, I don't know, 70 million records of Capital One customers in two days, going completely unnoticed. If you look at that breach from 2019 to now, including the Microsoft breach and, of course, the new one, it's the same pattern, it's all about identity. It's amazing. It's correlation identity, some weak identity, some weak posture, and then the identity is used to then do legitimate logins. If a login is you, Adam or Joe, you know, nobody can detect that variation. It's the same identity, the same legitimate credential.
So, that's what I think we're trying to get into, figure out how do we kind of take a different approach to this problem.
Well, is it getting any harder? Because, you know, in the past few years, we went to the cloud, like I was with the business, we went to the cloud, we got Microsoft Azure. This is good. I'm going to be clever and I'm going to say, all right, this is the chance we can say, hey, it's the internet. We've got to do two-factor authentication. People don't like it, but we're going to do the two-factor. We're going to do the biometric. Great. Whatever. And we're really proud of ourselves and we're thinking it's great. But then we start hearing about the token theft. And just for everyone who's not as technical, multi-factor authentication is not invincible. The bad guys in many cases have figured out how to get by it, and protecting against it is really hard. And even detecting it, telling that it's not that real person, is so difficult. And the bad guys are not giving up. Put it that way.
Well, I think there's a lot of ways to authenticate a person in multi-facet. And what I mean by that is, all right, if we get past the text messages where people intercept it, or literally go in and change your number, and we start using Windows Hello with a fingerprint, okay, that might be a little bit better. And if we do the physical information security management, where they know not only, you know, that it's you, but that you're at a certain location because you used some of the authentication to go through a physical door. I mean, it works. However, the unknown unknowns are always the issue. Did a nation state find a zero-day to bypass it? Did they find a clever way to literally just use a simple hack? There are so many things that people can do. So, it's basically like a lock on the door. It keeps the honest people honest, but the threat actors will find a way to bypass your password, find a way to bypass your identity. The question is, are we ahead of what they're doing today?
The data doesn't suggest that at all. We are all here, right? It's always this whack-a-mole, right? I think the other thing, I think, Joe, you kind of talked about this, right? We live in a massive level of data sharing. We have never shared data this much in our lifetimes, right? So today we generate a day's worth of data that is now equal to the last 30 years of interactions. We're looking at this sort of exponential growth in data. And it's all about data. It's all about building businesses on data. It's all about data, monetized data. So that data sharing is going to keep on going. So when you share data, you want to share identity information, personal information, credit card, transaction details. All these are small, small signals that are great for attackers. So they are able to reconstruct an identity, in a logical sense, using these small snippets of information that can easily bypass or snoop on email, a call center. I mean, they're all weak spots. And no matter how much, and now we are talking about using AI to detect these things, you know, it's always going to be catching up with these guys.
Going down a tangent, just one other note. We talk about identity. We talk about the data supporting identity. So my question to you, Venkat, is, we talk about data lakes. There's no such thing as a data lake anymore. It's not even a data ocean. There's gonna be a point, and I had a conversation with an electrician about this. We are building so many storage arrays that we're gonna run out of room for the amount of storage, and run out of room, or run out of capabilities, for the power, and run out of bandwidth for the internet. The infrastructure is not gonna be able to support the amount of information that we gather on people's identities and all other information. When I say identity, let's be honest, right? Identities, I know we talk about identities as credentials, but the identity of the person, their biometrics, their medical information, I mean, I've used identity in the broadest term, right? What you've been ordering, what food you order, what TV you watch, what, you know, there is such a dossier on everybody, and Google and Amazon and eBay and whoever, you know, all these companies have so much data on you that your identity has already been figured out, who you are. They can tell you what you're going to do before you even do it.
Absolutely. I mean, I think in some sense, they should know to also stop these bad guys, right? You would expect that, right? You know so much about me and my patterns. And yet the information, it's a bit dystopian in that sense. Yes.
Yeah. Well, that's the thing. I mean, Venkat, I'm going to put you on the spot. You're the expert here. So, you know, we originally had identity based on things like attributes of a person, you know, to be technical, whether it's even your biometrics, information about you, things, whatever. And you say, I can prove my identity with that. It seems like with a lot of things now, people are going towards, or all this information is being collected where identity is going even beyond that and getting into your behavior, you know, the things that you do. Even with those cameras, it's not just taking the picture of your face and everything. They're following your walk, seeing your gait, whether you tend to grab candy or chips from the thing or whatever. And one of the things that Adam and I have talked about before, and we're dealing with in some other work we have, is when you have that environment where you have that much information about people that really is already out there, and it's being shared, how would you make a thing where, okay, it's easy to prove who you are, because all that is known, but all that can be duplicated now? I mean, the old thing of asking a couple of security questions becomes useless. More and more of the things we use to identify people as a backup, the security questions, are becoming useless. Even voice, voices are being duplicated. Even your manner of speaking. I mean, where does this go?
How are we going to come up with solutions to this? I've got one better for that before he answers. You literally just have to create your own company. And now you're a trusted source and you can get an account on LinkedIn and literally just be like, oh, I'm a recruiting firm. Now you have access to everybody's resumes, and you have everybody's phone numbers, and everybody's information that's in there, because they saw that data, and you're a willing person given that data. So if you know what your trusted sources are, all you have to do is sign up and become a consumer of that.
Yeah, if you look at a ransomware attack, right, just a real example, right? What happens in a ransomware attack? You need to compromise an identity, right? There are a number of ways you can do that, but that's not enough. There's a second factor to that, which is you need to have access to do something, right? I need to grab Joe's account and do something with that. Maybe Joe's got permissions or not. I need to find a way to use Joe's login to do something nasty, right? So, the part that's always struck me: there's so much focus on identity, and it's almost become a commodity right now. You have to assume attackers are already going to log in. But now what do I do? How do I differentiate between legitimate access from Joe versus an account that's been hacked and Joe's identity is being used? So, I think we're going to see a lot of focus on behavior. And we're going to find more focus on changes in behavior, drift in actions. And those are the early warnings we need to pick up. So I think we're going to see a shift from credentialed identity. Okay, we have to have that. But that's not enough. Because at the end of the day, look, if you're a bad actor, if you don't have any access, there's no damage. You can look around, look around, nothing is going to happen. Damage happens when you're able to use that identity to acquire a credential or permission to move across to where you want to go, and then ransomware the database and whatnot and do this damage. So I think we're seeing this change into focusing on access control. And the data point to support my thesis is that if we go back and look at all the investigations that happened, including the Microsoft attack last year, they all came to the same conclusion. This could have been stopped. Unlike malware, for example, with a zero-day, which is quite difficult, here there were obvious signs that were missed, right? And so this is not an unsolvable problem. Zero-day is unsolvable in many cases, because it's a new variant.
And the first guys are going to suffer, but you quickly learn, the crowd sources it, and we build in a defense against it. But identity signals are always available. They're always there. And now we have a spaghetti of those systems out there. Customers have on average 24 different systems just to manage identity. So they don't even have this problem. So when you say multi-factor authentication across 50 systems, you only need to have one open system and then you're in. So the ability for them to bring together this data in a unified fashion and provide some clear risk arbitration around it is a key area of innovation that I think we're going to see in the marketplace pretty soon, because people are tired of authenticating the user. That's fine. But what next?
So Venkat, I agree with you a hundred percent, right? In some ways, I'm like, okay, I've been there. I've done that. I've seen use cases written for SIEMs where, okay, is this an anomaly for an IP where the person's logging in, or how much is the threshold before I turn around and I warn somebody about it? So you can create this beautiful, nice SIEM rule set. Is the person logging in from a normal IP? No. Oh, okay. Is the IP on the list of nefarious or dangerous locations? Maybe. Is the person logging on to something that they don't normally log on to? Okay. Then you can create another layer of, do I put in deceptive passwords? If somebody does get in, are they searching, and do they use a password that's not really in Active Directory, but in memory, that no one would ever use? Oh, warn somebody. You can create so many levels of security. Does the budget permit it? Are people willing to implement that? Are they willing to hire the people to support it? There's a whole bunch of stuff. So you have to have some very deep pockets to even get closer to such a complicated, viable solution.
Yeah, I think that's where some of the dynamic behavior-based stuff is going to help. I mean, I'll just give you an example, right? If you look at fraud detection, credit card fraud in particular, they've done a good job, right? The moment your card is used, you get a verification notice, right? Did you authorize this charge? I mean, instantaneously. So, I think we're seeing this aspect of continuous verification, continuous validation, right, to narrow the window. You're not going to stop these things, but you can narrow the window down, right, and provide these early signals. So, going back to SIEM, SIEM was very heuristic-based. If this, then do this, right? There are a lot of gaps in these heuristics, right? I mean, you could have a legitimate reason to go to China and log in; you're going to get blocked access, right, because the IP address rule is fixed. So the ability to kind of go through and provide some level of dynamic behavior, right? Okay, this is an executive. This person travels to China regularly. So it's not, you know, brute force, stop the access, but provide something more conditional: hey, are you really in China? Can you verify, going beyond the CAPTCHA and the three questions, right? So the behavior-based verification, by the way, the technologies have come along a long way. Now you can do FaceTime video. So in response to the verification, you can say, here's my face. Okay, I can put a live face together, not a picture I can take. So there are a lot of ways we can start to bridge the gap. But I think the industry is still grappling with this problem. Like, you cannot just say, look, I want absolute convenience, and at the same time, I want security. It's just not possible. It's just not possible, and we keep trying to smash these together. It's not possible. There's always going to be a risk you accept, right? And so all we can do is mitigate this risk. So attackers have figured out how to exploit these technologies.
Defenders, like ourselves, have to kind of get better at it. And that's why I do believe that the industry is going to be more continuous, more dynamic, more behavior-based, and going beyond just the credential part, right? Credential is fine, but at the end of the day, activities and your actions and behavior tell you a lot about what the risk is, because if I can stop you there, right, you know, look, if Paige Thompson didn't have any access to the Capital One system, she would not have done any damage. She had unauthorized access to customer tables and databases. Easily preventable.
Do you have on your laptop, your personal laptop, assuming you have one, do you have an EDR solution on your personal laptop?
I don't on my laptop, no. I probably shouldn't be asking you that.
The reason why, I mean, are you going to tell me Windows Defender? Everyone has Defender or whatever the hell Apple calls theirs.
When's the last time you got a message from Windows Defender telling you there's nefarious activity? If you were scanning a network, I scan networks all the time with my laptop. I haven't heard boo from Windows Defender. I use Nmap. I use Angry IP. I use Wireshark. There should be whistles and, you know, sirens and horns. What I'm getting at is you're not using an EDR solution on your laptop. If somebody is doing privilege escalation, somebody is doing, you know, some kind of, I don't know, Mimikatz, anything, you don't get that.
Yeah, but Adam, even the advanced commercially available EDR solutions now, they are heuristic, but they're really not behavioral. I mean, from what I've seen, maybe there's some newer stuff coming up, but maybe that's really the next step. Maybe that is the next step in identity. It's not just, can you prove your identity and show it, but does it appear to be you? And Venkat, maybe you're right. We need to understand that in the world, people can just fake, can act like someone else to a certain extent.
CrowdStrike has IDP. I'm not supporting the product, I'm not against the product, identity detection and prevention, right? They have an entire module specifically looking for your username and password on the internet to see whether or not it's been there, to let you know if it's been compromised. They don't know your password itself per se, but they look at that. They tell you whether or not somebody's been trying to access that account other than you. So the point I'm making is there is stuff out there, but who wants to manage all that personally?
Yeah, I mean, that's the right step in the right direction, because we have been very much focused on Windows and desktops and endpoints. I mean, at the end of the day, it's the identity that really matters to an attacker. They don't care about these things, these intermediates; they want to get to where the data is. So I think we're seeing, I mean, look, all these tools have been deployed for all these shops, right? Why can't we stop ransomware? Simple question. We can't stop ransomware. These folks are so great and they can do all the things and bells and whistles, and we still can't seem to figure this thing out.
Well, it's funny because one of the things I can't stand, and I know you're in the vendor space, but when a vendor says to me, you know, there's no silver bullet for this. So you're telling me it's not perfect or it just doesn't work? Exactly what do you mean by that? But you're right, some of the things, they are not as effective as we would like them to be.
I think it's a combination of both, right? Some of them are ineffective, not because it's the vendor's fault; it could be implementation coverage. See, the problem is we have an asymmetric actor, right? We have to defend every surface and have a perfect defense. The adversary needs to have one hole open, right? So it's a very asymmetric problem. An asymmetric problem by definition is all about risk management. So the proof is the continuous ransomware attacks. So we ought to change the approach from the past. The approach that we're advocating is identity first. Identity always. So if you can look at the identity, for example, if I've been able to track Paige Thompson's activities, normal activities, I'd have figured out she never went to this database in the last 90 days. She's got no reason for that. Not only that, she's downloading a bunch of data, which never happened before.
That sounds like a law firm with ethical walls.
Yeah, sorry. So that's what I feel like we can do, and again, they're not trying to solve these problems, but where do you put the investment in, right? Where do you focus the emphasis? So I think, at least in our view, identity first is going to be a big takeoff point and get close to the problem.
Yeah, I think you were right in something that you said earlier, that there's always going to be a risk. I mean, it's a trite statement. Yes, there's always going to be a risk. But I think in this space, it's a particularly hard problem. And it's particularly true because, when we talk about the behavioral things, something that you come up against when you run a security group and you've done monitoring is that people do things that seem out of the ordinary all the time. It happens all the time, sometimes because they change jobs, they have a new responsibility, they have a new client, there's a new system. Sometimes it's for other things, like there are just tasks that aren't done very often, or maybe, I don't want to say a black swan event, but something unusual happens that's not pernicious or anything. It's just unusual. So behavioral stuff becomes very difficult. And I guess you're right. It's like, how much of a hair trigger do we want to have on it? How much risk do we want to accept? Because then people get really ticked off. Not just people personally getting ticked off when you impede them, but the business complains, we're trying to do our normal work and you're flagging it as bad. And they do take it personally, even though they shouldn't; it's just psychological, a bit of psychology there too.
So I want to bring up the reason why we can't stop ransomware is the same reason why we all, we have not been able to stop the common cold and I'll leave it at that. I know that was meant to really make you think, are you going to do a contest here? Who can guess like, the point I'm making is do people really want to stop ransomware? Do people really, I mean, common cold all these years, there's many reasons why you would think somebody wouldn't have been able to stop the common cold. Is it medication? We able to stop COVID supposedly.
Or, or, or, or don't, don't, don't get into that. Don't get us. Don't even bring that up.
Okay. Leave it alone. But I'm saying to you is, is there enough money out there where people want to stop ransomware? Is it better to sell the products for ransomware? Can we really stop it? Is it an education thing? Do we do zero trust and not let people open up emails and websites? They don't know where you are and only allow certain contacts in there. It's labor intensive to do all these things. So that's kind of my point, right? My point is, how far and how much work do you want to do? And what are the results of that effort?
Yeah, the other thing is also, it's important to look at the trade-off between convenience and security, right? And so in a world we live in, which is a digital world, I think for companies, there's a cultural change. Security is not something different, okay? It's not the job of the security department to go fix things. It's your job. You as an employee are coming in and you're going to function to access digital assets. It's your job to behave in a certain way. So, you know, 10 years ago, we all went to the office, right? And there was no remote work. And, you know, you were given a laptop, a company laptop. Okay, and you signed in, and the risk was fairly contained. We didn't have to have this behavior torture. Now it's BYOD, you're working from Starbucks, you're on some golf course signing in. So, I think, Joe, the idea that we're going to disrupt people is, I think, overblown. And the reason for this is when I talk to CISOs primarily, you know what the biggest risk is for CISOs? It's not the fancy stuff. It is the exceptions. It's the exceptions they've approved, okay? So, you know, a customer situation happens, a developer says, I need access to debug it. Of course, you know, it goes to CEO, okay, grant the exception, right? We got to solve the problem. That stays for the next six months. Nobody even takes it out. So the exception becomes the norm. So we don't have a way to… So these are all simple problems. And again, they're not interrupting a business guy from getting access to a PowerPoint or a document. This is simply hygiene stuff. Because of the complexity of the environments, because of the nature of the way we're interacting with digital assets, because of work from home, it is enormously complex for us to figure out the true profile of an individual. And so exceptions became the norm. So at least we can put the exceptions as the front focus now. You can actually remove 80% of the risks right away. There are exceptions.
I was supposed to give you access for a week. Now we've got access for one year.
Yeah, yeah, you're right. It's interesting. I was, I was just in the past day or so reading, studying up on some stuff. And I was reading, whether we talk about exception processes, and they say, you know, people put an exception and the owner or whatever it is, oh, yeah, I accept the risk, that's fine. 90% of the time, the people who say that have absolutely no idea, exactly the actual risk that they've accepted and what it is. And especially as you say, when the short-term temporary becomes permanent, we need to extend it and you lose track. That's a real, real big problem.
So that is funny. It's funny you bring that up, Jerry. You and I one time were involved in a purple team exercise where an exception to an online proxy was put in a wildcard. And what those individuals did as part of this whole red team was the wildcard was star. And then let's say a website and star, all they did was prepend and append that wildcard and created a whole new website and was able to draw people to that site in order to compromise. But I think it's fair to say that one way or another, most of the compromises are based on layer eight being the individual one way or another, whether they've been compromised in a social media way or a social, not social media, but more like socially they were tricked or whether they made a mistake and clicked on the wrong link or they allowed a threat actor to do something or somebody disguised himself as one of their friends or hacked their account. It's usually an individual who has allowed an organization to be compromised short of zero days, which is another story.
Yeah. And it is interesting. It's like when you say, we can stop ransomware. Actually, we can, it's possible. There are a lot of things that can be done. They are expensive, they are inconvenient, and that's the thing. One of the reasons we have so many vulnerabilities is getting rid of them is very expensive.
There was a survey sent to, it was an identity group, some survey sent to leaders of identity, and they said, okay, retrospect, looking back, right? You have stopped the attacks within your own responsibility? And 98% said yes. 98% said yes. They didn't throw up their hands and said, oh, wait a minute, I could not solve it. They saw signals in retrospect for problems. So I think, and by the way, going back to the behavior, I think AI is going to help a lot in that area, where we can start to really understand, fine-tune the heuristics of all kinds of places. It's a brute force, right? Yes or no. AI is very smart. AI could be very malleable, context-based. So we're going to see a lot more of interesting innovations that really can bring that productivity security equation a bit closer. So I believe that that's an area of innovation as well. But I think absolutely starts all the user. Now, as we do that, now we're seeing the rise of AI applications, right? Now they're all non-human users, right? They're all identities that's got machine credentials. And now we're going to see a whole wave of these identities that are not even human beings. You can MFA them. How do you do that? So some very interesting challenges are coming up on that front as well.
I was gonna say, even with that, they're getting so smart and so capable that maybe they can MFA. I mean, I'll tell you a funny story that happened a couple, it's been on my mind lately, happened a couple of years ago. My boss, who was the CISO, was on vacation on some island or whatever. And we get this text message from her from a personal address from one I didn't know. It says, it's me. I'm at this resort. The Wi-Fi is terrible, but I got to talk to you, whatever. And it was like, call me or click this link or email me this info. So of course, I think it's suspicious. I bring in the whole team. We're looking at it. You know, they're going through the header, they're like, well, it looks like it came from Gina, but, you know, whatever. Who the hell knows? And then I get the flash of insight and I say, wait a minute. If she's in this place and she has Wi-Fi, I know she has an iPad, maybe we can FaceTime her. So we FaceTime her and it was kind of funny because we FaceTime her, you know, we get a picture of very blocky, you know, there was low bandwidth, there was a terrible connection. And she goes, it's me, it's me, it's me. Yes, send it. I sent it to her. I'm like, okay. And we were proud of ourselves, but like, you know, that's a couple of years ago. Now we're getting to the point where, my God, AI can duplicate that.
Exactly.
Yeah. And I even saw something the, uh, I heard something, maybe it's on NPR or something. It wasn't even a regular thing the other day when they were like, you know, can you now duplicate someone's voice? Like respond in real time. I forget what it was. I think it was a Ukrainian company. And they said, yes, absolutely. We can do it.
They did it on America's Got Talent.
Seriously?
Yeah. They, what they did was they had, um, They took the face of people and what they did was they had, I forgot the name of the company, but what they did was they had the screens and they would type in real time what the people were saying. They were actually saying it looked just like them 100%.
Wow.
I don't know if you saw that Venkat.
I didn't see that one. No, it's a, it's a pretty scary. I mean, I don't think, look at the spam. Now you can construct illegitimate emails from Joe, right? I cannot even same, you know, same sort of, uh, you know, textual accents and things. So I can't even figure this thing out. They're perfect.
We can't tell them it's up to native speaker now. I mean, even you can even put regional accents. If someone's supposed to be from New York or the West Coast or something, you know, it's crazy.
What I do is if I know the people, and I'm having a conversation, I, I, I challenged him. Some of them look at me like, listen, it's me. I'm like, don't care. 'Cause it's just weird. They come out of nowhere.
I'm like, it's getting to the point where you have to say what color hair did that woman have in Vegas? I do like this.
I like, I'm like, when we hung out at this place, what did we eat? Are you kidding me? No, I'm not. Tell me what we ate. 'Cause there are times when I've had conversations with people and it just didn't seem authentic. And I go, I can't believe you're challenging me. I'm like, yeah, I am.
You're going to have your own capture device with you.
Adam's like that too. I thought I was paranoid until I met him. It's crazy.
I've had people call me like, you know, Hey, this is blah, blah, blah from, you know, like whatever utility company. I'm like, I'm not talking to you. And actually the best part is they go like, Hi, this is blah, blah, blah. We're calling to, is this Adam Roth? I'm like, yes, it is. I go, can you give me the last four digits of your social security card? No, I can't. I can't give you anything. I don't, you're calling me. He goes, well, you can see on caller ID. I go, yeah, okay. I can call you with your mother's number.
Going back to the behavior, right? Think about this, right? Now our consciousness has changed now that we don't even take calls anymore, right? The first instinct is to look at it, right? That's changed now in the last 10 years. You're already expecting this to be a false call, and we only look at the true positive. So that's a change. So I think we have to kind of, I think we adapt, and we got to adapt at this. And so I think the idea is sort of really, I'm still a very extreme optimist. I think these technologies will come, and we will start to make some inroads. And I think if you just go back to that, because it's the bugging, it's one of the bugs me hell, because it's been around for 20 years now. It's still in the headlines, right? So, I would say even if you can make a dent at 10% of this problem through better approaches, you can remove 90% of the impact. You can leave there to the nation state, that's all okay, but we are seeing so much basic hygiene exposures. And that's what I feel like, you know, we can make a lot of dent into this.
You know, you are the, I mean, I guess we hear this all the time, but you are the second, if not the third or fourth or so person we've talked to on the podcast who has said, you know, there's all this whiz bang stuff and all these things, but people are really getting hurt by some of the basics. Fundamentals. You know, the fundamentals, yeah, they're just not covering it. And I think that's so true. And we see with everything, see with that Microsoft stuff, an acquisition, you know, credentials overprivileged, letting stuff go. Yeah.
You know, my thing to you, Venkat, is this, is that everyone talks about the nation state and everyone talks about the threat actor and they're sitting in their bedroom or they're in there. And I actually saw it on LinkedIn today. It reminded me that you guys are trying to get all these credentials and everything else. Meanwhile, a 14-year-old kid sat in this hotel room using this hotel room TV to hack the whole entire organization. My thing to you is, yeah, we can do all these beautiful things, but it goes back to premises. Meaning, if you're in a van, and you're sitting outside an organization, and you can smell the Bluetooth, and it can connect to the Bluetooth, and you know how to compromise the Bluetooth, and if you have a little bit of extra work, like, oh, I was a ham radio operator, if I turn around and I energize and I force everybody off an access point at 2.4, and they re-authenticate, I might be able to get that token. So if you're within physical proximity of a location, you can do so much damage. Somebody has that temperature sensor on the outside of the building connected to an RJ45 with no camera looking at it. Somebody has that access card reader that meanwhile, they didn't put the torque screws in and they unscrew it and they connect. There's a lot of good things you can do when you're very close to a proximity of an organization and get physical access to the network.
So what are you saying? Nobody near the building?
Adam loves that stuff. You put a boat around the building with lasers and sharks.
He wants to be the guy in the van, drinking coffee all day, hacking signals and doing all that.
Maybe, maybe. But what I'm getting at is, let's be honest. We talk about identity. We talk about ways to prevent it. But you never get to infinity. You're always getting closer and closer and you try to get closer, but there's always going to be vulnerabilities, whether it's the human layer, whether it's something that somebody exploited because they had a zero day or somebody did a misconfiguration. What I'm saying is we can do our very best to have the best possible hygiene, but we're never going to get perfect.
Absolutely. And I think by the way, it's actually, it's actually, it's okay to, it's actually okay to give up the singles and doubles. Okay. That's okay. No problem. Thing I worry about is stopping the home runs, right? That's when, like the United Health Group, right? Or the Grand Slam. You know, just do the basic stuff, right? I mean, look, in the real world, we have fraud happening, right? Every bank has got fraud. Do they stop renting? No. Do they stop transactions? No. They have a number of the fraud, it's reported in the annual quarterly reports, goes up and down. Okay, retail, pilferage goes up and down. Every industry has got cost structures to optimize for these behaviors. And security has to get there, right? With a combination of, you know, technologies, policy, insurance, you'll have to get there. So there's too much focus on absolute truth. And that's just, to me, frankly, nonsensical. You got to focus on what's critical to you, what's important, what can I live without tomorrow, and focus on that. If you start to wrap your arms around everything possible, it's just not possible. So I think good CISOs understand this. They prioritize, they ring fence the critical digital assets, they put a real focus on that, and they take out the home run, right? Here and there, incursions here and there, I'll deal with this. It's not a big deal, right?
I mean, it's... A CISO's job is to expose what the top exploits might be or the top vulnerabilities or the things to watch. But at the end of the day, it's the organization, it's the CEO, it's the board of directors who have to either accept or... Because everyone thinks the CISO is the one that's responsible for stopping everything. That's not true. The CISO's job is to let the others know that do make the decisions and provide the financial means to whether or not they want to accept those risks or address those risks with the resources they have. But only the CISO is the person that's supposed to deliver that information to those people.
And by the way, because of the SEC regulations, most CISOs I've talked to are scared now of public companies. Oh, yeah.
Say no, they're old in the bag.
You've got to put your hand up and say, you know what, I got hacked. Oops. You know, so we've seen that massive change in regulatory landscape with public companies in particular, right? So you've got to, now it's become the CEO's, the board's responsibility no longer, you can't put the blame on the CISO because there's a stop ship issue, right? Material disclosures is the term SEC uses. Okay, that's a big problem. So in some areas, we're getting better at this, frankly, getting more serious about this. And so I think in some way, I think these things are better because you cannot be just somebody who says, okay, here's the risk, right? Somebody has to go do something about it. It's got to be accountability around the function itself. And that's why I think the disclosures are putting more accountability on executives to take action.
Well, that's the magic of the CISO, right? The magic of the CISO, it's not only to let you know what the risks are, it's to give you different ways to address it. Some might require larger amounts of money. Some might require less amount of money, but more to address any issue more on, um, on the holistic scale. I mean, but it's different ways. So that's what the CSO is there to do. Oh, we have an identity issue. God, we can fix that with $5 million and put 30 different applications in, or we can address it maybe for $50,000. That in this app bin, I think, you know, you know, the exposure is a lot less with that 50,000, but these are the ideas, whether or not the board of directors wants to address it and put money into it, that's up to them.
Well, you're right. And, you know, I remember years ago, I saw a guy, he was like one of the designers of the U-2 spy plane back in the 50s or whenever they came out with it. And it was like super light, it had to go a long distance. And he goes, you know, making, designing the plane that would fly at that altitude that was strong enough to take it. He goes, that wasn't hard, that's easy. He goes, but designing a plane that was just strong enough to do it without breaking apart so we could make it light, he said that was the hard part. And that's it. Mitigating risk is not necessarily hard. Catching these things is not necessarily hard. But getting it just right, so you're just secure enough, so you've gotten the level of risk mitigation that you really need, and convincing the people who have to pay for it that it's what they need.
That's the hard part. That's the trick. You live in a house, let's say you live in a house and you put a lock on your door. Lock's $200. That lock is supposed to prevent most people from walking in your door. But what would be better than that $200 lock? Maybe taking your house, ripping it down, making everything brick with steel doors. Are you going to take your house, rip it down and put all that money into rebuilding a brand new house with brick and mortar and steel doors? Or maybe you just put a lock on the door and maybe add an alarm system.
So throwing money... What you can do, you can get a really mean dog too.
You know, but you're 100% right. But the point I'm making is, and that's what a CISO does, right? A CISO does that. They come up with ideas. Maybe it's a dog. Maybe it's a chicken that clucks every time someone's near a door. But the point I'm making is- Maybe it's a Staten Island turkey.
They're really mean.
Staten Island turkeys are mean. They're dangerous. If I put four turkeys in my front yard, you're not coming in. But you're making the point. You don't always have to throw large amounts of money at it. You gotta be creative and come up with the right idea.
Okay, so we're kind of at last call here. We're running up against time. So, you know, one final thought, Venkat. This is a quickie. This is an easy one. When are passwords going to go away?
Wait, wait, wait, wait, wait. If he answers that, I want the lotto numbers for tomorrow night.
You want the lotto numbers, yeah. Until in my lifetime? Never. I hate passwords. But not in my lifetime.
Yeah, I guess not realistic. I hate passwords like Yosemite Sam hates coconuts. I can't wait till they're gone. Maybe on my deathbed, the last password will be retired. I don't know.
Passwords are going to go away, I think in my lifetime, unless I drop that tomorrow. But the question is, just because passwords goes away, does not mean we have eliminated the threat. We just created a new way to compromise that new opportunity.
We're about one friction, but don't confuse that with being secure. It's not. That's right.
Yes, sir.
Okay. Well, Venkat, thank you so much for joining us. This is yet another topic that we could talk about for quite a while. But I got to say that in the midst of all this doom and gloom, I do appreciate your optimism and your realism here. I guess that's how we got to be to work on solving this stuff, not just bitch and moan.
We can't let bad guys take over. We got to win this. So thank you all. Appreciate it. Joe, Adam, great to meet you.
Thank you very much. I think we're getting closer to a better solution, but let's see how it goes.
Have a great weekend, gentlemen. Take care. You too.
Yes. Thanks, everyone. Oh, and remember, like, subscribe, share, tell your friends. And your enemies. And your enemies. We'll take your enemies, too. It's okay. Thanks, everyone. Bye for now.
