Our EVP of Products Grady Summers has some interesting insights on the connection between data breaches and identity. He shares those insights and how to use them to make your organization more secure in this Identity Talks episode.
Hannah Giles: Hey everyone and welcome back to Identity Talks. We are lucky enough to have Grady Summers back on. He is our EVP of Products and today we’re going to talk about a topic that continues to be on everyone’s minds which is data breaches. Something we’re all pretty familiar with but today we’re going to get a little bit deeper into where identity fits into the data breach conversation. So, Grady thank you for coming back.
Grady Summers: Hey Hannah you bet.
Hannah Giles: You have some interesting experience with Mandiant and, and you mentioned in your last Identity Talks episode that you noticed a connection between identity and the intrusions that you saw in your research there. So can you just talk a little bit about that?
Grady Summers: Yeah sure this is an area that I’m pretty passionate about you know about the time I spent at Mandiant and FireEye all the way back to my experience at a large enterprise responding to breaches. You know one thing that’s become clear is like identity is at the nexus of every one of those breaches and the research you mentioned was the we used to call the M-Trends report. We saw the M-Trends report at Mandiant where we would share the research of things that Mandiant had learned from the last year of responding to breaches. And you know I’ll never forget I think it was the first one I worked on like the 2012 or maybe 2013 report and you know this the stats that we shared with it, 54 of our breaches at the time, the compromised computers, compromised devices, didn’t even have malware on them. They had been accessed with a legitimate ID but they weren’t compromised the way we often think of you know malware compromising a device. The other stat that kind of hits you in the face is the fact that 100% of the breaches that we investigated involve stolen credentials. Right so you know you think about that, attackers are coming in and they’re stealing credentials. Identity is, is right there in the middle of these breaches and I think that’s continued to hold true over the years. You know that’s the way attackers are getting in. You know they have a variety of different ways they might get into an organization but the first thing they’re going to try to do is to get credentials that then allow them access to the data or the application they’re trying to get to. So I think as the world becomes so much more de-perimeterized we’ve been talking about that for a decade or more in cybersecurity but, but we see it so clearly now with organizations using more SaaS applications and storing their data out in the cloud and taking advantage of the public cloud.
To the extent there was ever a notion of a firewall keeping us safe I think that that notion is long gone now, and it really comes down to protecting your identities and making sure the right people have access to the things that they ought to.
Hannah Giles: Okay so given that breaches and identities are so linked, how does a good identity management strategy help secure a company? What does that look like for organizations in practice?
Grady Summers: So you know in the, the world of identity we talk about access management, access identity governance and of course privileged access management and all three play a role but of course I’ll hone in on identity governance where SailPoint plays. But on the access side you want to make sure that the users are appropriately authenticated and that you’ve got multi-factor authentication in place to do everything you can to make sure that person who’s authenticating is indeed who they say they are. And then we’re on the privileged side you want to make sure that you’re properly protect, protecting those privileged accounts that have access to the most sensitive information. Those two might be the obvious ones that someone might think of. I think identity governance plays such a key role though by making sure that people only have access to the things that they need to have access to and I can tell you firsthand I’ve seen very lax provisioning or over provisioning make the job of the attacker so much easier. You think about it the attacker let’s say they’re phishing somebody right and, and they’re phishing for you know a Microsoft 365 account, and spoofing an email login to try to get credentials. When the attacker’s successful and they usually are successful you want to make sure that, that credential is tightly scoped to what the user needs to do. And you really in effect want to force the attacker to have to keep working harder and harder to find the credentials that give them access to the data they’re going after. And this is something we talk a lot about when we’re back in the enterprise talking about defending a network is making the attacker’s job harder, making it more expensive and I think an important thing and really a relatively easy thing that organizations could do is make sure that you know the entitlements are applied properly, that roles are tightly scoped. 
Really important one is making sure that you know there aren’t orphaned accounts out there. That when somebody changes jobs or leaves, we always think of the leaver right, make sure you turn off access when they leave. It’s just as important to make sure that people don’t accumulate entitlements when they change jobs, you take away the access they no longer need and those are the types of things I can tell you will, will make it a lot harder for attackers to do their job and that should be the goal of every kind of cyber defense organization is raising the bar on the attacker.
Hannah Giles: Well thank you so much again for joining us again Grady. I know our viewers got a lot out of this conversation and for those of you watching we hope to see you again soon on another episode of Identity Talks.