We sit down with Oort’s Head of Solutions Engineering, Andy Winiarski, for a conversation about the trends and opportunities he sees in identity threat detection and response. Read on for some great insights, and connect with Andy on LinkedIn here.
Interviewer / Question 1:
From when you were first introduced to Oort, what were some of the things that excited you most about what the company is creating and in the process of bringing to market?
In my previous role, I was with a multi factor authentication company and working with large enterprise customers on MFA deployments. I saw a lot of challenges from their side, in terms of visibility around “What do I have deployed out there today? How can I tell how much success I am having and where are my blindspots?” This is especially true with external users or a B2B use case. Frankly, the market out there is really lacking in terms of visibility for customers around that and the amount of that type of access between companies and external users, contractors, etc. Right. It’s just kind of growing exponentially, I would say.
Interviewer / Question 2:
It’s been interesting seeing all the tools that we utilize more and more requiring MFA. How do you see that evolving? And what’s next for MFA? How do you see the technology progressing in the next five years?
Hopefully we’ll move away from things that are easily phishable, like SMS and OTP codes, to more device based MFA, whether it’s security keys or laptops and phones with secure chipsets and those types of things. I think the challenge is going to be having visibility into who used MFA, at what point did they MFA, etc. It’s very murky and there’s a lot of trust that has to happen right now. So there’s going to be this leveling up and trying to manage risk across all these organizations and relationships.
Interviewer / Question 3:
Can you tell us more about identity analytics? When did this term first appear and how do you see it evolving in the marketplace?
I was working this past year specifically with a very large global life sciences company. So let’s say 100,000 users globally distributed, internally and externally, and they want to get to an “MFA everywhere, wherever possible” security posture. And as they looked across their groups of users that span manufacturing, logistics, office and corporate users, they were essentially relying on custom point-in-time reports. They had to go build and mine data to get this level of visibility. So there’s clearly a ton of white space to improve on top of existing identity and access platforms.
Interviewer / Question 4:
How do you see the market evolving and developing around identity vulnerabilities?
Similar to what we’ve seen around device or endpoint security in the past 5-7 years, as far as anomaly detection and vulnerability scanning and remediation, we’re going to see the same thing in the identity space. In addition to the cohesive visibility across identity platforms, organizations are going to look to automate common identity vulnerability remediation scenarios – things that today are a very manual and time consuming process for IT and security teams. Visibility also gives them the power to move to more ephemeral or just-in-time (JIT) access flows. They can move away from the brittle and insecure identity lifecycle today and close gaps or eliminate unnecessary attack surfaces.
Even just in the near term, there’s a tremendous amount of low hanging fruit around identity hygiene. For example, if you look at these sort of “zombie accounts” hanging around in an organization – ones that haven’t been logged into in over 30 days or maybe never logged into – we can help close that door right now and make sure it stays closed to attackers.
Interviewer / Question 5:
I guess I got a little sneak peek from a conversation internally with one of your team members that there was a company you’re working with now that had hundreds of these “zombie accounts” that were just sitting there. It sounds like a massive liability. Is it?
Oh, absolutely. When you consider that there’s a lot more collaboration going on and having the ability to quickly invite people into your organization via Teams, Slack, and other tools – the business is moving much faster than IT security and governance. Some of these platforms are in some sense themselves becoming their own identity sources. So seeing your identity terrain is clearly step one.
Interviewer / Question 6:
There’s a lot of different ways to utilize identity when you log into something like the Google Workspaces of the world or Microsoft or Facebook or any of one of these majority platforms… Do you see some companies like those ahead of others in regards to how they’re doing it or how they are evolving in the identity landscape?
Yeah, great question. I will say, for instance, Microsoft seems to have put a lot of focus recently on exposing identity-related events in their premium versions of Azure AD, for example starting to do risk scoring around logon events. So having that data available for us to ingest and correlate with the overall user activity is fantastic. As on-prem AD slowly dies, we just need them to hopefully make that functionality available in other non-premium Azure tiers, even on a short-lived basis, so that smaller orgs, EDUs, and the like aren’t flying blind.
Microsoft is also doing some very interesting work in decentralized self-sovereign identity or SSI, which really needs a big player involved to make it real. So the commitment to identity as a whole is clearly there for them, both on the commercial and enterprise side.
Interviewer / Question 7:
I feel like it’s almost like the Apple model, where you have Android first to market some sort of functionality, and then Apple takes its time and kind of perfects it, and then they release it for the iPhone. I wonder if that may be happening with identity almost where a company like Microsoft may be on the forefront and then a big player like Google or Facebook or someone may refine it, but it is interesting to see the different options that people have from a personal level and a corporate level.
Right. If you look at the broader market of both customer identity or CIAM and enterprise identity, someone like an Okta, which was really first to implement FIDO2 and Webauthn in a flexible way – they’ve invested heavily with the Auth0 acquisition on the customer identity side. So they might be best positioned to enable some crossover or “best of both worlds” for the B2B space. Because while many CISOs may not be ready for full-blown BYO identity or BYOID, it’s certainly a challenge today.
One organization that we’re working with, they have roughly 5,000 thousand identities in their directory, but over half are external users in some form – contractors, guests, managed service providers (MSP) entities. How do you manage that kind of churn? Treating them all like internal users just doesn’t make sense today.
Interviewer / Question 8:
Do you have any final thoughts on identity vulnerabilities or other topics we discussed?
One parting thought is that I view identity today in the same way we used to look at endpoint devices maybe 3-5 years ago, where the OS and the applications were the target and it was this vast landscape of unpatched vulnerabilities. Now it’s identity, but the difference is that attackers have gotten much more targeted in their campaigns. It’s not like the spray-and-pray malware campaigns of the past. And our identities are so much more visible in the digital world to attackers than our devices. So the bad guys just need to find that crack in the window that they can get a shot in through.
So I’m really excited about our ability to give organizations that sort of wall-to-wall visibility of their identity threats at their fingertips. I want to help them easily find those gaps and quickly close them.