We sit down with Oort's Head of Solutions Engineering, Andy Winiarski, for a conversation about the trends and opportunities he sees in identity threat detection and response. Read on for some great insights, and connect with Andy on LinkedIn here.
Interviewer / Question 1:
From when you were first introduced to Oort, what were some of the things that excited you most about what the company is creating and in the process of bringing to market?
Andy Winiarski:
In my previous role, I was with a multi factor authentication company and working with large enterprise customers on MFA deployments. I saw a lot of challenges from their side, in terms of visibility around "What do I have deployed out there today? How can I tell how much success I am having and where are my blindspots?" This is especially true with external users or a B2B use case. Frankly, the market out there is really lacking in terms of visibility for customers around that and the amount of that type of access between companies and external users, contractors, etc. Right. It's just kind of growing exponentially, I would say.
Interviewer / Question 2:
It's been interesting seeing all the tools that we utilize more and more requiring MFA. How do you see that evolving? And what's next for MFA? How do you see the technology progressing in the next five years?
Andy:
Hopefully we'll move away from things that are easily phishable, like SMS and OTP codes, to more device based MFA, whether it's security keys or laptops and phones with secure chipsets and those types of things. I think the challenge is going to be having visibility into who used MFA, at what point did they MFA, etc. It's very murky and there's a lot of trust that has to happen right now. So there's going to be this leveling up and trying to manage risk across all these organizations and relationships.
Interviewer / Question 3:
Can you tell us more about identity analytics? When did this term first appear and how do you see it evolving in the marketplace?
Andy:
I was working this past year specifically with a very large global life sciences company. So let's say 100,000 users globally distributed, internally and externally, and they want to get to an "MFA everywhere, wherever possible" security posture. And as they looked across their groups of users that span manufacturing, logistics, office and corporate users, they were essentially relying on custom point-in-time reports. They had to go build and mine data to get this level of visibility. So there's clearly a ton of white space to improve on top of existing identity and access platforms.
Interviewer / Question 4:
How do you see the market evolving and developing around identity vulnerabilities?
Andy:
Similar to what we've seen around device or endpoint security in the past 5-7 years, as far as anomaly detection and vulnerability scanning and remediation, we're going to see the same thing in the identity space. In addition to the cohesive visibility across identity platforms, organizations are going to look to automate common identity vulnerability remediation scenarios - things that today are a very manual and time consuming process for IT and security teams. Visibility also gives them the power to move to more ephemeral or just-in-time (JIT) access flows. They can move away from the brittle and insecure identity lifecycle today and close gaps or eliminate unnecessary attack surfaces.
Even just in the near term, there's a tremendous amount of low hanging fruit around identity hygiene. For example, if you look at these sort of "zombie accounts" hanging around in an organization - ones that haven't been logged into in over 30 days or maybe never logged into - we can help close that door right now and make sure it stays closed to attackers.
Interviewer / Question 5:
I guess I got a little sneak peek from a conversation internally with one of your team members that there was a company you're working with now that had hundreds of these "zombie accounts" that were just sitting there. It sounds like a massive liability. Is it?
Andy:
Oh, absolutely. When you consider that there's a lot more collaboration going on and having the ability to quickly invite people into your organization via Teams, Slack, and other tools - the business is moving much faster than IT security and governance. Some of these platforms are in some sense themselves becoming their own identity sources. So seeing your identity terrain is clearly step one.
Interviewer / Question 6:
There's a lot of different ways to utilize identity when you log into something like the Google Workspaces of the world or Microsoft or Facebook or any one of these majority platforms... Do you see some companies like those ahead of others in regards to how they're doing it or how they are evolving in the identity landscape?
Andy:
Yeah, great question. I will say, for instance, Microsoft seems to have put a lot of focus recently on exposing identity-related events in their premium versions of Azure AD, for example starting to do risk scoring around logon events. So having that data available for us to ingest and correlate with the overall user activity is fantastic. As on-prem AD slowly dies, we just need them to hopefully make that functionality available in other non-premium Azure tiers, even on a short-lived basis, so that smaller orgs, EDUs, and the like aren't flying blind.
Microsoft is also doing some very interesting work in decentralized self-sovereign identity or SSI, which really needs a big player involved to make it real. So the commitment to identity as a whole is clearly there for them, both on the commercial and enterprise side.
Interviewer / Question 7:
I feel like it's almost like the Apple model, where you have Android first to market some sort of functionality, and then Apple takes its time and kind of perfects it, and then they release it for the iPhone. I wonder if that may be happening with identity almost where a company like Microsoft may be on the forefront and then a big player like Google or Facebook or someone may refine it, but it is interesting to see the different options that people have from a personal level and a corporate level.
Andy:
Right. If you look at the broader market of both customer identity or CIAM and enterprise identity, someone like an Okta, which was really first to implement FIDO2 and WebAuthn in a flexible way - they've invested heavily with the Auth0 acquisition on the customer identity side. So they might be best positioned to enable some crossover or "best of both worlds" for the B2B space. Because while many CISOs may not be ready for full-blown BYO identity or BYOID, it's certainly a challenge today.
One organization that we're working with, they have roughly 5,000 thousand identities in their directory, but over half are external users in some form - contractors, guests, managed service providers (MSP) entities. How do you manage that kind of churn? Treating them all like internal users just doesn't make sense today.
Interviewer / Question 8:
Do you have any final thoughts on identity vulnerabilities or other topics we discussed?
Andy:
One parting thought is that I view identity today in the same way we used to look at endpoint devices maybe 3-5 years ago, where the OS and the applications were the target and it was this vast landscape of unpatched vulnerabilities. Now it's identity, but the difference is that attackers have gotten much more targeted in their campaigns. It's not like the spray-and-pray malware campaigns of the past. And our identities are so much more visible in the digital world to attackers than our devices. So the bad guys just need to find that crack in the window that they can get a shot in through.
So I'm really excited about our ability to give organizations that sort of wall-to-wall visibility of their identity threats at their fingertips. I want to help them easily find those gaps and quickly close them.