C (13:33)

Foreign.

B (13:41)

Is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping and often specific to industries, geographies or regulations. That's why Black Kite created the BKGA3AI assessment framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors. AI use it's global, research driven, built to evolve with the threat landscape and free to use because Black Kite is committed to strengthening the entire cybersecurity community. Learn more@blackkite.com. Kavitha Mariapan is chief Transformation Officer at Rubrik. I recently got together with her to discuss understanding and building resilience against identity driven threats.

C (14:48)

We as a security insight and research lab constantly monitoring sort of the threat landscape, right? And so we put out a report every six Months we definitely noticed an increase in the number of identity based threats. And so as a team we decided we should really hyper focus for the fall report on creating a substantial body of work here around identity threats. And so that really was the motivation behind why we doubled down on an identity based report.

B (15:21)

One of the things that caught my eye was about how leaders are really looking to hire identity talent right now. What is driving that urgency?

C (15:32)

Well, lots of interesting things. I think first and foremost if we take a look at just the threat landscape, right. And if you take a look at this recent report, 90% of IT and security leaders were surveyed, at least throughout our study, agree that identity has driven identity driven cyber attacks are top threat to their organizations. And we see, we saw that number increase within the last six months by X points. Right. That is a critical area, right. Why organizations should be really thinking about like you know, identity was always considered more, more of an access management technology. Right. Like you know, we're governing user access, ensuring people have the right credentials and the privileges to access applications or have access to a corporate network. But really it's sort of the frontier for security right now. At the end of the day, I think one of the things we're seeing obviously is that when your identity is compromised, you've lost your ability to log in, much less recover from any identity based threat, any breach of your perimeter. So there's a real need to enhance and augment the skill sets and the capabilities within the organization. And that's kind of really the, you know, the movement we're seeing where a lot of enterprises are, one, focused on up leveling their identity talent. Two, we're seeing that many of these organizations, at least that we surveyed, up to 60% of them had switched IAM providers within the last three years. That said, 87% of them are currently still planning to change IAM providers. So even though they had looked at this and made some tremendous changes in the last three years, many of them are actually planning to make further changes and have already begun the process. And they're realizing the skill sets needed are not aligned internally, are not aligned to sort of, well, skill sets required are not aligned to the talent that they have internally. And you know, they're just new capabilities. I mean we're not just dealing with perimeter defense, we're dealing with the changing sort of landscape of like a hybrid workforce. We're dealing with the advent and sort of like production adoption of AI. And AI sort of introduces a whole new slew of security parameters. One specifically being non human identities Sort of added to that mix.

B (18:04)

Well, I mean, let's talk about that. The report points out that non human identities outnumber humans by 82 to 1. That's a striking statistic there. How are enterprises discovering and classifying and governing those identities without throwing sand in the gears, without slowing people down?

C (18:24)

Well, I think this is really important, right for us because one of the things organizations are doing is leaning into AI embracing AI. Right. And then that said protecting their organizations from agents that will be potentially compromised or going rogue is those are a capability we've got to build. And I think doing so requires these organizations to have visibility of kind of what these active agents are in their IT environment, what are the interactions that they're having. Right. With your data, specifically what applications, what identities. And then this is sort of like raising to the top the need to have observability across, across their infrastructure and their landscape. And it doesn't mean much if with all those insights you aren't able to remediate sort of any potential harmful actions being taken by an AI agent. So one of the things that organizations are like, as we're seeing sort of the 82 to 1 is actually just like the tip of the iceberg. Right. In six months from now, Dave, when we talk, I think that number is going to be would have scaled up. Right. It's really important for them to be able to understand how one are they classifying and understanding sort of this roles and behaviors. But how to rewind these sort of inadvertent or nefarious actions back to a clean state.

B (19:53)

What about human oversight? How do you draw the line between let's say assistive AI and more authoritative AI?

C (20:03)

Yeah, it's actually a great question. Right. Look, human oversight has always remained essential as we think about human users, human workers. Right now with LLMs that we're already starting to use today, we know that we've got to validate these outputs. It's no accident. A lot of gen AI tools today include disclaimers that they say look, we're capable of making mistakes and that you should really verify all important information. But we're definitely seeing hallucinations still and I think we'll continue to see hallucinations within the environment and all these interactions and tools. So I think specifically when you ask about assistive AI like this, human's oversight is going to become important. Now you take that to the next level as we cross into the use of authoritative AI where you've got agents that are able to take multiple steps right towards sort of accomplishing very complex tasks, Then you start to really have to factor in how human oversight becomes critically essential. Right. And it's a powerful thing that these agents are able to perform what they can. Like to be able to automate tasks from end to end at agent scale, not human scale. And we believe having a human in the loop is important. But I think that model for how we inject a human in the loop across the distributive process is also. We'll have to rethink that. Right. Because it's not just about having a human in the loop to understand are there other hallucinations or are there inadvertent actions? But having humans play a role, help create these guardrails and processes where we have the ability to sort of reverse and roll back actions taken by those agents. Otherwise I think we're going to really seek sort of the risk being like magnified.

B (21:53)

What about recovery time? The report points out that there are a lot of leaders out there who worried that recovery time is increasing. They're looking at days instead of hours to recover. What does identity centric practices, how do they play into this? How can you help shorten these recovery times?

C (22:15)

I think having good hygiene in the environment becomes really important. Right. First and foremost, let's think about. Right. Organizations today focus on, I would say legacy KPIs, right. They report on KPIs, not wrong, not bad. But if you look at a lot of organizations that have been compromised, they all followed process, they followed audits, met all their compliance requirements, put a lot of security measures in place. Many actually adopted some level of zero trust architecture. But I think we need to make sure that we're also focusing on proper security hygiene internally. Right. So let's kind of think about like, you know, what this looks like in terms of understanding the environment. Right. I think we need to start making sure that they're prioritizing an accurate up to date understanding of all identities in their environment specific to recovery time. Right. Because nominally what we put down as a rpo, for example, is not what, what is happening in practicality today in many organizations. So one thing we'd like to think about is let us evolve the KPIs especially specific to recovery time as part of this report around identity human and non human identities. Really bucketing this into I would say three categories. One being let's look at the traditional RTO capability, but reporting on MTTR mean time to recover, specific to I would say like compromised identity infrastructure. So as you look at sort of the granularity today we have like an RPO number and an RTO number. But can we like actually get a little bit more granular around the specifics since we are talking about identity, what is the MTTR specific to your identity infrastructure? So this could be a real critical measure for CISOs that are actually looking to establish a baseline for identity resilience. Right. In order to be a little bit more informative, I mean, it must be based on some of the simulated recoveries of the identity infrastructure. Now based on real world recovery procedures. How many organizations today think about recovery time by bringing in their identity infrastructure as part of that tabletop exercise? Probably very few. Second is actually thinking about recovery times from the perspective of resilience benchmarking against your industry peers. So what it takes for a, a hospital network versus a retail chain versus another manufacturing organization could be very different. And for a lot of CISOs to sort of start to really transform kind of what their recovery metrics are, what their resilience metrics are like, what they report on. It becomes important for them to understand what their peers are doing. Right. So we need to start thinking about baselining some of this and providing a measurement that's sort of relative to the industry because what healthcare does is different to manufacturing. And I think this is where we need to start educating boards and business leaders and the business themselves, business meaning like the business unit, on what is relevant to their industry and what are the benchmarks are and where they are.

B (25:35)

Let's talk some practical solutions here. I mean, the report points out that there are a lot of companies who are switching their IAM providers. What's your advice to folks who are switching here? If I'm a security professional, are there pitfalls I should avoid? Are there things I should absolutely be looking for?

C (25:54)

What are your words of wisdom, switching IAM providers? Let's think about. I think first and foremost it's a recognition. Identity compromise without doubt is an attack vector of choice for threat actors. I think one key area where a lot of organizations have invested in from an identity perspective is cloud native identity infrastructures and solutions. The thing is, many of these were rarely designed with security in mind. They were designed with access in mind. So I think this is an area, if I had to impart any thoughts here, we need to start thinking about this from a perspective of being purpose built for this new paradigm that we're in. I think summarizing some of our conversation is I said thinking about switching IAM providers. Think about the type of identities in your organization that require protection. So they're no longer just your users bringing in your human users that are within your organization, your third party, your contractors, and now start bringing in your machine and agentic identities or your non human identities. So really start to think about what your attack surface looks like and what kind of solution or provider best enables that. And then finally I would say different solutions obviously provide a different range of capabilities. But go back to core zero trust principles. What are those core tenets? How does that align to your ability to enforce least privilege access, things like role based access control? So really insist on strong security controls for IAM systems. And as you're doing that this is non negotiable, right? But as you're doing that it is also really important to understand how these solutions and these providers are also going to align with your evolving initiatives. Right? If you're deploying AI and factor recovery and resilience into that, you take Active Directory for example. The manual process to recover Active Directory is fairly laborious and it's multi step. How are you going to be able to ensure that you have a one click orchestrated recovery for that? How do we ensure that as they're thinking about all of this as well, that they're thinking about kind of what that minimum viable identity solution looks like? What is minimally viable for your organization should your identity be compromised for you to get back up and running?

B (28:21)

That's Kavitha Mariapan from Rubrik. We are pleased to add Rubrik as well. The latest addition to our knowledge partners.

A (28:42)

Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while only staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Explorer and Mustang Mach E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See Ford.com BlueCruise for more details. This message may be shocking to many millennials. If you are one, you might want to sit down. Right now loads of people are searching the following on low rise jeans, halter top, velour, tracksuit, puka shell, necklace, disc belt. You likely place these in the dark of your closet in 2004, never to be seen again. But if you can find it in yourself to dust them off, there are a lot of people who will give you money for them. Sell on Depop where taste recognizes taste.

B (29:49)

And finally, Chow Hai Bang's misadventure began with an unlikely prison friendship in South Korea. The sort that usually leads to exchanged life lessons, not international malware schemes. Years later, he found himself in the Dominican Republic, sponsored by his old cellmate Lee, who introduced him to Spymax, a remote access Trojan dressed up as harmless Android apps. Chow became the unlikely star of a malware masterclass, recording tutorial videos that showed syndicate partners how to spy on phones, steal credentials and empty bank accounts. His lessons were effective enough for 129 Singaporeans to lose $3.2 million, though Chow himself earned barely $1,700 for his trouble. When the operation unraveled, he was arrested and extradited. Now sentenced to five and a half years, Chau stands as Singapore's first case of someone prosecuted not for writing malware, but for teaching it. Proof that in cybercrime, even being the tutorial guy carries serious consequences. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at TheCyberWire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

A (32:21)

The Uniswap Wallet makes it easier and safer to own and use crypto Created by pioneers of the crypto economy, the Uniswap protocol has powered over 3.3 trillion dollars in trading volume, and it's trusted by tens of millions worldwide. With the Uniswap Wallet, you can discover, swap and manage your crypto all from your phone. Buy your first crypto assets in just a few taps and start exploring the freedom of decentralized finance with Uniswap. Tap the banner to get started.