Solving the Risk of Unmanaged Non-Human Identities

Published on

March 10, 2024

Catch Karl Mattson, Chief Information Security Officer at Noname Security, and Danny Brickman, Co-Founder & CEO of Oasis Security, as they dissect the urgent issue of unmanaged non-human identities in today's increasingly automated world on the C-Vision International Thought Leadership Podcast.

Join them as they explore the widespread integration of AI and automated systems across industries, acknowledging their efficiency benefits while underscoring the critical importance of managing identities in this rapidly evolving landscape.

Transcript:

Karl Mattson:

Hello, I'm Karl Mattson, the field CISO for Noname Security. I'm joined by my good friend and a partner from the Cyberstarts portfolio, Danny Brickman from Oasis Security. Danny, thanks for joining me.

Danny Brickman:

Thanks for having me.

Karl Mattson:

Danny, you and I have met several times over the course of the years, and so I've had the opportunity to travel a lot to Tel Aviv and to Israel, learning about the ecosystem. So before we get into Oasis, tell us a little bit about your background, and why you, and why so many of the smartest people in our industry are coming out of Israel today.

Danny Brickman:

So my background is, I would say, really simple if you're comparing to Israeli folks. I've been 11 years in the army, serving in everything related to cyber and software. I've been managing engineering there, like sections of 65 engineers, and overseeing a lot of projects related to that. And to your point here, I think the reason why a lot of great startups are coming out from Israel is because of two reasons. First of all, the expertise around cyber, understanding that really well. And the second of all is the mentality that we have in the army, which is we are able to say anything about everything, no matter what the rank is. And we can challenge and we can discuss, and this creates a lot of innovation and thinking. So I think those two.

Karl Mattson:

That's spot on too. I served in an army, and I was in the army for eight years. And I can tell you with a great deal of certainty that almost myself and really everybody I served with, when we're departing service, we are not thinking about going off in the world to start a company that could take on the world and build something. We're thinking about things that maybe we would do 20 years from now. And I'm always so impressed at the drive and the ambition that is fostered in Israel, that it is hard to find in the US. So it is really interesting to see that keep happening in the ecosystem.

Danny Brickman:

I 100% agree with you, and I think, as far as I know the Israeli entrepreneurs, everyone wants to prove that they can do that. And Israel is a small country and we all understand the challenges. So coming out and doing something good for people, innovating, creating something new, it's just part of the culture.

Karl Mattson:

So we're going to get to Oasis and what you're working on here in a minute. But one thing I'd really like to ask, if you could dive into it a little bit, is that before you came out of stealth, you were building a company during a time of conflict. And so can you talk to us about what it was like for you and for your team to be building Oasis in a time when it was complicated for everybody? Can you share a little bit behind the scenes on that?

Danny Brickman:

I think because people were expecting resiliency from us, and this is something that we're, again, also really good at. We know how to operate in quiet times and we know how to operate in wartimes, unfortunately, yes. This is the reality that we were born to and that we were unfortunately raised to. And this shows the industry, I think, how strong the ecosystem and the community in Israel are when it comes to challenging times. And I have to say that specifically now, it's even more than ever, people want to create and continue creating and doing value. It's really important for us because it's a driver. And even in those challenging times, to show the world that we still stand and we deliver and make things happen. It's even more compelling and more important for us.

Karl Mattson:

Well, congratulations to you and everybody at Oasis, because you proved that. You're going to emerge now this month, coming out of stealth. Can you give us a picture of what the last couple of weeks have been like for you and the team, coming out of stealth with a lot of media attention, a lot of focus now on Oasis? What's that journey been like, coming out of stealth?

Danny Brickman:

It's unpredictable. I would say no matter what you think it'll be, it's unpredictable. And I'm really happy that, first of all, there's a lot of attention to the field and to the problem statement. And we are there only to help solve the problem. And as long as people understand that, we can help. But there's definitely a difference between being in stealth and working on the product, working with the market, working with customers, to the point that everyone now knows what non-human identities mean, for example, and how big this risk is. So it's changing, and it's really exciting to be at the front of the problem and solving it.

Karl Mattson:

Since I've known you, you've been talking about non-human identity from the start. Where's the origin of that, or the seed of focusing on non-human identity? What was it about that subject area that really drew your attention?

Danny Brickman:

Two points. One of them is our experience. Well, we all know service accounts for many years. Many, many, many years. And in a way, service accounts have always been the weakest point, because changing passwords was always painful. And then if a password, like a service account, is breached and people don't know about it, the attacker can keep it for years because nobody's changing the password. So this was the mentality that we thought about originally, but more importantly is that the market actually was describing to us how complicated this problem is and how it's growing right now. And every initiative that the business is driving towards cloud transformation, automation, now a lot of people speaking about AI, but at the end of the day, it is replacing human identities with non-human identities. They're doing processes, automatic processes. So it was exciting while we've been in stealth to see how the market transitioned and its focus on that, and how a lot of problems are actually symptoms of a non-managed non-human identity landscape.

Karl Mattson:

In the area of non-human identities, you mentioned secrets, vaults, privileged account managers, Active Directory. There are so many different companies who specialized in these security areas over time. So when you were building Oasis, what were you building towards to differentiate yourself from the available technologies? Talk to me.

Danny Brickman:

So first of all, two things here drove us from the get-go. One of them, we figured out that people are expecting in those days, in 2024, and hopefully as we look forward, to be as agentless as possible and to have fast deployment and fast onboarding. And those types of characteristics of the product are really important in the identity space. The DS project in the identity space sometimes lasts like 18 months of deployment. So we built Oasis to do an integration as fast as possible so people can get value within days. Actually, I can tell you, Karl, today, that with the work with our customers, they're solving their first violation within the first week of working with Oasis, and giving value to the organization and showing value to the business within the same week, which was for us a great success. But it's also the goal that we're aiming for as a company and as we're building the product right now. So this was really important for us.

And second of all, you were mentioning a lot of solutions that there are in the market, and the reality is that there will not be one single solution to solve secret managers or this, because developers will use their own, and this team will use this one. So the mentality of Oasis is to help you work with your ecosystem, with the platforms that you're using, utilizing whatever you can and making sure that you are achieving the goals that you want to achieve in this space. And again, keeping in mind the lifecycle management concept, so working with different secret managers and different platforms at once.

Karl Mattson:

So can you talk about, you mentioned your environment, and I think this is probably true with some teams that are still dealing with a legacy on-premise infrastructure. Are they left out here? Is it cloud-centric, cloud-only, that can take advantage of Oasis? And what do teams with legacy or on-prem architecture have to gain as well?

Danny Brickman:

So first of all, we're not leaving anyone behind. The world of non-human accounts is spread across cloud, on-prem and SaaS. And we're dealing with all of those and helping organizations with each part of it. And it depends where we want to start. Many times cleaning up the messes, like you need to clean up your on-premises or your cloud. It really depends.

Karl Mattson:

Well, on behalf of most banking institutions in the US, thank you. Because there's still a lot out there. So no security discussion today can happen without thinking about the implications of artificial intelligence. And so can you talk to us about how you think about AI, both in terms of risks and opportunities, and how does that fit into Oasis's strategy?

Danny Brickman:

In terms of opportunities, it's a long discussion, but I think there is a ton of things that we can innovate inside of the organization because of the AI that is coming in through every door, every window, every hole we have in our house. But when it comes to non-human identities, for us it's like I was describing in the beginning, this transition from manual work to automation; AI is just accelerating this, the creation of accounts, sometimes to the point that you aren't even able to understand what account's being created, who created this token, what it was created for, because the amount of integration is so high that we can lose track if we're not keeping up with the right policies out of the gate. And this is really important. This is why driving towards lifecycle management, good posture of those accounts, is really important, and collaborating with the teams to achieve that. So those factors are now becoming really predominant, and we're seeing it happening actually in every organization right now.

And actually it helps us also to explain why it's proliferating that fast. For a single operation that you needed to do manually, you needed one account, yours, mine, whatever. But in the world of API architecture, microservices, AI is playing a huge game of leveraging a lot of access, a lot of tokens, and you have dozens for one operation, one process. So the maths is simple.

Karl Mattson:

So there's a small shift then over to maybe the same question about RPA and robotic identities. Where does Oasis play in that space, and how does a security practitioner think about an RPA identity? Is it a human or is it a non-human identity?

Danny Brickman:

It's a great question. Actually, RPAs are powered by non-human accounts. Every robotic automation is using and leveraging tokens, service accounts, secrets. And some of them are overused, some of them are really hard to maintain, because we don't know what other bots are using that, what other processes are using that. So again, it boils down to the same notion of understanding everything, contextualizing the usage and the ownership of those accounts. And then RPA falls into one of the buckets of usage of non-human accounts.

Karl Mattson:

So in that non-human identity landscape, give us a few examples of what that entails. You mentioned service accounts, what other types of identities kind of make this universe complete?

Danny Brickman:

So wow, the list is so long, but if we need to put it in several categories, it'll be service accounts or principals, keys, tokens, secrets, certificates, all those different creatures, old and new, that are powering. I know every system today has its own way of authenticating through tokens, keys and secrets. So this is the whole lens of non-human accounts.

Karl Mattson:

So are there specific breaches or examples you think really illustrate the scope and the severity of impact of getting this problem set wrong?

Danny Brickman:

So it's really interesting. We were investigating all the breaches, the latest breaches, and each and every one of them has a non-human component, whether it's the first step, or we stole a secret from, I don't know, a Slack channel, something like that, and we got into the organization. Or people breached or used the human account, came in, found hard-coded credentials, as in the Uber case or others like the Okta case. And then the blast radius from that point on was really significant. But if we're even looking a few weeks ago, Cloudflare declared that they've been breached after they needed to rotate all the tokens related to the Okta breach. They tried to rotate all of them, they forgot about four of them, not necessarily forgot, maybe they thought they were stale, but those caused the breach. And they needed to rotate again all of the non-human accounts related to that. So not only was this a really long manual process, but they also could not complete it holistically because basics were missing. So this is generally what's happening now.

Karl Mattson:

So if I'm an organization and I've got tokens, certificates, API keys, for example, I may have significant gaps in one area; in other areas I may be relatively mature. How do I know where to start, and how do I begin to look at this non-human identity space? Where do I start as a security practitioner?

Danny Brickman:

So the first step is we need to understand the landscape. We cannot address parts of the problem. We need to see everything. Because, for example, stale accounts can be discovered only if you're discovering all of your accounts. So mapping them, inventory, contextualizing the usage, the ownership, all of those pieces that we need to even operate in the first place. Only this helps us understand how big the problem is. Where is the risk? How many exposures do we have, what types of exposures do we have? But then the next step is just to prioritize and understand where we need to start. What is the lowest-hanging fruit on one end, and what are the riskiest accounts for us, and address those.

Actually, I was lately speaking with my friends, and we understood that non-human accounts, specifically the most critical ones, are kind of like the zero-day of identities. You don't know about them, they exist there, they pose a really huge risk, and they might cause a massive breach in your organization. So treating those zero-day identities is the next step. And as we're looking at the organization holistically, we understand that running after those accounts one by one is an impossible task. So what we actually need to be achieving is the lifecycle management of non-human accounts, just as we did with humans. We need to build this lifecycle process right now for non-humans.

Karl Mattson:

So let's expand a little bit upon that, because if we've got organizations that are running Active Directory and key vaults and certificate servers, you talked about observability, but where do you then also get into the remediation business of being able to touch those identities and be the lifecycle point of emphasis?

Danny Brickman:

So in two parts. First of all, we need to understand the process and what the life of those identities looks like. So created by developers, created by the identity team, created by this team, who's managing that, who's responsible for the vaults, and what are the processes? The moment we configure, we want to stand in those policies, like rotation every six days, vaulting every privileged account, et cetera; what we actually need to do is to make sure that this process is automatically done. And a developer asking for a key, it doesn't need to be manually done, create it, and then vaulted by another team, et cetera. All of this needs to be completely and holistically managed in this lifetime, in this life of accounts. And managed on top of that, because if we're vaulting it in a secret manager, we need to make sure that we're rotating it, cleaning it up if it's not really in use, and those kinds of things. And this is also manual work that can be automated.

So we're looking at this whole process from the beginning of the account to everything that is happening with them, changing permissions, rotating it, and to the moment that it needs to be disabled because it's not in use. So this is the whole span of that.

Karl Mattson:

So in that lifecycle, are there any common denominators that you're seeing pretty much everywhere you go, when you turn Oasis on, you're seeing the same theme or the same kind of finding? Are there any examples that you're seeing pretty much every security team is challenged with?

Danny Brickman:

It's going to the simplest things: stale and privileged accounts, identifying them and cleaning them, making sure that they're really stale and nobody's using them. It's a painful project, but it's so important to clean those up. And the second one is the process of rotating keys and rotating secrets. This is also a manual process that requires a lot of contextualization and working with the teams and sending emails to people. So only those two really basic things are really lagging behind the automation approach that we have in general.

Karl Mattson:

Great. So can you give us maybe a thumbnail sketch: where will Oasis be a year from now or two years from now? Are there other challenges that you see on the horizon that you really think are the next problems to solve for Oasis?

Danny Brickman:

So first thing first, the market will dictate it exactly. Because we're now opening up this Pandora's box, if you will, and the use cases that are coming out of it, and people trying to understand, like, oh, can I solve this? Can I solve third parties? Can I solve employees with access to the secrets, etc.? How can we address it? So this whole notion is now bringing more and more problems to the table. But I think, from my perspective, in a year or two from now, lifecycle management by itself, if it becomes more predominant in the organization, we can eliminate the problem almost holistically. And this will free us up to think about what is the next step with identities, and non-human identity specifically, and what should be the next innovation there, and how can we maybe federate some accounts, maybe do something else. But this is too early to say, because we're still dealing with the basics of inventory understanding, what is the mess that we have in our organization.

Karl Mattson:

I'm really glad to hear you say that. I can think of a couple of examples, but one in particular with a company that my organization, about five years ago, was an early customer of, and as soon as we deployed the technology, we immediately began to use that thing for something that the company did not intend us to. And we were very, very happy with what we were doing, and it was a deceptions platform, but we used it for something completely unrelated. And that feedback loop to the founders, I think, ended up being very valuable. And so that listening to the market and getting the feedback loop. Is there anything in particular, as you've brought Oasis to market and worked with customers, that surprises you? Where what they think or their feedback is very contrary to what you thought it would be, or features that they value that you had no idea they would value?

Danny Brickman:

So what surprised me is even the basic of that: people, all of them, understand the problem. All of them understand the problem exists. And I was like, people were like, hey, so why didn't they tell anyone else about it? And the reality is that when you are asking people, and this is the nature of all of us, if you don't have a solution for something, you will not try to solve the problem. And we know, I know today, and you, Karl, of course know, that CISOs and security experts have a lot on their plate, and they need to prioritize all the time what brings the most value to the organization with the resources, the limited resources, that we have. And if there's nothing to simplify the remediation, we won't be addressing that. Not because we're bad, or not because we're negligent. Just because we cannot do that.

And the moment the problem is described and there is a solution to automate that, suddenly people say, "Oh my God, I can solve it. I want to do that." And then this motion brings, by the way, a lot of features, to your question, creating, like, can we solve this and can we solve that and can we solve that? And this creates the best place for startups to grow and to help the organizations.

Karl Mattson:

So I remember in an organization I was a part of, we had an Active Directory with perhaps seven or 8,000 human identities and about 15,000 machine or service accounts. Is there any sort of metric that you're maybe observing for how many non-human identities are out there in an organization?

Danny Brickman:

I will be surprised if we're coming back to that organization, Karl, today, and we still see 15,000. I won't be surprised if we see 7,000 human accounts. I will be surprised if it's 15,000. Because it's growing really fast, and we're seeing multipliers around 5, 10, 15 and even 100 in several of our customers. And this is without counting all the different short-lived tokens that we have.

Karl Mattson:

Yep. Yeah, that was just Active Directory, of course. And then you've got all the other identity assets as well. Last thing I wanted to ask you about is, as you go into this American market, of course the CISO is oftentimes assumed to be the buyer or the customer, but what are you seeing? Who's the role in the security team that knows the problem but also can have the mandate to solve for non-human identity?

Danny Brickman:

You're touching a really interesting and important point right now for organizations. And I can say it varies right now. Because everyone understands the problem. It's just a matter of who has the permission, who originally had the permission. If we're speaking about, I would say, Active Directory service accounts, usually it's in full control of the identity teams; they're controlling that and it is in their responsibilities. But when we're going to other types of accounts, it really varies. And I think today the biggest mission for us as an industry is that we need to explain better what this function looks like. How should we be managing that? We need to be responsible for doing it zero to one. Not only dictating exactly how we want the policies to be working, but also helping the organization to get to that point. And this requires a lot of collaboration between teams. At the end of the day, I'm always saying, when it comes to identities, keep in mind, when you shut down all of your identities in the organization, you don't have any security issues anymore. But then you don't have a business running.

So collaborating with developers, with engineers, with cloud teams, with application owners, this is the number one goal that we need to be achieving. And this requires a mentality and the right approach for that. And I see a lot of organizations are doing that and moving toward that direction right now.

Karl Mattson:

So oasis.security is the website. Talk to us a little bit about what resources you have available, or how do organizations get in contact with you and your team to see more?

Danny Brickman:

So first of all, you can leave your details on the website, and/or reach out directly to us through the website or LinkedIn or any other platform that we exist on. So this is one. And the second one is Oasis is focused on bringing as much value as possible as fast as possible. And we're doing it by giving organizations a risk assessment around non-human accounts, to help them understand the problem, to help them quantify the problem and see it with their own eyes. And we're doing it really fast, within days. So this is one of the things that we are hoping to help the industry with, even before jumping on exactly how to solve that.

Karl Mattson:

And then the burning question that seems to be circulating in the industry this week, which is, are you going to be at RSA? Will we be able to meet the Oasis Security team at RSA this year?

Danny Brickman:

The answer is yes. The whole team will be at RSA, and I would love to meet as many folks from the industry as possible. And Karl, as I said, I think, along our conversation here, this product was built for the market, not for us. And so every interaction, every feedback and every thought is helping Oasis and the industry to be more secure. So please don't be shy, we will be there. And I'm really hoping to see as many people as possible there.

Karl Mattson:

Good. And our gracious hosts today, C-Vision International. Noname has been a partner with C-Vision for quite a long time. And those events, the think tank forums and the dinners and the community, the support that they provide, that's actually, RSA is the fireworks and the large exhibit hall. The C-Vision events are a fantastic way to actually get to meet people, talk one-on-one, a much more personal relationship. And that's why we stay connected, and hopefully you feel the same.

Danny Brickman:

C-Vision is probably one of the best in those terms you've described, of the ability to speak closely to people, to think, to innovate, to give feedback and challenge every step that we do. And I'm learning a lot from those events, and I'm really happy that we have the chance to participate in those and meet folks from the industry and a lot of innovative folks that are coming there. So thanks to C-Vision.
