Transcript
Mike: Hi, Mike Matchett with Small World Big Data, and we are talking today about identity security. It's a big thing. Everyone that I know of, every company I know of, tends to have Active Directory or the like in its entirety. You've got Teams, you've got Exchange, SharePoint, but you have Active Directory in there somewhere, or some other identity security problem. And that is a key point of attack for hackers. It is a key vulnerability if you haven't paid attention to it and aren't securing it properly. So it is something you really need to pay attention to going forward. And we won't even mention AI. I've got Cayosoft here today. We are talking with Craig Bertsch. Welcome, Craig.

Craig: Thanks for having me, Mike.

Mike: All right. You are one of the techie guys out there. What do you do for Cayosoft?

Craig: Well, I'm a principal technologist. Really, an identity security enthusiast, right? So my passion is all around identity security.

Mike: Identity security. All right. So, you know, at one level it's like, oh, that's just another little facet hanging off the security domains and kingdoms we have to secure today. But it really is the key to everything. I mean, this is where, if somebody can hack an identity, they've got their in. They're into your system. They can do whatever they want. So tell us, just in your sort of opinion, is this something that we're losing the game with? Is this an exponential threat now, especially with AI, or are people managing to keep pace? Is technology keeping pace with Active Directory identity security?

Craig: Identity is the number one attack vector. So, I mean, it used to be, hey, we're going to get a vulnerability, we're trying to break into a system. You've heard the basic slogan: why do I need to break in when I can log in? So that's exactly what the attackers are doing. Active Directory and
Entra ID are so prevalent in organizations. Attackers know this. Active Directory has been around for, what, 25-plus years almost now, and Entra ID is coming up on around 10 or 13 years as well. So these are technologies that have been in organizations for a very long time. You know, I will say that there's been a lot of admins in those environments, a lot of changes going on, and organizations just haven't been able to keep up. And I would basically say we are facing an identity crisis, because we're seeing more and more attacks around identity, and organizations are suffering from those attacks.

Mike: Yeah, psychologically, an identity crisis is what we're all having, right? We don't...

Craig: Well, you could say it that way.

Mike: You know, it's not that I don't know who I am, although sometimes I look at the screen and look at the paper trail and I go, did I do that? Was that even me? I don't even know. So what are some of the, just at a broad brush, what are some of the things which are vulnerable in Active Directory? What are some of the coverage areas that people have not been paying as much attention to as they should have on configuring Active Directory, or setting it up, or just keeping up with what hackers are doing these days?

Craig: We need to start with the basics, right? So basic hygiene, right. So onboarding and offboarding, right. When we offboard, are we properly removing all the access as part of that? Service accounts, right. There's a lot of service accounts out there in organizations, legacy service accounts. They might not even be in use anymore. Mostly it's like, but what are those group permissions? They're afraid to touch them. Yeah, because they're afraid of, oh, what happens if it breaks. But there's also misconfigurations, over-permissioned accounts, integrations. If we think about Active Directory integrations with Entra ID, we have the hybrid, I'll call it the hybrid identity bridge. Right.
There's two of them: Entra Connect and Cloud Sync. Those have challenges as well in regards to potential attack pathways into both environments. And then we take our Active Directory and extend those into the cloud, and we just increased our attack surface without cleaning up what we needed to clean up before. So we basically just replicated that into the cloud in some cases. Not all cases.

Mike: All right. So a number of things. People that haven't been paying a lot of attention to Active Directory in a security way are kind of falling behind. What are some of the things that they should be doing? I guess if I have an Active Directory, Entra ID responsibility, what should I be doing? Just broadly?

Craig: I mean, the first thing you need to do is think about hygiene. So did I offboard? Do I have a bunch of stale accounts in our environment? And you can do that different ways, but also look at avenues that an attacker would go after in your environment. So attack path analysis, or what I'll call identity security posture management. Go out, get a scan of your environment, look what misconfigurations pop up, and then focus on the ones that are critical to your organization or to an identity platform organization. So if I have a bunch of domain or global admins in my environment and none of them have MFA enabled, which wouldn't be the case nowadays, or they're all active, right? So they're not using eligible PIM. Those are things I would want to address right away. Or maybe there's some over-permissions inside of Active Directory, like from the ACL perspective, that have been there for years. Those things need to be cleaned up, but organizations aren't searching for those. If you bring in and just do like a regular audit, you might miss those things. So that's what the attackers are looking for, those different avenues.
Can I move from one account to the next account to get what I need? What do I need? I need privileges. If I can get privileges, we're in trouble, right? So from that aspect.

Mike: Right. So identity posture management, you said a couple of times; we're going to come back around to what Cayosoft can do in that area in a minute. But I've kind of been in the storage industry for a while as a background. We talk a lot about data protection. We talk a lot about backups and recovery and so on. And increasingly, doing backups and being able to recover from a backup is becoming less of the best practice, less current practice. You are taking a similar kind of path to saying, like, just having a backup offline isn't really good enough in today's business world. How is Cayosoft helping people address that sort of real-time nature of being hacked and getting back on recovery? And I guess you would use the word resilience. So how are you helping people be more resilient?

Craig: So exactly. So we're focused on identity resilience. So the first thing is there's a couple different ways you can recover, right? So if we look at it from the change visibility, we can do things like roll back, you know, basic changes. But most organizations, if they basically have a catastrophic event, whether that be a ransomware attack or some kind of major outage, they're going to have to go pull a backup and then basically put some servers down, install the operating system, etc., and kick off that recovery process. Think about that in a ransomware scenario. Right. So that hardware may all be down. The government's usually going to seize all that information. So what Cayosoft does with our instant standby forest recovery, and that's one of the key things, is we actually build out a cold standby in an isolated cloud environment, whether that be Azure or AWS.
It's scheduled, it's fully automatic, tested to make sure that it is a backup of their Active Directory. And it's a working backup that's fully ready to go. And now all they need to do in that event is basically power on the cold standby, make some network configuration, and then run through the post analysis and some additional checks. And that's one of the key differences about Cayosoft as well: our identity threat detection and response, you've probably heard of that term, really extends into full-on recovery, and it's built into the platform. So we have the threat detection capability, we see the real-time changes, but we also have the ability to recover from a forest perspective. Or, like I said earlier when we were talking before, some of these changes are not just done by an attacker. It could be an oops. I was an admin back in the day. I've had a couple oopses throughout my career, and the business needs to be able to get back up and running very quickly, and they might not want to go to a backup. They need something that's going to be instant, and we can provide that with our solutions.

Mike: So yeah, I think this is an interesting point. I would just reiterate that for our audience, that having a backup is one thing. Spending a lot of time outside of the backup solutions to create cold recovery situations or offsite things can take a lot of effort, just even configuring them, much less testing them and making sure they're up to date. But it looks like you're sort of leading the pack here on putting that cold recovery into the product itself, so it's just part and parcel of what someone does, which I think is great. So that we can start to elevate the idea of recovery to this next stage of saying, well, we are already set up to switch over and fail over to something if we need to,
and that's built into the solution, not something we have to build up from Lego blocks outside of it.

Craig: That is correct. And the reason why that's important is ransomware. So if you think about what we built, if you think about traditional disaster recovery, hey, we had some kind of event, maybe we lost a data center. It wasn't that the backups or the systems themselves were impacted as part of that change in the environment. So that's something you need to be aware of. And that's why a cold standby forest environment is the way to go in that scenario. So we know that we have an Active Directory backup ready to go, tested, fully functional at a moment's notice. You don't want to try to recover during a ransomware event. It's very painful to think about all the stress that you're already dealing with from an organization perspective. If you can eliminate one of your biggest challenges, which is getting an Active Directory back up and running, because it's already there for you, guess what? The organization is going to be back up and running very quickly. I use the term minimal viable business, so we're providing that way for them to get their minimum viable business back up and running. So that means they can point their most critical applications back to this environment with little to no effort.

Mike: All right. That's awesome. And, you know, I know there's some interesting things you could talk about, looking at events and logs and audit trails versus looking at real-time feeds and looking at what's happening right now behaviorally, and the difference between that. And I understand Cayosoft kind of takes this real-time perspective, or the what's-going-on-now perspective, as well. Because again, for the reasons you just mentioned, if you're looking backwards in time, you're already penetrated. Probably.
Craig: That's why it was critical to have the change monitoring piece built into the recovery system, so that we can do that forensic analysis as part of the recovery. So as you mentioned, changes happen on a regular basis. And I could go in and maybe update a conditional access policy to exclude a certain group of users from multi-factor authentication. And maybe I did that for a reason, to help a user when they were in trouble, and then I forgot that. So we have the threat detection that's going to alert you of that change. But we also can see the change and who made the change, and revert it, as well as we can put in automatic rules to roll back things on behalf of an organization that says, hey, only Craig's allowed to update conditional access policies. So if Mike goes in and tries to update the conditional access policy, we're automatically going to roll that back. And if Craig makes that conditional access policy update, we're going to allow it to go through. But we're not going to just allow it to go through. We're going to alert to make sure that Craig made that change, because who knows, it might be an attacker, right? They could be impersonating my account. My account may have been breached in that scenario. And now we need to have that real-time visibility. And you can say, hey, Craig, was that you? And if it's not me, then we need to go further in our investigation to see, hey, are we really dealing with a live attack in our organization, and what other steps do we need to do? So we help with the triage, but really around the prevention side as well.

Mike: Awesome, awesome. I understand you have some things you're talking about, going from an on-prem, in-house solution to something that you can assist people with, a SaaS version coming up soon. And you're going to be rolling that out. When does that come out?
Craig: So we're rolling out a new deployment method, as you mentioned, our SaaS solution. I would say it's going to probably be closer to either the beginning of the year or two, from that aspect. But basically, it's our Cayosoft Guardian solution, being able to deploy a fully SaaS-supported solution for cloud-first environments. There's a lot of organizations that do not want to have the overhead of infrastructure, right up to the upkeep of infrastructure in their organization. And they have a mandate to be cloud first. So we're really going to be able to enable those organizations, as well as an interesting use case with the SaaS solution would be to help organizations with mergers and acquisitions. Because if you think about trying to go in and do these assessments from an Active Directory or identity security posture perspective, it's very hard. We have to connect the networks or run scripts, and there's no central visibility. But with Cayosoft's SaaS solution, we'll be able to help organizations quickly get visibility into both environments from that aspect. So I'm very excited about that capability.

Mike: Right. And just managing, you know, disparate divisions and organizations that, you said hybrid, being able to manage across a complex environment is a big thing.

Craig: Exactly. And we are dealing with that. Right. So multiple forests, multiple tenants, multiple... I mean, it's very complex getting there.

Mike: So let's circle back around. We talked about this identity security posture management analysis. We talked about something called Guardian Protector. Tell us a little bit more about Guardian Protector.

Craig: So Guardian Protector we released in October as a free solution to everyone. So if you think about traditional identity security posture management, we go out and do a scan of our environment. We get some kind of findings back.
We go in and fix those findings, and then something happens, right? Administrative drift could occur. Maybe, worse yet, there's an attacker in your environment making changes, and you don't know until the next time you run that scan. So we said there's a gap in regards to what organizations are able to see. And we're seeing all these identity-based attacks. And the next step would be to go out and buy an enterprise solution, and not every organization has the budget to have these types of capabilities. Initially, maybe they get it down the road. Well, now they can use Guardian Protector, that has real-time threat detection, built-in alerting, but also the change piece of it. So now if I went in and cleaned up my Active Directory and I start to see an admin go in and make a change, and we just drift normally, I'm going to catch that immediately. I'm not waiting for that next scan. Or maybe I don't even have a scan. Maybe I hire a pentester once a year to go in and find that for me. Right? That's too late. Attackers aren't waiting for those changes. If we play by zero trust rules real quick, right, we have to assume breach. So if we assume the attacker is already on our network, think about that. If they're on our network and a change wasn't there that was weakening our identity posture, and now it is, we just gave them an avenue. We need to know right away. We can't wait, from that aspect.

Mike: So Guardian Protector, unlike some other sort of open-the-door kinds of solutions other people are offering, isn't simply an audit of this. It's an ongoing tool you can use to stay on top of change management. Obviously not the full solution with the built-in recovery and all the rest of it, but something people can install and actually productively use day to day going forward.

Craig: Absolutely. I mean, it's so easy to get up and running for Guardian Protector.
I mean, basically they provide a Windows server and some service accounts and run our software, and they can immediately take advantage of it.

Mike: Yeah. So who doesn't have Active Directory right now? You don't have to answer that. I mean, like, everyone has Active Directory. Everyone, if they're not doing anything here, could go get Guardian Protector. Where would they find this, and what else would they be looking for if they want to learn a little bit more about Cayosoft?

Craig: Well, they can definitely go to our Cayosoft website. Right. So cayosoft.com, and search for Guardian Protector, hit the download link, basically. And then we also built a subreddit for support of Guardian Protector. I am actively in the subreddit on a regular basis. I put out tips and tricks. We built another resource around advanced remediation, showing them step by step. Because not everybody's a security expert, and our product has some good detail around guidance of remediation. But we even went one step further and built pretty much walkthroughs on how you do the remediation for organizations. And if you think about that, organizations like K-12 or rural hospitals now have the capability to get into seeing visibility. And Guardian Protector's not just Active Directory. It goes across both Entra ID, M365 workloads, and Microsoft Intune as well. And that was one of the reasons why, when we put out Guardian Protector, we saw an expanding attack surface. It wasn't just identity. We were seeing Intune being attacked. We were seeing Teams being attacked. We already saw Exchange Online, right? It's been part of attacks through many years. Those other solutions weren't really going into the level that we're going into. And there was a gap, and we felt like our solution can really fill that gap and we can give back to the community. And that's why we built it.

Mike: Yeah. And as I was saying, everyone has Active Directory.
Thank you, Craig, for being here, making that offer of Guardian Protector. You've got Active Directory, folks. This is not just a free audit tool on your security posture, but it's an ongoing monitoring for change management, parts there too that could help you with some compliance and some other things, as well as active security keeping you from being compromised. So check it out. That's Cayosoft. Thanks again, Craig.

Craig: Thank you.

Mike: All right. Take care, folks.