The Cybersecurity Readiness Podcast: Beyond Passwords, Making Identity-Based Attacks Impossible in the Age of AI

TL;DR

  • Identity-based attacks dominate breaches—adversaries exploit MFA fatigue, phishing kits, and session hijacking
  • Human training alone can’t withstand threats like deepfakes and AI; technology must carry the defense
  • Effective strategies include identity defense that continuously verifies users and devices through device-bound passkeys

Full Transcript

[0:07 - 0:29] Host:  Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book, Cybersecurity Readiness, a Holistic and High-Performance Approach, a Sage Publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies, and served on a cybersecurity SWAT team with chief information security officers.

[0:30 - 0:47] Host:  His work on proactive cybersecurity has been featured on USA Today. Dr. Chatterjee has been a tenured professor at the Terry College of Business at the University of Georgia. As a Duke University visiting scholar, Dr. Chatterjee teaches in cybersecurity programs at the Pratt School of Engineering.

[0:49 - 1:09] Dr. Dave Chatterjee: Welcome to the Cybersecurity Readiness Podcast Series. Today, we will be talking to a renowned expert in the area of enterprise security, identity security, zero-trust architecture, phishing-resistant authentication, and more.

[1:09 - 1:21] Dr. Dave Chatterjee:  Before I formally introduce him, I wanted to paint the context for my listeners. We are going to be talking about identity-based attacks. So what are identity-based attacks?

[1:21 - 1:33] Dr. Dave Chatterjee:  As the name suggests, it's basically attacks that are based on using user credentials. And 80% of attacks are of these types.

[1:33 - 1:50] Dr. Dave Chatterjee:  My guest today, Jasson Casey, who is the CEO and co-founder of Beyond Identity, will shed light on how to mitigate, exterminate such types of attacks.

[1:50 - 1:54] Dr. Dave Chatterjee:  So without any further ado, Jasson, welcome to the podcast.

[1:54 - 1:55] Jasson Casey, CEO of Beyond Identity: Thanks for having me.

[1:55 - 2:07] Dr. Dave Chatterjee:  Well, let's begin by learning a little more about yourself, your professional journey, and what led you to focus on identity security.

[2:07 - 2:24] Jasson Casey, CEO of Beyond Identity: Sure. Let's see. I am an engineer by training. I've always enjoyed building things. I got my first startup in the late 90s, and it was one of those startups where we had a lot of ambition and a lot of money and not a lot of people to get the work done.

[2:24 - 2:49] Jasson Casey, CEO of Beyond Identity:  So if you were willing to be ambitious, you were given a lot. So, yeah, I got into basically building replacement networks for telcos back in the late 90s, which led to voice over IP, which led to kind of carrier grade routers and firewalls and systems, which led to a PhD, which led to SDN, which led to actually being able to work for General Keith Alexander, the former director of the NSA for a while.

[2:49 - 3:18] Jasson Casey, CEO of Beyond Identity:  That was a lot of fun, which led to being the CTO at a company called Security Scorecard, where I kind of built out the product around kind of global data collection and analysis. And telling a long story as quickly as possible, one of the insights I had at Security Scorecard, I shouldn't say I had, one of the insights that was obvious when we would work with our partners from the cyber insurance industry was of the thousands of data points that we looked at, there were three or four that were the strongest indicator of a future breach.

[3:18 - 3:34] Jasson Casey, CEO of Beyond Identity:  And those three or four were all really around like password management and endpoint posture management. And I thought I had an analytics company idea. And at the same time, I got railroaded by a guy named Jim Clark, the same one who built Netscape and Silicon Graphics and a couple other companies.

[3:34 - 3:48] Jasson Casey, CEO of Beyond Identity:  And he had built a working prototype with Nelson and Mike on how to remove the password because he was so annoyed just from the user experience of a password getting in the way to logging into stuff.

[3:48 - 4:09] Jasson Casey, CEO of Beyond Identity:  Right? Homes, boats, things, gym-style stuff. And long story short, in 2019, we kind of joined forces and started Beyond Identity. And the idea was, if we unify these things, we really chip at the four likely indicators of future breach. And as you alluded to earlier, there's quite a bit more behind that that goes to pay back organizations in the industry.

[4:10 - 4:31] Dr. Dave Chatterjee: Absolutely. I appreciate that insight; yours is a very impressive background. So, Jasson, let's introduce our listeners to identity-based attacks. I mentioned a little bit in my intro, but I'd like you to explain: what are these types of attacks? Why do they happen, without getting very technical?

[4:31 - 4:51] Jasson Casey, CEO of Beyond Identity: Yeah. All right. We're going to stay a little bit higher than walking through kind of the machine code. So, yeah, identity-based attacks. I mean, everyone's heard of them in some form or flavor. You've probably heard phrases like session hijacking, credential theft, initial access brokers where you can buy access tokens, push bombing, MFA bypass.

[4:51 - 5:12] Jasson Casey, CEO of Beyond Identity:  Like these are all forms of identity attacks. And if you can't remember where you've heard about them, if you've ever read news articles about Scattered Spider, if you've ever read news articles about Lapsus or Lazarus or any of the blizzards, I'm very focused on one right now called Secret Blizzard because I feel like it illustrates a lot of interesting concepts.

[5:12 - 5:23] Jasson Casey, CEO of Beyond Identity:  But basically, this Russian actor is really, really good at exploiting the identity system. And it's funny, the adversary over the last four or five years, they don't really break in.

[5:23 - 5:26] Jasson Casey, CEO of Beyond Identity:  They log in and they do it by exploiting the identity system.

[5:26 - 5:37] Dr. Dave Chatterjee: Wow. So you mentioned about Jim Clark and his aversion for passwords. I don't think we have solved the problem yet because even this morning, I had to log in and I didn't remember the password.

[5:38 - 5:51] Dr. Dave Chatterjee:  I thought that maybe I could use my LinkedIn to get in, but I still couldn't. And it was very annoying. I have published 88 episodes. I was going through the list. I've had quite a few discussions on passwordless authentication.

[5:52 - 6:07] Dr. Dave Chatterjee:  And every time I have this discussion, I get very excited that, okay, we have a solution. It's going to be widely implemented and we will not have to remember passwords, nor will we have to worry about our credentials getting compromised or accessed.

[6:07 - 6:23] Dr. Dave Chatterjee:  So I'd like you to share with us, how do you come at identity security? What is it that you offer by way of an approach or a solution that would make such attacks go away?

[6:23 - 6:35] Jasson Casey, CEO of Beyond Identity:  So let me start with the passwordless comment, because if you're going on the passwordless journey, there's kind of a bridge in the road that you need to know about. Are you looking for passwordless for ease of use?

[6:35 - 6:47] Jasson Casey, CEO of Beyond Identity:  Or are you looking for passwordless for security and ease of use? Something we've learned very quickly in going into the market is there's probably 200 companies willing to offer you a passwordless solution.

[6:47 - 7:13] Jasson Casey, CEO of Beyond Identity:  Hey, I'll let you log in. I'll text you a magic link. I'll email you a magic link. I will do the hokey pokey and then I'll let you in. If that is your goal, there's a lot of companies out there that can solve it for you very simply and very cheaply. All of those techniques are not going to solve any of your security problems, and they may actually create even more workload on your SOC or your MSSP or whoever actually commands operations for your organization. What we focus on is identity defense.

[7:14 - 7:46] Jasson Casey, CEO of Beyond Identity:  And what we do, we plug into the existing identity platform that organizations have, right? All organizations already have an identity platform. Otherwise, you couldn't really work, right? The traditional names that you would think about: maybe you have, most of you listening have Microsoft, right? You have Azure AD, probably federated into some on-premise AD with some other interesting Microsoft barnacles kind of attached to make your organization go. Some of you have Okta, some of you have Ping, maybe you have ForgeRock, but you all have a system that you've spent time and energy integrating into all your apps so you can kind of have the seamless solution.

[7:46 - 7:58] Jasson Casey, CEO of Beyond Identity:  Our identity defense platform, it plugs into that existing identity stack. And what we do is we kind of give an upgrade to how authentication and authorization flows across that existing stack.

[7:58 - 8:08] Jasson Casey, CEO of Beyond Identity:  And our focus is really on where can we improve both security and usability. So there's a passwordless benefit to the end user. They do less stuff.

[8:08 - 8:26] Jasson Casey, CEO of Beyond Identity:  They don't have to remember things. But there's also a huge benefit to the organization. 70% to 80% of the tickets that show up on the operations desk, whether you have your own SOC or an MSSP or you just call it IT ops, 70 to 80 percent of the security workload will actually go away.

[8:27 - 8:41] Jasson Casey, CEO of Beyond Identity:  And the reason it goes away is because we focus on what are those root cause problems that result in credential theft, that result in session hijacking, that result in that laundry list of things that I mentioned earlier.

[8:41 - 9:15] Jasson Casey, CEO of Beyond Identity:  Turns out there's really only four or five root causes for all of those things, and we look to basically change the equation, right? Like, we're not saying you need to be smarter, you need to run faster. We're basically saying you can compete in a foot race by hopping in a car, and you can win. And so that's what we do, by using these things called immovable credentials that are hardware-backed. That's what we do with this thing we call the zero trust authenticator that actually is much more focused on: are you the right person, and is your device safe enough for the environment?

[9:15 - 9:26] Jasson Casey, CEO of Beyond Identity:  We focus on doing this continuously because things change. And for the scenarios where you actually can't prevent bad things from happening, how do you actually cover those with detection and response?

[9:27 - 9:49] Jasson Casey, CEO of Beyond Identity:  So, for instance, one of the attacks that's gotten in the news in the last few weeks has been downgrade attacks. Someone targets an organization, sees that FIDO is enabled for a particular user, and then focuses on how do I socially engineer the user to trigger a fallback mechanism or even disable their FIDO factor to then attack a lesser-than avenue.

[9:50 - 9:59] Jasson Casey, CEO of Beyond Identity:  So we build an identity defense platform. We plug into that existing identity stack, and we really kind of cover this whole host of root cause issues.

[9:59 - 10:18] Dr. Dave Chatterjee: Okay, that's good to know. So as a security official, say I'm a CISO of an organization, I'm listening to you, and I'm trying to think that solutions providers offer solutions; they obviously try to suggest that theirs is the best or theirs is the most foolproof.

[10:18 - 10:39] Dr. Dave Chatterjee: What guidance would you give them when they are trying to find an appropriate solution for their organization, given what you just said, that there are tons of password-less authentication systems out there?

[10:39 - 10:54] Dr. Dave Chatterjee:  They might make it user-friendly, but not necessarily be a robust defense mechanism. So if you are trying to achieve both, how do you go about vetting the solutions offered out there?

[10:54 - 11:11] Jasson Casey, CEO of Beyond Identity: I would say there's really three angles here. So angle number one is where is the solution used where security results matter? And focus on companies that have actually been in the news with high-profile customers themselves with security incidents and what are they using, right?

[11:11 - 11:27] Jasson Casey, CEO of Beyond Identity:  So that's kind of the referential, right? Number two, I would say, is kind of the technical. And the technical, I could give you the properties, but you're just kind of trusting me on the properties. But we'll put that out there anyway, which is, is the credential, does the system use hardware-backed credentials where the credentials can't move?

[11:27 - 11:38] Jasson Casey, CEO of Beyond Identity:  Can the system actually stand up to connection interdiction, right? If someone man-in-the-middles the connection. Can the system actually stand up to social engineering attempts where the human actually does click the wrong way?

[11:38 - 11:49] Jasson Casey, CEO of Beyond Identity:  If the human can stand up to those three, then it's probably good enough for you. And I feel confident enough that we're really the only ones who can do that today. But here's another angle that I've got to say in an interesting way.

[11:49 - 12:06] Jasson Casey, CEO of Beyond Identity:  We have big customers, and our big customers regularly red team themselves as well as our infrastructure. And some of our big customers regularly engage with nation states, whether it's intel gathering on their part, intellectual property theft, given the state actor, or even just plain-out sabotage.

[12:06 - 12:24] Jasson Casey, CEO of Beyond Identity:  So any solution that you look at, like what's their level of exposure to the hardest of hard? Did the red team ask to have the solution disabled just to actually game around and try and recreate what may or may not actually be happening?

[12:25 - 12:36] Jasson Casey, CEO of Beyond Identity:  Another way of putting it is any viable solution should stand up to a focused red team attack where you even give the red team the ability to just tell users to click the bad links.

[12:36 - 12:41] Jasson Casey, CEO of Beyond Identity:  A good solution is going to actually survive even those conditions.

[12:41 - 12:53] Dr. Dave Chatterjee:  Good to know. Good to know. You know, when we were planning this episode, you talked about a particular case where you had to face a credential-based attack.

[12:54 - 12:55] Dr. Dave Chatterjee:  Can you share some details?

[12:56 - 13:12] Jasson Casey, CEO of Beyond Identity:  So we've had a bunch of customers, and it's funny. I was sitting with a customer once, and two of the C-levels saw us. We were in their cafeteria. They walked over, and they shared the results, a fairly invasive red team result, as well as some incident response that was going on.

[13:12 - 13:25] Jasson Casey, CEO of Beyond Identity:  And it was actually, A, it was fascinating, right, because you get a level of detail that you don't normally see directly. But B, it was really kind of a testament to the product. And, of course, my initial response was, can we share this?

[13:25 - 13:42] Jasson Casey, CEO of Beyond Identity:  And their response was, absolutely not. So we'll make it a little bit general, and I'll merge the identities of a handful of customers. Let's say you're using the Microsoft infrastructure. You are regularly being hit with a series of attacks where the primary credential of the user has been stolen a long time ago.

[13:42 - 13:54] Jasson Casey, CEO of Beyond Identity:  Where the numbers and private information of these users exist, and where these users are being targeted in two different ways. One, which is the simpler way, is like MFA fatigue or push-bomb attacks, right?

[13:55 - 14:08] Jasson Casey, CEO of Beyond Identity:  The adversary uses what they've learned from you. They go to log in, they hit that second prompt, and you're watching TV, and eventually you get annoyed and you hit accept, right? That's kind of low-level stuff. Next level up is they send you a phishing link.

[14:08 - 14:19] Jasson Casey, CEO of Beyond Identity:  Like, hey, I'm your boss. Why are you being so lazy? I need you to log in and approve this thing. And they're using ProxyKit. And by the way, your red teams probably use this already.

[14:19 - 14:47] Jasson Casey, CEO of Beyond Identity:  There's an open source tooling called Evilginx3 that we use quite a bit to illustrate these points. You should ask your team about it. But this toolkit makes it very, very easy for the adversary to drop this phishing link into your workers' inbox, pose as if they were the boss or someone important, drop a link that basically interdicts the connection, and they can even defeat Microsoft Number Match Authenticator, even when it's running a biometric hardware-bound blah, blah, blah.

[14:48 - 15:07] Jasson Casey, CEO of Beyond Identity:  And in a way, they steal the access token. And we've got a bunch of those on our company YouTube. Feel free to check it out. But we've got story after story after story with customers where we deployed and they were talking about how they were dealing with hundreds of these a month and having to do cleanup on tens of targeted individuals on a monthly basis.

[15:07 - 15:19] Jasson Casey, CEO of Beyond Identity:  And now they've basically gone to zero because there is no credential to steal, right? Our credentials are immovable. You can't really interdict a connection without being found out in our system because of the way the crypto protocol works.

[15:20 - 15:30] Jasson Casey, CEO of Beyond Identity:  And when you think about not all of your security incident turns into a breach, thankfully, right? Because you have a security team that you spend time and money on. You have heads that go and work these incidents, right?

[15:30 - 15:43] Jasson Casey, CEO of Beyond Identity:  Trying to deal with them before they rise to a level of an actual breach. That's work. That's time. That's expense. That's OPEX. That's heads. So the other thing that we've gotten back from a lot of these customers is they've reclaimed time.

[15:43 - 15:46] Jasson Casey, CEO of Beyond Identity:  They've actually been able to move on to new projects.

[15:46 - 16:00] Dr. Dave Chatterjee:  Awesome. In fact, you know, when you have to convince the leadership about trying a new solution or trying new technology, the question that often comes up is, what's wrong with what we have?

[16:00 - 16:14] Dr. Dave Chatterjee: Because if there hasn't been an incident, why do you want to change it, given there are many other projects where leadership would feel the money is better invested?

[16:14 - 16:27] Dr. Dave Chatterjee:  Because it's always an ROI challenge. So I have seen this from my own experience engaging with companies, that they are averse to changing their existing solution, even though it may not be foolproof.

[16:27 - 16:39] Dr. Dave Chatterjee:  Just like you shared, I have a passwordless authentication system in place, but it may not be robust enough. So how do I know that? Many organizations may not be doing those red team exercises that you talked about.

[16:39 - 16:50] Dr. Dave Chatterjee:  Many organizations may not be doing the different types of pen testing or periodic pen testing, periodic monitoring. Because we're talking about a cross-section, large organization, mid-size organizations.

[16:50 - 17:04] Dr. Dave Chatterjee:  Yes, the ones which are in the financial sector, probably more on top of things and a few other regulated sectors. And then there are others that will essentially react to an episode.

[17:04 - 17:17] Dr. Dave Chatterjee: There's one thing you mentioned once again while we were discussing the episode: you talked about your concern or your lack of confidence in training humans.

[17:18 - 17:20] Dr. Dave Chatterjee:  Remind me, what were we talking about?

[17:20 - 18:04] Jasson Casey, CEO of Beyond Identity: Yeah, this is my provocative statement. So our industry is full of: we need to train, we need to train, we need to train, we need to train people better. All mistakes ultimately come back to training issues. And I think that is an overused mantra. And here's why. When I think about the general person who has to work with this technology, I'm thinking about my parents. I'm thinking about my brother and my sister who aren't in tech, but they use tech. Who doesn't use tech in their business, right? Everybody logs in to get work done. So imagine these folks, and now think about, all right, they really have to always be on their heels to know, hey, is this person, who spent probably the last five to ten years of their life training to be the adversary that they are,

[18:04 - 18:21] Jasson Casey, CEO of Beyond Identity:  are they really going to be able to detect the craftiness of this person when it's a link that's really close, when it's a link that's actually correct because they've just hijacked an existing service, or they've man-in-the-middled the connection and it looks fairly similar, or it's a QR code?

[18:22 - 18:35] Jasson Casey, CEO of Beyond Identity:  Like, how do you know the bad QR codes from the good QR codes? No, really, tell me how, right? So that's the state. The state is, it's like we're sending humans, we're sending these people in to go effectively fight the nerds, right?

[18:35 - 18:47] Jasson Casey, CEO of Beyond Identity:  I guess nerds are humans too, but you get my point, right? Like, the non-nerds are going to fight the nerds in a world of agentic AI where the cost for me to look like you takes, I don't know, 30 seconds of anything I can pull off YouTube.

[18:47 - 19:01] Jasson Casey, CEO of Beyond Identity:  The cost of sounding like you is six seconds off your outbound voicemail. Writing like you, very easy, right? Like, I can look like you, I can write like you, I can sound like you. How in the world are we going to train anyone against that?

[19:01 - 19:20] Jasson Casey, CEO of Beyond Identity:  And so the metaphor was, it's like we're sending humans to go fight robots. Like, that's not a fight that I would want to go into, and that's not a fight I would want to send any of my friends into. And so it kind of begs the question of, like, is the system itself fundamentally flawed, where the answer is, you idiot, why did you click the link, right?

[19:21 - 19:27] Jasson Casey, CEO of Beyond Identity:  Whereas the response is the person who clicked the link should say, you idiot, why did you buy a system that allows this to even percolate?

[19:27 - 19:37] Dr. Dave Chatterjee:  Correct. I really appreciate that. My work in cybersecurity is holistic cybersecurity governance. It's often pitched as a human factors-based approach.

[19:37 - 19:50] Dr. Dave Chatterjee:  So as much as I'm a proponent of human involvement, human empowerment at all levels, starting from leadership right to the people who are doing the work at the action front.

[19:50 - 20:00] Dr. Dave Chatterjee:  But it is also a reality that with the increasing use of agentic AI, we have to find a way of taking the stress away from humans.

[20:00 - 20:11] Dr. Dave Chatterjee:  Because we are constantly, you know, I'm going to use myself as an example. So every morning when I'm checking my email, out of 50 emails, 40 are probably spam.

[20:12 - 20:28] Dr. Dave Chatterjee:  And out of 40, at least 20 are phishing emails. So my mind is constantly working to filter them out. I'm obviously wasting a ton of time, but I'm trusting my knowledge, my filters.

[20:28 - 20:41] Dr. Dave Chatterjee:  I'm not trying to suggest that I'm a major expert, but I feel bad for those who lack the awareness and they are being subjected to these kinds of phishing attacks.

[20:42 - 20:53] Dr. Dave Chatterjee:  Therefore, technology has to do the heavy lifting. And that is precisely why I welcome folks like yourself to come to my podcast and talk about your solutions.

[20:53 - 21:14] Dr. Dave Chatterjee:  not so much to promote a particular solution over the other, but more because I know that we are all clamoring for a real solution that takes the stress out of people so people can work and even think that, okay, even if I have by mistake clicked a phishing link, my organization or I will still be okay.

[21:14 - 21:34] Dr. Dave Chatterjee:  Without getting too personal here, I recently experienced what they're calling a card testing attack. I'm investigating it further, getting the details. It's been quite the experience, trying to figure out what happened, trying to get the relevant vendor platforms to support me in my investigation, provide me the details.

[21:34 - 21:48] Dr. Dave Chatterjee:  Here I'm an individual extrapolating it to organizations, experiencing these attacks and all that happens after, which is massive. Whether we are talking about reputation, legal implications, staying in business.

[21:48 - 22:02] Dr. Dave Chatterjee:  So you have to be proactive and you have to do that due diligence to do a deep dive and constantly find out what's the attack type that we aren't covered for that we need to consider.

[22:02 - 22:18] Dr. Dave Chatterjee: I'm coming at it from the standpoint of having that level of commitment, and this has to come from the C-level, because the commitment will drive preparedness, and preparedness in turn will drive the discipline of continuous monitoring, continuous testing.

[22:18 - 22:35] Dr. Dave Chatterjee:  As a solutions provider, you and your team, you are constantly trying to improve your solution to keep up or even be one step ahead of the attackers. That is the other reality that listeners should recognize, that implementing a solution was helpful.

[22:36 - 22:46] Dr. Dave Chatterjee:  That doesn't stop you from doing these three things. I call them the three dimensions of holistic cybersecurity governance, commitment, preparedness, and discipline.

[22:46 - 23:07] Dr. Dave Chatterjee:  Because there are so many aspects to security: the technical, the procedural, the people. But we need more technology to take the load off people because otherwise, just like Jasson said, it's unfair to keep blaming people that you didn't really do your training right.

[23:07 - 23:17] Dr. Dave Chatterjee:  So you fell for the phishing attack. We'll give you a couple of chances. If you don't, then there are greater consequences. I don't think that is a way to go.

[23:17 - 23:18] Dr. Dave Chatterjee: No, not at all.

[23:19 - 23:30] Dr. Dave Chatterjee: What has been your experience engaging with organizations? What challenges do they face when they're trying to consider, let's say, your solution?

[23:31 - 23:41] Dr. Dave Chatterjee:  Because one thing is to consider a solution. The other thing is to implement it properly, which I have seen in many occasions. They buy a great solution, but it's not well implemented.

[23:41 - 23:46] Dr. Dave Chatterjee:  So the outcome is not very positive. What has been your experience with your product?

[23:47 - 24:13] Jasson Casey, CEO of Beyond Identity: Let's see, we've got a range there. So they exist, but there are companies who buy your product to check a box and never deploy it, right? It's the shelfware. So clearly they're not going to get a benefit from the product. And I am often surprised by that group. But moving out of that group, when we look at what we've learned out of deployments, it's very organization dependent. And the dimensions are really kind of size and industry. So the larger an organization, the more likely it's an older organization.

[24:13 - 24:26] Jasson Casey, CEO of Beyond Identity:  The older, the more likely it's going to have – it's like you're an archaeologist and there are, like, layers and layers and layers of the city. Well, there are layers and layers and layers of compute in the organization. So I'm thinking about a bank we're doing a deployment in right now.

[24:26 - 24:44] Jasson Casey, CEO of Beyond Identity:  So with a bank, the first ring of deployment is always with IT and tech staff, so IT and security. And that usually goes – that's usually pretty straightforward. It's usually about 1,000 people. The way we built out our platform is for it to be kind of auto-deployed through the existing MDM that the company likely has in place.

[24:44 - 24:54] Jasson Casey, CEO of Beyond Identity:  So for most of you, that would be Intune. For some of you, that might be Jamf or Kandji or AirWatch. I feel like VMware keeps renaming their products. It's not even called VMware anymore, but you get my point.

[24:54 - 25:08] Jasson Casey, CEO of Beyond Identity:  So that's the first ring. Then we'll go from the first ring to what's typically considered like the highest risk users. So this would be kind of executives or anyone in the front line of the business that are oftentimes targets.

[25:08 - 25:22] Jasson Casey, CEO of Beyond Identity:  So it's funny, like a lot of them call it the same thing. They call them these ring deployments. And what they're trying to do is they're trying to learn, no matter what we tell them, there's a difference between like book knowledge and experience. So they're trying to kind of get experience in these rings that don't overwhelm them as they do deployments.

[25:22 - 25:33] Jasson Casey, CEO of Beyond Identity:  And then they kind of ring out. And for the general carpeted office worker, deployment's pretty straightforward and happens very, very quickly. There are other use cases that we support that show up that are a little bit more involved.

[25:34 - 25:47] Jasson Casey, CEO of Beyond Identity:  So think like kiosk computing. So whether you're on a factory floor or you're a police officer driving a cruiser, your computing environment is going to look a lot like a kiosk. So what I mean by that is you have a different computer every day.

[25:48 - 25:59] Jasson Casey, CEO of Beyond Identity:  You may not actually have a local account on that computer, but you still want to access that computer and the services behind it on the network in a secure and easy, right? So secure and easy sort of way.

[25:59 - 26:19] Jasson Casey, CEO of Beyond Identity:  And so those deployments are a little bit more involved in terms of a combination of education and, because kiosk computing usually means adding a physical component to it, whether it's through, you know, we have a partnership with YubiKey, kind of leveraging some YubiKeys, to where you end up having a mobile credential in, like, the officer's pocket on a YubiKey, but then also a fixed credential on the device.

[26:19 - 26:31] Jasson Casey, CEO of Beyond Identity:  So we can always say it's the right officer in the right motor pool car on the right day with the right permissions and nothing else. You can flip from there to like a factory floor in a logistics scenario. Again, these are most likely Microsoft computers.

[26:32 - 26:49] Jasson Casey, CEO of Beyond Identity:  Microsoft has a hard limit. I can't remember if it's five or ten, but, like, they won't support more than five or ten kind of secure Hello-style logins per computer. So if you really want seamless computing, which is kind of kiosk computing, let people walk where they want and do what they need, you need an alternative solution.

[26:50 - 27:11] Jasson Casey, CEO of Beyond Identity:  So these take a little bit more, but when I put it around numbers, we got through the bulk of the 60-company deployment in six weeks. For other deployments, it's dependent on the process of the customer. There are certain organizations, and this is where it becomes vertical-dependent, where you have freeze schedules that follow your industry's service periods.

[27:12 - 27:20] Jasson Casey, CEO of Beyond Identity:  And so what you're rolling out is going to be in those phases that can kind of spread things out. So it's very customer dependent, but it doesn't have to be hard.

[27:20 - 27:21] :  Okay.

[27:21 - 27:38] Dr. Dave Chatterjee:  That's good to know. So let's talk a little bit about the role of AI in identity security. We've kind of touched upon the negative aspects, whether it's a deepfake or whether it's just, like you said, that it's not too difficult to imitate a voice, imitate your writing.

[27:38 - 27:48] Dr. Dave Chatterjee:  And so that presents a whole slew of challenges. And then you have AI products that can proactively go looking for vulnerabilities and exploit those vulnerabilities.

[27:49 - 27:49] :  Yep.

[27:50 - 28:09] Dr. Dave Chatterjee:  But on the flip side, the good guys, the defenders also have the AI tools to thwart these attacks. And there are lots of tools out there. So once again, from a guidance standpoint, what would you recommend to organizations when they are trying to secure their AI applications?

[28:09 - 28:15] Dr. Dave Chatterjee:  And you can use the context of identity security to make those recommendations. Yes.

[28:15 - 28:25] Jasson Casey, CEO of Beyond Identity:  I would say, number one, you don't want to hobble your business, right? You want to enable your business. If your people want to experiment with AI, how do you enable them, right? Like, that's where you want to be.

[28:26 - 28:39] Jasson Casey, CEO of Beyond Identity:  But at the same time, you can't say do whatever you want and let them essentially reinvent key sprawl, which is a problem you're going to run into. So we have a customer right now. We actually did a webinar with them recently.

[28:39 - 28:51] Jasson Casey, CEO of Beyond Identity:  It's a company called Monolithic Power Systems. The CISO there is a gentleman by the name of Hui, and you can find it on our site. He's experimenting with enabling his workforce in two different ways.

[28:51 - 29:03] Jasson Casey, CEO of Beyond Identity:  How does he, number one, let employees harness the power of an LLM against the company's native data sets? And so some of you may be familiar already with this concept. It's called retrieval augmentation generate.

[29:04 - 29:19] Jasson Casey, CEO of Beyond Identity:  Wow, forgetting what the G stands for. But basically, it's a way of creating a set of vector embeddings, your data to where you can kind of add it to an LLM. The typical exploit that shows up here is your crafty intern gets the LLM to cough up the CEO's email contents, right?

[29:20 - 29:50] Jasson Casey, CEO of Beyond Identity:  And so he was experimenting with our product and some of the things that we've been working on around, like how do we ensure fine-grained permissioning from an identity defense system to where the LLM is never even fed RAG data that's not of the permissioned current user. But more interesting than that is when you think about agents, right? So an agent is an interesting idea. It's kind of like a firefly. It's born, it does something interesting, and then it dies, right? So if the

[29:50 - 30:08] Jasson Casey, CEO of Beyond Identity:  agent life cycle is really fast, right? I log into an agent service. Me as a user, I authorize the agent to do something on my behalf. It uses, through some orchestrated workflow and an LLM and all sorts of ragified data as well as services, it does something interesting, and then it dies.

[30:08 - 30:39] Jasson Casey, CEO of Beyond Identity:  How do I always know, as the governing body, what user authorized what agent running what model on what device with what security controls, with what permissions, in what geography, for how long, even when the agent is destroyed? How do I always answer all of those questions in a tamper-proof way? And I would argue, whether it's us or someone else, any identity defense-based platform needs to solve that problem for you simply, right? The other thing that I would say on the AI side, it's a little bit

[30:39 - 30:51] Jasson Casey, CEO of Beyond Identity:  perpendicular to the question, but it's around AI defense. If the adversary is coming at you and AI is now in their toolkit to basically be a better mimic, how do you handle that?

[30:51 - 31:02] Jasson Casey, CEO of Beyond Identity:  And this is, again, where I would argue, whether it's us or someone else, any acceptable identity defense platform is going to be able to handle that, and I would challenge it to handle it in a very specific way.

[31:02 - 31:14] Jasson Casey, CEO of Beyond Identity:  So I'm sure you've all seen these companies that have come out of the woodwork recently to go detect AI as a usage, right? We think that's a bad idea. We think that's going to waste your money and time and not pan out.

[31:14 - 31:28] Jasson Casey, CEO of Beyond Identity:  And we think it for two reasons. One is technical, which is detectors are really useful to train the next generation of generators. So if they were, right, and I'm saying if. If they were, you're in an arms race and you're constantly having to swap these things out.

[31:28 - 31:51] Jasson Casey, CEO of Beyond Identity:  My second argument is almost from a usability perspective. If you really believe AI is around the corner and is going to 100 or 1,000x what everyone is doing, then you've already anticipated that most of your users are joining this Zoom with artificial faces, speaking languages they don't actually speak, having expert editors making their writing flawless.

[31:51 - 32:05] Jasson Casey, CEO of Beyond Identity:  So what good is your detector even going to do in that environment, right? If you think AI is really around the corner and it's going to proliferate in that way, then you've already accepted that it's going to proliferate in Zoom, in Teams, in Outlook, in all this form of communication.

[32:05 - 32:23] Jasson Casey, CEO of Beyond Identity:  And therefore, a detector is just going to always say yes. So why not work on a better solution now or ask a better question? And the better question is, who authorized this, on what device, with what workload, with what security controls, in what geo, with what permissions, and for how long?

[32:23 - 32:40] Jasson Casey, CEO of Beyond Identity:  In a tamper-proof way, right? Like, you don't know if this is really an image of Jason right now, but you do know, and this is a whole other conversation, but because of something we call reality check, this is coming from Jason's machine. Jason's biometric and possession factor were used in the authorization of this session.

[32:40 - 32:52] Jasson Casey, CEO of Beyond Identity:  The security controls on the machine this is coming from actually fit Beyond Identity's current posture requirements for an active employee, along with some other information that pops out. Anyway, sorry, that was a long response.

[32:52 - 33:09] Dr. Dave Chatterjee:  No, that's fine. Your knowledge is oozing out. I want more of that. That's fantastic. Well, unfortunately, we are coming to the end of our episode. I wish we could go on. So as we start wrapping up, let me share with listeners some of my takeaways, listening to Jason share his expertise.

[33:09 - 33:31] Dr. Dave Chatterjee:  And Jason, you can add to that list. So what I'm hearing from you is obviously the move towards phishing-resistant authentication to integrate continuous monitoring and device checks, adopt a zero-trust framework, educate staff with the best you can about AI-driven impersonation, and make identity security a board-level priority.

[33:32 - 33:44] Dr. Dave Chatterjee:  Another takeaway that came through, unless we know what devices are on our network or what are being added, it's very hard to proactively protect or secure.

[33:44 - 34:06] Dr. Dave Chatterjee:  So a continuous awareness of identity vulnerabilities is key, absolutely key. Switching it back to you: if there was one takeaway for a senior leader, if there was one takeaway for the general public, if there was one takeaway for a cyber professional, what would they be?

[34:06 - 34:34] Jasson Casey, CEO of Beyond Identity:  I would say everyone needs identity defense. They don't have to get it from us, but the way you know you have it versus the way you don't is: pick anyone in your organization, employee, contractor, even business partner, and ask them to always do the wrong thing from an adversarial perspective. The adversary should still not be able to create a security incident. If that statement is true, you know you have identity defense. I would really just kind of leave it at that. Like, that's the ultimate test.

[34:35 - 34:49] Jasson Casey, CEO of Beyond Identity:  And from a value perspective, like, even if you don't believe or it's a hard argument of doing better than where you're at, know that this is going to save real dollars and real heads in operations by preventing the workload that's hitting that desk.

[34:51 - 34:57] Dr. Dave Chatterjee:  Fabulous. Well, with that, we will conclude our session today. It's been a real pleasure, Jason, and I hope to have you back again.

[34:58 - 34:58] :  Awesome.

[34:59 - 34:59] Jasson Casey, CEO of Beyond Identity:  Thank you.

[35:00 - 35:10] Dr. Dave Chatterjee:  A special thanks to Jason Casey for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network.

[35:11 - 35:18] Dr. Dave Chatterjee:  Also, subscribe to the show so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.


[1:33 - 1:50] Dr. Dave Chatterjee:  My guest today, Jasson Casey, who is the CEO and co-founder of Beyond Identity, will shed light on how to mitigate, exterminate such types of attacks.

[1:50 - 1:54] Dr. Dave Chatterjee:  So without any further ado, Jason, welcome to the podcast.

[1:54 - 1:55] Jasson Casey, CEO of Beyond Identity: Thanks for having me.

[1:55 - 2:07] Dr. Dave Chatterjee:  Well, let's begin by learning a little more about yourself, your professional journey, and what led you to focus on identity security.

[2:07 - 2:24] Jasson Casey, CEO of Beyond Identity: Sure. Let's see. I am an engineer by training. I've always enjoyed building things. I got my first startup in the late 90s, and it was one of those startups where we had a lot of ambition and a lot of money and not a lot of people to get the work done.

[2:24 - 2:49] Jasson Casey, CEO of Beyond Identity:  So if you were willing to be ambitious, you were given a lot. So, yeah, I got into basically building replacement networks for telcos back in the late 90s, which led to voice over IP, which led to kind of carrier grade routers and firewalls and systems, which led to a PhD, which led to SDN, which led to actually being able to work for General Keith Alexander, the former director of the NSA for a while.

[2:49 - 3:18] Jasson Casey, CEO of Beyond Identity:  That was a lot of fun, which led to being the CTO at a company called Security Scorecard, where I kind of built out the product around kind of global data collection and analysis. And telling a long story as quickly as possible, one of the insights I had at Security Scorecard, I shouldn't say I had, one of the insights that was obvious when we would work with our partners from the cyber insurance industry was of the thousands of data points that we looked at, there were three or four that were the strongest indicator of a future breach.

[3:18 - 3:34] Jasson Casey, CEO of Beyond Identity:  And those three or four were all really around like password management and endpoint posture management. And I thought I had an analytics company idea. And at the same time, I got railroaded by a guy named Jim Clark, the same one who built Netscape and Silicon Graphics and a couple other companies.

[3:34 - 3:48] Jasson Casey, CEO of Beyond Identity:  And he had built a working prototype with Nelson and Mike on how to remove the password because he was so annoyed just from the user experience of a password getting in the way to logging into stuff.

[3:48 - 4:09] Jasson Casey, CEO of Beyond Identity:  Right? Homes, boats, things, gym-style stuff. And long story short, in 2019, we kind of joined forces and started Beyond Identity. And the idea was if we unify these things, we really chip at the four likely indicators of future breach. And as you alluded to earlier, there's quite a bit more behind that that goes to pay back organizations in the industry.

[4:10 - 4:31] Dr. Dave Chatterjee: Absolutely. I appreciate that insight, yours is a very impressive background. So, Jason, let's introduce our listeners to identity-based attacks. I mentioned a little bit in my intro, but I'd let you explain what are these types of attacks? Why do they happen without getting very technical?

[4:31 - 4:51] Jasson Casey, CEO of Beyond Identity: Yeah. All right. We're going to stay a little bit higher than walking through kind of the machine code. So, yeah, identity-based attacks. I mean, everyone's heard of them in some form or flavor. You've probably heard phrases like session hijacking, credential theft, initial access brokers where you can buy access tokens, push bombing, MFA bypass.

[4:51 - 5:12] Jasson Casey, CEO of Beyond Identity:  Like, these are all forms of identity attacks. And if you can't remember where you've heard about them, if you've ever read news articles about Scattered Spider, if you've ever read news articles about Lapsus or Lazarus or any of the Blizzards, I'm very focused on one right now called Secret Blizzard because I feel like it illustrates a lot of interesting concepts.

[5:12 - 5:23] Jasson Casey, CEO of Beyond Identity:  But basically, this Russian actor is really, really good at exploiting the identity system. And it's funny, the adversary over the last four or five years, they don't really break in.

[5:23 - 5:26] Jasson Casey, CEO of Beyond Identity:  They log in and they do it by exploiting the identity system.

[5:26 - 5:37] Dr. Dave Chatterjee: Wow. So you mentioned about Jim Clark and his aversion for passwords. I don't think we have solved the problem yet because even this morning, I had to log in and I didn't remember the password.

[5:38 - 5:51] Dr. Dave Chatterjee:  I thought that maybe I could use my LinkedIn to get in, but I still couldn't. And it was very annoying. I have published 88 episodes. I was going through the list. I've had quite a few discussions on passwordless authentication.

[5:52 - 6:07] Dr. Dave Chatterjee:  And every time I have this discussion, I get very excited that, okay, we have a solution. It's going to be widely implemented and we will not have to remember passwords. Neither do we have to worry about our credentials getting compromised or accessed.

[6:07 - 6:23] Dr. Dave Chatterjee:  So I'd like you to share with us, how do you come at identity security? What is it that you offer by way of an approach or a solution that would make such attacks go away?

[6:23 - 6:35] Jasson Casey, CEO of Beyond Identity:  So let me start with the passwordless comment, because if you're going on the passwordless journey, there's kind of a bridge in the road that you need to know about. Are you looking for passwordless for ease of use?

[6:35 - 6:47] Jasson Casey, CEO of Beyond Identity:  Or are you looking for passwordless for security and ease of use? Something we've learned very quickly in going into the market is there's probably 200 companies willing to offer you a passwordless solution.

[6:47 - 7:13] Jasson Casey, CEO of Beyond Identity:  Hey, I'll let you log in. I'll text you a magic link. I'll email you a magic link. I will do the hokey pokey and then I'll let you in. If that is your goal, there's a lot of companies out there that can solve it for you very simply and very cheaply. All of those techniques are not going to solve any of your security problems, and they may actually create even more workload on your SOC or your MSSP or whoever actually commands operations for your organization. What we focus on is identity defense.

[7:14 - 7:46] Jasson Casey, CEO of Beyond Identity:  And what we do, we plug into the existing identity platform that organizations have, right? All organizations already have an identity platform. Otherwise, you couldn't really work, right? The traditional names that you would think about is maybe you have, most of you listening have Microsoft, right? You have Azure AD, probably federated into some on-premise AD with some other interesting Microsoft barnacles kind of attached to make your organization go. Some of you have Okta, some of you have Ping, maybe you have ForgeRock, but you all have a system that you've spent time and energy integrating into all your apps so you can kind of have the seamless solution.

[7:46 - 7:58] Jasson Casey, CEO of Beyond Identity:  Our identity defense platform, it plugs into that existing identity stack. And what we do is we kind of give an upgrade to how authentication and authorization flows across that existing stack.

[7:58 - 8:08] Jasson Casey, CEO of Beyond Identity:  And our focus is really on where can we improve both security and usability. So there's a passwordless benefit to the end user. They do less stuff.

[8:08 - 8:26] Jasson Casey, CEO of Beyond Identity:  They don't have to remember things. But there's also a huge benefit to the organization. 70% to 80% of the tickets that show up on the operations desk, whether you have your own SOC or an MSSP or you just call it IT ops, 70 to 80 percent of the security workload will actually go away.

[8:27 - 8:41] Jasson Casey, CEO of Beyond Identity:  And the reason it goes away is because we focus on what are those root cause problems that result in credential theft, that result in session hijacking, that result in that laundry list of things that I mentioned earlier.

[8:41 - 9:15] Jasson Casey, CEO of Beyond Identity:  Turns out there's really only four or five root causes for all of those things, and we look to basically change the equation, right? Like, we're not saying you need to be smarter, you need to run faster. We're basically saying you can compete in a foot race by hopping in a car, and you can win. And so that's what we do by using these things called immovable credentials that are hardware-backed. That's what we do with this thing we call the zero trust authenticator, which is actually much more focused on: are you the right person, and is your device safe enough for the environment?

[9:15 - 9:26] Jasson Casey, CEO of Beyond Identity:  We focus on doing this continuously because things change. And for the scenarios where you actually can't prevent bad things from happening, how do you actually cover those with detection and response?

[9:27 - 9:49] Jasson Casey, CEO of Beyond Identity:  So, for instance, one of the attacks that's gotten in the news in the last few weeks has been downgrade attacks. Someone targets an organization, sees that FIDO is enabled for a particular user, and then focuses on how do I socially engineer the user to trigger a fallback mechanism or even disable their FIDO factor to then attack a lesser-than avenue.

[9:50 - 9:59] Jasson Casey, CEO of Beyond Identity:  So we build an identity defense platform. We plug into that existing identity stack, and we really kind of cover this whole host of root cause issues.

[9:59 - 10:18] Dr. Dave Chatterjee:  Okay, that's good to know. So as a security official, say I'm a CISO of an organization, I'm listening to you, and I'm trying to think that solution providers offer solutions, they obviously try to suggest that theirs is the best or theirs is the most foolproof.

[10:18 - 10:39] Dr. Dave Chatterjee:  What guidance would you give them when they are trying to find an appropriate solution for their organization, given what you just said, that there are tons of passwordless authentication systems out there?

[10:39 - 10:54] Dr. Dave Chatterjee:  They might make it user-friendly, but not necessarily be a robust defense mechanism. So if you are trying to achieve both, how do you go about vetting the solutions offered out there?

[10:54 - 11:11] Jasson Casey, CEO of Beyond Identity: I would say there's really three angles here. So angle number one is where is the solution used where security results matter? And focus on companies that have actually been in the news with high-profile customers themselves with security incidents and what are they using, right?

[11:11 - 11:27] Jasson Casey, CEO of Beyond Identity:  So that's kind of the referential, right? Number two, I would say, is kind of the technical. And the technical, I could give you the properties, but you're just kind of trusting me on the properties. But we'll put that out there anyway, which is, is the credential, does the system use hardware-backed credentials where the credentials can't move?

[11:27 - 11:38] Jasson Casey, CEO of Beyond Identity:  Can the system actually stand up to connection interdiction, right? If someone man-in-the-middles the connection. Can the system actually stand up to social engineering attempts where the human actually does click the wrong way?

[11:38 - 11:49] Jasson Casey, CEO of Beyond Identity:  If the human can stand up to those three, then it's probably good enough for you. And I feel confident enough that we're really the only ones who can do that today. But here's another angle that I've got to say in an interesting way.

[11:49 - 12:06] Jasson Casey, CEO of Beyond Identity:  We have big customers, and our big customers regularly red team themselves as well as our infrastructure. And some of our big customers regularly engage with nation states, whether it's intel gathering on their part, intellectual property theft, given the state actor, or even just plain-out sabotage.

[12:06 - 12:24] Jasson Casey, CEO of Beyond Identity:  So any solution that you look at, like what's their level of exposure to the hardest of hard? Did the red team ask to have the solution disabled just to actually game around and try and recreate what may or may not actually be happening?

[12:25 - 12:36] Jasson Casey, CEO of Beyond Identity:  Another way of putting it is any viable solution should stand up to a focused red team attack where you even give the red team the ability to just tell users to click the bad links.

[12:36 - 12:41] Jasson Casey, CEO of Beyond Identity:  A good solution is going to actually survive even those conditions.

[12:41 - 12:53] Dr. Dave Chatterjee:  Good to know. Good to know. You know, when we were planning this episode, you talked about a particular case where you had to face a credential-based attack.

[12:54 - 12:55] Dr. Dave Chatterjee:  Can you share some details?

[12:56 - 13:12] Jasson Casey, CEO of Beyond Identity:  So we've had a bunch of customers, and it's funny. I was sitting with a customer once, and two of the C-levels saw us. We were in their cafeteria. They walked over, and they shared the results, a fairly invasive red team result, as well as some incident response that was going on.

[13:12 - 13:25] Jasson Casey, CEO of Beyond Identity:  And it was actually, A, it was fascinating, right, because you get a level of detail that you don't normally see directly. But B, it was really kind of a testament to the product. And, of course, my initial response was, can we share this?

[13:25 - 13:42] Jasson Casey, CEO of Beyond Identity:  And their response was, absolutely not. So we'll make it a little bit general, and I'll merge the identities of a handful of customers. Let's say you're using the Microsoft infrastructure. You are regularly being hit with a series of attacks where the primary credential of the user has been stolen a long time ago.

[13:42 - 13:54] Jasson Casey, CEO of Beyond Identity:  where the numbers and private information of these users exist, and where these users are being targeted in two different ways. One, which is the simpler way, is like MFA fatigue or push-bomb attacks, right?

[13:55 - 14:08] Jasson Casey, CEO of Beyond Identity:  The adversary uses what they've learned from you. They go to log in, they hit that second prompt, and you're watching TV, and eventually you get annoyed and you hit accept, right? That's kind of low-level stuff. Next level up is they send you a phishing link.

[14:08 - 14:19] Jasson Casey, CEO of Beyond Identity:  Like, hey, I'm your boss. Why are you being so lazy? I need you to log in and approve this thing. And they're using ProxyKit. And by the way, your red teams probably use this already.

[14:19 - 14:47] Jasson Casey, CEO of Beyond Identity:  There's an open source tooling called Evilginx3 that we use quite a bit to illustrate these points. You should ask your team about it. But this toolkit makes it very, very easy for the adversary to drop this phishing link into your workers' inbox, pose as if they were the boss or someone important, drop a link that basically interdicts the connection, and they can even defeat Microsoft Number Match Authenticator, even when it's running a biometric, hardware-bound, blah, blah, blah.

[14:48 - 15:07] Jasson Casey, CEO of Beyond Identity:  And in a way, they steal the access token. And we've got a bunch of those on our company YouTube. Feel free to check it out. But we've got story after story after story with customers where we deployed and they were talking about how they were dealing with hundreds of these a month and having to do cleanup on tens of targeted individuals on a monthly basis.

[15:07 - 15:19] Jasson Casey, CEO of Beyond Identity:  And now they've basically gone to zero because there is no credential to steal, right? Our credentials are immovable. You can't really interdict a connection without being found out in our system because of the way the crypto protocol works.

[15:20 - 15:30] Jasson Casey, CEO of Beyond Identity:  And when you think about it, not all of your security incidents turn into a breach, thankfully, right? Because you have a security team that you spend time and money on. You have heads that go and work these incidents, right?

[15:30 - 15:43] Jasson Casey, CEO of Beyond Identity:  Trying to deal with them before they rise to a level of an actual breach. That's work. That's time. That's expense. That's OPEX. That's heads. So the other thing that we've gotten back from a lot of these customers is they've reclaimed time.

[15:43 - 15:46] Jasson Casey, CEO of Beyond Identity:  They've actually been able to move on to new projects.

[15:46 - 16:00] Dr. Dave Chatterjee:  Awesome. In fact, you know, when you have to convince the leadership about trying a new solution or trying a new technology, the question that often comes up is, what's wrong with what we have?

[16:00 - 16:14] Dr. Dave Chatterjee:  Because if there hasn't been an incident, why do you want to change it, given there are many other projects where leadership would feel the money is better invested?

[16:14 - 16:27] Dr. Dave Chatterjee:  Because it's always an ROI challenge. So I have seen this from my own experience engaging with companies, that they are averse to changing their existing solution, even though it may not be foolproof.

[16:27 - 16:39] Dr. Dave Chatterjee:  Just like you shared, I have a passwordless authentication system in place, but it may not be robust enough. So how do I know that? Many organizations may not be doing those red team exercises that you talked about.

[16:39 - 16:50] Dr. Dave Chatterjee:  Many organizations may not be doing the different types of pen testing or periodic pen testing, periodic monitoring. Because we're talking about a cross-section, large organization, mid-size organizations.

[16:50 - 17:04] Dr. Dave Chatterjee:  Yes, the ones which are in the financial sector, probably more on top of things and a few other regulated sectors. And then there are others that will essentially react to an episode.

[17:04 - 17:17] Dr. Dave Chatterjee:  There's one thing you mentioned once again while we were discussing the episode: you talked about your concern or your lack of confidence in training humans.

[17:18 - 17:20] Dr. Dave Chatterjee:  Remind me, what were we talking about?

[17:20 - 18:04] Jasson Casey, CEO of Beyond Identity:  Yeah, this is my provocative statement. So our industry is full of we need to train, we need to train, we need to train, we need to train people better. All mistakes ultimately come back to training issues. And I think that is an overused mantra. And here's why. When I think about the general person who has to work with this technology, I'm thinking about my parents. I'm thinking about my brother and my sister who aren't in tech, but they use tech. Who doesn't use tech in their business, right? Everybody logs in to get work done. So imagine these folks, and now think about, all right, they really have to always be on their heels to know, hey, is this person, who spent probably the last five to ten years of their life training to be the adversary that they are,

[18:04 - 18:21] Jasson Casey, CEO of Beyond Identity:  are they really going to be able to detect the craftiness of this person when it's a link that's really close, when it's a link that's actually correct because they've just hijacked an existing service, or they've man-in-the-middled the connection and it looks fairly similar, or it's a QR code?

[18:22 - 18:35] Jasson Casey, CEO of Beyond Identity:  Like, how do you know the bad QR codes from the good QR codes? No, really, tell me how, right? So that's the state. The state is, it's like we're sending humans, we're sending these people in to go effectively fight the nerds, right?

[18:35 - 18:47] Jasson Casey, CEO of Beyond Identity:  I guess nerds are humans too, but you get my point, right? Like, the non-nerds are going to fight the nerds in a world of agentic AI where the cost for me to look like you takes, I don't know, 30 seconds of anything I can pull off YouTube.

[18:47 - 19:01] Jasson Casey, CEO of Beyond Identity:  The cost of sounding like you is six seconds off your outbound voicemail. Writing like you, very easy, right? Like, I can look like you, I can write like you, I can sound like you. How in the world are we going to train anyone against that?

[19:01 - 19:20] Jasson Casey, CEO of Beyond Identity:  And so the metaphor was it's like we're sending humans to go fight robots. Like, that's not a fight that I would want to go into, and that's not a fight I would want to send any of my friends into. And so it kind of begs the question of, like, Is the system itself fundamentally flawed where the answer is, you idiot, why did you click the link, right?

[19:21 - 19:27] Jasson Casey, CEO of Beyond Identity:  Whereas the response is the person who clicked the link should say, you idiot, why did you buy a system that allows this to even percolate?

[19:27 - 19:37] Dr. Dave Chatterjee:  Correct. I really appreciate that. My work in cybersecurity is holistic cybersecurity governance. It's often pitched as a human factors-based approach.

[19:37 - 19:50] Dr. Dave Chatterjee:  So as much as I'm a proponent of human involvement, human empowerment at all levels, starting from leadership right to the people who are doing the work at the action front.

[19:50 - 20:00] Dr. Dave Chatterjee:  But it is also a reality that with the increasing use of agentic AI, we have to find a way of taking the stress away from humans.

[20:00 - 20:11] Dr. Dave Chatterjee:  Because we are constantly, you know, I'm going to use myself as an example. So every morning when I'm checking my email, out of 50 emails, 40 are probably spam.

[20:12 - 20:28] Dr. Dave Chatterjee:  And out of 40, at least 20 are phishing emails. So my mind is constantly working to filter them out. I'm obviously wasting a ton of time, but I'm trusting my knowledge, my filters.

[20:28 - 20:41] Dr. Dave Chatterjee:  I'm not trying to suggest that I'm a major expert, but I feel bad for those who lack the awareness and they are being subjected to these kinds of phishing attacks.

[20:42 - 20:53] Dr. Dave Chatterjee:  Therefore, technology has to do the heavy lifting. And that is precisely why I welcome folks like yourself to come to my podcast and talk about your solutions.

[20:53 - 21:14] Dr. Dave Chatterjee:  Not so much to promote a particular solution over the other, but more because I know that we are all clamoring for a real solution that takes the stress out of people so people can work and even think that, okay, even if I have by mistake clicked a phishing link, my organization or I will still be okay.

[21:14 - 21:34] Dr. Dave Chatterjee:  Without getting too personal here, I recently experienced what they're calling a card testing attack. I'm investigating it further, getting the details. It's been quite the experience, trying to figure out what happened, trying to get the relevant vendor platforms to support me in my investigation, provide me the details.

[21:34 - 21:48] Dr. Dave Chatterjee:  Here I'm an individual extrapolating it to organizations, experiencing these attacks and all that happens after, which is massive. Whether we are talking about reputation, legal implications, staying in business.

[21:48 - 22:02] Dr. Dave Chatterjee:  So you have to be proactive and you have to do that due diligence to do a deep dive and constantly find out what's the attack type that we aren't covered for that we need to consider.

[22:02 - 22:18] Dr. Dave Chatterjee: I'm coming at it from the standpoint of having that level of commitment, and this has to come from the C-level, because the commitment will drive preparedness, and preparedness in turn will drive the discipline of continuous monitoring, continuous testing.

[22:18 - 22:35] Dr. Dave Chatterjee:  As a solutions provider, you and your team, you are constantly trying to improve your solution to keep up or even be one step ahead of the attackers. That is the other reality that listeners should recognize, that implementing a solution was helpful.

[22:36 - 22:46] Dr. Dave Chatterjee:  That doesn't stop you from doing these three things. I call them the three dimensions of holistic cybersecurity governance, commitment, preparedness, and discipline.

[22:46 - 23:07] Dr. Dave Chatterjee:  Because there are so many aspects to security, the technical, the procedural, the people. But we need more technology to take the load off people because otherwise, just like Jasson said, it's unfair to keep blaming people that you didn't really do your training right.

[23:07 - 23:17] Dr. Dave Chatterjee:  So you fell for the phishing attack. We'll give you a couple of chances. If you don't, then there are greater consequences. I don't think that is the way to go.

[23:17 - 23:18] Dr. Dave Chatterjee: No, not

[23:18 - 23:18] Jasson Casey, CEO of Beyond Identity: at all.

[23:19 - 23:30] Dr. Dave Chatterjee: What has been your experience engaging with organizations? What challenges do they face when they're trying to consider, let's say, your solution?

[23:31 - 23:41] Dr. Dave Chatterjee:  Because one thing is to consider a solution. The other thing is to implement it properly, which I have seen in many occasions. They buy a great solution, but it's not well implemented.

[23:41 - 23:46] Dr. Dave Chatterjee:  So the outcome is not very positive. What has been your experience with your product?

[23:47 - 24:13] Jasson Casey, CEO of Beyond Identity: Let's see, we've got a range there. So they exist, but there are companies who buy your product to check a box and never deploy it, right? It's the shelfware. So clearly they're not going to get a benefit from the product. And I am often surprised by that group. But moving out of that group, when we look at what we've learned out of deployments, it's very organization dependent. And the dimensions are really kind of size and industry. So the larger an organization, the more likely it's an older organization.

[24:13 - 24:26] Jasson Casey, CEO of Beyond Identity:  The older, the more likely it's going to have – it's like you're an archaeologist and there are, like, layers and layers and layers of the city. Well, there are layers and layers and layers of compute in the organization. So I'm thinking about a bank we're doing a deployment in right now.

[24:26 - 24:44] Jasson Casey, CEO of Beyond Identity:  So with a bank, the first ring of deployment is always with IT and tech staff, so IT and security. And that usually goes – that's usually pretty straightforward. It's usually about 1,000 people. The way we built out our platform is for it to be kind of auto-deployed through the existing MDM that the company likely has in place.

[24:44 - 24:54] Jasson Casey, CEO of Beyond Identity:  So for most of you, that would be Intune. For some of you, that might be Jamf or Kandji or AirWatch. I feel like VMware keeps renaming their products. It's not even called VMware anymore, but you get my point.

[24:54 - 25:08] Jasson Casey, CEO of Beyond Identity:  So that's the first ring. Then we'll go from the first ring to what's typically considered like the highest risk users. So this would be kind of executives or anyone in the front line of the business that are oftentimes targets.

[25:08 - 25:22] Jasson Casey, CEO of Beyond Identity:  So it's funny, like a lot of them call it the same thing. They call them these ring deployments. And what they're trying to do is they're trying to learn, no matter what we tell them, there's a difference between like book knowledge and experience. So they're trying to kind of get experience in these rings that don't overwhelm them as they do deployments.

[25:22 - 25:33] Jasson Casey, CEO of Beyond Identity:  And then they kind of ring out. And for the general carpeted office worker, deployments are pretty straightforward and happen very, very quickly. There are other use cases that we support that show up that are a little bit more involved.

[25:34 - 25:47] Jasson Casey, CEO of Beyond Identity:  So think like kiosk computing. So whether you're on a factory floor or you're a police officer driving a cruiser, your computing environment is going to look a lot like a kiosk. So what I mean by that is you have a different computer every day.

[25:48 - 25:59] Jasson Casey, CEO of Beyond Identity:  You may not actually have a local account on that computer, but you still want to access that computer and the services behind it on the network in a secure and easy, right? So secure and easy sort of way.

[25:59 - 26:19] Jasson Casey, CEO of Beyond Identity:  And so those deployments are a little bit more involved in terms of a combination of education and, because kiosk computing usually adds a physical component to it, whether it's through, you know, we have a partnership with YubiKey, kind of leveraging some YubiKeys to where you end up having a mobile credential in, like, the officer's pocket on a YubiKey, but then also a fixed credential on the device.

[26:19 - 26:31] Jasson Casey, CEO of Beyond Identity:  So we can always say it's the right officer in the right motor pool car on the right day with the right permissions and nothing else. You can flip from there to like a factory floor in a logistics scenario. Again, these are most likely Microsoft computers.

[26:32 - 26:49] Jasson Casey, CEO of Beyond Identity:  Microsoft has a hard limit. I can't remember if it's five or ten, but, like, they won't support more than five or ten kind of secure Hello-style logins per computer. So if you really want seamless computing, which is kind of kiosk computing, let people walk where they want and do what they need, you need an alternative solution.

[26:50 - 27:11] Jasson Casey, CEO of Beyond Identity:  So these take a little bit more, but when I put it around numbers, we got through the bulk of the 60 company deployment in six weeks. For other deployments, it's dependent on kind of the process of the customer. There are certain organizations, and this is where it becomes vertical dependent, where you have freeze schedules that follow your industry's service periods.

[27:12 - 27:20] Jasson Casey, CEO of Beyond Identity:  And so what you're rolling out is going to be in those phases that can kind of spread things out. So it's very customer dependent, but it doesn't have to be hard.

[27:20 - 27:21] :  Okay.

[27:21 - 27:38] Dr. Dave Chatterjee:  That's good to know. So let's talk a little bit about the role of AI in identity security. We've kind of touched upon the negative aspects, whether it's a deep fake or whether it's just like you said, that it's not too difficult to imitate a voice, imitate your writing.

[27:38 - 27:48] Dr. Dave Chatterjee:  And so that presents a whole slew of challenges. And then you have AI products that can proactively go looking for vulnerabilities and exploit those vulnerabilities.

[27:49 - 27:49] :  Yep.

[27:50 - 28:09] Dr. Dave Chatterjee:  But on the flip side, the good guys, the defenders also have the AI tools to thwart these attacks. And there are lots of tools out there. So once again, from a guidance standpoint, what would you recommend to organizations when they are trying to secure their AI applications?

[28:09 - 28:15] Dr. Dave Chatterjee:  And you can use the context of identity security to make those recommendations. Yes.

[28:15 - 28:25] Jasson Casey, CEO of Beyond Identity: I would say, number one, you don't want to hobble your business, right? You want to enable your business. If your people want to experiment with AI, how do you enable them, right? Like, that's where you want to be.

[28:26 - 28:39] Jasson Casey, CEO of Beyond Identity:  But at the same time, you can't say do whatever you want and let them essentially reinvent key sprawl, which is a problem you're going to run into. So we have a customer right now. We actually did a webinar with them recently.

[28:39 - 28:51] Jasson Casey, CEO of Beyond Identity:  It's a company called Monolithic Power Systems. The CISO there is a gentleman by the name of Hui, and you can find it on our site. He's experimenting with enabling his workforce in two different ways.

[28:51 - 29:03] Jasson Casey, CEO of Beyond Identity:  How does he, number one, let employees harness the power of an LLM against the company's native data sets? And so some of you may be familiar already with this concept. It's called retrieval augmentation generate.

[29:04 - 29:19] Jasson Casey, CEO of Beyond Identity:  Wow, forgetting what the G stands for. But basically, it's a way of creating a set of vector embeddings of your data to where you can kind of add it to an LLM. The typical exploit that shows up here is your crafty intern gets the LLM to cough up the CEO's email contents, right?

[29:20 - 29:50] Jasson Casey, CEO of Beyond Identity:  And so he was experimenting with our product and some of the things that we've been working on around, like how do we ensure fine-grained permissioning from an identity defense system to where the LLM is never even fed RAG data that's not of the permissioned current user. But more interesting than that is when you think about agents, right? So an agent is an interesting idea. It's kind of like a firefly. It's born, it does something interesting, and then it dies, right? So if the

[29:50 - 30:08] Jasson Casey, CEO of Beyond Identity:  agent lifecycle is really fast, right? I log into an agent service. Me as a user, I authorize the agent to do something on my behalf. It uses, through some orchestrated workflow and an LLM and all sorts of ragified data as well as services, it does something interesting, and then it dies.

[30:08 - 30:39] Jasson Casey, CEO of Beyond Identity:  How do I always know, as the governing body, what user authorized what agent running what model on what device with what security controls, with what permissions, in what geography, for how long, even when the agent is destroyed? How do I always answer all of those questions in a tamper-proof way? And I would argue, whether it's us or someone else, any identity defense-based platform needs to solve that problem for you simply, right? The other thing that I would say on the AI side, it's a little bit

[30:39 - 30:51] Jasson Casey, CEO of Beyond Identity:  perpendicular to the question, but it's around AI defense. If the adversary is coming at you where AI is now in their toolkit to basically be a better mimic, how do you handle that?

[30:51 - 31:02] Jasson Casey, CEO of Beyond Identity:  And this is, again, where I would argue, whether it's us or someone else, any acceptable identity defense platform is going to be able to handle that, and I would challenge it to handle it in a very specific way.

[31:02 - 31:14] Jasson Casey, CEO of Beyond Identity:  So I'm sure you've all seen these companies that have come out of the woodwork recently to go detect AI as a usage, right? We think that's a bad idea. We think that's going to waste your money and time and not pan out.

[31:14 - 31:28] Jasson Casey, CEO of Beyond Identity:  And we think it for two reasons. One is technical, which is detectors are really useful to train the next generation of generator. So if they were, right, and I'm saying if. If they were, you're in an arms race and you're constantly having to swap these things out.

[31:28 - 31:51] Jasson Casey, CEO of Beyond Identity:  My second argument is almost from a usability perspective. If you really believe AI is around the corner and is going to 100 or 1,000x what everyone is doing, then you've already anticipated that most of your users are joining this Zoom with artificial faces, speaking languages they don't actually speak, having expert editors making their writing flawless.

[31:51 - 32:05] Jasson Casey, CEO of Beyond Identity:  So what good is your detector even going to do in that environment, right? If you think AI is really around the corner and it's going to proliferate in that way, then you've already accepted that it's going to proliferate in Zoom, in Teams, in Outlook, in all this form of communication.

[32:05 - 32:23] Jasson Casey, CEO of Beyond Identity:  And therefore, a detector is just going to always say yes. So why not work on a better solution now or ask a better question? And the better question is, who authorized this, on what device, with what workload, with what security controls, in what geo, with what permissions, and for how long?

[32:23 - 32:40] Jasson Casey, CEO of Beyond Identity:  In a tamper-proof way, right? Like, you don't know if this is really an image of Jasson right now, but you do know, and this is a whole other conversation, but because of something we call Reality Check, this is coming from Jasson's machine, Jasson's biometric and possession factor were used in the authorization of this session.

[32:40 - 32:52] Jasson Casey, CEO of Beyond Identity:  The security controls on the machine, this is coming from, actually fit Beyond Identity's current posture requirements for an active employee, along with some other information that pops out. Anyway, sorry, that was a long response.

[32:52 - 33:09] Dr. Dave Chatterjee: No, that's fine. Your knowledge is oozing out. I want more of that. That's fantastic. Well, unfortunately, we are coming to the end of our episode. I wish we could go on. So as we start wrapping up, let me share with listeners some of my takeaways, listening to Jasson share his expertise.

[33:09 - 33:31] Dr. Dave Chatterjee:  And Jasson, you can add to that list. So what I'm hearing from you is obviously the move towards phishing-resistant authentication, to integrate continuous monitoring and device checks, adopt a zero-trust framework, educate staff as best you can about AI-driven impersonation, and make identity security a board-level priority.

[33:32 - 33:44] Dr. Dave Chatterjee:  Another takeaway that came through, unless we know what devices are on our network or what are being added, it's very hard to proactively protect or secure.

[33:44 - 34:06] Dr. Dave Chatterjee:  So a continuous awareness of identity vulnerabilities is key, absolutely key. Switching it back to you: if there was one takeaway for a senior leader, one takeaway for the general public, and one takeaway for a cyber professional, what would they be?

[34:06 - 34:34] Jasson Casey, CEO of Beyond Identity: I would say everyone needs identity defense. They don't have to get it from us, but the way you know you have it versus the way you don't is: pick anyone in your organization, employee, contractor, even business partner, and ask them to always do the wrong thing from an adversarial perspective. The adversary should still not be able to create a security incident. If that statement is true, you know you have identity defense. I would really just kind of leave it at that. Like, that's the ultimate test.

[34:35 - 34:49] Jasson Casey, CEO of Beyond Identity:  And from a value perspective, like, even if you don't believe or it's a hard argument of doing better than where you're at, know that this is going to save real dollars and real heads in operations by preventing the workload that's hitting that desk.

[34:51 - 34:57] Dr. Dave Chatterjee:  Fabulous. Well, with that, we will conclude our session today. It's been a real pleasure, Jasson, and I hope to have you back again.

[34:58 - 34:58] :  Awesome.

[34:59 - 34:59] Jasson Casey, CEO of Beyond Identity:  Thank you.

[35:00 - 35:10] Dr. Dave Chatterjee:  A special thanks to Jasson Casey for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network.

[35:11 - 35:18] Dr. Dave Chatterjee:  Also, subscribe to the show so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.