December Product Update Livestream

Transcription

Joshua

Hello, and welcome, everybody, to our Season of Giving live stream. I am Joshua Gonzales, and with me today is Jing Gu, our product marketing lead. 

Hi, Jing, how are you? 

Jing

Hello, I'm so good. I'm excited to be generous and give. 

Joshua

It is the season. If you have been following along, we here at Beyond Identity have been having our Season of Giving campaign. We have a lot of awesome resources and free tools and free products and other things that we are so excited to share with you all season long. So, you know, this, kind of, came about because this year has been difficult, you know? 

There's been a lot going on, not only in the cyber security world, but in the greater macro economy at large. And so we here at Beyond Identity really, you know, reflected and we said, what can we do to better help our customers, better help anyone out there actually who is going up against challenges? 

They may have limited budgets, limited resources given everything. What can we do? And so we created a lot of things that we are excited to show you. First, we are going to be talking about our Okta Defense Kit. So, lots of things have been going on with Okta right now recently. So we created two tools to help you out with your Okta environment, help keep you secure, help you make decisions about what to do. 

We'll go into that. Then we are going to talk about one of our tools called the Passkey Journey, which Jing... 

Jing

I have a lot to say about that as well. 

Joshua

Yes. It's a free tool that gives you a free report where you can discover how your users or your customers can use passkeys on your website. So we're going into that. And then we will be showcasing our Zero Trust Assessment Tool, which is free, and also one of my very, very favorites. This tool will let you see how your current security stacks up against CISA, their Zero Trust Maturity Model.

Jing

It's like a report card. 

Joshua

It's a report card. Exactly right. 

Jing

Hope you get an A. 

Joshua

And then what I really love about it too, which is really, really nice, is it actually will give you the steps that you need to, if you're not at the optimal status for identity or device security, it gives you the steps that you need to take in order to get there. So I love that. We're going into that. And then we are giving you an exclusive first look at Device 360, a brand new device trust tool that we will talk about in a moment. 

So, let's get right into it. How does that sound? 

Jing

That is a lot. 

Joshua

It's so much. 

Jing

I love it. I will just say, you know, we also see security as a collective effort, right? 

Joshua

Exactly. 

Jing

Rising tide raises all ships. So if we can give these tools away for free to all of you, and you can leverage that to make better decisions or to improve your security posture, that is well worth it. So let's dive in. 

Joshua

Let's dive in. First, we are going to the Okta Defense Kit. So Jing, take it away. 

Jing

All right, so Okta has been in the news lately. And Okta is a very robust identity SSO access management company, right? However, there are steps that you can take to protect your Okta environment against all of these vulnerabilities that attackers have been able to exploit in the last year. So we built this kit with that in mind, right? 

It might be really difficult to go through all of your Okta logs and figure out, like, is suspicious activity happening on my account? Are there known indicators of compromise that I should be on the lookout for? And what should I do to prevent bad actors from accessing my corporate and customer data? So the Okta Defense Kit is completely free. You can find it on www.beyondidentity.com/resources/okta-defense-kit

Joshua

Exactly. 

Jing

Thank you, thank you. It has two components. One is a HAR File Sanitizer, and the other is an Okta Session Analyzer. So the HAR File Sanitizer, what it does is that it scans all of the cookies and headers in the requests that you're sending. And the HAR file is something that customer support would usually send and receive in order to resolve issues within your Okta environment. 

Bad actors were able to leverage this to gain access to Okta's customer data. So you definitely want to cut off this path before it's even viable for bad actors to take. So the sanitizer scans everything, flags all of the risky session cookies, and then it generates a safe-to-share HAR file so that you can take that and resolve your customer support issue without exposing any sensitive data in the process. 

This is live on the site. It's also live on GitHub. And that is the first component of the Okta Defense Kit, preventative, right? Preventative security is always a good idea. Now, we come into the second component of the Okta Defense Kit. This is what we call the Okta Session Analyzer. 

So all of these bad actors were able to gain access to Okta, and every time they gain access, they leave behind breadcrumbs, right? In security threat hunting world, you probably refer to that as indicators of compromise. And these indicators of compromise that have been leveraged in the past year include push bombing, delegated IDP change, fast travel, unauthorized app access, and more. 

So what the Session Analyzer does is it takes in your Okta session logs and you can say, hey, the past week, the past month, past year, whatever that cadence might be, and then the Session Analyzer will basically make sense of it for you and decipher it from a threat hunting perspective. 

What it will tell you is, hey, this session ID, whatever the long numerical ID is, has all of these known indicators of compromise. You should go take a look at that. And this way, you're not searching for a needle in a haystack. What you're able to do with the Session Analyzer is you're able to basically take a magnet and just scan your environment and pick out all of the risk signals that exist in it. 

And those are the two components of the Okta Defense Kit. It's available today and people can find it on our website. And I hope you enjoy it and let us know what you think because we want to improve it as well. 

Joshua

Yes, yes, yes. With any of these tools, please, our ears are open. Message us, let us know. Feedback, we always want it, because we are making these for you, right? So, if you think you can have better value out of something else that you could use with this, let us know. 

We would maybe want to build it. And I have seen the Okta Session Analyzer in work, at play. It is so cool how it just immediately pulls out all the things that could be indicators of threats and it lets you know, again, exactly that session ID, exactly what those indicators are, and you can go on to your remediation efforts from there. 

Jing

Yeah, yeah, and, you know, like, we had some IT and security folks say to us, you know, my boss is asking me what's the impact of the Okta breaches on my environment, or another variation of that question, what are we doing to protect ourselves, right? So we've been recommending the Session Analyzer as a way to prove that, hey, here are the risks in my environment, and here's kind of the prioritized plan to address these risks. 

So yeah, we've been getting some decent feedback on it, but we definitely want to, you know, make it more robust and useful for all of you. 

Joshua

Yes, all right, so that is the Okta Defense Kit. Check it out. Now, let us talk about the Passkey Journey.

Jing

The Passkey Journey, all right. So passkeys, they are a very exciting authentication method, right? They allow you to log into any account with the same method that you use to log into your favorite devices. What I mean by that is I log into my iPhone with a Face ID every day, and I have never forgotten how to do that. 

And what passkeys enable companies and organizations to do is they can now build that capability for users to authenticate with the same method they use to authenticate into their phones as a way to authenticate into their online accounts. The problem with passkeys, however, as amazing for security and user experience as they are, is that they're not universally supported. Some browsers, older browser versions, do not support passkeys with biometrics. 

Certain types of older devices also do not support passkeys with biometrics, so your users would have to default back to a security key, which most end users do not have. I have a YubiKey, I have a security key, but I'm a security geek, so that doesn't count. So what the Passkey Journey will allow you to do is it allows you to assess your entire user base and see exactly what percentage of them can use passkeys and what the user experience will actually be like. 

So it'll generate a report that looks something like this. You'll have a sort of simplified pie diagram breaking down the devices that are able to use passkeys. You have your three tabs on the different user experiences, and you'll be able to see recommendations as well as an interactive click through. 

So there's no guesswork about what the user experience for passkeys will be at your organization. And this is also available for free. It is available also at a very nice URL. It's just thepasskeyjourney.com. And yeah, check it out. We launched this on Product Hunt. Good feedback from there as well. 

Joshua

Of course, yeah, yeah, yeah. 

Jing

Yeah, it's been fun. 

Joshua

Check it out. You know, when you're looking to move to passkeys, the number one thing is how do I roll this out to my users in a way that is going to be nice, that they're going to like, that they're going to understand? And this will just give you so many great insights to how your users can leverage passkeys. And so now you know, how do I roll them out? 

Well, if most of my users can use them like this, this is how I do it. It's really great. Really check it out, thepasskeyjourney.com. And now we will move on to the Zero Trust Assessment Tool. This free tool, we have prepared a very special video for you to give you an overview of this tool. So we will go to that now, play the video. 

Roll the footage. 

Video

Introducing Beyond Identity's Zero Trust Assessment Tool. See where you currently stand in your Zero Trust journey and what steps you can take to achieve the optimal level of Zero Trust security. For example, let's say your company uses password plus SMS to authenticate and you have a device fleet consisting of BYOD contractor devices, as well as company managed devices with MDM and EDR installed. 

Based on CISA's Zero Trust maturity model, your configuration has an initial rating. Not so great. Now, let's toggle to see how adding Beyond Identity would change your rating. With Beyond Identity, your identity rating and device rating move to CISA's optimal level. In our deep dive analysis, the left-hand column provides a view of your current identity and device environment. 

The right-hand column provides steps to achieve an optimal Zero Trust implementation. Our Zero Trust Authentication solution is a passwordless, phishing-resistant, and policy-based authentication using device-bound cryptographic keys. It ensures continuous device posture checks throughout a session, extending beyond the initial login to provide comprehensive and optimal security. 

Try our free tool today. 

Joshua

All right, and that was the Zero Trust Assessment Tool. Definitely check it out. See where you stack up against CISA's Zero Trust Maturity Model. And yeah, check it out. All right, I think the time has come for the exclusive sneak peek into our latest and greatest tool, Device 360. 

Jing, what do we have to say about Device 360? 

Jing

I have so much to say about Device 360. So let's see. Let's see where we should start. Okay, let's start with the exciting thing, okay? It has entered public full beta today, which means you can get early access, which means you can get access to this tool for free. 

And you can help us build it. We are actively seeking feedback. As I speak, there's probably somebody in a feedback session right now. That is literally how much feedback we want. Device 360, what is it? Well, it is a set of features that enable you to do device trust like you've never done before. And you might say to yourself, "Wow, that is a statement." 

What I mean by that is Device 360 enables deep centralized visibility across both your managed and unmanaged endpoints. And it allows you to see a single report of all of your endpoints as well as their associated vulnerabilities. This way, you know what to prioritize in terms of remediation. Additionally, Device 360 allows you to leverage this really powerful solution called Osquery to ask questions of your devices in real time. 

It's not just our configuration controls existing on my endpoint, but validating that they are existing and that they are running. So for example, is the disk encrypted? Is the biometric enabled? Is the firewall on? All of these little configuration drifts that can happen within a device lifecycle, now you can get a real time assessment of every single device in your endpoint fleet to be able to manage risk across your fleet and instantly identify weak links where they may be.

And right now, it's in public beta. If you go to beyondidentity.com/device360, 360 is just little numbers, you can go ahead and join the wait list here. And we have a little bit of a preview into what you can expect from the product. So as I mentioned, it's in beta because we really want to make this product something that is usable for you, that is valuable for you, and that delivers against our value proposition or our mission of securing digital access to any digital application. 

Check it out and let us know what you think. And is there anything else that we need to cover about device 360? I have so much to say about it. I'm like, "Oh my goodness." 

Joshua

There is so much to say about it because it is so exciting. You know, I think just one thing that may be important that I would love for you to go into a little more is what we are hearing and seeing from people about the importance of device trust. Like, why are we making this for people who have been asking us for so long about device trust and their needs? 

Jing

Okay, there are a couple of pain points when it comes to device trust for IT and security teams. For IT teams, device trust often takes the form of making sure that device configuration is up to date and that the configuration, security configuration controls that they want on the device is actively running. Turns out both of those things are really difficult to validate with the tools that exist today. 

So device trust or Device 360 allows you to get the kind of visibility you need in order to achieve validation that configurations are running correctly on endpoints. Additionally, the second pain point is that companies need to prove compliance, right? Your devices need to comply to a certain level of security threshold. 

And depending on what industry you're in, your company's individual needs, those thresholds might look a little bit different. But in order to prove compliance, you need a single unified view into your endpoints. And that view needs to include vulnerabilities and risks associated with each device. And that is what Device 360 is able to offer, right? 

You don't just have to say, "Oh, I think my devices are in compliance." You can actually verify, ensure, and prove compliance against your inventory. So those are two pain points that we've heard around configuration concerns as well as reporting and compliance concerns. 

And something else that is interesting that came up in some of the feedback sessions we've been having is our customers are really excited about the ability to simulate policy. So Device 360, one way to look at it is it allows you to see something. It allows you to identify all of the kind of risks in your fleet. And policy, which is part of the Beyond Identity platform, is able to help you do something about them. 

So if you have a device that doesn't have its security controls in place, access policy is able to say, "Hey, this person shouldn't be able to access your applications. Please terminate this authentication request or please request the user to step up their authentication with an additional factor." 

So policy simulation is able to show you, based on the things that you care about, the queries that you've run, the risks that you care about, if you were to implement this policy, how many devices it would impact. What percentage of denies would you see? Are there OS patterns within those responses? So policy simulation is also another core piece of the product that kind of allows you to test before hitting deployment. 

You never want to break user authentication, right? 

Joshua

No. 

Jing

That would not be good. 

Joshua

And like being in these feedback sessions and seeing the way people light up when it comes to like, wait, I can test this policy and I'm not going to lock out 200 of my users and have them all angry at me for trying to, you know, get their devices into compliance, it's just so great to see. Very, very excited for Device 360. Please check it out.

Share the link with anyone you know who may want to check it out. Again, it's beyondidentity.com/device360. Super excited for it. 

Jing

Yeah, yeah, absolutely. And, you know, it's also on our social media. So if you follow us on LinkedIn or Twitter, it will be right up there as one of our most recent posts. 

Joshua

Yeah, awesome. Well, that is our Season of Giving live stream. Again, we are so passionate about doing every single thing we can for you all. So again, feedback is so greatly appreciated. It's how we can build the best products for you, try them out, send them to friends who may want to try them out. 

We have the Okta Defense Kit, the Passkey Journey, the Zero Trust Assessment, and now Device 360. Thank you, thank you so much for tuning in. Check us out, follow us, go check out the tools. Any last words, Jing? 

Jing

Have fun. 

Joshua

Have fun. 

Jing

We handed you a bunch of tools on a platter. So go wild. 

Joshua

Go wild, have fun, happy holidays. We will see you in the new year for even more updates and announcements and fun. So, I can't say anymore, they'll cut me off. All right, bye. 

Jing

Bye.