From Detection to Response - Identity in the Cybersecurity Framework



Carrie:  Hey everybody, how are you doing? Thank you for joining us for the last session in today's security track. I hope you’ve had a good Oktane so far. You’ve come to the right session because we have an enviable line up of characters for you up on the stage today.

We've got a number of team members from both GoDaddy and Informatica and Okta who are all here to talk to you about how to use authentication data to detect account compromise. Without further ado I'm going to introduce them. Before I do so I just wanted to remind you that we are being recorded.

We're recording these sessions today so if you do need to leave just pop through the eves and please turn off your mobile phone. There'll be time for questions at the end we hope and we’d love your feedback. Let me see if I can get all these right in order, no, not in order.

We've got Joe Diamond who's the Director of Security, of our security product at Okta. We've got our first Jason, Jason Biak who's the manager of global employee safety and security at GoDaddy. He's joined by his colleague Seth Paxton who's the Senior Security Engineer at GoDaddy.

Then we've got Jason squared or Silvera, sorry. Manager of enterprise ops at Informatica. Thanks gents, I’ll leave it up to you.

Joe Diamond:  Did you guys hear that? She referred to us as characters. I don't know whow to take that. What do you guys think?

Jason Silvera:  I’ll be a character.

Joe Diamond:  Okay, me too. It's okay. Just remember guys, she's from Australia and she likes vegemite; credibility gone. Raise your hand if you like vegemite. Get out, no vegemite love here. Again, my name is Joe Diamond; I head the security business at Okta. I'm going to be totally honest; this topic is a topic of passion for me personally.

There's a big reason for that. That is because I think there is a couple of very critical trail points that organizations have as the computing landscape continues to shift. That is obviously things that stupidly sit at the edge. The authentication layer is one really good one and also the email gateway.

Those are two very critical choke points. I think there's a really big opportunity for organizations to uplift how they view where identity sits in their security stock. That's really what this session is all about today, is talking about how you can use authentication solutions specifically from exhaust data perspective to identify account compromise and actually respond to that account compromise.

That's a critical component for all of this; it's why everyone's in the room. It's a huge aspect of growth for all of us. Into our obligatory forward looking statement slide, skipping forward looking statement slide. You can't really have an identity conference without talking about how shitty passwords are, you just can't.

I had to have a couple of these to really just paint the picture about how much we hate passwords. One of our great inventions was the notion of password complexity. How many of you actually think password complexity actually solves anything?

Male:  Boo.

Joe Diamond:  Boo, yeah, boo is right. That's one major aspect of the problem. Then we look at how much passwords such from a password sharing perspective. I believe I caught Seth sharing his password with Jason earlier today. It was an administrative password and it was just something slightly critical, like a big office with 65 tenant, no big deal.

This is a really great way of sharing passwords I think. “Hey, what's your password?” “My password is get the fuck off of my computer.” “Is that all one word?” “Yes and fuck is caps.” Best comic ever, most true comic ever. It's the truth. All of us suck at passwords. Just behaviorally we suck at passwords.

It's a human nature thing to suck at passwords because passwords are a pain in the ass. It's just how it goes. Administratively we suck at passwords too. We share them with our friends, we share them with our colleagues, we pretend like we don't really do. That's just the reality.

This is ultimately why we turn to these identity driven, to this approach of identity driven security. I think all of us have a pretty good preview of these four value pillars is you will. We understand that, yes, we're going to centralize identity, we're going to help mitigate the risks of los by limiting access control and we're going to use single sign-on to do that.

I think we're pretty mature for the most part at actually leveraging that as a solution. We're going to ensure that we bring strong authentication to every single solution that we have. We're fairly competent, we're fairly strong there. I think there's still some room for growth in that aspect as well.

We can bring strong optimal solutions than perhaps we are today. This is another area for growth in terms of just understanding how we can reduce our attack surface through contextual access management, making sure the right people have the right level of access to the right stuff. We're yellowish there, we're growing, we're getting there. I think people generally understand that.

This last one I think is a huge blind side actually for most people who use single sonar authentication solutions. Which is, how do you use all of that exhaust data which is effectively the gate for authentication for every single solution that we have in our company, how do we use this data to identify that account compromise and respond to that account compromise?

This is ultimately what this session is all about. This is why Informatica is here, this is why GoDaddy is here. Is how do we line this up to protect and respond? At this point I'm just going to pass it onto Jason on the Informatica side who's going to walk us through their views, how you can move forward with that.

Jason Silvera:  Joe, I really appreciate it.

Joe Diamond:  Any time.

Jason Silvera:  Good afternoon, I'm Jason Silvera. I'm the IT enterprise operations manager for Informatica. That is totally a mouthful but all it really means is I manage a lot of stuff. That's the way these things work. Informatica is about data management, it's about the disruptive power of data.

It's taking that data from your organization and using it to make the best possible decisions for your company. This is really all about that. A huge part of any incident response is about looking at that dada and understanding how did it happen, where did it come from, what are we doing?

Of course Informatica, it's transforming into a relentless base. All we do is move forward. That's what everybody is looking for. It's funny because sometimes people say moving forward is you get one thing done then you get another thing done, then you get another thing done, but what actually happens is it's all happening at once, it's all multi threaded and it's all going all at the same time.

A big part of what I did when I came in at Informatica and took over the Okta management was we had to revamp the entire split architecture. How many of you guys have deployed Okta and have an AD agent running? Lots of people get AD agent running, and LDAP agent maybe, IO servers, Radius for Okta verify.

Now here comes the million dollar question. When was the last time you upgraded any of those? See that's the key, is that all of a sudden you realize we're a little bit behind. Okta's still pushing forward, they’ve got new agents, they're a little bit more reliable, they're putting everything in one place.

We used to keep doing that. Part of our role, in order to have high availability, in order to keep up with current standards is continuing that trend, keeping up to date. It's the most important thing that we can do. We were going through the middle of a major process to deploy multiple new AD agents.

New architecture, new servers, new data centers, worldwide highly availability. We were trying to get all the way through that. Right in the middle of this project, that's when the attacks come. There's no perfect time for an attack. If we can plan it, we’d like that attack when we're completely done with the work, we’d like the attack when everything is stood up.

We want it when we are 100% confident in our infrastructure, in our environment. Everyone knows that's not the way these things ever go. This attack was 46,000 authentication attempts in a 24 hour period. What that really came down to was actually 40,000 in two hours.

That's where it really hit us. For anyone doing the math here, that's five authentication attempts a second. Five attempts every second. The great thing about working with Okta and the great thing about being where we were is that we had the architecture to handle it. We didn't have anything go down.

We didn't even notice this was happening guys. That's what is so amazing about looking at the data later. All of a sudden we're, “It's a mission control atmosphere.” Anyone seen these places? You guys have all watched 24, the big banks of TVs everywhere, everybody’s looking at it, my gosh, what's going on now?

That's not really what happens. What really happens is there's one guy, just one guy in a cubicle, head in his hands, phone ringing off the hook. “Hey, what's going on with authentication?” “Hey, my guys can't get in.” “Hey, is there something wrong with any of our servers?”

We're sitting there going, “All our servers are up, everything's up and running. There isn't anything wrong. Where is all this activity coming from?” That's when the response really kicks in. That's when getting into the nitty gritty of the data is actually fun. Because now we recognize this one guy who's overwhelmed, the attack is already over by the time we get to it.

We get to jump right in and say, “Okay, what really happened today? What happened today? Who did what to whom for how many cookies and which cookies were?” If they're my snicker doodles, I got a problem. Those are my snicker doodles guys, don't touch my snicker doodles.

The aftermath. I really want to talk about this because this is the exhaust data. This is what SIS Logs 2.0 was able to get to us. Is that after the end of the attack is when we realized everything’s coming from a single IP address, one place doing all those authentication attempts, one place.

We get Okta on the phone and they blacklist that IP right away, our support infrastructure immediately recovers. Less than 30 seconds after we put that blacklist in place, no more account lockouts, no more activity on all the authentication services. Everything’s smoothed right out.

That's the kind of thing that I really want to say thank you to the Okta team. They got on the phone; they were ready to go, jumped right in. The very next question is how do we stop this? How do we prevent this from happening again? How do we be more intelligent in the future for these things that are actually happening?

Again, big kudos to Okta here, reached out, got us good sessions with their security engineers, talked about our architecture, talked about going over some of our metrics. We got to start talking about IP zones. We don't need to have everything opened everywhere for Informatica, we need everything opened where we have offices, where we're doing businesses, where we've got our employees who need to access our systems.

We're able to all of a sudden lock down geographically, where do we allow access? We go over the account lockout policies. It's one of those things that everybody expects is set up. You think that your account lockout policies are great because I think everybody here has been through at least one of those audits where you have to take a screenshot of your password policies, account lockout policies.

All of a sudden you realize, wait a minute, our Okta account lockout policy doesn’t match our active directory account policy. Or wait, that doesn't match our Sisco lockout policy. Bring it all together, start fresh, make sure everything comes back together. I think this is one of those review pieces; it almost takes a fire drill.

It takes an attack, it takes something happening before everybody is really willing to look at that data and say, hey, we got to get those things all together. I think the biggest win is our MFA policies. We were set up where we protect MFA at the org level. The first time that you are off network and you login to Okta, you get prompted for MFA.

What was that key word? Off network. It's turns out a lot of Informatica employees; they're that 9:00 to 5:00 person. Everyone talks about this, nobody’s 9:00 to 5:00 anymore, you don't work from the office anymore, you work from anywhere. You're on your tablet, you're on your mobile phone, you're at Starbucks.

It turns out that 30% of Informatica employees, they only logged in from the office. They showed up in the morning at 8:00, they logged in at 8:00. They left at 5:00. They never were prompted for that MFA initial setup because why would they? They were always on network.

Changing that policy that says, “Hey, your first time that you're in Okta, now you got to set up MFA.” We went from having all these users who had never sighed up to 100% MFA usage. That was a huge win for everybody. Again, 100% MFA, it's a big deal. Then finally it's always the clean up, nobody likes clean up.

Everybody’s again, relentless push forward, new. You go back and clean up. All those AD agents that we had lying around, they were all in use; they were all part of this. Decommission them and get them out of the way. Now we only have the most up to date AD agents, the most up to date IO agents, the most up to date Radius agent.

All that legacy is gone. Every little piece of that that helps us be ready for whatever is going to happen next. Again, I really want to talk a little about the intelligence and where Okta has gone for security incident response. I think you’ve heard a lot of it in some of the other conversations this morning talking about the keynote and the seam tool integration.

I can't say enough good things about how Okta has helped us use our chosen seam tool to get all those SIS Log data into a place where our incident response team can see it right away. Because again, there's one guy in a cubicle, one guy overwhelmed. Now we've got the sock team, now we've got all that data for all that authentication traffic, it's all in the seam tool; the sock team can see it right away.

They get that view to actually say, “Hey, I see something funny going on.” That's a huge win and I can't again, thank Okta enough for being able to push that forward. I really appreciate the tie guys. I know I went real fast but we're available for questions later. Jason.

Jason Biak:  A little too fast.

Jason Silvera:  A little bit too fast? Should I take a little bit more time? Should I talk about snicker doodles?

Jason Biak:  Actually no, no will do. Green goes forward.

Jason Silvera:  Green goes forward like Jason.

Jason Biak:  All right, hi everybody, I'm Jason. I run the global employee safety and security team at GoDaddy. I'm joined here by Seth Paxton our senior engineer. We're about six months into an experiment at GoDaddy where we're running a converged security model. We have one team that focuses on the physical and the cyber.

Full disclosure, I was hired to do the physical and now I'm in charge of the cyber. Speak slowly if you have technical questions or direct them to Seth. I've got about 17 years of military and law enforcement experience and it's pretty interesting to apply those methodologies to the cyber side. That's what we're going to talk about here. I’ll let Seth introduce himself real briefly as well.

Seth Paxton:  Yeah, Seth Paxton, senior security engineer at GoDaddy. I'm pretty much the architect behind what we do in the global employee and security safety space. I've been in IT security DevOps and development for roughly 12 years so a good mix of experience.

Jason Biak:  When he says architect he means smart guy in the room. There's a lot of meetings that I sit in and I go then he nods then I really nod. Sorry, try not to make fun of me here. Really briefly I’ll go over GoDaddy as a company and then what our team does. I'm sure as everybody else has to deal with here; the work from anywhere is a big deal.

It gets even more important as you rapidly integrate mergers and acquisitions. The joke that I use whenever I talk is that GoDaddy probably purchased two more companies while we're standing here talking. I've been with the company for about 18 months. We've integrated six different acquisitions.

They range from three employees and 75 contractors to 1,200 employees. I want to be clear about what BYOD means. I was trying to think of the acronym in my head. I think it's BYODWWDY which is bring your own device when we bought you. It's really not about an employee bringing their device into work, it's about, we just bought a company of 1,200 people and they're bringing those devices into our environment.

How do we get them up to speed quickly? What we do as a team is we think about the employee holistically. You hear a lot about technology and issues. Really what's the problem at the end of the day? It's the human. We can put all the technology in the world but the human’s still going to click on the link, he's going to execute the file, he's going to open the email, he's going to go to the site, he's going to do whatever we've told them not to do.

We have to think about the human part of it. We think about it three ways, so the employee at risk. That could be anything. That could be cyber stalking for our customer care agents so we think about that from a holistic view. Everything from their Facebook settings to the email domain that they use when they deal with our customers.

We think about them when they're in the parking lot at midnight and it's dark and they're by themselves. Because when third shift gets there, they have to park all the way out there and then they get off and there's no cars in between. We think about a lot of travelling to Munich and there's a terrorist incident.

The beauty of it is, and what we're going to talk about throughout our conversation here is, we use all of that data for all of those use cases. The employee as a vulnerability, that's pretty much the cyber piece. That's that accidental data loss, that's clicking on that link, that's doing all the things that we don't want them to do.

Then the one that we probably won't talk about outside of this room or with the employee base; but the employee as a threat. Not that accidental data loss but that malicious data loss. What we do is we fuse all of the information across all of the sensors to try to get that 360 view.

Actually one thing I will say, GoDaddy is a company … Just so you have an understanding of size and scope. We have about 7,000 employees globally, about a million square feet of office space. We have 30 facilities in 14 countries and about 10,000 employee end points. That's a pretty significant group.

Then just to give that 360 view, we also have about 250,000 of employee travel a year. Just thinking about when they're not on premise and they're out there all across the globe. One of the things, being a non technologist and coming into not only a technology company but an IT team that's full of technology as I said, you know what, we're going to use the tools that we have instead of building our own stuff on the side.

What we look at is how can we protect that end point? How can we force everybody, to use military terms, through a choke point so that we can see what they're doing? Make sure who there are, make sure they're in the right place, make sure that they're allowed to be in the places that they're accessing and make sure they tell us if they're not.

That's really where it gets fun, it's the last part. It's the logging, the alerting and the responding. The things that we're looking at now, multi factor, I wish we were better at it, 100% but we're joined by four other people from GoDaddy that we're going to be partnering with in the next hopefully quarter or two to get there.

Really the big piece for us is mobile device management. As Seth will talk about some of our SIS Log data that we've imported into our seam, we're missing device name. It's a critical piece of data. There's certain things that we have but there's more data that we want out of that session and we’ll get really deep into the logging and analysis. Now for the technical talk, we’ll turn it over to Seth.

Seth Paxton:  Thanks for your time everybody. I wanted to start talking about how we deal with IT from a security perspective. One of the problems we have as a security team is we cannot be embedded into every facet within IT. One of the problems is we just don't have enough resources and our IT organization’s very large.

We have a lot of things going on at once so we just can't be everywhere at once. What we've decided to do is take this idea of security evangelists. What we do is we identify individuals within certain departments that can help us enforce security controls and someone we can actually communicate security policy with.

They can act as basically on our behalf to implement controls within the IT organization. This allows us to be more flexible and to actually utilize resources across the company. Now I want to talk about how we deal with authentication, authorization access control. We don't manage that platform, we actually deal with policy.

We help guide these teams with policy when it comes to security. We have a whole identity access management team, we have a Windows team, we have Okta admins, we have user administration but they all don't fall into security. We develop policy, we guide them, we help them with controls, we put those things in place.

I think with this structure it's become a natural partnership between us and IT in general. We focus on security controls and we focus on being really good at security policy. That's our expertise. With this partnership, IT essentially has their expertise. They work on the integration piece, they work on maintaining operations and allow us to work together and really build a great picture together.

Now we want to talk about where we are. We've really just started looking at Okta in the last five months from a security perspective so we're still new on our journey. I think we've done a lot to get to where we are today. We continue to grow those internal relationships with IT.

What that means is we're starting to work with IT to scope our multi-factor authentication as well as Okta Mobility Management. Again, we're going to enforce policy, we're going to guide the decision but ultimately IT is going to implement the solution. Again, we’re going to work together and make sure that we get a good experience for the employee out there.

The next thing is our drive to secure applications. What that means is our company is trying to enable developers and enable our employee workforce to work from anywhere. With that they’ve started to take applications that have always been internal and expose those to the internet. Some of those applications don't have strong security controls around them so it increases the risk to GoDaddy.

What we've done is we've forced integration with Okta so that we get MFA; we get detailed auto logging with those applications that are now exposed to the internet. We can be more confident by deploying applications out there that our employee population can use.

Another thing we've done, because we didn't do MFA across the board, we haven't, mass enabled it, is any time there's an incident and an employee’s credentials are compromised or the work station’s compromised, one of the steps we take is enable MFA on their account right away.

That's the slow rollout of MFA across our environment. We're going to continue that path going forward; we're going to work with, again, our Okta administrators to figure out how we enable that across the board. Potentially use a duct of MFA within our environment.

A couple of those things we've done, I think that are interesting around securing the applications is, we have some internal applications, they’ll have authentication built in. We use ELK for SIM. Cabana doesn’t have authentication built in unless you purchase the product from elastic.

We built some proxies out in the environment and tied those into Okta. Now not only do we get MFA, we get authentication, we get auto logging into out log data. That's important for us because we are a PKI provider. With that, we get strict restrictions around who can access PKI log data.

Because of Okta we can now segregate who gets access to PKI log data, who gets access to all general information. I think that's a big win. Putting Okta in front of open source applications which we use pretty heavily within our environment. Another thing we're starting to do is integrate Okta with our VPN solution.

Being able to give users push notifications on their end points enables the user experience and makes it easier to connect to the corporate network. This is also starting to drive the retirement of our current MFA provider. Ultimately we’ll save money. I wanted to upon logging activities.

I mentioned before that we use ELK as our seam. We have a pretty sizeable environment as far as log data goes. As far as COS goes, when you're looking at spunk, it's just out of our realm. We've built our own custom ELK solution. One of the first things we did when we started integrating with Okta was we wanted to get that data from the Okta portal into our ELK stack.

We developed a custom plug-in for log stash that essentially hits events API on a pulled interval, pulls that data into Okta or into ELK. Along those lines we also enrich that data. We add GOIP information to that and we also normalize the data across our infrastructure.

What I mean by normalizing the data is, any event that comes in that has a username tag to it, we take that field and we actually normalize it to use our ID. We do the same with Okta. Our incident responders, when they're looking at ELK they can say, “Give me the user ID of this username and then it'll pull up all the access requests from that username.

We build that whole employee behavior model for our instant responders to quickly look at things. This is where we want to be. Again, we started our journey, I think we've done quite a bit in regards to Okta but there's a lot more that we can do. As Jason alluded to earlier, global MFA, we need to enable that across the board.

We're trying to find ways to justify that to the business and also make it easier for the user to adapt. Jason also alluded to this a little bit earlier. Increase the granularity of the Okta Log data that we're receiving. Ideally we’d love to have the device name within the Okta Log.

We can take that information, compare it to our CMDB and essentially start identifying rogue devices that are connected to our network. That'll help us understand how many rogue devices are connecting and how can we put controls in place to secure those end points?

Finally we want to continue to enrich Okta Log data. Since we have a lot of flexibility within our ELK stack to develop plug-ins and custom [percers 00:26:29], we want to start maybe pulling in threat information based on source and destination IP as well as reputation information based on source and destination IP.

That'll give the instant responders more context when they're actually into an incident and looking for compromises across the infrastructure. Another thing we want to do I we’re moving [Alasik 00:26:50] search to basically a new infrastructure so we're revamping that.

One of the modules we've purchased is machine learning. If we can normalize our log data enough and make it consistent across the board, we can start applying machine learning analytics to it and start identifying abnormalities with user behavior or employee behavior. That's the IT guy answer.

Jason Biak:  I'm going to talk about the non IT guy answer here in a second.

Seth Paxton:  Another thing we're looking at doing is, like Jason said, we manage the physical access control system so the badging system is one of the things we manage. I think it'd be really interesting if we grab that badge data and put it into ELK because then we can look at where is the user’s physical location in correlation with Okta's login location information?

Then we can start saying, “Okay, is this user logged in or badged in at Scottsdale but it shows they're logging in from the UK? There's a potential compromise there. WE can build a lot of automation learning around that to start identifying those pieces. Now I'm going to hand it back to Jason. He has some really interesting thoughts on the physical security side and employee safety side.

Jason Biak:  It's really interesting. I’ll tell a funny story when I took over this team and one of my instant responders, we had an end point with some suspicious activity in India. I go in there and I say, “Okay, great, what are we doing?” I'm thinking like a cop, we have a guy in a room, then we lock the room, then we call somebody or are we going to get the guy out of the room?”

My employee said, “Well, I set a search to run in Taniumto tell me when the device is online.” I said, “Well, did you pick up the phone and call the user?” “What?” Like, they're an employee, pick up the phone. They're green on Lync right now, literally. Just type, “Hi, are you there? Can I get into your device real quick to check something out?”

That's the vision and the culture struggle on our team because IT people think about IT. They put their head in the computer. I look at all this data and say, “Man, what an amazing just body of work that I can play with and use.” We talked about some things like access control.

We have physical access control; we bring that into our seam. What about concur data, what about travel data? Now I can say, “What about their HRM, what about work day data?” Now I know where the employee is supposed to sit, I know where they badged into, I know where their travel itinerary is supposed to be and I know where they're accessing the network from.

Now I have four data points that I can play with. I don't have to just say … It's not IFTT, it's pretty simple. You just say, “Wait, now I have three or four things.” Because what's that going to help us do? That's going to reduce the number of alerts. It's pretty funny how these things translate one for one when you actually straddle the line between the two organizations.

I got to GoDaddy on the physical security side. Out of I think 450 badge readers. We have 500,000 alarms a year. I'm like, “That's just noise, it doesn’t tell us anything. We have to get that number down.” How do we get that number down? You have to attenuate it.

It's the same thing here. If you have more sensors, you have more data points; you can drive that number down. One of the use cases that I'm really excited about … Part of what we do is duty and care and international travel. If anyone remembers the Nice attack it was shortly followed up by the Munich attack last summer I guess.

We had two employees, actually according to our concur data we had one employee going to Munich or Frankfurt and then Munich. We pick up the phone and call him after the Nice attack and say, “Hey, listen, this is what's going on. There's going to be more cops where you go, there's some issues, prepare yourself.”

He goes, “Okay, what about the guy sitting next to me?” Because the guy next to him hadn't booked in concur co we didn't have visibility on that. There's another data point that we're going to worry about. We want to account for those employees that book outside of our travel system.

Now these guys get to … I think they were going to Frankfurt. One of the employees, his family was flying out and they were going to go to Munich the next day. That's when that Munich truck attack occurred, or some attack occurred in Munich. I don't remember now. It's pretty scary that they're all going together at this point.

If we had had Okta Logs that were enriched, we could've quickly … Because we couldn’t get them on the phone. He changed his SIM card so that his phone will work in Germany. Now we can't contact him. Now if we were able to quickly get into our Okta logs and see when was the last time he accessed the network, where from and could he have possibly travelled to Munich from Frankfurt in that time?

No, okay, check him off the box, we can assume that he's safe. It's about taking that data and looking at it from 360 degrees. Not just saying, “Okay, there's some unique user behavior activity” … Seth laughed when he said it. I don't believe in that term. The term is employee behavior.

Because there is a human, that human has hands and legs and a physical badge and a car and they go places and they do things. If we don't account for that, that's the gap. When you see these conversations about physical and cyber collaboration, there's still going to be those gaps in the middle.

You have to overlap them in a van diagram to truly close those gaps. Whether that's the model that we take which is one team in one organization which is pretty easy because when they hired me I reported to the seesaw. It wasn’t really a turf battle. In the other model there's two near peers that are communicating and collaborating.

I think it could go either way. It's really important to call out like Seth did. We do have four other GoDaddy employees that are at this conference and we wouldn't be doing any of this without them. We're the people that jump into this tool from a security perspective and say, “Hey, can you help us out and think of this? Can you help us out and think of that? Can we get this policy going?”

I'm sure like everybody in the room you’ve all got unlimited resources and manpower and budget so you could do whatever you want with whatever you need. Including me and I really wouldn’t include me as a resource because I don't know how to do half this stuff. We have nine people for all of that, for the entire globe.

That's how we have to get there. We have to quickly look at this data, we have to evaluate it, we have to be able to action it. It's one thing to; circle flashing red, hey there's a problem. What are we going to do when that circle flashes red? How are we going to resolve that issue quickly and efficiently?

Unfortunately I think we're about seven minutes ahead but we're also the last one of the day. Would anybody be truly upset if we called it a couple minutes early? I'm sure Joe can talk or whatever.

Joe Diamond:  Definitely, no problem.

Jason Biak:  Actually there are a couple more slides.

Joe Diamond:  There's no more slides here.

Jason Biak:  There we go.

Joe Diamond:  Maybe it's a slide of a logo. We purposely left this as a pretty tight session for you guys because we figured all of you guys are starting to build some programs here and trying to figure out how do we go down on some more path and how do we actually extract some insights that are actually actionable and useful from the soft data? If anyone has any questions for Jason, Jason or Seth, please go ahead and come up to the mic in the middle here and let's tackle those questions.

Speaker 1:  Who's first up? Thank you.

Audience:  Two questions. One, you were talking about from [inaudible 00:33:58] perspective, identify, protect, detect, respond. You were talking about your ability to detect your sock monitoring pilling it all into your seam tools. What about correlating the physical data with the cyber data?

Which is critically important when you start to talk about threat and vulnerability management. From a TDM perspective, you’ve got all this threat information. You talked about how all your attacks were coming from a single IP so you were able to blacklist that IP.

As you begin to get all of this data it gives you a view into it but what about your ability to take, if from a TDM perspective and from a response perspective as well and say, “Hey, we've got a high likelihood that these IOCs are showing us that these are actors that we want to lock out from our system.

How do you then translate it into your response which is still seems like is a very automated response calling up the support to blacklist or something like that. How do you begin to take that rich data and begin to automate your response capabilities as well to say, “Hey, we know this is a bad actor, let's completely lock them out of our systems; across Okta, Across Palo alto, across that sort of environment?

Seth Paxton:  Since we started this Okta journey we haven't gotten that far but in the rest of our organization we have. When it comes to DDoS, 99% of our DDoSs are automated and blocked. What we've done is we take data from our IDS sensors, all these different systems and we automate the blocks through APIs that we built internally.

That automatically blocks bad actors. We've even went so far as building custom software to block whole IPs from that perspective. We already have that infrastructure in place and we already have that monitoring and detection in place as well. We need to get more mature around more sophisticated alerts to actually enable that.

We already have that infrastructure. All we have to do is essentially read the data that we already have in ELK and hit an API. It's simple as an API call that we've already created and a block for the IP.

Audience:  A quick follow up to that is how do you then keep that pressure? How do you know when to deprecate a threat line and when to renew on your pressure?

Seth Paxton:  Yeah, so we have policies already that will release the IP after a certain amount of time. If that IP is another bad actor it'll trigger it again with another DDoS system. We’d have some mechanism in place to do that, so yeah.

Jason Silvera:  Hey Jason, can I steal Seth? That's a great guy.

Jason Biak:  No.

Jason Silvera:  I'd really like to do some of that at Informatica. I got to say, that's exactly where we need to be at.

Joe Diamond:  I don't know if we're supposed to poach on stage.

Jason Silvera:  Sorry.

Jason Biak:  To answer your question too, one thing that I … The only thing I was going to say on it. When they asked us to do this we were joking. We said, “Hey, we’ll get up there and talk but I tell you, it'll be a really good presentation next year.” Honestly that's the maturity level. I think the key is that is you have that vision, you can execute on it. Yeah, no you can't have him.

Jason Silvera:  Crib notes, that's what we need. We need the cliff notes version. I think this is one of the greatest things about all of these conferences. When you get a large group of people together and you get these smart questions, you get to hear from other companies exactly what they're doing to advance their posture.

Those are the crib notes I need; I need those cliff notes because that's how we're going to continue to push things forward, that's how we get that vision, that's how we recognize our own gaps. People say all the time you don't know what you don't know. That's why you find other smart people to learn that lesson and figure it out.

Jason Biak:  You can also choose us over Wicks because of all that.

Joe Diamond:  Yeah, please. Wow nice. Shameless plugs. Go ahead, another question.

Audience:  Yeah, I had a question related to some of your third party outsource SAS solutions as far as how do you ingest security events from infrastructure that's not on prem? How do you transport that securely over the internet as a transport and how do you secure those events getting back to your seam?

Seth Paxton:  Yeah, so-

Joe Diamond:  Consistently?

Seth Paxton:  Yeah. Since all that data’s already centralized in Okta, we just use Okta events API to pull it. That's where we're at today. Eventually I think we need to move the SIS Log portion of it which I believe is encrypted and we can store that locally. We've just started with Okta but when we start moving data cloud providers like AWS and Google, they have the same mechanisms where they can offload that data and we can transport it over TLS or SSL. That's the idea at the end of the day.

Jason Silvera:  I will say that's exactly what Informatica does for all of our SAS providers. One of the major questions whenever you're on boarding a new application that's going through an enterprise review and infosec review, we ask that question, is there seam integration?

Can we get the logs of the application directly into our seam tool right away? We can use that with Okta's data to crosscheck and say, “Okay, we see that this person authenticated at this time. We know they’ve got an 18 hour session.” We see about nine hours into the session, that was a huge download that kicked off and then nothing happened again.

Then all of a sudden you realize, first thing in the morning, that's when the data is accessed. Because they kicked it off in the middle of the night, the let it all download. By having that seam tool integration at the application level we get that visibility. You start to build that employee behavior. I think that's a great word for it, a great term.

Jason Biak:  We comprehend.

Jason Silvera:  Yeah. I'm now saying crib but maybe this is what we have to do here.

Joe Diamond:  Any other questions?

Speaker 1:  Yeah.

Audience:  In the industry that we live in, businesses make very careful decisions in regards to where their infrastructure goes. Be it from virtual to physical, from on prem, to cloud. Interestingly enough, the cast majority of our customer’s or accounts out there are still using legacy MFA solutions.

At some point you guys had light bulbs go off and say, “Hmm, you know what, MFA for just VPN isn't going to cut the mustard anymore. We need to do more advanced multifactor.” What was it that happened to make you consider something like an in cloud MFA solution?

Then why Okta versus other vendors that may basically position their MFA as free as part of EAAs and so forth? I'm just curious with regards to what your thought process was because there's a lot that we could learn from your experience.

Jason Silvera:  I’ll take that real quick. To start with, Informatica recently made a complete switch. We had been an RSA house. Everybody out there has heard of RSA. Secure ID is the defacto standard for a lot of the on premise and multi factor environments. It really did come down to cost and usability.

All of a sudden you have to make this judgment call of what's the feature set that we're getting out of our RSA solution? What's the feature set that we can get out of Okta verify? What's the cost point per user, licenses over time? All of those things, they come into the equation.

Having that on premise system … Because RSA is a legacy system and it is on premise. Eventually you have to recognize there's an upgrade cycle, you have to keep these things up to date, you have to upgrade the servers, you have to upgrade the software and all those things bake into that cost and time.

Again Informatica has pushed the cloud. Focus on cloud first meant that the first thing we had to do was se, is there a cloud provider for MFA that will fit our bill, that meets our feature set that is secure in the way that we want it to be? We went with Okta verify and completely decommissioned RSA environment.

Jason Biak:  We didn't make that call. Plain and simple, it was an internal IT choice. What I will say is that when Seth and I sat down and talked about how we're going to do this … I revert back to my history which is you do the small things well. We invested in this infrastructure and we're going to do that well before we ask for anything else.

That's always going to be my point. We're going to protect the end point with a solution. We can talk about that offline if you want. Then we use Okta in the middle. We made a conscious decision that we're going to learn everything there is. That's why we're here today.

We picked up the phone; we called Barb and said, “Barb is there any training that comes with this?” She's like, “Yeah, here, go to Okta admin training.” “Okay, great.” “Is there a conference?” “Yeah.” We didn't expect to talk at it but thanks for the room.

Joe Diamond:  My pleasure.

Jason Biak:  I think that's the key point. The company invested in it, we're silly not to.

Seth Paxton:  Yeah, we're in the same boat, we still have RSA in the back end and we're still utilizing it across our infrastructure specifically on VPN. Again, like I mentioned, we're all in with Okta as an organization so why use both? Why not continue on with Okta and then retire RSA? Which is what we're going to do, save money.

Jason Biak:  To increase our posture.

Seth Paxton:  Increase our posture, yeah.

Joe Diamond:  I want to thank you all for taking the time to attend this session. We all hope that you guys extracted a lot of value from this. I also want to thank Jason, Jason and Seth for leading this discussion with us. If you guys have any questions after we're wrapping up here, feel free to pop on up and we’ll answer whatever it is you guys have in mind. Thank you everyone, appreciate it.

According to Verizon’s 2017 DBIR, 8 out of 10 breaches involve stolen or weak credentials. Clearly, authentication and identity play an important role in an organization’s security strategy. Learn how two companies, Informatica and GoDaddy, are using authentication data to help detect and prevent compromises as well as leverage this data in incident response processes and overall security.