Conf42 Observability 2025 - Online

- premiere 5PM GMT

Access is the New Breach: Why Observability Must Start with Identity


Abstract

Access is the new breach. Yet most observability tools ignore who’s doing what. This talk shows how to integrate identity into observability—so you can detect privilege misuse, insider threats, and audit violations before they become headlines.


Transcript

This transcript was autogenerated. To make changes, submit a PR.
Observability without identity is like using maps without landmarks. No matter how detailed you are, you can never get to where you are going. My name is Cynthia Akiotu, a cyber security analyst, and I'm happy to be here today presenting this intriguing topic: Access is the New Breach. Why observability must start with identity. I would like to ask this question. When last did you conduct access reviews in your organization? Or how often do you conduct access reviews in your organization? Is it automated? Is it manual? Or do you not conduct them at all? I would like to tell you to try and conduct access reviews, and you might just be surprised at what you will find in your system or within your environment. The blind spot in today's observability. Most observability tools we use in our organizations are good at checking logs, metrics, traces, like your downtime in the system, or a spike in your system, checking the system health, checking the server health, but there's a missing link. Can these observability tools or these logs also show who did what? Was this downtime a result of the activity of a particular user? Were these spikes in our API a result of elevated permissions or privilege misuse? So this is the blind spot in today's observability. In most observability tools we are seeing these beautiful logs, these metrics, these dashboards, but there's no identity context, there's no synergy between the traditional observability tools and our identity and access management tools. And this creates a big vacuum in organizations. Those days we invested so much in firewalls, perimeter security. But now, identity is the gateway and the entry to our resources. This brings me now to this. Identity is the new perimeter. Identity is the real attack surface. Identities were attributed to just humans or human users.
Now we have managed identities, we have service principals, we have bots in our systems acting on behalf of users. With the complex nature of our technology landscape and the advent of artificial intelligence, we've seen lots of things, heard lots of things like AI agents working in our systems, bots working in our systems, and all these now have identities. Hackers no longer initiate malware. They are logging in and moving; they log in secretly and move laterally within our networks, our perimeters, without getting noticed. About 80 percent of breaches now are related to identity. We have the most common identity-related breaches. We have insider threats. As they always say, we are as strong as our weakest link. Insider threats are employees, vendors, third parties affiliated with organizations who may innocently or even maliciously gain access to our sensitive information and leak it out, or use this information in our organization to the detriment of our organizations. Unauthorized access. We have audit violations and privileged misuse of rights. This is the most powerful one, where an admin can elevate his or her rights and use it to conduct something malicious within our organization. I'd like to give an example. In May 2023, I think, to be precise, ex-employees of Tesla leaked or divulged sensitive information of employees, about 700 employees in the organization, to the media. This personally identifiable information included names of the employees, their social security numbers, payroll data. As you can see, these are employees who had access to secret and confidential information and then used those privileges to gain access to the sensitive information and violated the company's policy. Because I know normally as an employee, when you join an organization, you should be happy. OK, now we are going to see how to make sure that we sign some agreements or non-disclosure agreements and all that.
So this is how we see the easiest way to our perimeter. It's our identities. I'd now like for us to see the visibility gap between our identity and access management tools and our observability tools. I like to put this quadrant here. In this quadrant, as you can see, we have the identity visibility and risk awareness. The identity visibility, basically, is we are aware of the identities in our systems. We know their names. We know the credentials of these identities. Then the awareness, or risk awareness, is we can easily monitor our systems. Are the systems monitored? Can we monitor our activities within our systems? But now the main thing this quadrant is looking at is the likely challenges we may face when there is no synergy between our identity and access management and observability tools. The first quadrant, which is at the top, the green one, I like to call it the known known, but I call it the visible fortress. Why do I call it the visible fortress? Because the identity and the observability tools are working hand in hand. We know what users are in our systems. We know what they are doing. We know the resources they are accessing. We can track their activities. That is the known known. And sometimes some people call it the safety net. But also, even within that quadrant, the known known, there is the risk of overconfidence. Yes, because sometimes you feel you have the right policies in place: we have onboarded our systems properly, we have different signals, devices are compliant, we have our identities all in place, we have good lifecycle policies to see when an employee is in the organization and when he exits the organization after changing different roles. But there's also an issue of complacency, where an organization becomes so relaxed and then forgets to monitor or conduct continuous access reviews of the systems. In 2022, an employee in Uber got compromised as a result of MFA fatigue, multifactor authentication fatigue.
She was sent this login approval prompt several times, until she clicked that link, and that exposed Uber. So the identity of the user was known. The systems of course were monitoring activities, but at that point it would be difficult, because the issue is: will the system flag this, flag the identity as an illegitimate user? It was tracking these activities without knowing that the system had been breached. Let's go to the right, the top right quadrant, which is the known unknown. I like to call it identities living in fog. Imagine handing the keys to someone, or giving the keys to your company, or let's just say you have a small office with several rooms. You give the keys to that office to a friend. Immediately you give that key to your friend, you don't even care what rooms your friend goes to check. You don't care what wardrobes your friend is checking, what files in your company or your house your friend is checking. So this is what I call the known unknown. The identity is known, but you are not tracking or monitoring activities in your system. With the use of AI, artificial intelligence, we have shadow IT now. Employees downloading AI, large language models, let's say for example ChatGPT, and using them for daily tasks in the organization without being noticed by the IT departments. There might be data, there will be data exfiltration, where these employees divulge sensitive information into these large language models. This is a big risk because I call it the familiarity bias. You are familiar with these identities, oh, these are my employees, but the activities of these employees are not being tracked. That is where you have untracked software as a service. There's free software on the internet. An employee sees that software on the internet, downloads it, and uses his office credentials to access these resources without being noticed.
Let's go to the bottom quadrant to the left, the unknown known. The unknown known, I like to call it the ghost access, is basically like seeing your infrastructure on a dashboard on fire without knowing who lit the match or without knowing the cause of the fire. This is the unknown known: the unused roles, misconfigurations, policy gaps. Recently a retail company, yeah, I think Marks and Spencer, was breached through a third party. And this is because it wasn't known that it was through the third party. Through the third party, hackers breached into Marks and Spencer's systems. And this was a ransomware attack. Marks and Spencer were experiencing some fluctuations within their systems without knowing what exactly caused these fluctuations. So this is a case of unknown known. The biggest headache of CISOs is the unknown unknown. I call this the invisible people, or invisible identities in visible spaces. This is where we can't identify who is accessing the system, neither can we monitor this. For example, I would like to give an example. Recently, the Legal Aid Agency also experienced a breach where their system was accessed and hacked, breached, with personal information, personally identifiable information of people requesting legal aid exposed; information for the past 15 years was exposed. This was difficult for the Legal Aid Agency to know because at that time it was an antiquated system, an abandoned system, so there was no way they could even track or know what was going on. Another recent one is the case of NHS Trusts, where through a vulnerability in their third-party endpoint manager, mobile device management, they were also hacked as well. And then these hackers gained access to information about the devices, the mobile devices, the IMEI numbers, and even tokens as well, which could even be used in the long run for impersonation.
So now we can see the risk of this: when there's no synergy or interaction between our identity and access management and observability tools, it provides a big vacuum in our organization and an easy way for hackers to gain access into our systems. I understand that many organizations are looking at investing in identity tools, identity and access management tools, observability tools, but let's not also forget that there are lots of barriers that have hindered this. Organizations operating complex infrastructure, like you have a hybrid system, you have on-premise systems, you have some in the cloud. So it's difficult to manage. You have your Active Directory somewhere. It's not synchronized to your Entra ID. Or, I gave an example where about 60 percent of organizations state that they have 21 disparate identities per user, information or systems in silos. They are not even communicating with each other, or we have a security incident and event management tool which is not communicating with the identity and access management tool. Let's not also forget costs. Cost is a big problem, because sometimes when we purchase this cloud infrastructure we are told we need to purchase licenses. In the long run, we are also told, oh, there's an add-on license we have to purchase. So this keeps incurring costs, or we keep incurring costs in our organization. But if you look at this cost, sometimes some organizations may want to invest in these tools, but step back until a breach or a security mishap happens. And then they are now on their toes on investing in this infrastructure. So these are big barriers in our identity-aware observability tools and operations. So how do we observe access before it becomes a breach? The first thing I will say is to always correlate identity with system events.
Let your identity and access management tools, let your logs and your identity and access management tools interact. For example, you have your Microsoft Sentinel, your Entra ID; you should have these tools communicating. Audit permissions in real time. This era we are in is no more about static role-based access controls. Now permissions should be audited based on several signals: based on location, device compliance, the identity of the users, all these brought together, and this should be done in real time. For example, before a user signs in, there should be something to assess the state of the user at that point in time before that user can access any resource. There should be detection of insider threats. Incorporate tools that can easily check for the use of shadow AI. Incorporate tools that can easily scan our systems and see different resources that are not meant to be used in our environment. Incorporate tools that can implement data loss prevention in your organization to avoid exfiltration of sensitive information. Align with Zero Trust. As I said earlier, identity is our new perimeter. So we should always assume breach and always verify every identity before they can gain access into our resources. And of course, we should enforce least privilege compliance. We do lots of, we have DEVRA compliance. For our health, for example, we have HIPAA, we have GDPR, we have NIST, we have many of them. We should be compliant with these rules and regulations. And this will also help us in auditing and checking for loopholes in our organizations. This will help us check out and review our assets and see what is lagging behind in our system. I wouldn't want to call names, but we have lots of tools that we can use now in our organizations. We have Microsoft Defender for Cloud Apps. You can use it to scan your cloud environment to see what applications are being used in your environment.
We have Sentinel, a good security incident and event management tool. We have data governance tools, data governance and compliance tools like Microsoft Purview. But I know the thing I would like to say is it's not about having these tools; it's about knowing that we are sure these tools are interacting with each other and are not in silos. I have stated all these frameworks, but at the same time, let's also know that this is not like a hundred percent, where your system wouldn't be breached in any way. That is why there should also be a need for good incident response. We should be able to contain and recover quickly from any breach that happens in our environment or in our organization. Mature cyber security isn't about how many attacks you stopped or how many cyber attacks you've been able to manage. What it is also about is how you are able to contain and recover from any form of breach you experience, because some of these breaches are actually unavoidable. For example, I gave an example about NHS; NHS Trusts encountered a breach as a result of a vulnerability within their third-party mobile device management software. So that is why we all need to think about having a good incident response plan in our organization. I'll also now draw attention to this: let's take time in our organization, let's rethink our observability, our identity and access management, because access isn't a checkbox anymore. It is now an attack surface, and observability without access is like security theater, because you are just watching without knowing who is accessing your resources, what activities are going on. So I would like to say with this, I enjoin everyone to look into this, look at the organization, check what is going on and how to improve in an identity and observability aware environment. Thank you.
...
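The talk's first recommendation is to correlate identity with system events so that a dashboard spike can be tied to who did it and under what conditions. The following is an added example, not the speaker's code, that joins constructed system events to constructed sign-in records (hypothetical field names) and flags three of the patterns discussed: activity from an identity with no sign-in behind it, privileged actions from a non-compliant device, and an MFA-fatigue approval preceded by repeated denials.

```python
from datetime import datetime, timedelta

# Constructed sign-in records as an identity provider might export them (hypothetical field names).
SIGNINS = [
    {"user": "alice", "time": "2025-05-01T09:00:00", "device_compliant": True, "mfa": "approved"},
    {"user": "bob", "time": "2025-05-01T09:05:00", "device_compliant": False, "mfa": "approved"},
    {"user": "carol", "time": "2025-05-01T22:00:00", "device_compliant": True, "mfa": "denied"},
    {"user": "carol", "time": "2025-05-01T22:01:00", "device_compliant": True, "mfa": "denied"},
    {"user": "carol", "time": "2025-05-01T22:02:00", "device_compliant": True, "mfa": "denied"},
    {"user": "carol", "time": "2025-05-01T22:03:00", "device_compliant": True, "mfa": "approved"},
]
# Constructed system events: the "what happened" side that observability tools already collect.
EVENTS = [
    {"user": "alice", "time": "2025-05-01T09:10:00", "action": "read_report", "privileged": False},
    {"user": "bob", "time": "2025-05-01T09:20:00", "action": "grant_admin_role", "privileged": True},
    {"user": "svc-legacy", "time": "2025-05-01T03:00:00", "action": "export_db", "privileged": True},
    {"user": "carol", "time": "2025-05-01T22:05:00", "action": "download_payroll", "privileged": True},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def latest_signin_before(signins, user, event_time):
    """Most recent sign-in of `user` at or before the event, or None if the identity never signed in."""
    prior = [s for s in signins if s["user"] == user and parse_ts(s["time"]) <= event_time]
    return max(prior, key=lambda s: parse_ts(s["time"])) if prior else None

def mfa_fatigue(signins, user, before, denials=3, window=timedelta(minutes=10)):
    """True if the user's last MFA approval before `before` was preceded by >= `denials` denials in `window`."""
    seq = [s for s in signins if s["user"] == user and parse_ts(s["time"]) <= before]
    approved = [s for s in seq if s["mfa"] == "approved"]
    if not approved:
        return False
    t = max(parse_ts(s["time"]) for s in approved)
    return sum(1 for s in seq if s["mfa"] == "denied" and t - window <= parse_ts(s["time"]) < t) >= denials

def correlate(events, signins):
    """Join each event to its identity context and return (finding, user, action) tuples."""
    findings = []
    for e in events:
        t = parse_ts(e["time"])
        s = latest_signin_before(signins, e["user"], t)
        if s is None:  # activity with no sign-in behind it: the talk's "unknown unknown"
            findings.append(("unknown_identity", e["user"], e["action"]))
            continue
        if e["privileged"] and not s["device_compliant"]:  # privilege used from a non-compliant device
            findings.append(("privileged_from_noncompliant_device", e["user"], e["action"]))
        if mfa_fatigue(signins, e["user"], t):  # the MFA-fatigue pattern from the Uber example
            findings.append(("possible_mfa_fatigue", e["user"], e["action"]))
    return findings
```

In a real deployment the two lists would come from the SIEM and the identity provider's sign-in log, and the join key would usually be a session or correlation id rather than a bare username.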

Cynthia Akiotu

Cyber Risk Analyst @ Tesco Bank

Cynthia Akiotu's LinkedIn account


