
Intro  0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.


Jodi Daniels  0:21  

Hi. Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies. That’s your turn. Indeed. Do you remember who you are? Thanks.


Justin Daniels  0:40  

So hi. I am Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.


Jodi Daniels  1:04  

And this episode is brought to you by (no one can see a finger pointing) Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more, and to check out our best-selling book Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Today is going to be a security-focused podcast.


Justin Daniels  1:47  

Is that exciting for you?


Jodi Daniels  1:50  

Well, you enjoy those because you’re the He Said Security.


Justin Daniels  1:54  

I think you should be like the She Said Ad Tech.


Jodi Daniels  1:56  

Well, that’s a whole totally different kind of podcast, so we’re going to stick with the She Said Privacy and He Said Security. So you got to introduce our guest today.


Justin Daniels  2:05  

Okay, well, let’s get to our guest. So today we have Jasson Casey, who’s the CEO and co-founder of Beyond Identity. Beyond Identity is the first and only identity security platform built to make identity-based attacks impossible. With 20-plus years in security and networking, Jasson has built enterprise solutions that protect global organizations from credential-based threats. Welcome to the show.


Jasson Casey  2:31  

Thank you for having me.


Jodi Daniels  2:35  

We always like to start with, how did you get here to co-founding Beyond Identity? So tell us a little bit about your journey.


Jasson Casey  2:41  

Let’s see, the abridged version: my first decade of work, I worked in telco and big data network infrastructure, so think designing and building routers and firewalls, but application-specific routers, firewalls and proxies. That got me into an area called Software Defined Networking, which is: how do you leverage as much as possible about the hardware in general scenarios to make the software go fast? I fell into some really interesting analytics problems at that time. Ended up working and running engineering for General Keith Alexander, the former longest-serving director of the NSA, working on a really interesting problem, which was: find the needle in the needle stack. Made my way up to SecurityScorecard. Was a CTO there running a similar sort of problem, kind of global-scale data intelligence for companies to manage their third-party risk. And you know, through that journey, it became really, really evident that the top three things that decide whether a company is going to have a bad day, whether you want to call that a breach or just a flood of security incidents, are: how does the company manage their identity stack? How do they manage the security of the devices that their workforce uses to connect to their services and data? And that was about the time that I met Jim Clark and TJ and Nelson and Mike, and we started the company back in 2019.


Jodi Daniels  4:09  

What a fun and interesting story. It’s always my favorite part. I know we’re supposed to actually talk about privacy and security, but I really like the career journey.


Justin Daniels  4:23  

See, so Jasson, Beyond Identity was built to eliminate identity-based attacks. What’s broken about traditional identity and authentication methods, and what makes your approach different?


Jasson Casey  4:36  

So what’s broken? When you think about it, you read about breaches every day in the paper, right? This company has been breached today. That company has been breached the day before. Before an event becomes a breach, it’s a security incident, right? So, like, not every kitchen fire burns down your house, but some kitchen fires burn down your house. Every kitchen fire is something that you don’t actually want to have. Enough, right? You want to prevent kitchen fires. They are timely. They’re costly. They soak a lot of energy. In the corporate world, this is a security incident, right? Security incidents are things that you are forced to respond to, and the number one cause of security incidents is the identity system of an organization. So you may not think of this often, but every time you log into your work, every time you access a service related to work, every time you touch a piece of data, you’re actually going through an identity system to get that. Now it doesn’t matter if you’re an employee or a contractor. It doesn’t matter if you’re working on work-managed devices or if you’re working on a BYOD device. In all cases you’re going through the identity system to touch that service or data. And according to Verizon, they have this thing called DBIR, database of incident response, the Mandiant threat report, or CrowdStrike’s. That report, 70 to 80% of all security incidents are kind of a failure of this identity system. So, like, identity really is the number one cause of these problems, and we think at a high level, the reason is, identity was built around a concept of productivity. How do I get you to work fast, right? How do I get you to work fast doesn’t really have a lot in common with how do I make sure I don’t get the bad guy to your work fast too.


Justin Daniels  6:17  

So, Jasson, on this identity access management, I’d be interested for your take on how this evolves, because look at all the money that banks, insurance companies have spent on voice, identity access management, authentication. On top of that, I literally was able to make a deep fake of myself on Gemini, Google’s AI, with a picture of myself, and I sent it to Jodi, and it wasn’t that great, but I did it in like four minutes, yeah. How do we respond? I mean, it’s like, it’s evolved so quickly with identity access management. How does, you know... how do you, as a professional, and that’s... how do we respond to this?


Jasson Casey  7:03  

Yeah, I think it’s a great illustration of, like, a mismanagement of the problem. So let’s talk about the problem a little bit. The AI is this amazing tool that is the ultimate mimic, right? With AI, I can sound like you. I can look like you and I can write like you, and this is a great productivity tool, right? Like I can actually get an editor and help me write faster and write better. Did you know I don’t speak English? I only speak Spanish. This real-time AI translation is great, isn’t it? You probably also can’t tell I got kicked by a horse this weekend, and so I don’t want you to see all of my bandages and my black eye. I’m using a real-time AI engine to mask that. These are all real applications that already happen. Look at a company. They’re called Deep Voodoo. It’s a company started by the same guys that did South Park, and it is using the exact same technology, not to deep fake anyone, but to actually lower the cost of production in movies and film. And it is real time. It’s real-time audio, and it’s real-time video. And there are many other examples of this. So you think about security, and you think about, well, how are you going to handle the mismanagement of this? And you can see a ton of companies actually building deep fake detectors, and we think that is kind of a miscategorization of the problem. Like, is this a deep fake? What is the utility of asking that question when I don’t even speak your language? Like, of course, there’s an AI engine translating me in real time. What is the utility when I’m using it to cover up my black eye from my farming accident? Like, what is the utility there? So we argue that’s not even a good question to ask, and from a technical perspective, it’s also a bit of an arms race. Every detector can be used to train the next generation of generators. So we think a better question is, who is this coming from? What device is this coming from?
What level of assurance around identity and authentication can I get with what’s actually going on here? And that is a solvable problem. It’s solvable in what we call a deterministic, not a probabilistic, way. I’m not telling you that 80% of the time this is correct with a confidence interval. I’m telling you that this feed, this may not be what Jasson looks like today, but this feed is coming from Jasson’s computer with the security controls that you would expect on Jasson’s computer, administered by Beyond Identity, and Jasson’s approved a possession and a biometric factor at the initiation of this Zoom chat. So, like, there are absolute ways of kind of leveraging the hardware around us to answer a different, but much stronger question of not, is this a deep fake, or is AI being used in the production of this content? But who actually is authorizing the production of this content? And we actually have the banking industry to thank for this. This is all rooted in technology that was initially rolled out in the support of mobile payments. When you pay for a cup of coffee at the coffee shop in the morning with your Apple or your Google phone, you’re actually using something called a Secure Enclave on that phone. It looks just like the enclave on your credit card. It has a little signing key. A receipt is sent over the air to your phone. Your phone will then staple two bits of information to that receipt. One is some sort of proof of a possession factor, right? Like, this is the key that was enrolled. And then two is some sort of proof of some second factor, right? Usually you put a PIN into your phone, or you smile and give the phone a biometric, right? And then it will sign over that whole thing with that private key in that local enclave and present it back to the merchant. The merchant will verify it with their bank, and, you know, the teller smiles and hands you your coffee.
That technology now exists in almost all modern electronics, and here at Beyond Identity, we leverage it to actually answer real security questions in a very kind of careless and useful way, to allow people to get to work, to allow customers to transact faster and to allow companies to also build out automation in a more secure way.


Jodi Daniels  7:03  

Let’s talk a little bit more about what that looks like, because you shared before, one of the big challenges is everyone’s trying to log in to their systems. I have multiple systems. I have my traditional login. How does the description that you just provided, and that kind of mobile payment technology, which you said that you’ve built in here... so what does that look like for a company whose employees are trying to log into all their systems? Where does Beyond Identity fit? And I’ll just, I’ll let you take it from there.


Jasson Casey  9:39  

So we’re an identity defense platform you plug up. So every company has an existing identity stack, and it’s probably based on a company called Okta or a company called Microsoft. Maybe you’ve heard of them. They have a platform called Entra. There’s also some players out there, like Ping and Google Workspace. We’ll plug into, or integrate into, that existing identity provider, and we basically add a defensive layer, so your end users will see Beyond Identity at the authentication screen, and we’ll take charge of the authentication. The user basically gets to do away with passwords as part of the process, so they don’t have to deal with that if the company chooses. But we guarantee that there will be no phishing-based access or security incidents, period, for any of those users moving forward. And we help the company answer the questions of, like, what user on what machine with what security controls is asking for what data for how long in what geography? And we can answer that question deterministically. Traditionally, that’s kind of a probabilistic question, and we can answer it using kind of that hardware-backed provenance that I described, that largely we can thank the mobile industry for introducing into mobile phones, and then we can thank the CPU industry for being lazy, which is not the right description, but they don’t want to build two things. They want to build one thing. So it turns out, almost every chip they build, whether it’s for a laptop, a workstation, a server or a mobile device, has a lot of the same common components.


Jodi Daniels  13:28  

That makes sense. Thank you. It’s really interesting. I do like my little double click when I go to pay for something with my Apple Pay.


Justin Daniels  13:38  

Well, I guess, Jasson, if you have this whole system with mobile payments, I guess you’re saying it’s not proliferating because other people just want to have one chip, or because of data breaches? You’re correct about what you said about identity access management. So I guess, how come the problem is persisting if you’ve got companies like yours that use this technology, or that the mobile payments industry seems to have developed and seems pretty mature?


Jasson Casey  14:04  

So you actually don’t have this problem of stealing mobile payment keys. What you have is this problem with people actually stealing user credentials or workload credentials. So the technology hasn’t actually crossed the chasm yet. I would argue we’re really the only company doing it the way I described, and we’re also a very young company, so we have a handful of customers that are using this technology, and we’ve actually got a couple of use cases, with several of them showing the rate of security incidents of these categories dropping to zero. But just to kind of mentally think about it, right? Like, most authentication today that people experience is based on something they share, right? You remember a password and you share it. You then get to that second screen saying, well, what’s your code? And you pull up your phone and you look to see what your code is, and then you share it. These things, as they’re shared, they have to travel, right? They travel through machines, and this creates an opportunity for someone to steal this data. Any piece of data that moves can be stolen, can be read either by an insider or a malicious third party. By transitioning this concept to something that does not have to move, right, a signing key, if you will, something that never moves, right, it’s hardware-backed and it’s device-bound, you actually remove the ability of credential theft. Like, it physically is not possible to steal it. And there’s some other things we do as well, because if the adversary can’t steal the key, then they may try and man-in-the-middle the connection and do something called a signing full attack. But these are actually solvable problems, if you solve them in the right way. And I would say we’re seeing early success in our approach, but it’s still early times.


Jodi Daniels  15:46  

I want to go back to Justin, what you were talking about with deep fakes and AI and Jasson, you had some thoughts on those questions. These are real challenges that people have today. So can you elaborate a little bit more on how your approach and the questions that you were talking about, companies can try and reduce the reality of AI deep fakes and trying to protect their environments.


Jasson Casey  16:12  

So you’re not going to reduce the rate of deep fakes. In fact, we’re going to see that skyrocket. What you’re going to do is figure out, how do I establish assurance that who I’m communicating with, or the data that I’m consuming, is legitimate and of the provenance that I expect? So it’s a slightly different problem. There’s a little bit of market education involved. But the answer there is, if I have device-backed, excuse me, if I have device-bound, hardware-backed identity, right, like I always know I’m talking to this person on this device with these security controls, it’s very easy to leverage or bridge that concept into: now, attest to this piece of data, attest that this piece of data is, in fact, coming from that person on that device with those security controls. And so what that means, in a practical sense, is we built plugins for Teams, for Microsoft Outlook, for Zoom. In fact, that’s what this green label is up here. And we built these plugins to where, when you plug us into your kind of productivity suite, we can actually start cryptographically signing this content, whether it’s real time or offline, so that when you consume it, you can actually understand, is this actually coming from Jasson’s computer? Did Jasson use a strong level of authentication when he generated or started the particular Zoom session? It’s a much stronger question to answer than, is this a deep fake?


Jodi Daniels  17:40  

My follow-on was going to be, today, if I have the traditional username and password, we have contractors who are bring-your-own-device. I might have a mobile phone. I might have my work computer. And so you do have people who are kind of flipping between devices. Can you talk a little bit about how does this solution recognize that, and maybe that’s part of the plugin that you were just describing?


Jasson Casey  18:05  

So in our system, we have an authenticator, and our authenticator runs on the device you’re working from. If you’re working on your phone, it runs on your phone. If you’re working on your computer, it works on your computer. Our authenticator does not require privilege, so our authenticator gets installed on BYOD. It gets installed on third-party devices. So, like, let’s say you have a consulting firm doing some work for you. It would be on their devices as they access your infrastructure, no different than how they would use an authenticator to access your infrastructure today. The only difference is, rather than pulling out a second device to get work done, it all happens on the device you’re actually working from. Because we’re hardware-backed and device-bound, every authentication actually produces a unique signature that is unforgeable and trackable back to that singular device. So the unique thing you get in our system is every authentication in your log you can track back to a singular person, a singular device, and the controls on that device in that moment in time. It doesn’t matter if it’s BYOD. It doesn’t matter if you manage it or not. We help you understand exactly what it is. And the way customers take advantage of this is they may have more sensitive information that they won’t allow access to under some scenarios. They may be a little bit more progressive, where they’re going to allow BYOD, but they’re going to expect responsible management of that BYOD. They’re going to expect certain kinds of good practices and security controls to be present. And as part of authentication, we’ll verify that those things are all true before, essentially, we provide access.


Jodi Daniels  19:40  

Thank you. Really helpful.


Justin Daniels  19:41  

So as we alluded to, you know, as I gave you those examples with AI and deep fakes, obviously this identity-based threat is really evolving. And I literally have a consult coming up next week with someone like, hey, how do we rethink handling deep fakes from a security perspective? From your standpoint, with your years of experience in what you’re doing, how are you suggesting that security leaders rethink not only identity access management, but more generally, what does security look like now that you’ve got to contend with deep fakes that could be on the internet of the CEO of a publicly traded company saying something that tanks the stock, and it was fake?


Jasson Casey  20:32  

So, a couple of things. Number one, I’d say the industry has spent the last 20 years focused on detection and response, and we’ve gotten really good at it, right? But detection and response is still being really good at putting out our kitchen fires. We now have an ability to actually prevent these kitchen fires. We now have an ability to actually change some of our architecture. So the number one thing I tell folks is to kind of rethink their assumptions of how they’ve organized security, their security architecture, their security operations, and their approach to it: how much of it is responsive, because that was the best tool that was available when they established the program, versus how much of it could actually shift to be more preventative today, right? Prevention is always cheaper than response. And then as we drill into some of these things around deep fakes, we’re still asking a question of authenticity and provenance: who signed off on this, and why do I trust that statement of who signed off on this? That question is valid whether it’s a media clip, whether it’s a press release, whether it’s code that I’m actually compiling to build into a product to go install in the core of some infrastructure, right? Like, think about SolarWinds and Sunspot and how Russia actually compromised the inside of some organizations by essentially piggybacking inside of critical software. It’s still a provenance question. Where did this come from? On whose authority, with what security controls? And whether it’s with us or some other company, it is now possible to leverage strong identity or identity defense to answer a lot of these questions, from things like video to code to just basic application interaction.


Jodi Daniels  22:20  

Jasson, with all the knowledge that you have, I imagine, when you are out and about and people appreciate you are the security guy, what is your best security tip that you might offer them?


Jasson Casey  22:36  

I mean, it really comes back to credential theft, right? Like, when you look at what companies work on, right, like pull the ticket workloads from their security operations center, or their MSSP that’s actually working: 70 to 80% of it has to do with credential theft. Now they may think, oh, it’s password theft. I have all these other controls. I train all of these people on this. I already spend a lot of money on this. I would still come back to: you’re spending time and energy on detecting and putting out kitchen fires. What if the kitchen fire never started? And did you actually know that most of them, it’s possible to prevent them? How do I actually do that? How do I get in some of this device-backed hardware, or device-bound, hardware-backed identity? The other analogy that I would flip to is, you know, by continuing to focus on after or post-incident response, you’re setting your team up for failure, right? Like, in the deep fake example, we’re literally sending humans to fight robots, right? Like, how do I know that link is really a phishing link? How do I know that QR code is, like, a legitimate QR code I should follow or not? Like, does this smell like chloroform? Like, that’s not a winnable question. It’s not even an answerable question. So you kind of have to change the equation, right? And so it really is challenging our thinking and challenging our assumptions. A lot of what we’re doing today is the momentum of what we’ve been doing for a decade and a half. What are those fundamental assumptions, and which ones used to be true but are no longer so?


Justin Daniels  24:14  

Well, thank you. So Jasson, when you’re not out creating amazing ways to secure people from an identity access management perspective, what do you like to do for fun?


Jasson Casey  24:28  

I dream about the times. It’s been a pretty busy year. Been on the road quite a bit. What do I do for fun? I love cooking. I really... everybody’s got to eat. I travel a lot. The easiest way to get to know folks is over good food. So I do try and spend a bit of time and energy, and I get a lot of help, actually, from some of my friends around finding good spots, really interesting, kind of off-the-road spots in a lot of my travels. When I’m at home, I do try and cook a lot. It’s relaxing. It’s cathartic, it’s fun. It’s also kind of engineering, right? Like, food is a science. Food is a bit of mechanical and chemical engineering. And you can really surprise people by actually just thinking about some of the fundamentals sometimes too.


Jodi Daniels  25:12  

Do you have a favorite dish or cuisine you enjoy?


Jasson Casey  25:15  

Honestly, I enjoy everything. But, let’s see, the dish that I think my wife likes the best is, I figured out how to do a veggie ramen for her that actually is decent. And it took me a couple of months of experimentation during COVID. It’s like a four-day process. It’s not four days of work, but, like, you’re doing something every day, and then kind of letting flavors and things kind of sink in and marinate. The easy thing that I do that’s always a crowd pleaser, though, is pizza, like an overnight fermented dough, and then just a fresh sauce. And then our neighbors have this beautiful outdoor pizza oven. And so it’s pretty easy just to kind of cook really good pizza for folks. And it’s not a lot of work. And it’s definitely a pleaser.


Jodi Daniels  26:11  

I’ve heard about those really cool ovens. Those seem so neat.


Jasson Casey  26:15  

They’re a lot of fun. It was intimidating at first, but then you just try it and it’s not that big a deal. And, you know, the gentleman who did it, he’s an architect, so he spent a lot of time and energy on exactly what it all looks like. So it’s really cool, but it’s also pretty primitive, right? You throw wood in the back, you get it up to 700 degrees, and basically, your dough is flour, it’s salt, it’s water, it’s yeast. Your sauce is literally tomatoes off the vine and salt, and cheese and herbs. And it’s amazing how good something so simple can be.


Jodi Daniels  26:51  

I love things that are simple. Well, Jasson, we’re so glad that you came to join us today. If people would like to learn more about Beyond Identity and connect with you, where should they go?


Jasson Casey  27:01  

Come to our website. We make a lot of material available on the website to read and to watch. You can certainly reach out to us through the website. You can reach out to me on LinkedIn or on X. I don’t really post much on X. I’m more of a lurker, but pretty active on LinkedIn and, yeah, just follow up in any of those ways.


Jodi Daniels  27:21  

Well, wonderful. Thank you again. We really appreciate it.


Jasson Casey  27:24  

Absolutely. Thanks for having me.


Outro 27:30  

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.