We hear all the time that identity is the new perimeter. If we place that much importance on identity, then compromised credentials can give away the keys to the kingdom. In an environment where hybrid infrastructures introduce visibility challenges, the need for advanced monitoring techniques for identities becomes clear.
In this episode, Paul Nguyen, co-founder and co-CEO at Permiso Security, discusses how Permiso enables organizations to fortify their defenses against insider threats and malicious actors. Paul is joined by our panelists, Trina Ford, CISO of iHeartMedia, and Eduardo Ortiz-Romeu, VP, global head of cybersecurity at Techtronic Industries.
Huge thanks to our sponsor, Permiso Security
Full Transcript
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. Today, we are talking about Permiso Security and what they’re doing in identity threat detection and response. The problem they’re addressing is compromised credentials. And helping us get answers to these questions are Eduardo Ortiz-Romeu, VP and global head of cyber security at Techtronic Industries, and Trina Ford, CISO at iHeartMedia.
So, Eduardo, let’s get started with you. Why are compromised credentials still a problem?
[Eduardo Ortiz Romeu] I think based on misconfigurations from our admins and our IT counterparts. And also vulnerabilities. Not the vulnerabilities that are based on your vulnerability management program but also more on the identity side. Even in the last 2024 Verizon DBIR report, 68% of the breaches involve a non-malicious like human element.
31% of those were stolen credentials. At least that was on the manufacturing side, but I think the global numbers are one or two percentage off. So, it’s still a big number for an industry for something that people consider very basic. But finally, it’s getting more attention with the ITDR, another acronym of our industry.
It’s still a problem.
[Rich Stroffolino] All right, well, Trina, I’m going to turn this question to you. For you, why are compromised credentials still a problem?
[Trina Ford] I also agree with Eduardo. And I would say in addition to that, I think it has a lot to do with the fact that because most companies are more hybrid, IAM infrastructure, and they’re multi-cloud, so it makes kind of the visibility into behaviors a little bit more difficult to identify rogue, or anomalies, or what have you.
You have federated identities. You also have different business units that are always involved. They have their own instances. They have their own environments. And as such, there becomes a challenge into really managing and controlling identities. And therefore, when let’s say the bad guys get in, they come up with more sophisticated tactics, and we have to be able to basically have visibility in order to be able to protect our environments.
So, I think that has a lot to do with it as well, along with remote working. Right?
[Rich Stroffolino] All right. Well, today we’re going to be talking with Paul Nguyen, cofounder and co-CISO at Permiso Security. So, Paul, to start out we’re answering three essential questions. How do I explain the value of your solution to a CEO? What does your solution do, and what does it not do?
And what’s the pricing model? So, can you help us and give us those preliminaries?
[Paul Nguyen] Absolutely. We provide real time monitoring of human and nonhuman identities in the enterprise. And really the outcome that everyone cares about is detecting when those credentials are compromised or abused by insiders. And we provide that for both cloud and on prem as well. And we are pricing now by protected identities.
So, think of it as almost like LifeLock but for corporate identities. The challenge is that in some of our largest customers we’re monitoring millions of identities every day. So, we have to do that real time monitoring to determine whether we see any suspicious or malicious use by those millions of credentials.
[Rich Stroffolino] And in terms of the pricing model, what are we looking at?
[Paul Nguyen] So, typically for larger enterprises, it’ll probably come in somewhere around 100 to $200,000. So, it’s per unit typically about 40 to $50 retail for per identity.
[Rich Stroffolino] Excellent. All right, panelists, we have the preliminaries. We’ve gotten a taste for the solution, but I’m sure we have a lot of questions here. So, let’s start with you, Trina. What other questions do you have about Permiso?
[Trina Ford] Can your solution automatically take action on identified threats such as disabling accounts, resetting passwords, revoking MFA permissions, etc. without manual intervention?
[Paul Nguyen] Yeah, that’s always a great question. Especially for me. I was the founder of the SOAR Market, which was the Security Automation Market many, many years ago with NSA and Bank of America as my first two customers. So, I would say yes, we can take action as long as the customer can express their tolerance for the downside of automated response.
So, potentially taking down a CEO’s email or taking down parts of the network. That’s always possible. We try to be very careful in providing read only permissions to prevent us from also being a supply chain attack. Because we came from Mandiant. And from Mandiant, we obviously saw a lot of nation state type of attacks and incident responses, too.
But yes, it is possible as long as it’s done in the right way within the enterprise.
[Rich Stroffolino] All right, Eduardo, what questions do you have for Permiso?
[Eduardo Ortiz Romeu] So, my question comes around the deployment. What’s a realistic full deployment timeline for a company that has between…let’s round it at 40,000 identities. In my case, I have six different business units. So, think about it, six totally different companies with different infrastructures.
Pick one. What’s a typical deployment time, and how much does it take from a resource perspective for a company like ours to deploy your product?
[Paul Nguyen] I will tell you, I sold my last company to FireEye, and I ran the product business for Kevin Mandia. And one of the things that I did not like about that business was hardware, software. And we’re a completely SaaS application, agentless. And the two values that we really cared about was fast time to integrate and fast time to value.
So, everything is self-service. You can deploy, depending if you want to integrate it into your identity provider. That could take less than 15 minutes, with read-only delegated access to it. Or if you want to deploy it in AWS, as an example, into your infrastructure, you could do that through Terraform or CloudFormation stacks.
That’s totally up to you. But it’s completely self-service, and you could deploy if you want a fully large enterprise like that in probably less than an hour, depending on how much you want to integrate. The only challenge is it’s a little bit fragmented because infrastructure, and we also cover SaaS.
So, if you want to onboard SaaS as well, that would take some time. Probably 10, 15 minutes. Pretty simple.
[Eduardo Ortiz Romeu] So, a follow up question to that. If we are hybrid, and we have on prem and not only the cloud, how does that affect the [Inaudible 00:06:10] that you just provided?
[Paul Nguyen] So, the cloud part is the easier part. For on prem, we would have to find the right architecture in terms of potentially some log forwarding or deployment of a local agent. In a lot of cases with our customers, we are picking up logs from let’s say an S3 bucket or another central repository.
And that makes it a little bit easier. Because a lot of times, customers already have the logs aggregated for us. It’s a matter of just picking it up wherever it’s most convenient for you to make your lives easier. It doesn’t really matter for us. Because we care about just really bringing in all the identity logs, all the identity access information so that we can then understand, well, who’s in your environment, what permissions do they have, and what are they doing.
And for us in an IR scenario we can go back, and if you have logs back for three years we can bring them all in, and we can reconstruct every user and every user session going back as far as you have logs. So, it’s pretty simple.
[Eduardo Ortiz Romeu] Okay, thank you.
[Trina Ford] Good stuff. So, since Eduardo stole my question, I’ll ask what type of authentication protocols and standards does your product support?
[Paul Nguyen] So, we obviously as an identity security product want to make sure that we’re enforcing strong authentication, so we enforce obviously multifactor where we can. Depending on the integration, because it varies by APIs, in most cases it’s either through delegated access, so like a delegated role that’s read only within the application itself, or like an OAuth token for like SaaS applications.
We try to make those obviously not long lived tokens because we obviously don’t want to be able to have abuse on our side either. And we want to make sure that we’re paring down permissions in terms of least privilege where we’re integrating into an environment. So, we support all the major protocols.
We provide SCIM integration for SSO as well into our application. So, you can SSO into the application like you would through Okta, or Ping, or Entra.
[Trina Ford] Nice. A quick follow up… SAML as well?
[Paul Nguyen] Yes, absolutely.
[Trina Ford] Okay. Okay, perfect. And how does your product handle federated identities and cross domain authentication?
[Paul Nguyen] So, that’s actually the power of the platform. Let me give you a quick story. Because we’ve worked some really large cases across a group called Scattered Spider. If you remember Caesars MGM?
[Trina Ford] Mm-hmm.
[Paul Nguyen] Those are actually proliferated, because I was on the offensive side. Adversaries are lazy. So, it makes sense to go after a federated identity, right? Because you’re now going to have access to all the applications through your SSO or SAML. And the way we think about that is we need to be able to follow a credential from where it originated to wherever it goes.
So, let’s say, for example, I start with Okta, and then I go into 365, and then I go into Jira, and then I go into Confluence, and I go into AWS. We package all the events from all of those different buckets and those different I’ll say authentication boundaries and construct it into what we call a user session.
And that user session is what we use then to provide visibility in terms of whether we believe it’s a malicious session or not. So, that’s a part of like follow the credential, reconstruct the sessions.
[Trina Ford] Nice. Because visibility is everything, right?
[Paul Nguyen] Yes.
[Trina Ford] That’s the challenge.
[Eduardo Ortiz Romeu] Okay, so my next question will be from a resources perspective ongoing, once we’re deployed… And I don’t think…if it was explained or not at the beginning. Do you offer the 24/7 365 resources as a service to sustain the platform and alert us, or do I have to put my in house resources?
And if yes, how many are needed typically for deployment per 10,000 users or something like that?
[Paul Nguyen] On I’ll say the security engineering side in terms of the deployment and the O&M is pretty low friction because it’s a SaaS platform. So, you don’t have to manage any infrastructure. We manage all the infrastructure for you. We partner with MDRs, MSSPs that would provide the analysts in terms… Because we’re generating alerts.
So, it would be folded right into your existing SecOps workflow for your level one, level two analysts. What we do provide as a value add is if you have a chance, check out our blog with P0 Labs. I went old school security, so we publish a lot of our research and our intel, and we open source a lot of tools because we believe that’s how you build good will in the community, and you raise a community up.
But our P0 Labs team also does ad hoc hunting. So, we also look for any weaker signals that we believe could be suspicious, and then we elevate those into whatever communication channels we establish. It could be Slack, Teams. So, think of us as a backstop. We’re all ex-Mandiant. So, you know, you just have these cloud experts in the background that will help you investigate.
And in the worst case scenario, if you need IR support, we have our also former IR people, and we’ll jump in. Not that we’ll charge you for IR, but we do have that skillset as well when a customer does need it.
[Eduardo Ortiz Romeu] Okay. So, the integration with an MDR is the ideal case? Okay.
[Paul Nguyen] MDR or insource if you have your own analysts.
[Eduardo Ortiz Romeu] Yeah, yeah. Yeah, we outsource, so… Thank you.
[Trina Ford] Paul, you mentioned human versus nonhuman identities. Does your product…is it capable of differentiating between the two? And if so, how does it kind of manage that?
[Paul Nguyen] That is a great question. And I don’t want to throw the AI buzzword around, but I’ll say we have built a human versus machine classifier that we’ve had for four years. So, this is not a human identity trend. I’m not sure why it’s a separate category. Because a credential is a credential.
You use a credential to gain access to an environment. I think the challenge for you all is why would you want fragmented solutions to do different things. So, the way we have it is we have a machine learning model and a classifier that determines what a human credential may look like because it’s more erratic in terms of behavior, versus a machine is a lot more predictable.
And we have a lot of other attributes that we use in the model to help classify that. It’s super useful when you’re trying to do an investigation. As an example, a customer may ask us…and we just had this… “Hey, can you tell me which human users have MFA or no MFA?” And you have to discern it. Because in a large environment, in our largest customer, you’re talking about millions of identities.
So, you have to whittle it down to a very precise list that’s actionable to say, “These are the human identities without MFA or nonhuman identities,” as an example.
[Trina Ford] And I agree with you. I think one of the biggest challenges for us though is we have so much focus on the human that it’s the nonhuman that seems to catch us off guard more often than not. And I think that’s why there is the… We need some help. That’s where the technology and your product comes in.
How do we make sure that we have the visibility and the focus on both? Because one tends to get away from us. Versus the other one is in our face.
[Eduardo Ortiz Romeu] So, a question that I have after reading your website… Permiso is described as an ISPM and ITDR. We’ve been talking about ITDR mostly. Because when I read that, I said, “Okay, I can eliminate a few other technologies and combine something to simplify my technology stack.” Is that the case, or is that kind of like a selling point?
[Paul Nguyen] That’s the case. So, I was a former CISO. I think my claim was I was the youngest CISO in the federal government at the time.
[Eduardo Ortiz Romeu] [Laughs]
[Paul Nguyen] So, I’ll put my… But when I think about a risk perspective, risk is made up of, yes, the threat side where we started, which is when you detect and monitor, which is a way to mitigate risk. But when you’re talking about remediation of gaps, or vulnerabilities, or exposures, our journey with our customers, several of them were breached.
So, guess what? They didn’t want it happening again, so we had to move into prevention because post breach they cleaned it up. They said, “We can’t have this happen again.” Well, what were the root causes? One is zombied accounts, orphaned accounts left over. You’ve mentioned some machine identities that were left over.
Well, sometimes we don’t know about them. The other two was over-permissioning. So, we had Okta [Phonetic 00:13:46] users that had access to GitHub and Jira because this group went after intellectual property. And they hadn’t touched GitHub or Jira in three years. So, there was a least privilege aspect.
In the risk perspective, what I want to be able to answer for you because I’m bringing both vulnerability and threat to you is who are your top ten risk use identities right now? In a dynamic fashion because we’re doing the real time monitoring, I can tell you when it changes second by second. If someone, for example, gets a BEC.
[Eduardo Ortiz Romeu] Okay.
[Rich Stroffolino] All right, Paul, well, we’re just about out of time here, but what’s one thing we didn’t ask about that we need to know?
[Paul Nguyen] I think the most proudest thing I have at the company is just the experts that we bring. I think you learn the most in breaches… And this is a bit of a Kevin Mandia story. Is when you’re in the breach, you learn where you have gaps in terms of visibility or what controls failed. And I think that’s a formula we’ve used in terms of building detection and now into prevention to help you consolidate that human/nonhuman identity prevention detection response.
[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to permiso.io. Thanks to Eduardo Ortiz-Romeu and Trina Ford for helping us learn more about Permiso Security. And thanks to Paul Nguyen for your time and being game to answer all of these questions.
And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe. Tell your friends and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com.
Or just email us at info@CISOseries.com. Thank you for listening to Security You Should Know – connecting security solutions with security leaders.






