Season 1, Episode 4

Attackers are only as powerful as their permissions: Identity Security lessons from inside Mandiant IR

“Incident response is just project management with stress.” Urgent deadlines. High-stakes recovery demands. And a lot more than just technology and forensics.

In this episode of the Identity Decoded podcast, hosts Roy and Rob go inside Mandiant Incident Response with Chris Linklater, Practice Leader for Mandiant Consulting—one of the largest global IR firms—to talk through what his team is seeing across real-world breaches today, and the top recommendations Chris leaves with every client after an incident.

Key takeaways include:

  • Why “Hackers don’t break in—they log in” has become a cliché for good reason given the identity-based attack patterns Mandiant encounters on repeat
  • Why IR teams are almost always called in too late—and the concrete steps your team can take now to get ahead of an active breach before damage becomes too severe
  • The “identity tension” that exists in every breach: how IR teams use identity to navigate the tradeoff between containing an attacker and ensuring business continuity—and how you can apply that mindset in your own organization

Rob Ainscough (00:00:00,080 – 00:00:12,400)
Chris Linklater, practice leader at Mandiant, he spent his career deep in the weeds of infrastructure and cybersecurity, and now he’s leading incident response and security transformation work at Mandiant, a leading cybersecurity firm acquired by Google.

Chris Linklater (00:00:12,400 – 00:00:19,120)
The recovery aspect of helping an organization is actually pretty interesting. There’s more to it than just recovering the technology that exists.

Rob Ainscough (00:00:19,200 – 00:00:24,320)
In this episode, we get into what happens when identity fails and how most breaches really begin.

Chris Linklater (00:00:24,520 – 00:00:29,960)
For this year, for the first time ever, vishing, voice phishing surpassed traditional email-based phishing.

Roy Akerman (00:00:30,040 – 00:00:39,920)
Attackers aren’t breaking in the way we think anymore. Chris shares how identity has quietly become the easiest way in and how it’s the hardest thing to fully secure.

Chris Linklater (00:00:40,160 – 00:00:51,120)
There’s a number of initial entry vectors that do sort of equate to an attacker just logging in. The attacker, they’re finding the credentials somehow and they’re just logging in.

Roy Akerman (00:00:51,760 – 00:00:55,520)
We’ve all heard the cliches, identity is the new perimeter.

Rob Ainscough (00:00:55,760 – 00:00:57,440)
Attackers don’t break in, they log in.

Roy Akerman (00:00:57,720 – 00:01:03,360)
Yeah, but what’s actually happening in identity security and why? And that’s when things get vague.

Rob Ainscough (00:01:03,920 – 00:01:14,480)
And that’s why we created this show. This is Identity Decoded. We’ll be having honest conversations about what’s working, what’s broken, and how to get ahead in identity security. I’m Rob.

Roy Akerman (00:01:14,960 – 00:01:16,640)
I’m Roy. Let’s dive in.

Rob Ainscough (00:01:16,920 – 00:01:17,440)
Let’s do it.

Roy Akerman (00:01:23,760 – 00:01:24,560)
Welcome, Chris.

Chris Linklater (00:01:24,800 – 00:01:26,240)
Hi, thank you for having me.

Roy Akerman (00:01:26,640 – 00:01:41,920)
Thank you for dedicating the time. I know that you’re a very busy persona with everything that is happening in the world, incident response in the age of AI and other things. We’ll be very happy to hear a little bit about your background and if there’s any attachments to identity around that, it will be even better.

Chris Linklater (00:01:42,280 – 00:01:54,240)
First and foremost, thanks for having me on. I’m a little jealous. It looks like the studio that you guys are sitting in is very cozy and I’m here in my office. So next time we’ll do this in person.

Roy Akerman (00:01:54,240 – 00:01:55,280)
In your office.

Chris Linklater (00:01:55,280 – 00:02:21,200)
But just a little bit about me, you know, I work with Mandiant and I help lead our remediation practice, our incident response remediation and security architecture practices. So What that means in practicality is, there’s a lot of teams, anytime there’s an incident, there’s a forensics team trying to figure out what’s going on. There’s legal teams, there’s crisis communications teams, but we’re the team that’s sort of tasked with helping sort of contain the incident.

Rob Ainscough (00:02:21,440 – 00:02:21,560)
Wow.

Chris Linklater (00:02:22,160 – 00:02:38,720)
And then, you know, put those steps, so those practical things in place that organizations can do, so the same thing is less likely to happen again in the future. So, as you can imagine, we stay very busy in this day and age. it’s been super fun.

Rob Ainscough (00:02:39,040 – 00:02:50,160)
Amazing. And how’d you get into that? Like, that must be so stressful, constantly running towards fire with these incidents with different clients. Like, how’d you get into that, Chris?

Chris Linklater (00:02:50,640 – 00:02:55,760)
Yeah. I mean, I think incident response is just project management with stress, right?

Roy Akerman (00:02:57,360 – 00:02:59,280)
That’s true. Nobody admit that.

Chris Linklater (00:02:59,280 – 00:03:17,040)
The deadlines are urgent. That might be true of anything cybersecurity related, not just incident response. But no, look, my background is in IT operations and engineering, right? So, you know, many, many years in IT, I somehow found myself in this role at Mandiant. And it’s been a lot of fun.

Roy Akerman (00:03:17,360 – 00:03:43,120)
And for just laying the ground for our discussion, I just want to mention that I found it interesting that you’re not just responsible for saving organizations in situations that all the security controls were failed and these organizations were pwned and under a breach. You’re there as well when they’re trying to recover to rebuild the stack to make sure that nothing will reoccur, right? So you’re actually helping them to rebuild the trust, the system, the processes?

Chris Linklater (00:03:43,280 – 00:04:53,560)
Yeah, so the recovery aspect of helping an organization is actually pretty interesting, right? Everybody thinks about that as we need to rebuild, you know, workstations, we need to rebuild servers, and that’s certainly a part of it. But there’s more to it than just recovering, the technology that exists. There’s the process of, helping a business restart. And then there’s the hardest part is the final part, which is helping other organizations trust that the organization that’s been through this terrible event is safe to do business with again, right? So the first thing that happens anytime an organization has an incident is all of their business partners will disconnect from them to protect themselves. It’s a perfectly natural thing. The challenge we run into is there’s no sort of predefined standard of when do we reconnect back so that it’s safe to do business again. And every organization has sort of its own threshold from when it’s willing to say that it’s safe to reconnect. So we help organizations with that piece as well. And that can be the, it sounds like the easiest thing, like, hey, just turn us back on. But there’s a lot of thought that goes into, is it safe to do business with this organization? And what assurances can we provide? But it is safe to do business with them again.

Roy Akerman (00:04:54,000 – 00:05:26,080)
Some cliches that we have in the market that may be true. I don’t know. It will be great to hear it from you. Let us know if you think it is true or not. I know that Mandiant have like the risk report as well, based on all what you’re seeing. Thousands of organizations, like thousands of incidents. The first one is hackers are not breaking in their login. You probably heard this thousands of times. And the second one is 80% of the incidents are based on compromised identities, or at least go through a compromised identity in some point.

Chris Linklater (00:05:26,480 – 00:06:29,040)
Well, I would certainly agree that the first thing definitely happens, right? So Mandiant every year releases is a report called M-Trends, and it’s essentially a look back at the previous year, all the trends and all the things that are changing, things that are staying the same in some cases. And one of the things that we do see is that there’s a number of initial entry vectors that do sort of equate to an attacker just logging in. Now, it could be reused credentials, it could be stolen credentials, it could be phished credentials, or this, here for the first time ever, vishing or voice phishing surpassed sort of traditional email-based phishing for the first time. So I would sort of put all of those categories into the idea that an attacker, they’re finding the credentials somehow and they’re just logging in. It’s not, you know, exploits still remain #1. They’ve been #1 for a long time in terms of how attackers get in, but I would say that just logging in is gaining on it year after year.

Roy Akerman (00:06:29,560 – 00:07:05,680)
The first gate is breached, right? We trusted that the password will hold like people back or like the bad guys are back. This is where an incident starts, but it’s not after a lot of lateral movement and mess in the networks that happens that you’ve been brought in, right? I bet that it’s not the second that somebody broke in that you’ve been invited, right? So can you please walk us through the typical time frame, and it’s probably be a wide time range, but time frame in the kill chain or like the IR chain. that you and your teams are being typically brought.

Chris Linklater (00:07:05,760 – 00:07:44,800)
Earlier is better, but unfortunately, earlier is probably not where we usually end up. So I would say most of the time when we’re brought in, it’s after the threat actor has achieved whatever their mission is, whether that’s to exfiltrate data, whether that’s to cause some damage. or whether that’s simply to do some sort of espionage tactic where they’re just sort of hanging out in the background and observing. So I would say, most of the time when we show up, it’s later than we would have liked to have shown up. And it’s towards the end of that attack life cycle or that kill chain, depending on which term you prefer.

Rob Ainscough (00:07:45,120 – 00:08:15,280)
I suspect you’re going to say it’s hard to characterize this, but you know, you’re saying you’re getting brought in later than you wish into these things. Is it because companies still aren’t able to detect and make sense of what’s going on in their network, in their systems? Or is it because they see stuff, but they’re not responding quick enough and then they get into a position where they need your help? Like, why is it that it’s late in the day that you’re getting called in, you know, once that attacker’s, you know, late stage in what they’re trying to do?

Chris Linklater (00:08:16,400 – 00:09:02,640)
I mean, I think a lot of organizations don’t realize that they’ve been breached until something bad happens. A destructive attack is the easy example here because everybody knows that something works, right? That’s pretty straightforward. But what we’re seeing more and more is less destructive attacks and more attacks that are just based on data exfiltration. And we’re even seeing a lot of organizations that don’t realize that they’ve had data exfiltrated from inside their networks until some of these threat actors are posting it on these what we call DLS or download shaming sites. And it’s at that point they realize like, okay, the first step is we have to figure out is our data actually been exfiltrated? And once they sort of determine the answer to that is yes, then they have to go, well, how did that happen? And it’s at that moment that we often get brought in.

Rob Ainscough (00:09:02,920 – 00:09:47,520)
And that’s really scary, I think, from an identity perspective, because when I talk to people working in identity, they’re often very focused on the most critical things, the highest level permissions, the domain admins, the backup admins, the hypervisor admins, right? And they’re super important, right? And I’m not saying they’re not. But what’s scary about what you’re talking about is you could have a fairly innocuous level of access. into a data set and complete those goals and be able to achieve those financial gains for an attacker. And that’s, from an identity perspective, pretty scary because we talked earlier about what’s privileged access. What is privilege? Well, you don’t need much privilege to go and do that kind of attack once you’re in a company. And that’s pretty scary.

Roy Akerman (00:09:47,840 – 00:10:16,640)
That’s true, but I would try to attack this from another angle. Maybe it comes to like, what’s the place of IAM in that tactical room or like tactical table of dealing with this attack? Are they just getting orders, marching orders from the security team, or there’s something else that you can bring to the table in order to mitigate or at least limit the damage faster? I wonder, like, each of you, like, what do you think about that? I mean, or how do you meet this in reality?

Chris Linklater (00:10:17,680 – 00:10:54,880)
Yeah, I mean, I, so the question I, you know, started asking myself when we started to see disruptive attacks decline, but extortion sort of continue on at the same pace was, what’s leading to that? And the one thing that I keep getting drawn back to is the barrier of entry to steal data is very low, right? To your point, hypothetically, if you have the account of a recruiter in HR, you probably have access to a significant amount of personnel data. That’s not a privileged account in the traditional IT sense.

Rob Ainscough (00:10:55,120 – 00:11:29,680)
Right. And I think almost non-technical, some of those attacks, right? So if you get or guess a credential, for example, against a cloud IDP that’s linked to a load of applications, you start clicking around, you’re probably going to get into something eventually, and you’re probably going to get to something interesting that, as you say, you can copy out or export a CSV that it will generate for you. And you’ve done nothing particularly technical to this point, right? The barrier to entry of that attack is having a computer. and an internet connection, right? And it’s pretty scary.

Roy Akerman (00:11:29,840 – 00:11:39,760)
And that’s why I think that attackers really love identity, right? The idea is that you can actually get impossible, like to imagine powers without even exploding and doing anything.

Rob Ainscough (00:11:40,000 – 00:12:39,280)
The thing that’s always interested me about incident response is often it felt like the actions we took were almost never in identity terms. It was, isolating hosts or, changing network configurations and locking things down and cutting things off and doing things that are big changes to the business through almost anything but identity in the past. And even our identity tools where they have been used to like, it’s quite a sledgehammer, right, to go to say mass disabling or mass removing privilege or, it’s very disconnect from the internet. I was going to use the word agricultural, but I think that’s a bit unfair. Like it’s the tool you’ve got, but it’s kind of an interesting place to be if the main vehicle is identity and how can we be more surgical, I guess, about that recovery, right? Because I guess that’s key for you. Like I don’t want to impact the business more than I have to, But I also must contain this thing. It’s an interesting tension there.

Chris Linklater (00:12:39,680 – 00:13:45,280)
It’s a very, tension is a great word for it, especially in organizations that don’t necessarily have any concept of what business function a particular identity may or may not serve, right? So usually human identity is great because it’s, you know, one identity assigned to one individual. It’s pretty clear who we’re going to impact if we, you know, make a change to that identity. But when you get into the space of service accounts and non-human identity, there’s a tremendous amount of fear that if we disable an account or deprivilege an account, we’re going to stop some business function. And in some businesses, that might be fine. But when you get into spaces where there’s industrial control systems or manufacturing or healthcare, there is the potential that turning off an identity can turn off some critical life-saving service. And those are the situations where obviously the more sort of intelligence you have about the identities that exist in your environment, the more surgical and the better off you’re going to be responding to it instead.

Rob Ainscough (00:13:45,600 – 00:13:46,120)
I agree.

Roy Akerman (00:13:46,120 – 00:14:43,360)
Yeah, so we’re creating some sort of separation, and please feel free to disagree with me, between containment and between blocking the ability of the attackers to largely move or like to escalate, right? In the first one, we’re taking a pwned or compromised identity and we’re trying to bound it in a way that the legit machine or person will still be able to use it so that if life critical missions are being operated there or whatever, it will keep doing, but the attacker will be stay out or at least very limited. So we’re trying to contain and not let the spread goes on. And from the other hand, you know, we’re trying to make sure that the next steps of the attacker will not truly be successful. Or maybe it’s oversimplifying it. I am trying to just distill it for IAM-driven missions.

Rob Ainscough (00:14:44,160 – 00:15:35,360)
What’s really interesting about what you just said is the same tension in containment and recovery of what can I do with this account? What will it mean to the business? And, you know, is that acceptable? It’s the same tension that means you don’t put in those controls proactively. right? That you don’t touch service accounts because you don’t know what they do. That you’re scared of breaking something on behalf of your business as you try and protect it. And it’s really interesting, as we say, tension that’s in there. But I’m curious, from an identity perspective, is there anything, any tool, any lever that you wish you had to more surgically kind of contain whilst you’re keeping the business running? Like what do you wish you had that you haven’t got today in most companies?

Chris Linklater (00:15:35,440 – 00:16:27,040)
My wish list is probably always very extensive. And just like I think we said, you know, everything bad that happens to security happens on a Friday when you’re on vacation or leaving for a vacation. I think the other universal truth is organizations that have some of the very basics in place around understanding their own assets, including their identities, always fare better in an incident than those that don’t. That will never not be true. So the one thing that I’m always hopeful an organization has when they call in their time of need is just a very good understanding of what all of their assets are, how many they have, what those identities link to, what applications go down if this service account is turned off, et cetera. We don’t even realize what’s out there.

Rob Ainscough (00:16:27,280 – 00:17:32,320)
Yeah, and I completely agree, right? It’s foundational proactively, it’s foundational reactively, still a struggle for a lot of companies out there that I talk to as well. But I think from them from a kind of controls perspective, and I think about lateral movement and the possibility to move through identity, really often that’s only limited by permissions, right? Like how extensive and broad are the permissions and how’s that going to limit or facilitate my movement laterally or vertically within the environment? And that’s a difficult spot to be because permissions are gnarly difficult things to work with at the best of times. I think about the network and how we use the network to limit movement and possibility of movement. And I really think kind of network concepts of it being the vehicle for movement is really transferring into identity and how do we have those levers that say, hey, this identity can only move or be used in this way. That’s a really important enabler for like a surgical recovery from these things through identity.

Roy Akerman (00:17:33,280 – 00:18:02,400)
I think that You’re speaking about levers in a given condition, right? We have a system that got compromised that probably like was built with a few other vantage points for the attackers or vulnerabilities or misconfiguration or something like that. As A responder, you want to gain full control on each identity and decide, kind of like being in the middle and decide if it can do something, yes or no, right? Regardless of how the system is built.

Chris Linklater (00:18:03,600 – 00:18:39,240)
Yeah, I mean, we use the term all the time, network segmentation without identity segmentation is fundamentally useless, right? It’s the identity that lets you cross the boundary more often or not than it’s like, hey, this is the specific protocol we’re going to block between, you know, two different data centers. The reality is you have to be able to log in ubiquitously across both of those data centers. So again, if you don’t segment the identity, the network segmentation work that you’ve done isn’t necessarily all in waste, but it’s certainly not as effective as it can be if you do those two concepts together.

Roy Akerman (00:18:39,680 – 00:18:50,800)
I’m interested in the common ground, or at least trends that you’re seeing across organizations. What’s the things that those organizations, or many of them, are missing when it comes to identity that attackers then leverage?

Chris Linklater (00:18:51,200 – 00:19:55,680)
You know, the number one thing that, maybe not the number one thing, but certainly a rising trend that we’ve seen more and more is The ability to control groups, right? So organizations are always creating some concept of groups for their identities. This group of people can do this one thing. This group of people or this group of identities can go do a certain thing. But what they don’t often look at, and this sounds fundamentally simple, but we see it all the time, is who can control what’s in the group? So what we find all the time are accounts of a lower privilege level, say like a normal help desk administrator, but that help desk administrator has the ability to add an account to a domain administrator, right? So yeah, the groups were set up perfectly. You’ve got your permissions delegated as you should. But because you didn’t decide, who has the ability to manipulate the group memberships, now you’re in a tough situation. The same thing happens not just to, traditional IDP groups. We see the same thing happening within privilege access management systems all the time.

Rob Ainscough (00:19:55,840 – 00:20:51,600)
Completely agree. I saw this in my world, right? And My word, this was difficult to do. We went through all of the delegations in our active directory first, then we went into the cloud and looked at, you know, who’s delegated to reset a password on behalf of another person, right? How many people? And it was way more than we were proud of at that time and covered a lot of different accounts because, you know, you’ve got to assume if a help desk account can reset any other privileged account, than it is any other privileged account, right, by default. Who’s got the permissions to add a privileged group to an account, right? What are the restrictions around that? And it’s a very detailed place to get to, but so important. But I don’t see a lot of companies who talk about that, think about it, because it’s almost too hard a problem to chew down and think about. But it’s so important to that risk posture.

Roy Akerman (00:20:51,600 – 00:21:08,400)
What’s the best practice? I mean, from the security angle, I think that I saw someone that broke the record. It was, again, a 4Gen, let’s say Fortune 20. Yeah, there’s like not to number it, that had a few hundreds of thousands of employees and the same number as groups, which sounds crazy, right? So like.

Rob Ainscough (00:21:08,400 – 00:21:56,320)
It’s not unusual is the difficult thing. And then people are surprised when they say, oh, there was a nesting change made and suddenly there’s all these permissions that we didn’t know and we’re lucky we found it. And you’re like, this is… This is not the primary thing we need to control, right? It’s too complex. It’s built up again over 25, 30 years of operating a business. We’re too scared to touch it because we might break something in the business. But then what do we fall back to? Because, you know, if that’s not effective and we have privileged accounts with username and password authentication, static permissions always on. For me, that’s like the worst toxic combination of loose permissions control Plus, easy to exploit accounts, right? That feels dangerous.

Chris Linklater (00:21:56,880 – 00:21:57,440)
Absolutely.

Rob Ainscough (00:21:57,440 – 00:22:00,000)
Is that what gets exploited though? Is that what attackers are looking for?

Chris Linklater (00:22:00,920 – 00:22:32,080)
All the time, right? And a lot of that’s born from, we have a lot of organizations that have a compliance-driven mindset. Compliance might dictate that you need to have role-based access control for an application, and the easiest way to have role-based access control is to have groups of… roles, right? But again, there’s no sort of next step in that compliance check that says, oh, we have to make sure that there’s some process by which we’re always auditing and ensuring that nobody ends up in the wrong role. It’s just that you have to have the role-based access.

Roy Akerman (00:22:32,720 – 00:22:36,400)
Yeah, so there’s a convoluted network that we have over there.

Rob Ainscough (00:22:36,720 – 00:22:52,720)
If you thought about… identity and some of the recommendations that you’re making to your clients after these things happen. What sort of things, what are the top three things maybe that you’re saying to them that are really important for them to get on top of and you leave them behind with?

Chris Linklater (00:22:53,600 – 00:22:58,720)
so the terminology that we like to use is identity modernization.

Rob Ainscough (00:22:59,080 – 00:22:59,200)
Okay.

Chris Linklater (00:22:59,880 – 00:23:10,160)
A lot of organizations have the same fundamental identity structure in place that they’ve had. You know, we joke there’s a lot of identity providers that are old enough to buy beer.

Roy Akerman (00:23:11,920 – 00:23:12,920)
And this is true.

Chris Linklater (00:23:14,080 – 00:24:03,440)
And so we need to revisit that, right? We need to, you know, not just look at the IDPs, but we need to look at how we’re doing identity segmentation. Do we want to move out of what we would consider to be legacy identity providers into something that’s a little bit more modern, whether it’s a cloud-based identity or a hybrid-based identity, it gives us a lot more flexibility to sort of move the business forward. And again, we try to wrap all of that around the concept of modernization, right? Identity and access management is not going to go away for any particular organization, but if we look at it as like, okay, you know what we’ve we’ve had for 20 to 25 years isn’t working. What do we need to move to so that we have a better chance of keeping bad things from happening inside of our environment?

Rob Ainscough (00:24:03,520 – 00:24:50,800)
Yeah, and I think something that I think about is consistency, is building this kind of level playing field in terms of identity, because what I tend to find is organizations might be much stronger in the cloud than they are on-prem. or they might be strong in one provider than another provider in the cloud. And I think for me, from my perspective, again, that’s what attackers are looking for. They’re looking for inconsistencies. They’re looking for the lowest common denominator and the least protected thing. So I think being able to modernize, to gain consistency and build consistency, how do we build consistency of this thing that is identity? is something that I talk about a lot because I think it’s probably the most important thing in defending against these kind of attacks.

Chris Linklater (00:24:51,120 – 00:25:12,200)
Yeah, I would agree 100%. And I think, The easiest way to find out what’s wrong with how consistent you are is to hire a red team. They’re going to come in and they’re going to very quickly show you where your flaws are. And it’s significantly less expensive than a cyber insurance claim. So we certainly encourage organizations to do that.

Roy Akerman (00:25:12,200 – 00:25:38,400)
I want to switch gears a little bit before we’re starting to decode some of the lessons that we’ve learned. When we’re speaking about the progression to AI and everyone speaks about AI models at your, you know, at your service, As an attacker or defender, have you ever faced AI models as part of the attacks that your team needed to deal with? So like you’re fighting against a model or like a model-based actions that were there?

Chris Linklater (00:25:38,760 – 00:26:05,960)
I don’t think we’re quite there yet, but I think it’s coming soon. I think the one thing that the introduction of AI into this sort of attackers versus defenders conversation is doing, is forcing everyone to realize that you do have to have the fundamentals right, because you won’t have time to react. So what I think AI is actually doing is it’s forcing us to speed up what we’ve gotten away with being slow at in the past.

Rob Ainscough (00:26:06,000 – 00:26:42,640)
I completely agree. It’s going to expose all of that stuff that we’re not quite proud of that’s gone on over the last 25, 30 years. You know, The things we might call legacy, we can’t forget about. They’re not legacy if they’re used by the business and working for the business, right? They might be our legacy. We might not like them, but they’re not a legacy to the business. They’re important to the business. And that’s where we’ve got to bridge that gap, I think, in terms of modernization. It’s not that easy. But how do we harden up things like Active Directory, right? Without saying, oh, I’m going to move to the cloud, but that will take me five years. And in the middle of that, I’m just going to run that risk.

Roy Akerman (00:26:42,640 – 00:27:27,360)
I think my commander in the army was always like saying. To some people, you’re not ready and you don’t have time, right? And I think that sometimes it’s kind of like we need to reinvent and we need to do some out-of-the-box actions in order to just accelerate our readiness. Sometimes we cannot restructure and make an alignment and consistency. Sometimes… we need to act fast in order to be ready that something will be happening. And then at least the protocol of response will be much stronger and that will bring the Mandiants in order to save our lives or learn our business. At least we’ll be able to respond right. And I think that it’s time to rapid fire questions. And I bet that Chris is used to those things, right? He needs to answer burning questions.

Rob Ainscough (00:27:27,880 – 00:27:34,880)
On his feet, seat of the pants. So we’ll start off. What’s one identity myth?

Chris Linklater (00:27:36,200 – 00:28:15,880)
that’s a hard one. I think an identity myth is that there is a one-size-fits-all password policy for all organizations. We get asked all the time, like, what should my password policy be? It’s a good question. But the answer isn’t uniform for all organizations. And I think there’s a lot of people that would love just have a very simple answer to that question. But I think the myth is that it’s simple. I think the reality is that every organization needs to look at their own particular needs and figure out what their identity and their possible policies should be based on what their threat model is and what it is they’re trying to accomplish as an org.

Rob Ainscough (00:28:16,240 – 00:28:22,000)
I completely agree. So the second one, what is one thing that leaders get wrong?

Chris Linklater (00:28:22,480 – 00:28:34,080)
I think one thing that I’m starting to see is that organizations have spent the past five years securing the human identity.

Rob Ainscough (00:28:34,160 – 00:28:34,440)
Right.

Chris Linklater (00:28:35,080 – 00:29:08,280)
And we’ve actually gotten pretty good at it. We have MFA. The first maybe pass at MFA wasn’t wonderful. We had push-based MFA. We had two things that didn’t work right. But we’ve had another go at it. We’ve gotten really good on it. So the human identity is getting, it’s not maybe in a great place, but it’s in a significantly better place. But all the attention that’s gone with the human identity, I think, has equally taken away from the focus on the non-human identity. And I think within an organization, both of those have to be treated with the same level of informs.

Rob Ainscough (00:29:09,040 – 00:29:26,720)
Yeah, agree. I see different companies indexing on one or the other and probably over indexing on one or the other. And I think it’s really important to get that balance right because there’s different, you know, there’s different methods that are going to be used, but they’re both important. They’re both potential avenues. So the next one, what’s one hard truth?

Chris Linklater (00:29:27,320 – 00:30:06,480)
I think the hardest truth right now is admitting that we have no idea where we’re going to end up with the attacker versus defender and artificial intelligence and AI. We just don’t know what that’s going to look like. There’ll probably be some tough days ahead. There’ll probably be some big wins ahead. It’ll probably go back and forth. But I think a hard truth is we simply don’t know where that’s going to have us as an industry in two to five years from now. And I think anyone who can tell you exactly where we’re going to be with AI in two to five years is probably, it might be very confident, but I wouldn’t be very confident in their answer.

Rob Ainscough (00:30:06,880 – 00:30:11,760)
Yeah, I think the only thing that’s certain with it is uncertainty. So I think you’re totally right.

Roy Akerman (00:30:11,840 – 00:30:13,840)
We should enjoy our days now, right?

Rob Ainscough (00:30:15,320 – 00:30:20,120)
Enjoy it while it’s good. And our final one, Roy, do you want to hit us with the final one?

Roy Akerman (00:30:20,120 – 00:30:25,440)
The one that I like most is Give us like one trend that you think that is overhyped.

Chris Linklater (00:30:25,760 – 00:31:04,360)
There’s lots of things that are overhyped, and as an industry, we’re good at overhyping things. So I feel like this is the target-rich environment. But the one thing that I hear a lot of organizations starting to talk about that doesn’t fit into their threat model is post-quantum cryptography. I think we will get there collectively as an industry. We will get to a post-quantum cryptography world eventually. And I think a lot of organizations are spending time thinking about how to solve that problem when they have significantly lower-handed fruit that they could be spending time on to improve their security policy.

Roy Akerman (00:31:05,000 – 00:31:05,600)
Interesting.

Rob Ainscough (00:31:05,920 – 00:31:06,080)
Yeah.

Roy Akerman (00:31:06,080 – 00:31:29,440)
Very cool. I mean, it is a problem, but there’s like more burning problems for sure. And with that, Chris, we really want to thank you for being our guest today. We’ve much enjoyed the conversation and I think that there’s a lot of takeaways for us. We need to prepare for the next war as IAM and as security, hands to hands together, marching through the sun. Yeah, and with that, thanks very much.

Chris Linklater (00:31:30,640 – 00:31:31,840)
Well, thank you for having me.

Rob Ainscough (00:31:32,520 – 00:31:34,880)
That’s it for this episode of Identity Decoded.

Roy Akerman (00:31:35,120 – 00:31:41,280)
If this conversation changed anything that you thought about identity security, share it with someone who’s working through the same challenges.

Rob Ainscough (00:31:41,520 – 00:31:44,880)
And don’t forget to follow the show so you don’t miss what’s next.

Identity Decoded

with Roy Akerman & Rob Ainscough

Subscribe so you never miss a new episode.