Susanne Senoff 01:00:00.000
You really have to start thinking about minimum viable enterprise. And that’s how we’ve started doing. Resilience is it’s like, what are the business processes that have to come up, the systems that support those, the data that has to be there. And that’s how you start to look at the production.
Roy Akerman 01:00:12.240
Susanne Senoff is the CSO at Kona and CSO advisors at Pros.
Rob Ainscough 01:00:17.040
Suzanne brings firsthand experience on what happens when an agent stress tests our traditional security systems.
Susanne Senoff 01:00:23.400
The future is AI. We have to make some assumptions that the AI agent is going to try to access this. The same way that we look at threat actors, it’s just the agent is going to be faster.
Roy Akerman 01:00:33.560
We dig into one of the biggest questions right now: how companies can go about securing AI agents.
Susanne Senoff 01:00:40.320
You have to have identity security engineers. You have to be the one that’s looking at setting the standards, validating that IAM is actually working. And so if you’re not doing that, do it now.
Roy Akerman 01:00:50.480
Identity isn’t just an operational problem, it’s a security one. And most teams are figuring out in real time.
Rob Ainscough 01:00:57.240
This is Identity Decoded, the podcast where we reverse engineer the meaning of identity security, sharing candid conversations about the people building, fixing, and rethinking identity security from the inside.
Roy Akerman 01:01:09.260
I’m Roy Akerman.
Rob Ainscough 01:01:10.700
And I’m Rob Ainscough.
Roy Akerman 01:01:11.980
Let’s dive in.
Rob Ainscough 01:01:13.060
Let’s do it.
Roy Akerman 01:01:19.620
There is a notion that we need to understand what’s going on in the network, but with the nature of AI agents performing, I don’t know, 70% of the traffic nowadays, 50% of the traffic. It’s really, really hard to understand what’s human and not what’s non-human around there. And the other day, you actually told me a great story about an experience that you had. Happy, if you can share it with our audience.
Susanne Senoff 01:01:40.220
Oh, absolutely. I think that all of us who work in companies that are really AI heavy, a lot of the way that we formulated our security strategy is based upon, huh, so this is what that agent is going to do. Back in the early days, you know, when agents first came out, we were all excited. You know, we said, hey, this is going to revolutionize ourselves. And we thought we were doing this great job of inventorying, making sure we had the right products in place. And so this one day, my security team gets an alert through our cloud security provider that said, oh, look, you’ve had a reverse proxy script run in a memory dump on one of your most important databases, going back to the tiers. And we kind of went, oh, crap, you know, which, you know, thankfully we had the alert. Right? And then, you know, luckily, one of the engineers that we were working with as we were triaging this incident was like, you know, these scripts really looked like something an AI agent would write. And so then we were able to trace it back to a laptop for the administrator for this database. And she was like, oh, yeah, I was just doing a health check, you know. And what had happened was the agent was failing the health check and it was saying, I don’t want to fail the health check. And so it started behaving like a threat actor.
Rob Ainscough 01:02:53.360
And this was like totally sanctioned use of an AI product that you use. So everything legit? Yeah, but the activity? Not so much.
Roy Akerman 01:03:01.470
So, Suzanne, you know, identity is the new perimeter. We’re seeing this all over the places, right? And sometimes they feel that it’s holding us back, like we’re making the same mistakes that we did with network security.
Susanne Senoff 01:03:12.230
I find the concept of identity as the new perimeter to just be. It’s like some identity company, you know, marketing department said, hey, if we throw this out there, people are going to grab it and then we can sell more stuff. When I started security, it was all about the moat. And you got to protect the moat with network security. And I feel like there’s this intention of, hey, if we just get our identities right, then we’ve got a new moat. And I think that’s really damaging, actually.
Roy Akerman 01:03:36.510
So you practically hate that notion, right? Oh, yeah. And this cliche, Rob, we spoke about this a lot prior to the show. Like, what do you feel about that?
Rob Ainscough 01:03:45.070
I’m going to disagree a little bit. I read the statement a little bit differently. Right. It’s a marketing statement. That’s the first most important thing to say. It’s just a marketing statement. But I think the way I read it is what it’s saying is we’re falling back to identity as the front line, the most important thing in securing our businesses. I don’t read it as a castle and moat statement. I think the perimeter is just everywhere and it is expressed through identity. And when I speak to companies all over Europe and things like that about identity, a lot of them are running like really, really open, right? There’s a big chance for people to move across those surfaces with identity. And I actually think for some of them, even if you bought in a little bit of moat thinking it’s going to be better than where they’re at today, it’s not the final answer, but it’s certainly a start.
Susanne Senoff 01:04:31.370
And you really have to start thinking about like minimum viable enterprise. And that’s how we’ve started doing. Resilience is it’s like, what are the business processes that have to come up, the systems that support those, the data that has to be there. And that’s how you start to look at the production.
Roy Akerman 01:04:44.210
When I’m thinking about the security perspective out of it. So, you know, we’re primed with the idea to run detection mechanisms, right when something is going wrong. And in this time you cannot really understand what’s or define what’s that something. Right. What’s the identity that we’re trying to protect? What’s the actor? Is it a stable actor? How do we put a framework for this? Get visibility, discover, right, detect, respond, remediate, recover. And we have that feedback loop that is going on.
Susanne Senoff 01:05:11.150
You work for NIST.
Roy Akerman 01:05:13.630
Oh I’m about and I appreciate the framework. However, I think that we’re in a different world right now. It’s kind of like everything is collapsing so that we’ll need to do everything together. And when where does it meet authentication? Where does it meet the IAM practice?
Rob Ainscough 01:05:28.430
I think it’s really interesting coming kind of coming back to that idea of the minimal viable business, right, or minimal viable enterprise. I think what I see in companies when I talk to them about identity is, you know, often there’s a focus on tier zero, right? And they go tier zero. We put all this effort into tiers like great. Well done you, it’s important. But what about the bit where your business runs? Right. Because if you end up without your business apps but with tier zero, is that something your business really would want to pay for? And I think that’s such a common prioritization in identity that’s kind of resulting from, do I really understand what’s important to my business?
Susanne Senoff 01:06:04.450
Well, I also think, you know, you’re raising something really important, which is this, this like siloed focus on certain things. And so like we think about it too from identity. Right. It’s like, oh, do we care more about users or non-humans or agents and which humans and which agents and the like. But you have to figure out the string, like how do they all run together. And I think sometimes that that can get missed.
Roy Akerman 01:06:26.690
We’re speaking about a perimeterless world to some sort. Sorry, Rob, but the second thing is that basic privileges can be used for malicious intents or allegedly malicious intents. How do you put a framework around those agents that you cannot really stop their adoptions? I mean, there are millions in your organization probably now in ours as well. I cannot even think about.
Susanne Senoff 01:06:46.050
I don’t think we want to stop their adoption. The future is AI. It’s back to we have to know what we’re trying to protect, and we have to put those things in place. And we have to make some assumptions that the AI agent is going to try to access this the same way that we look at threat actors, it’s just the agent is going to be faster. And, you know, we may not always see it coming in the way that we used to see a threat actor. And so again, this is kind of fun. Like it’s a fun problem to solve. Okay. So I have a 15 year old and I actually think about agents like my 15 year old. You know, I personally think I’ve done an amazing job. My husband and I raising this, this amazing human being. Right. She’s gotten all the right instructions. You know, she’s gone through all the right training. You know, she’s got all the right framework and everything’s great. She’s now 15. She’s going off into the world. You know, in another couple months she’s gonna have her driver’s license, you know? And so she’s got an identity. Fabulous. Right. But what I’m dependent upon now are, what are the controls out in the world that are going to be able to see where she is? And by the way, I do have a tracker on her that is part of it.
Roy Akerman 01:07:50.790
She knows.
Susanne Senoff 01:07:53.390
From her perspective. But, you know, it’s things like, you know, in the United States, you have to be 21 to get into a bar. So I’m pretty sure she can’t get into a bar, you know. The driver’s licenses have amazing capabilities. You know, it’s really hard to fake them. And it’s like we also know that there’s behavioral controls. You know, she starts weaving in and out of traffic on the freeway. Some cameras are going to catch her and some cops are going to pull her over, you know. And so when we’re designing security in the organization, you know, we need to think about it like a 15 year old that’s going to do whatever they want.
Roy Akerman 01:08:25.140
A nondeterministic 15 year old. Or something like that. Yeah, I can understand that. For me, it’s really hard to deal with the fact that she has privileges to drive a car, right? She has privileges to spend money on things. Right? There are areas that those privileges can take some wrong turns. If we’re speaking back on an agent right now, like this. Health check or reverse proxy that will keep a consistent network capability for the agent or connectivity. It’s the same framework of privileges still holds. Can you still describe the world with a prescriptive, I don’t know, list of this. What you can do in this, what you can do. Do we have the language to actually put the controls in action in the right places?
Susanne Senoff 01:09:07.400
No, you know, it used to be identity was very two dimensional and flat. And then, you know, I saw the migration to user, non-human, AI identity. Right. And it’s just not enough. Right. Because now it’s like identity is expanding to not just be that two dimensional, but the three dimensional intention and behavior. And so you can’t just take one, you have to take the combination.
Roy Akerman 01:09:30.040
And if we’re doubling down on behavior, what would you want to know in order to be able to control based on that sensor that understand what is it being done? It’s just not associating with a malicious intent. It’s like, what? How do we see that? It’s interesting. It feels to me that this area that gives us an opportunity either to go back to how security evolves every time. First, we’re detecting all the bad things, then they’re trying to build mechanisms to prevent some of them, you know, before anything is happening and the first steps of the attacker. But then we’re remaining with some peculiar balance between controls that we’re not really operating in the right time, so that we again need to detect and purchase an alert that we could have even avoided.
Rob Ainscough 01:10:14.220
I think what’s interesting here is some of the levers that maybe we’ve relied on in the past in terms of whether it’s detect and respond or, you know, whether it’s patching for vulnerabilities, the window for those things is collapsing and the opportunity space to use those as primary controls for this thing is so narrow and probably erodes away over time. So then we come back to identity as a key pillar of this thing and say, well, what do we need to do differently? Right. It’s great saying, you know, intent is the thing, right? What does that actually mean? What are we going to do differently? Right. What does that mean for us? And I think that’s a really difficult challenge for us to solve. It’s a whole new way of thinking about this problem. Right? It’s not about governance or filling out a form right, or getting an approval is too fast for that. So what are we going to do differently? Is my key thought.
Roy Akerman 01:11:04.880
If in that day you’re sitting in the SOC room and you’re seeing live like the alert that comes from that reverse proxy from the cloud vendor and whatever, what will make you say let it in or just block it?
Susanne Senoff 01:11:21.040
Here’s the thing. It depends. Right. You know, and this is what I think is changing. We’ve all known for a long time that if your SOC is not integrated with your business, if you don’t have the context immediately available, we don’t have time anymore to call up an engineer, file a ticket and say, hey, is this right? Is this affecting you? We have to get, you know, almost predefined views of is this malicious or not. And so like in the example that I gave you guys, we shut it down. It looked like a threat actor. We shut it.
Roy Akerman 01:11:50.600
And before understanding.
Susanne Senoff 01:11:51.880
Before understanding because it looked like a threat actor. And I have to tell you, the product, the executive, they were like great, perfect thing to do.
Rob Ainscough 01:12:00.420
And I think it probably generates that thinking where maybe security’s been reluctant to get in the way of the business, right, and take those difficult decisions and say, I’m not going to let that happen, right. Because we’re trying to make the business work right. We don’t want to get in the way. But I think with the risks from an agentic perspective, maybe we can be a bit more front foot with what’s saying, here’s what we’ll tolerate and here’s what we won’t tolerate for the things we really care about. So maybe it’s a bit of a new era in terms of like the assertiveness of what we’re able to do and the boundaries we put on the business and say, look, because this is a new thing, right? This is a new thing.
Roy Akerman 01:12:37.380
I do think that by the end of the day, we’ll need to come to a mechanism that will allow this nature of new things happening and new behaviors happening, and not block by default. If we’re seeing something that may be of a use of a hacker, intent is an interesting point, that maybe it’s floating in the air right now. It’s the new buzzword intent, firewall, intent, protection, and whatever. But if you would understand that the intent is a health check, and this agent is operated from a laptop that is owned by a human, a trusted human that you verified well, that the trigger on blocking would be a little bit different, or that you’ll still behave the same. That’s that’s the big question for maybe bringing agents to make those decisions for us to hone that layer of uncertainty that we have, like who did what and why and tell me now what’s the context in that exact second and fractional second before I’m allowing the traffic to pass or not?
Susanne Senoff 01:13:34.290
Yeah. And that’s, you know, really forward thinking cloud security providers. That’s what they’re doing. You know, they’re pulling in that context immediately and they’re realizing that they can’t just give you the discovery of an issue. I did want to get back to something you guys said about speed. The Cloud Security Alliance produced a paper recently in reaction to Mythos and Glasswing that had this chart in it that I was like, oh my God. And I sent this off to my entire team. And it said that, like in 2018, the time from discovery to exploitation for vulnerabilities was like, I don’t know, 50 or 60 days, something like that. And in 2026, it was 20 hours. Just the exponential, you know, going. And I think with AI it’s going to get down to minutes.
Roy Akerman 01:14:19.150
What does it mean for us IAM people? I mean we need to get ready. We need to be part of the story. But what can our audience actually do differently when it comes to, I don’t know, like Monday morning, right? I need to come with a new initiative that will speak to my CISO and to the team. How can we be part of that game? I mean, for me, I keep going to the privileges, things you cannot say. Yeah, it has privilege to do that. So that’s fine. Okay. Because you don’t know who is it. And you know, you don’t know what’s the privileges. You see, just like the effect or some of the effect, you don’t know where it leads to. So you need to build a new framework in order to protect that. So IAM should be more on the behavioral side, more in the real time side of decision making and less in the administrative side. So it’s not yeah, I’ll set up the control and I’ll pray to God that it will work. Right. It’s something else. And CISOs should invite IAM to that party as well. Right. And you should sit there. It’s like. Hmm. Like, did you let this thing do it? What does it mean? Where can it go?
Rob Ainscough 01:15:23.810
That’s what’s ultimately important to businesses, right? And coming back to the theme, we’ve talked about what’s important to the business and what am I doing to protect that thing. And I think it is the difference. And this makes sense in my head. It may not make sense to anyone else, but it’s a difference between protecting identities to protect things versus protecting things through identity. Right. And that’s actually quite a big difference when you think about it. Right. What’s really important and how am I going to use this identity lever of, you know, behavior, intent, context to make those decisions about what’s appropriate in terms of risk and what’s not.
Roy Akerman 01:15:57.890
And so to answer, what would you expect from the new generation of your IAM people to be more able to do?
Susanne Senoff 01:16:04.310
Remember we talked about speed, right? Humans are limited in the speed that we can look at things. So you were also talking about AI agents protecting AI agents, right? I can’t remember where I heard this, but the theory is that for the next two years, the offenders, you know, if Mythos really goes live, have the advantage. And I don’t know who came up with two years or where that came from. But you know, but then at the two year mark, for some reason, it’s very magical. You know, the defenders take over. And I do believe that the defenders will take over. There’s going to be a world where, you know, our AI agents are moving at that speed and they’re giving us, they may be blocking, but it might be a fraction of a second until they figure out the context.
Roy Akerman 01:16:49.830
So you need to build what, an IAM unit that has, I don’t know, 50% of it are AI agents that are operating in order to verify before they’re trusting every transaction, every millisecond. And I bet that we’ll need to have new, different controls that will be able to be deployed in real time. But what do you hear from those new vendors? What are they? How do they look at that world?
Susanne Senoff 01:17:11.250
I don’t think that vendors have caught up yet. I think there’s a general feeling of, hey, we have to sort this out. What is a moat? You know, in certain cases, I’ve heard that, okay, it’s not the technology anymore. It’s the execution, the marketing. And, you know, being able to be ahead of the market. You know, that’s one theory. Another theory is that it’s going to end up just like when SaaS came up. I mean, years, remember it was the, oh, well, why do we need to buy anything? Because we can just build it ourselves, right? And people didn’t do that because they didn’t have builders on their team. They had operators, they had defenders, they had risk thinkers. So I don’t know yet. Like I think we’re figuring it out right now.
Roy Akerman 01:17:49.330
And let’s say that tomorrow you’re coming back to the IAM world and you need to rebuild a unit or, I don’t know, revive a unit of IAM operators and leaders. What’s one thing that you should do differently in order to deal without allegedly wrong agents with? To deal with those challenges, to be more flexible?
Rob Ainscough 01:18:11.790
Great question. It’s a big question, Roy. A big one that so I think.
Roy Akerman 01:18:15.470
Have great expectations for the answer as well. Just out of the box.
Rob Ainscough 01:18:18.870
Just lower your expectations a little bit here. So I think for me, it comes back to some of the basics that we’ve talked about. Right. And I think there’s been a big narrative out there probably since RSA and around, you know, obviously Mythos has kind of doubled down on this, around doing the basics well, around certainty, around making sure you’ve got coverage for what really matters. And if that’s, you know, behavioral context, if it’s hard rules at this point around what you really care about and what can and can’t happen through identity, I think that’s a great start point, right? Because it’s all about we’re not going to solve the world today, right? It’s a big problem. And enterprise is so large and so complex technically that it’s not going to be solved overnight. So you’ve got to come back to those basics, come back to what really matters to your business, and be able to measure what you’ve done right. And I think that’s really key. And often a gap in identity, in our ability to explain the controls we put in place and what it means for the business and also the trade offs we’re making. Right. Because we’re going to say, if I see something that looks high risk for this key data store, I’m just not going to let that happen.
Roy Akerman 01:19:24.580
And I think that for our audience, if we’re trying to decode this discussion into like, what should we think about is that from an IAM perspective, what are those controls? What are these triggers to change those controls, to use them that we need to have or expect to play with and grow with in this new reality, right. That we cannot be in line of the building process, that we cannot be in administrative time and configure things. We need to do things on the fly. We need to say yes and no. Now, in a fraction of a second.
Rob Ainscough 01:19:55.700
That’s going to become the key capability. I think in the meantime governance is really good, important. But is it really going to do what you need it to do when you need it? That’s the real question. And getting into that real time enforcement, getting into setting those guardrails and rules, I think it’s going to become the thing that identity teams need to achieve. It’s not going to be about just operating a business or getting joiners up and running or any of those things we just have to do right. It’s still important, but it’s moving beyond that now into security.
Roy Akerman 01:20:23.520
And CISOs may need to be a lot more full tolerance when it comes to the outsiders, IAM, that are coming into the security stack.
Susanne Senoff 01:20:31.560
I don’t actually think that IAM is outside. You know, I think sometimes the operation of IAM can be there, but if you don’t already have it as a CISO, you have to have identity security engineers or architects. Rather, you know, you have to be the one that’s looking at setting the standards, validating that IAM is actually working. And so if you’re not doing that, do it now.
Roy Akerman 01:20:53.600
And in crisis mode.
Susanne Senoff 01:20:54.760
Oh yeah. Absolutely. I mean that should have happened three years ago at least.
Roy Akerman 01:20:59.500
I think that Rob earnest with the answer that he gave to start our last session, which is the fire questions.
Rob Ainscough 01:21:06.620
Rapid fire, four questions. Right. We do. We talk to every guest about these. So we’re going to talk about a myth, a malpractice, a hard truth and hype. So the first one, a myth. What’s one identity or security myth?
Susanne Senoff 01:21:20.180
One identity security myth: that non-human identities have completely different processes than human.
Roy Akerman 01:21:28.260
That’s interesting. There’s a hype. People are still absorbing or like ingesting that hype. There’s a lot of non-human identities. And there are some vendors that say like, no, you need to do something differently, but you’re claiming something else.
Susanne Senoff 01:21:40.700
Yes, I am claiming that not all. To be fair. You know, there are some differences, but this idea of you have to discover them, right? You have to figure out what their privileges are. They have to be discovered in inventory. You have to know who owns them. You have to know what do they have privilege to make sure they’re not overprivileged, and you have to have the ability to shut them off.
Rob Ainscough 01:22:06.520
I have to say, I do agree with you on this, right? I think the difference is not as great as we’re led to believe. I think there’s overlap there in terms of what we need to do. Right. What capabilities do we need for all these things? I think there’s a definite overlap there that’s not talked about. All right. Second one, malpractice. So what is the one thing that leaders, I assume that’s identity or security leaders, get wrong?
Susanne Senoff 01:22:32.040
We get so much wrong. Where do I start? Where do you want me to start? I think the thing that a lot of leaders get wrong is the idea that this is a technical problem. Okay. I find that the really effective security leaders are the ones who have figured out how to influence and partner with the entire business. And that is a skill set that is developed. Sometimes you have it naturally, but it is still amazing and you have to develop it. And so I think sometimes we get it wrong to think that we can only solve this from a technical perspective.
Rob Ainscough 01:23:13.340
Technology is important, but it’s not enough.
Susanne Senoff 01:23:15.340
No. And especially when you implement technology without a process underneath it, it’s like it’s just a tool and then it doesn’t work as well as it needs to.
Rob Ainscough 01:23:22.820
I always thought in my old company, right, 400,000 people, I was like, this is more like changing a small country than a company with all the different people, people working in shops, warehouses, the office, so many different countries with different requirements, like you got to treat it as a people problem, right? And it’s about doing that in the right way.
Roy Akerman 01:23:40.500
Yeah. And of course security perspective or like a hacking perspective. Hackers are not trying to break the system. They’re trying to break into the process, steal money, steal data. So if you don’t understand that, yeah. You’re missing. Yeah.
Rob Ainscough 01:23:53.540
Question three. Hard truth. What’s one hard truth?
Susanne Senoff 01:23:58.260
Back to my 15 year old. I think security is a lot like raising children. Meaning every time that I think I get it right and I know what I’m doing, something new shows up.
Roy Akerman 01:24:09.170
What is the most overhyped term or buzz that you’re hearing right now?
Susanne Senoff 01:24:15.130
Oh, you mean besides identity is the new perimeter. Yeah, I still think it’s zero trust. It shows up all the time. And the principles of zero trust are absolutely beautiful. You know, however, there is no such thing as zero trust. It’s more about explicit trust, you know, and really understanding what are the layers that we’re trusting. How are we trusting them back and forth?
Roy Akerman 01:24:42.370
I got it. So the next time a vendor hits your inbox like zero trust should not be in the subject line.
Rob Ainscough 01:24:46.610
Now in terms of what we talked about, you know, we’ve talked about a few things there. We’ve talked about, you know, agentic, obviously we were going to talk about that at some point. We talked about what’s really important to business. If there was kind of one key takeaway that you had to give our viewers out there in terms of identity and in terms of what we talked about, what would that be?
Susanne Senoff 01:25:06.430
What I would recommend is that if your team is not already thinking about how to use AI, learning how to use AI, if you’re not already looking at your skill set and thinking about what your team should look like in the future, you need to do that now.
Roy Akerman 01:25:22.950
There’s a lot of people that are still behind that waiting to see what will happen.
Rob Ainscough 01:25:27.430
Thank you so much for joining us. It’s been a great conversation. I’ve loved it.
Rob Ainscough 01:25:32.270
And thank you for coming all the way to Houston to have that conversation.
Roy Akerman 01:25:38.750
It’s great. Thank you.
Rob Ainscough 01:25:40.270
That’s it for this episode of Identity Decoded.
Roy Akerman 01:25:42.830
If this conversation changed anything that you thought about identity security, share it with someone who’s working through the same challenges.
Rob Ainscough 01:25:49.110
And don’t forget to follow the show so you don’t miss what’s next.