Security leaders sit down to discuss critical Non-Human Identity data and what security leaders should do with it.
Speakers
- Paul Groisman
- Francis Odum
- Matt Tower
Transcript
00:00:00
Okay, we went ahead and gave everybody a few minutes to join. If uh people are still trickling in, which I think that they are, we will record the beginning of the conversation and um you won’t miss a thing. So, I am just going to go ahead and start by introducing our awesome experts and speakers and panelists, whatever you want to call them. Um, and then I will push it over to Francis. So, Francis is a well-rounded founder as far as the founder for Software Analyst Cyber Security Research, which means he brings
00:00:39
us all things data research, the unbiased point of view, and he brings the expertise of the cyber security industry as a whole, analyzing how our how our industry is shifting, changing, and evolving in real time. So he’s going to present all of the data and give us the context of the conversation we’re going to have today. And we also have Paul here who is a seasoned cyber security leader with decades of experience. He um is a person who has experience as a practitioner to a CISO and he is
00:01:17
bringing us the practitioner and leader perspective connecting that data to actions that cyber security teams and leaders are taking and we will be able to have a back and forth conversation with him as well as asking questions to both of them. And then last but not least we have Matt Tower from the Entro team as well. He is bringing us the perspective of how this industry is evolving, how people are talking about non-human identities. He also has decades of experience in the cyber security world and speaking with all
00:01:51
types of people from practitioners, engineers, founders, analysts to help solve the problems that everybody faces as far as securing our um non-human identities or machine identities. I am Kelsey Purcell. I am on the Entro team and just a couple team of housekeeping. Sorry, Francis. I’m getting some feedback. Just a couple of housekeeping items. The Q&A is open. Please submit your questions. Uh this should be an involved conversation and we want to hear from you and speak directly to you.
00:02:27
The chat uh should not be used just so I don’t miss anything, but if you need something pressing, feel free to put in the Q&A box and I will be monitoring that. Okay, Francis, I am going to pass it over to you. Amazing. Well, thank you very much um to the Entro team um and and thank you all for for having me and and welcome anyone wherever you’re joining us from. Just really excited to uh give this presentation on my behalf and and I think from my perspective. I come from a a neutral perspective in
00:02:59
terms of bringing in the research uh perspective. And so a lot of these findings that I’m going to be presenting shortly are all summary discussions of the conversations I have with IAM and identity security leaders um and that we’ve had over the last um few months here. So, my goal here is to give almost a mid 2025 update as it relates to non-human identities or machine identities as um depending on what camp you you fall on. But more broadly to talk about this, I think at this point
00:03:36
in 2025, I think the reason why we have this as an update is really we believe at this point in time, there’s nothing new, right, about non-human identities. There’s nothing completely new about the risk. There’s not there’s not a whole lot of new things. This I feel um for many practitioners who’ve been following the industry for give or take about a year now or so we’ve all heard about the different risks, the importance of of non-human identity. So a big part of these conversations is to really talk
00:04:08
about where we are across that adoption life chain and that’s a big part of what my presentation will be about. So the goal here is to say okay from early 2024 you know I think this time last year there was a lot of hype there’s a lot of excitement about the role that NHIs play and throughout that phase of 2024 up until now you know what has really I’m not going to speak to every single detail on the slide but I think at the most part I think we’ve seen a lot of new research this year from Okta,
00:04:43
Delinea, even CyberArk, some of the the big companies showing that initially we had felt that 20 to 1 was maybe the number and we’re seeing new research showing that that number is actually significantly higher due to what’s happening with agentic security. So that’s one context or baseline that we’ve seen maybe happen over between last year and say um now where we’re currently at. For many of you who have maybe followed some of my past research as it relates to the um industry, I will
00:05:15
still say it still remains a key problem for a lot of enterprises and and this was a prediction that I we talked about last year as it being a a core problem for CISOs and that still remains very much more so the case as of now. Um we’re still seeing companies moving into this buy overview um trend and I think we’re going to talk about that later on with Paul around what’s happening as it relates to how you actually go about solving this problem tactically cuz there was as of last year you know some security felt as
00:05:50
though hey I have some solutions internally I could use to manage my service accounts however we’ve seen that starting to change and then unified visibility is is another thing I think we’re we’re going to talk about later on with Paul. So, one of the core I I I’ll speak through just five major trends again that we’ve seen throughout this year. Again, the goal isn’t to go too deep into them. Going to I’m going to share the slides and make them available for all of our participants so it’s easily
00:06:20
accessible. So, if we move very fast on things, you will know all the reason is we’re going to share the slides with you and a lot of the materials here are very easily readable. So I’ll just talk very at a high level about each of these things. So I will say as of now June 2025 or give or take mid 2025 I will say the conversation within non-human identity has really shifted to the role that agentic AI and MCPs will play and I think that’s maybe been the biggest change compared to this time last year.
00:06:53
I think last year obviously there was talk about the role agents will play as it relates but in my conversations with security leaders I think a lot of the security that I speak to as well are already starting to think hey look now agentic AI seems to be something that’s going to be happening much more faster than we had actually expected it and now we want to actually have visibility into what our agents are actually doing again all of these markets are still relatively early but a lot of these
00:07:23
leaders are thinking about their roadmap over the next three years and and obviously MCPs now have increasingly um growing in adoption and many vendors and companies are rolling them out and so we’re seeing a a huge um huge adoption trend and I do have lots of data points on here that actually show leadership from many top leaders are requesting some level of uh visibility into what agents are actually doing because what one another data set we’re seeing in the 96% there is many leaders are gradually
00:07:59
getting comfortable with letting agents you know tackle um somewhat what we would think as maybe high critical task but maybe not security focused but more around office related type Microsoft 365 a lot of your core basic productivity um enhancements within the enterprise companies are letting agents do this and in inspire as they think about how we want to actually go about doing that. The next big question they’re asking themselves now is what are the security risk and and how do we actually
00:08:29
understand what the agents are actually doing. So this is a big trend that has actually happened. I will say also over the last 12 to 18 months we’ve seen an increasing number of attacks and so a number of these increasing attacks that we’ve actually seen over the last um few months have also again most of in the slides you’ll find all the data points for where where we get a lot of these data as it relates to all the work we’re showing but a lot of the increasing attacks on non-human identities over the
00:09:01
last 8 to nine months we’re seeing more and more attackers leveraging a lot of these loopholes, it’s leading to the calls for detection and response capabilities on the vendor side of things. And so what that means is we’re moving gradually away from visibility just being the core driver. Yes, visibility still is the reason and on the 48% they’re on the right. But what that data actually also showed was companies are getting relatively comfortable with the visibility that they’re gradually getting from a number
00:09:34
of solutions and now they’re actually emphasizing we need a lot more detection capabilities. We need a lot more D&R um capabilities to complement a lot of that same visibility. And so that’s new data points that we’re increasingly seeing. Another point that we’re we’re currently seeing is as it relates to third party risk um third party risk and a lot of how you go about actually managing a lot of your secrets. So this one has to do primarily with the sense of what we’re
00:10:06
seeing currently on the market today is um as a what we’re seeing now is the average time your average credential you know takes about 627 days. A lot of credentials are living for over 627 days. And think about that that’s that’s how long it’s taken a lot of companies and and 70% of NHIs are never really rotated uh within the set policies that companies are actually putting and furthermore 97% of these non-human identities are exposed to external parties and external vendors and so what
00:10:42
you’re seeing now are companies are looking for solutions to better help them enhance and manage a lot of this operational nightmare as it relates to how they go about rotating a number of the NHIs. And further towards the right, another new development in this market is the OWASP Top 10 as it relates to a number of the top 10 non-human identity risks. And that was released um about a few months ago to help companies think through some of this risk. Then the last one here I’ll just share is the
00:11:14
challenge between in-house solutions versus vendor based solutions. I think we’re looking forward to our discussion with Paul shortly where he’s going to give us that perspective of you know based off my conversations with CISOs as well as security leaders you know some leaders are fine with some of the solutions they have in-house that they maybe build to track and manage a number of their um service accounts primarily or the different API solutions in-house and a lot of these are like solutions
00:11:43
you stitch together and I think there’s also that whole debate of like okay what about actually having a vendor that actually helps you solve all of these problems. And so at our ecosystem more broadly, what we’re seeing now is many different vendors and many different providers are racing towards wanting to solve this problem at the intersection. Secret managers, your human identity traditional core vendors and then obviously you have your pure play NHI vendors and a lot of your cloud devops
00:12:13
companies. Everyone’s racing towards how we actually go about helping to solve this problem. I think many leaders are struggling to decide, you know, do I do I leverage my in-house solutions? Do I use some of these existing solutions you might already be using internally and complement that or do you go for pure play vendor like some of our conversations much later tonight? I think we’re going to look forward to Paul to help us on that. I won’t talk too much about this, but ephemeral
00:12:42
workload certificates and just in time secrets is another trend that we’re increasingly seeing and they need to go about managing that. And and last but not the least is here is around discovery posture and and remediation. Again, we we give a lot of descriptions as it relates to a number of these trends here and they’re very easy and easy to go through. So I’ll I’ll just wrap that up by just saying across the ecosystem there are a number of trends we’re seeing as it relates to agentic AI
00:13:13
how companies go about actually managing detection and response capabilities to complement a lot of the visibility solutions they have how they go about managing third party risk as well as the whole challenge around sifting through all the different solutions on the market relative to what they have in-house and then we shared a number of extra complementary trends which participants could look at when we share the slides. So without further ado, I will pass this over to Kelsey where we will do more of of our uh when we’re
00:13:46
talking about practical implications. Thank you so much Francis. Wow, so much information, so little time. Luckily, you are gracious enough to send the slides. There were a couple of points that really resonated and wanted to connect to uh first Paul’s experience but also I think you said uh the average NHI like life cycle without being rotated is something over 600 days and there was another data point that our co-founder who unfortunately couldn’t join today he had an emergency referenced from I think it was an IBM
00:14:19
report where um it actually on average takes nearly 300 days for security leaders to find NHI that was involved in a breach or was compromised. So those are some pretty scary stats when we start looking around the data and the potential impact that it can have in real time. Paul, on that note, I would love to hear what was the defining moment or what was the exact characteristic that you were experiencing that kind of catapulted you into prioritizing NHI security, especially as a CISO, you know, limited
00:14:56
budget, limited resources, and needing to secure all of the things. Yeah, absolutely. Thanks, Kelsey and uh Francis. Great great overview on that. So so many different data points to really take into consideration. I think when we think about this particular area, right, and just the identity landscape in in general overall, right? Really when you see the threat actors and the fraudsters, right? They’re not having to break in anymore, right? They’re logging in. So think of identity as the new perimeter. Of
00:15:25
course, tend to overuse that, but it’s it’s really quite true, right? Especially in today’s landscape where everything is cloud first and cloud-native and heavily relying upon SaaS applications. The way that we uh develop and build applications is is vastly different from the way we used to do it 10-15 years ago in a more traditional environment. Right now we have a lot more agile, a lot more focus on DevOps, right? And building new applications and services that much quicker and faster,
00:15:53
right? And that really requires microservices. And we think about identity and the way we need to connect these things is through the non-human identity, right? And and and for practitioners that have always been really focused on the traditional IAM, right? Around your end users, your your vendors, your business partners, right? Even your privileged accounts and service accounts. The whole realm of non-human identities is something that really hasn’t been thought of uh as much, right? It hasn’t been an area of
00:16:22
focus really the last you know up until more recently as particular as to uh an attack vector. So it’s really it requires a new approach and a modern way of thinking right of way to protection and first and it starts with visibility right and kind of knowing and everything what you have out there. Um so and and a lot of what it described earlier in terms of you know meantime and data discovery is quite common right uh because of the mass proliferation of of so many non-human identities everywhere
00:16:51
right if you’re uh logging into something it may or may not look like regular routine behavior right so unless you have additional detections and response and capabilities and analytics built into um a lot of these areas of focus it’s going to go unnoticed and might go unnoticed until it’s too late. Certainly. Absolutely. And I want to lean into the visibility aspect because I think that for people like us who talk about this every day and we’re so ingrained in it. It might seem like of
00:17:21
course obvious we need to know where and what non-human identities we have in order to eventually secure them, create the baseline, understand their behavior, and um and make sure that we’re flagging anything that’s abnormal. But I would love to hear from Matt because I think that probably out of all of us, he speaks to the people who um are still learning. They’re still trying to figure out how to take that first step to securing their NHI. So they might hear um I saw a couple of stats 42 45 or
00:17:55
we’ve even seen upwards of 92 non-human identities for every one person, but that’s a jarring number regardless um throughout that scale. So, how are how are people approaching this? What do they need first? What are you hearing from them from people that you’re just now talking to um about non-human identity security and what’s their biggest challenge first? Thank you, Kelsey. And to to your point and uh Francis, I know you had 46 to 1 and to Kelsey’s point that is we are seeing a
00:18:28
higher number. I was actually at a talk with CyberArk last week and they were referencing 82 to 1. um NHIs to non to human identities. So the number is big and getting bigger especially with agentic AI. What I’m seeing is obviously what the problem of people trying to solve is they’ve Francis to your earlier point they they’ve I I would say somewhat have recently have fully opened their eyes and realized okay my developers are creating these NHIs security really doesn’t have oversight.
00:18:55
What I say all the time is security is in an interesting spot because while they’re responsible for what the engineers do at the end of the day and what they put in the code in the company, they’re not the direct manager and and really these engineers are able to kind of per permission and scatter them at will around the organization and no one really has visibility or true inventory of where everything is within an organization. So really, I mean, Kelsey, I know you referenced the the IBM report. I was going to do the same
00:19:20
thing. But I mean, yeah, it’s it’s now because I’m speaking to CISOs, heads of IAM or heads of application security every day. They’ve really grasped onto the problem of, okay, I’m doing this for my 2026 budget. I need to fix this somehow. Can we start P? So, but yeah, I’ll uh I’ll digress and uh and pass it off to the next person. The one point to add on that right what what Matt mentioned right when you think about the proliferation of SaaS applications and uh you know when I talk to other peers or
00:19:47
other leaders they may or may not have a really good grasp of their GitHub right uh identities right the way they manage their applications pipeline tools like CircleCI right everyone remember they had a a massive breach not that long ago right and that’s quite a an effort to rotate on all those you know keys and identities and secrets and it’s so and from from my perspective You know, I might have one thought where we have like a number X of non-human, but it’s really times times two, right? When you
00:20:16
think about, you know, other applications like Jira and and Confluence, right, and and your public and private repos that you have identity sprawl everywhere, right? And that’s the reality. So, you got to have good visibility and with that going to require some some tooling and platforms. Yeah, you definitely need visibility. That’s I mean first and foremost to know where everything is and then once you have that you need to take it a bit to the next level and understand okay when is someone you whether it be internal or
00:20:43
external doing something that is that is out of band right when is when is is a developer taking an NHI and put it on a Confluence page or put it on SharePoint or OneDrive or sharing on Teams or Slack um or when someone from external from the organization is trying to exploit. So you you need you need both sides of the uh the coin there. I’d love and one last thing to add if Okay, sorry. Okay. No, go ahead. Go, Francis. No, just the last thing to add is that I think even um I just wanted to echo your
00:21:11
point as well around just the the the numbering of non-human relative to humans. But I also think in the future of god give or take two to three years as agentic AI matures, what you’re going to have is agents creating other processes and proc tools. And that’s just think about that replicating process of agents creating their own and and leveraging tons of tokens and what that actually how that significantly increases the vastness of of what you need to manage and so you just it just speaks to how this problem will only get
00:21:48
complex over time. Absolutely. And I think that the tying it together with um the sheer number of NHIs that people have to discover, but also this adoption of agentic AI, the usage of NHIs um especially being in cloud first organizations. The um point of it is being able to move at enormous speeds and be able to innovate faster and to do more, be more efficient, and be eventually more successful within the organization itself. So, there’s going to have to be that happy medium, right, of reclaiming
00:22:29
control of these non-human identities while Paul, I’m sure that you can relate to this, but while also encouraging innovation and not wanting to put a stop to it, which I’ve heard from other CISOs that they want to secure this and they are also a little bit hesitant around putting these these blockades in place because they don’t want to break anything and they don’t want to uh you know halt business or accessibility. So I’d love to hear because Paul I know that you um you evaluated NHI solutions
00:23:04
you ended up going with Entro. What was the biggest challenge when choosing when um you were implementing it or when you were overseeing that take place within the teams? What’s the biggest challenge and what advice do you have to other security leaders who are saying this is a colossal problem? I know it. I hear Francis’s data. How do I start beyond just um you know evaluating their environment when I’m putting it into place? Yeah. Yeah. Certainly. Thank Kelsey. And I I think you know first and foremost you know
00:23:40
since this is a a rapidly evolving area right it’s you have you got to follow what’s the best practice right? What are your policy standards, recommendations, you know, guidelines as it pertains to NHIs, right? Because you can’t treat it like a regular end user, of course, right? And we think about, you know, things like multifactor authentication, MFA, right? That doesn’t really work with with NHI, right? So, you know, yeah, we’ve had a mandate to, you know, to have MFA anywhere everywhere, right?
00:24:05
That doesn’t really help for for NHI, right? So, what is the best practice? What’s the best uh uh recommendation on on how to manage it? And in in in in terms of evaluating a a platform, right, everything I’ve always done and always did in in in current and uh prior organizations always take a risk-based approach, right? What is it that we’re trying to protect at the end of the day? What’s our intellectual property, right? Is it our code? Is it our secret sauce? Right? Regardless and and and and how
00:24:31
are we protecting that from a from an ecosystem uh perspective, right? When it comes to evaluating, you know, tooling and technology in this space, right? We talked briefly about visibility. That’s kind of come kind kind of comes first and foremost. But we know right everyone’s got a variety of applications and tooling and platforms that they want to integrate right from their SIEM, from their automation, from their EDRs and MDRs, right? And how does Entro kind of play well into that, right? Um, a lot of
00:24:59
our thoughts was, you know, we we needed to uh implement HashiCorp to manage all of our secrets, right? HashiCorp super popular very easy to use and implement for cloud-native environments right so we think about how you know and HashiCorp works well with with those identities that you know about right but how do you identify identities that you don’t know about right in the NHI space and force that into the HashiCorp right so kind of enabling a connector with HashiCorp with Entro a big big uh differentiator right
00:25:31
and a big capability right so those were some of the say some of the some of the criterias to look for Otherwise um you know easy scanning, easy discovery and actionable information right I know you know a lot of organizations are hesitant to give full you know access right to third party tools to take action on your behalf right a lot of that comes with some kind of level of maturity right and kind of organization have been at the kind of maybe more early stage maturity where we’re not ready to allow you know
00:26:00
another platform to take action on our behalf right we want to have you know uh an analyst an engineer uh you know evaluate right what is the potential risk right what’s the timing what’s involved right and then make an educated decision on whether getting that you know moved over or not right operationally so I would say there’s a there’s definitely a maturity and a learning curve to this right uh depend upon the organization depend upon your compliance needs your audit needs right
00:26:29
so the platform has all the capabilities right but you want to take a risk based approach you know based upon your own organization risk tolerance, right? Especially for applications that have, you know, mission critical, right? And require 7 by 24 uptime, right? So, really need to kind of take a risk-based approach. Do your evaluation, you know, follow best practices in terms of getting not just evaluation, but also getting implemented, right? In terms of integrations and at the end of the day,
00:26:54
what it is that we’re trying to protect and and and is it meaningful, right? Is it working for us? Could I question? Absolutely. Uh just like a just building on that Paul I was curious like did your organization also face the challenge of we already have Hashi for our secrets managers we might have some PAM solution we might have some other solution in-house and we might just want to build our own internal processes like how did you wrestle between some of the in-house tools you had as opposed to
00:27:26
then saying hey you know what we actually need a pure play vendor to help us solve this problem. Yeah. Well, it’s a great question. So, Francis, right, I mean, it’s it’s it’s a it’s, you know, from my vantage point, it’s a different, you know, a different tooling, different technology altogether, right? When you think about, you know, privileged account management, whether it’s a, you know, a CyberArk, a Delinea or, you know, uh, like a HashiCorp with more of a vault, right? Your secret storage,
00:27:52
right? It’s a storage repository versus a way of, uh, to discover, right, and identify all of your NHIs. And some might work well just within your cloud, right? Within your cloud environment, whether it’s GCP, Azure or AWS, right? But what about everything else, right? So you see a lot of tooling work in their own silo, right? Doing uh discovery and analytics within their own kind of domain, right? But really don’t have the ability to kind of transcend across multiple platforms and an
00:28:24
application, right? That’s kind of where I see uh a lot of the power right and capability of Entro and the ability to kind of integrate and play well with with all of our with all the other kind of applications earlier mentioned right and then provide actionable results with some identity risk analytics right whether this is critical or high medium low and requires immediate attention right so you highlighted earlier around the detection and response capability right that’s not necessarily you know the
00:28:53
function of a of a PAM tool right? That’s more of the function of a a platform, right? Built specifically around NHI. So that’s kind of where I see the differentiator and kind of the the landscape continue to evolve specifically around the detection response capability. Matt, I’d love to hear your perspective as well because a couple of things stuck out to me when Paul was talking about how he implemented this with the team and any challenges he ran into. So, one thing is we talked about evaluating the the
00:29:24
current risk. What’s our current environment look like? And Matt, I’m sure that you know that we’ve had some people say, shameless plug, that they spent a month trying to discover their non-human identities. I think they found 10 and then they’re like, “Let’s try an Entro assessment.” We do them bare bones and offer the free assessment because knowledge is power. And I think they found thousands of non-human identities. So, it’s the NHIs that you know exist and then the NHIs that you don’t know
00:29:53
about, but they are likely out there. So, Matt, I’d love to hear the teams that you see most impacted by this. Are there characteristics beyond just cloud first industry size? Paul mentioned maturity. So, I’d love to get your perspective as well. Yeah, I mean, I think it’s definitely changed. Um, I would say 6 to 9 months ago, I found myself on calls often and literally explaining to folks what a what a non-human identity was. And I I I somewhat joke um that that folks like Paul had some sort of WhatsApp group
00:30:26
chat going and said, “Hey, we need to figure this out. This is this is an industrywide problem.” It has it has been has has some massive headwinds uh behind it. Um, I would say industry-wise, I mean, obviously to Paul’s point, the cloud native and cloud first organizations were definitely the first to grasp this, but I find myself in conversations all the time, um, like over the past week with large big banks and healthcare solution, healthcare companies where in in your head you’re
00:30:55
like, oh, well, they’re they’re traditionally on-prem, but at the same time, they they have heavy heavy compliance risk within the organization and none of them have an inventory of I mean, they’ve tried I mean, I’ve talked to companies that have taken an in-house and tried to build an in-house product to figure out where all their non-human identities are and where they’re living, but it’s static, right? It’s not it’s not constantly scanning and things like that. So, you can’t uh store all these
00:31:19
in an Excel spreadsheet and attempt to have an inventory and a grasp of who owns what. And to Paul’s early point also when something does go awry and when someone’s keeping things in a gold mine on GitHub and has 20 uh secrets or energize in one place or or or on SharePoint or OneDrive, you need to have that level of visibility and insight into and then I I need to know who’s who’s who in the company is is sharing these around when they shouldn’t be. Yeah. I I think one important piece
00:31:47
you could you know we mentioned compliance earlier, right? you think about from a you know regulatory and compliance framework you know and and and you know compliance is always kind of catching up right to to to the threat landscape in somewhere where I think it’s you know kind of uh you know speaking with others that some of the compliance frameworks haven’t caught up caught up yet or really caught on to this area right it’s still kind of rapidly evolving but it’s kind of looking to see you know does it fit into
00:32:12
any particular you know realm right identity access management you know network you know security awareness right for incident response you know where does this kind of fit right it’s still kind of maybe to be determined at least from from my perspective right whether it you know where’s PCI going to really focus on that you know you generally have a process for your service accounts right I mean privilege accounts right but this is this is still somewhat different somewhat newer where a lot of compliance frameworks haven’t
00:32:39
really caught up yet to some of these to some of these risks so that’s that continues to evolve right I think we’ll see more more uh more attention kind of given that even within your larger more regulated uh you know hypothetically more mature organizations at some point. Yeah, it’s uh you you’d be surprised. It’s funny. I whether it be PCI or NIST or ISO whatever one of the compliance frameworks I think most of them nowadays have a key rotation mandate within them and it’s it’s it’s incredible to me how
00:33:08
regulators dig in some areas and don’t dig into others. But I digress there. But yeah, it’s it’s knowing that okay, you have x amount of keys in the organization that haven’t been rotated in years or not not just days, multiple multiple multiple years, and it has access to a critical resource in the organization. That’s a risk. Um I I think that it’s interesting and connecting the compliance because obviously somebody is responsible for continuing to make sure that the organization is adhering to the
00:33:36
necessary compliances and regulatory aspects. But we got a question in and I want to hear Paul’s perspective. And then I have a second question coming in that’s geared toward Francis. So when we talk about the compliance aspect and also just taking a hold and reclaiming control, who are you seeing or who on your team is responsible for managing these NHIs? And then once they’re discovered and we do have the detection and response, how critical was that for them to be able to take that on as a
00:34:11
team while also continuing to secure and do their other jobs and responsibilities? Yeah. Yeah. I that’s a great question, right? I mean, originally I had this kind of slotted within identity and access management, right? You know, identity access management architect, right? In terms of the the the traditional landscape. Now in terms of you know cloud first and cloud native organization right the way I’ve kind of worked with that the ones that have actually taken action are your infrastructure team your SRE your
00:34:40
engineering right your devops engineers those are the ones that actually kind of uh own uh uh the action at the end of the day right and we need to work and collaborate with those staff to to actually take action right and remediate and address so uh I I I I see it truly as a joint ownership at the end of the day. Right. Uh I I I see as a cyber security leader, I need to have full visibility. I need to have metrics. I need to have my dashboards and, you know, be able to identify risk, right? But I’m going to
00:35:12
need to partner with my, you know, operations teams, my engineerings, my my uh you know, developers as well, right? Whether it’s, you know, something to identify in QA or production or other environments, right? You need a you know, you need an all hands-on approach at some point, right? And if you don’t have good policies and standards, you know, you may have different ways to remediate as well too, right? So, kind of falling back on your on your basics, right? So, make sure we have what is a
00:35:37
desired way to remediate, whether it’s a vault, whether it’s rotation, right? And having good visibility, you know, it it’s going to require a joint effort at the end of the day. Yeah. And I think that that adds to the efficiency part of it, too, right? Even if you’re starting this and you have thousands of non-human identities and you’re looking to take control back, it’s going to be a huge endeavor in the beginning and processes put in place so developers are using better practices and um not over
00:36:09
permissioning or sharing within hardcoded aspects or putting putting their secrets um and API keys through Slack. It’s important to put those processes in place so it’s not a problem that continues to grow and and be out of hand for the team. So I really like that you said a couple of things that I’ve heard come up before which is go back to the basics and also this is a combined effort right the security teams can identify and help mitigate the risks around non-human identities. However,
00:36:42
developers and engineers, we need to have a process in place so we are not sharing secrets and API keys in insecure ways. We’re not having the over-permissioned aspects if it’s not necessary. And that’s part of the detection and response aspect where we say, okay, what’s the baseline behavior that we expect? Because we want to use these non-human identities. What’s the baseline behavior from them? And do we need to flag this or do we not need to flag this? Is this what we expect or is
00:37:09
somebody from a country that we don’t even do business with trying to access this API key with sensitive information in it? Okay. Uh Francis, the question that is coming through for you is how are you seeing this data shift as you do your research, as you analyze and speak to, you know, dozens and dozens of uh different experts and organizations and solutions and founders. How are you seeing the data shift especially over the last you know sixish months um from what they are looking for in NHI
00:37:51
solutions what are they focused on is it hey this is a problem we need to solve it but are they focused more on the discovery aspect are there other elements from NHI solutions that they really need and is there a better understanding from what you’ve collected to secret scanners versus a full-fledged, you know, NHI security solution. What What are you hearing and discovering out there? Yeah, for sure. I I would say yes. So, I would say like definitely like if you take us to like early part of ’24, it was oh my gosh,
00:38:27
like obviously I think everyone had this whole thing of like um just an awareness of non-human identities. A bunch of companies really popped out and increasingly just really became the talk of the town at RSAC and and a lot of people were just like okay we got to like get a a whole grasp a good grasp at this. I think back half of last year, you know, a number of the vendors over like Entro had to do a lot of education, market education to just really help help leaders, help the market really understand what are the kinds of threats
00:38:59
that you could be exposed to, what are the risks that you could be exposed to and even just highlighting a few or number of risks and at that point I would say you started to get some appetite from some forward-looking CISOs. I would say more forward-looking CISOs who were like you know what like this is actually a real risk I should be putting some budget around this and I think you ended last year with a case of like many didn’t have the budget last year and we’re like okay we’re going to put this
00:39:25
into ’25 as like something we got to do and I think coming into ’25 you know visibility was the number one use case inventory we just need to have some I think Paul has highlighted this a number of times that’s the number one capability We want a vendor that actually just gives us that centralized visibility of all the different types of um NHIs in cloud, on-prem as well as different SaaS environments. So visibility inventory still remains the core use case. Um and I think you still have some leaders who and I think this is the
00:40:01
challenge though many leaders do acknowledge I think the numbers are like close to higher 90%. There’s no one who you would but when you actually say are you actually putting money are you actually putting initiatives and projects actually behind this you start to see a little bit of um the numbers obviously get down but I think that number is growing up as more leaders and their boards and their executives really understand the huge need um to the last half of the question of like what are we
00:40:28
seeing now I think a lot of leaders who adopted solutions last year you know and I would love to hear from Paul I think they’re moving away from inventory and visibility now to okay what are the other use cases you could actually really help me so ownership assigning of ownership attribution like who are the human owners and how are you making sure you’re talking to my Okta and being able to attribute ownership I think detection and response I think given Paul acknowledge mentioned that as well I
00:40:57
think how we actually go about rotating secrets in an automated way across all of our um different how do we move to a world of short-lived credentials. I think those are some of the features now that are increasingly becoming important. But I think Paul had something to add here. I would say you know on uh you know definitely taking a a risk based approach you know to that you know when it comes to you know some of the short-lived identity think about you know crawl walk run that’s definitely a a
00:41:25
higher more mature uh way to get there right uh you know you know when I think about organizations that are maybe ripe for this type of uh technology and platform right we think about you know digital transformation and business transformation right those organizations regardless of their vertical and size, right, that are experiencing, you know, the shift to move to the cloud, right? That to the point, right, is inherently when you need to start to look at, you know, is is an NHI solution appropriate,
00:41:53
right, for my organization, right? And you think about the, you know, the rapid uh adoption, the utilization of of SaaS, right, as well too, right? So it kind of goes hand in hand. We we already identified that, you know, organizations that are, you know, have already do have a number of of of of NHIs that may or may not be aware of, right? But if they’re exploring and kind of undergoing any kind of digital transformation or migration to the cloud, right, you really need to stay ahead of that and
00:42:21
that’s where you really need to kind of focus on on on your NHIs, right? Because you’re going to have them whether you like them or not, right? And that’s regardless of your vertical, your your shape and size of your organization, right? So it kind of goes goes hand in hand uh of from my perspective, right? And you want to get ahead of it before it becomes of of more of a problem, right? Because we know a number of the breaches and the and the incidents are all kind of uh taking advantage of of
00:42:46
non-human identities in various different locations and applications, right? So this is continuing going to be only a bigger problem as we as we move on. Absolutely. And I think we’re seeing it’s one of the most common breaches which of course is if people don’t know it’s actually how Entro started. Um our co-founder was breached by a non-human identity multiple times and it happened in multiple different industries from when he was at Microsoft and also the CISO of a major healthcare organization.
00:43:19
So now I think it’s the most common or the second most common and the most costly type of breach. But I want to go back to a couple of points and pull in Matt’s perspective as well because we talked about the speed the digital transformation era especially, you know, in the last few years and the exponential growth. When we look at that, we say, okay, our people are still humans and they’re such a critical element of our teams and they’re expected to sometimes work at machine speeds. And um so I want to hone in on
00:43:53
the importance of the detection and response because we we have to sleep and eat and there are element human elements involved here. So we can’t possibly be 24/7 365 detection and response and how critical and how like important is it for the automation aspect that Francis talked about this evolution of hey we just need to know where our NHIs are and what’s happening to all right now that we know what do we do with that information and how can we automate it so there is a level of efficiency and we
00:44:28
don’t have to have people you know at the helm every second of every day because within minutes somebody can breach and it can be detrimental. Yeah. So to that point, you obviously need a solution. Obviously I’m I’m slightly biased working for Entro, but you need regardless of solution, you need the ability to first and foremost as a security leader, you have dozens of tools, right? You can’t be clicking around just monitoring it every single day. You need that solution to automatically send out whether it be a
00:44:56
Jira or ServiceNow ticket to that individual owner, a Slack or Teams message, an email, what have you. So when something is critical, like yeah, the stuff that’s low priority, listen to your to everyone’s point, there’s only so many hours in the day, like let’s not worry about that, right? But stuff that is high and critical, you need to have a policy in place or just things in place to automatically send out remediation and working with some sort of platform to automatically then rotate the given
00:45:22
key to take it out. Right? So once it’s rotated, obviously that older key has no no longer has access to the environment. So you do need do need those those kind of checks and balances in place to move forward. But like I like I said, security teams have dozens of tools. They need them all to to speak to one another. So to help you actually be the most efficient in your organization to actually get things done. And to that earlier point, it is the most it actually did surpass phishing. It is the
00:45:49
most frequent attack vector now. That’s from the Verizon report. I think the IBM report as well. The bad guys have caught on to this. People need to figure out how they’re going to fix this. Bad guys have realized that these are scattered on organizations and they are overpermissioned and once they get a hold of one, it’s uh I don’t want to say game over, but it’s pretty hellish to get uh to get to work out who owns it. what it’s plugging into and what is the uh kind of attack path. So yeah, I I um
00:46:14
I think that the the data uh speaks to that as well, right? We uh we have the data to show that not only does it take you know 300 days almost to detect them. Then you have to remediate. Then you have to understand um did the bad actor you know move laterally within the organization? Did they try to find a non-human identity that had more permissions to more um sensitive information? And being able to not only identify that, but the lineage between access point, the lineage between non-human identities to human
00:46:52
identities. And it really is, you know, all necessary within an organization to continue to build, evolve, innovate, but also it’s necessary to have the checks and balances in place. So, we have a couple more minutes left. I would love to open it to Paul and Francis. Add any last minute thoughts, ideas, and action items, takeaways that people can use all this great information and run with it at the speed of light hopefully. Yeah, I can I can uh chime in on that. Right. So, I would say, you know, for anyone
00:47:22
for anyone or any organization looking to, you know, better understand, you know, what their risk posture is, you know, definitely do do some kind of assessment, right? Do a POC, do a POV, you know, identify what are your, you know, critical app applications and and cloud infrastructure and and start there, right? There’s really no need to uh boil the ocean, right, so to speak, right? You can take a risk-based approach, right? We talked about some of the communication tools, you know, like Slack and uh Jira and Confluence and
00:47:52
GitHub, right? Have a good starting point, right, as to where you really feel you maybe have have an exposure, right? And and and and and run a risk assessment and that’s a good way to kind of uh you know evaluate it, right? Different tooling and and different platforms, right? Um and if you don’t think it it’s it’s a risk at all, well, maybe do a pen, you know, do a pentest, do a red team exercise, right? Uh bring in an outside uh third party uh you know, firm or organization to evaluate, right? Help
00:48:20
you kind of hold your hand if you if you feel you may or may not have enough expertise to kind of come to some determination, right? There is expertise and out there, right? to kind of help provide a perspective and uh provide you with actionable you know uh real-time data and and recommendation as an output. So that that that’s something I would highly re recommend you know regardless of organization size and scope. Yeah. No just uh I think Paul really hit it on the nail. I mean yes do an assessment obviously understand your
00:48:49
risk internally then do some assessment uh with a number of solutions out there. I think the benefits of just having one solution that just centralizes and gives you that unified visibility outweighs a lot of like stitching a number of other solutions internally. So, so that would just be based on what our findings and I do think um this is especially for forward-looking leaders because I think the pace at which AI is evolving and moving quite fast it’s faster than any other technology that we’ve had and I
00:49:21
think the one the biggest risk point will be around identity um and a lot of the new identities within the enterprise. So I think for leaders I think it’s it’s an onus to uh to start thinking about for many if you’re a vendor who doesn’t have a solution yet in place start to look at solutions because the pace at which things are moving at you want to be ahead of it and yes I think we all have different research solutions and we’re all easily accessible if you have questions on the
00:49:49
ecosystem at all. Absolutely. Thank you. I’m going to wrap this up with saying that I completely agree with those sentiments and Paul’s point earlier getting ahead of this problem. It’s only going to get worse. It’s kind of like it can’t be ignored. And I’m paraphrasing, apologies, Paul, but it can’t be ignored. And the number of non-human identities and the potential risk factor is only going to continue to grow and the solutions being purposeful in securing non-human identities and
00:50:18
letting the solutions that were doing what they were created to do and working on that instead of trying to fit a round peg into a square hole. NHIs are not a new problem and we know that they’ve been around for a while. However, the digital transformation growth, the growth of Agentic AI, this is all impacting it. Knowledge is power. We want to feel empowered in how we secure our environments and taking a look at those environments as well. So, I want to thank everybody for joining us today.
00:50:50
I especially want to thank Francis, Paul, and Matt for the wonderful discussion, the great expertise, and helping other people keep the world more secure. That’s why we do what we do and it’s really important. So, uh we will be sending out slides, additional information and how to stay connected with our wonderful panelists today. If you want to stay connected with me, I am not an expert to that degree, but I do bring the fun and sometimes funny. So, uh you’re welcome to connect with me as
00:51:21
well. Thank you everyone.