
Hackers Don't Break In, They Log In

BSides SLC · 2025 · 38:24 · 657 views · Published 2025-10
Category: Technical
Style: Talk
About this talk
At BSidesCache 2025 in Logan, UT (www.bsidescache.org), Dhivya Balasubramanian, Cybersecurity IAM Manager at Southwest Airlines, delivered an eye-opening session on one of today’s biggest security gaps—identity. With nearly two decades of experience in cybersecurity and leadership, Dhivya explained why attackers don’t need to “break in” anymore—they just log in. Through real-world breach examples, relatable analogies (like airports!), and interactive discussions, Dhivya made Identity and Access Management (IAM) approachable for everyone—from beginners to experienced pros. She walked through IAM’s four key pillars—Identity Management, Governance, Access Control, and Privileged Access—and showed how weaknesses in these areas can devastate even the strongest organizations.

You’ll learn:
- How IAM failures have fueled major cyber incidents
- The building blocks of a mature identity security program
- How to launch or pivot into a career in IAM, even without a deep technical background

If you’ve ever wondered how hackers really get in—or how to stop them—this session is your blueprint for mastering identity security. #BSidesCache #IdentitySecurity #IAM #Cybersecurity #DhivyaBalasubramanian #ZeroTrust #WomenInTech #InfoSec
Transcript [en]

It's three. I guess we can get started. Well, good evening everyone. I'm Dhivya Balasubramanian. Don't attempt to try that at home. But I'm a mom with a huge passion for food, handcrafts, and of course, cyber security. By day I work as a cyber security leader in Southwest Airlines and by night I experiment with food and handcrafts, and my poor husband gets to bear the brunt of all those experiments that, let's say, didn't go as planned. But tonight, thanks to BSides, he gets a break because I'm here driven by my passion for identity security and I'm really hoping that we can talk a little bit more about identity security here. Before we start, I'd like

to extend my heartfelt gratitude to all of you for giving me an hour of your life, and I really hope to make it worth your while. And this slide is going to have a little bit of polls. I know how we all feel about QR codes, but I just want to give you a heads up that as we talk through, I'm hoping that some polls can keep this a little bit more interactive than just a one-sided conversation. But before we get into the polls I'd like to go through the agenda quickly. We're going to start with a very quick review of Verizon's DBIR report, which is the Data Breach

Investigations Report, and then we'll do a really deep dive into the pillars of IAM, which is identity and access management. We'll kind of try to relate it with an airport analogy. I work in Southwest, right, so I have to somehow link it back. And then we'll get into a little bit more detail about why identity security matters and what happens if it doesn't, and then we can just take a quick glance at how small and medium businesses can get started on identity security. And Andy did an incredible job before me in talking about how to break into cyber as a whole; just shrink that down into identity security, we'll go over that in a bit. And finally I will stop talking,

which is my husband's favorite part of the day, any day, so we'll get to that eventually. All right, so if y'all don't mind, phones up for a quick Slido. I mean, this poll is from an app called Slido. I'm not making it up. I am 100% not a hacker, so I won't even remotely think of going anywhere. But we just have like three slides or three polls around, so if you don't mind scanning in this way. This is an interactive poll where if you scan the QR code and type your answers, it's going to pop up right here on the screen. This way you all can kind of see what y'all are thinking, besides just this being me having a

one-sided conversation. All right. Well, anyone willing? So, when you all first heard about cyber security, what was the first thing that came to your mind? Hackers. Yes. My most favorite part. Hoodies. Oh, that's my person. Yes. That was my first thought. Hoodies. Looks complex. Yep. Protection. Nice. Money loss. Ooh. Work. Yep. It pays. It pays a lot sometimes. Privacy keys. Awesome. Love it. Breaches. Yep. Yep. Cool. Protecting devices. Yep. Love it. Love it. Love it. As you all can see, so many different perspectives, right? But I'm a little bit hurt that nobody talked about identity, and it's expected. I'm definitely not surprised about it. But I'm hoping that maybe after me rambling for the next hour, the

next time when somebody asks you all what you think about cyber, identity may pop up in your mind. Well, at least I'll hope. All right. First up, Verizon's Data Breach Investigations Report. How many of y'all are familiar with that? Show of hands. Awesome. Love it. Love it. For those of you not yet familiar with it, it's an annual report that analyzes security breaches that have happened across the globe. It tells us how it happened, who was behind those attacks, and how organizations can help prevent them. This year, the team has analyzed about 22,000 security incidents, out of which 12,000 were breaches that happened in organizations of all different sizes and shapes. This

report is from about 139 countries. And these data points happened between the time frame of November 1st, 2023 and October 31st, 2024. All right. So, I'm here to talk about identity security and the only category up there that kind of sounds related to that is privilege misuse, right? And that's sitting this year at 6 percent. That's kind of a little bit insignificant in the larger scale of things, right? But if you double-click into that category, those specific attacks in that category are when the credentials were deliberately misused. So let's double-click into each of those other categories to reveal another underlying common pattern. First up, system intrusion. This is where attackers try all those

common tested methods: exploiting vulnerabilities, phishing, stolen credentials. In that category, 20 percent of the attacks have happened because of stolen credentials. Next up, social engineering. I don't think that category needs an explanation, but of all those attacks that have happened in that category, 40 percent were related to suspicious login. In the basic web app attacks, which is where weak credentials are exploited to the largest scale, 88 percent was related to weak credentials. In 2024, think about 2.8 billion passwords, hashed or otherwise, were up for grabs in the criminal forums, either for sale or just for free. Year after year, the DBIR report has shown that logging in with credentials is one of the most common ways in which your

attackers get in. We can build the tallest walls, buy the fanciest security tools, but if your credentials are being handed out on the dark web like free samples at Costco, then none of that matters. So if you don't take care of the basics, your attackers just need patience and a keyboard. They don't need AI or a zero-day. So that's why in today's session, we're going to focus on identity security. To me, it's like a gym membership of cyber. Almost everybody has one, but not many use it that responsibly. Right. So what is this IAM? I know, like in his speech before, what did you say? What was your expansion for IAM?

Yeah, "I accidentally misconfigured," right. Well, I could not get over that, but that's not IAM. It is identity and access management. This discipline of cyber security ensures that the right individuals get the right access to the right resources at the right time for the right reasons. Yes, I got it. Yes, that's a lot of rights to kind of get it right. All right, so that's the overview, and it can be broadly divided into four pillars: directory services, identity governance and administration, access management, and privileged access management. Before I double-click into it, of course, when all of you are going back to search about it, you may see another different variation for the four

pillars: authentication, authorization, administration, and audit. Just know that that is a technical angle around which protocols are built. And what we're going to look at today is the market angle around which product suites are built. Just know that these are just two different ways to slice the cake. But as long as you understand the concepts, you should be fine. First up, directory services. All right. So, how many of you all know the name of every single person that works in your company or goes to college with you? What access they need, where they live? I really hope no one. So, we need a place to store all that information, right? So, that's where directory services come

in. It started as a user data store, but in today's world it has evolved into way much more. It stores information about devices, applications, non-human identities, and so on. Next up, identity governance and administration. So you have a place to store all the data, right? You have to manage the life cycle of the data. So just to create, manage, and retire those identities and their attributes. We have to make sure that all our identities are unique, authoritative, and traceable. Right? So many organizations, as you all know, use multiple systems on-prem, in the cloud, in SaaS, wherever. IGA also takes care of syncing those identities and provisioning, deprovisioning, and syncing across all of those systems. This system

also ensures that it defines what an identity can access and what it cannot, and what are the access certifications that need to be done, and auditing. Next up is access management. So you have your identities, you have a way to manage the life cycle. Access management is all about showtime. So this is a set of tools and protocols that ensures how your identities access a specific resource using authentication and authorization. This discipline covers single sign-on, SSO; MFA, multifactor authentication; your session management; and risk-based access. Next up, privileged access management. These are tools and frameworks that kind of manage privileged accounts, right? Your accounts with elevated access, your admins of the world. This includes tools

and processes like credential vaulting, just-in-time access, and so on. This helps mitigate some of the insider threats and also prevents lateral movement during breaches. All right. So if any of y'all are like me, you've mastered the art of sleeping with your eyes wide open, because after those boring definitions, I really cannot say how many of y'all are awake. All right, so let's try to make this more relatable to real life. As I said, of course, I have to pick on the airport. So how many of you all, show of hands, have a passport? Awesome. So that's your identity right there. All of your passports are going to be stored somewhere, right? In a

directory somewhere, and then your passport must be unique, authoritative, traceable; otherwise we'll be in it for passport forgery, right? So you have a passport and you decide, hey, I want to take a trip, let's say to Paris. Probably the wrong sequence, let's say to Paris, right? You go to the airport, you can roam around all you want at the check-in counter, but at some point you've got to go board the flight, right? Do you think you can just waltz right in and go board the plane? Of course not. TSA people are going to be right there. They're going to make sure that your boarding pass is legit. You're not trying to board a flight today for a flight that's

2 days from now. Your passport's not expired. Cuz if any of that happens, they're going to kick you right out. So that's your access management in play right there. But how do they know that this person cannot be in the airport this many hours before the boarding time? Right? Every TSA agent is not just going to make up that random number. So that's where your IGA comes into play. They define the rules, right? So if access management is your TSA agent, then IGA is the airport's entire governance system. They decide who gets the badge with the TSA privileges, what doors that badge unlocks, right? And who issues those badges and approves those badges.

Finally, privileged access management. Legit passport, check. Boarding pass, great. You're trying to board the flight that's for today. As you board the flight, as you get in, you look left and then you're wondering what those 50,000 buttons in the cockpit are for. Or even more, how does the pilot know what to press when? I mean, there's like what, 10 buttons on the microwave. I still stare at it for 10 minutes before I press on something. Right? So, if you're like me, you're wondering, I just want to take a closer look, right? Do you all think you can do that? That's a definite no. I work in an airline and they won't let me anywhere near that,

right? And it's all for the right reasons. The more privilege an access has, the more scrutiny it must have. It's called privilege for a reason. Well, everything I said sounded like it's so simple. It's so basic. Why are we even talking about it? Right? Well, if Verizon's DBIR report is talking about how stolen credentials are one of the main reasons attackers get to compromise a company, then let's take a look at a couple of real-world breaches that were caused by failure of IAM, which could probably motivate y'all a little bit more. This was May of 2020. Suddenly, when Twitter, now called X, became the world's worst investment platform, we

all saw one day when Elon Musk, Barack Obama, Apple, many other high-profile people were all giving us the same financial advice: send me your Bitcoin, I'll double it for you. Well, if that doesn't scream scam, I don't know what else does. So, what happened in this case? A bunch of attackers, I mean, a bunch of teenagers pretended to be IT support that was troubleshooting a VPN issue. They called up Twitter employees and asked them to enter their ID and password into a phishing website. Some of them did. Attackers took that information, entered it into the real website. That prompted for an MFA. Some employees entered the MFA also into the phishing website. Now

the attackers have all the information they need. They went and eventually found their way to the internal admin tools, basically god mode. Those tools had the permissions to reset accounts, clear up passwords, basically take over any account in Twitter. And that's exactly what they did. They took over about 130 Twitter accounts and then they posted the Bitcoin scam. They got about $110K from this scam. It's not a lot of money, but the impact that this did was exposing a vulnerability in a social media giant. I mean, we've all seen how detrimental a tweet from a high-profile person could be. It could shape your financial markets, cause diplomatic incidents, and so much more. In the

hands of a very dangerous adversary, this hack would have been far more detrimental. So, what's the lessons learned? Don't fall for phishing, y'all. Why would Elon Musk spend his Wednesday afternoon trying to double our money? Right? And the next time you get a call from somebody saying like, "Hey, this is IT support. Can I have your password?" you can say, "I'm Nick Fury. The last time I trusted someone, I lost an eye." But in all seriousness, security is always about defense in depth. That's why it's not always about you do this one thing, you're all set. It's never that. In this case, if those privileged accounts were managed with more rigor and nobody had god mode access, or

they did not have standing god mode access, this Twitter hack could have been prevented. Well, as an everyday person, we may not care much about that attack. Probably because, I know, you don't check Twitter that often, or you're wondering, man, this sounds so much like a modern-day Nigerian prince scandal. I'm not going to fall for that. But what if one of those hacks is impacting your day-to-day life? Fast forward to May 2021: half of the southeastern United States woke up to their gas stations being shut down. Lines snaked around the block and gas prices shot up in some places. Panic buying started in states like Florida, Virginia, Alabama, and North Carolina. And no, this was not a

hurricane, and this was not a supply chain strike. It was a cyber attack. One single compromised account brought a major piece of US critical infrastructure to its knees. Because of one password, Colonial Pipeline had to shut down 5,500 miles of natural gas pipeline, which resulted in fuel shortages in about 10,000 gas stations. So what happened? As you all know, organizations these days, after all of us going virtual, VPN is one of the important factors for people to log in remotely. In this instance, an old VPN account was not deactivated. To make it worse, the password on that VPN account was reused in multiple other places. The attacker got hold of that password from

a completely different breach. Tried it on this VPN account. They got in. They gained unauthorized access, and in this case the attackers, a hacker group called DarkSide, installed malware on Colonial Pipeline's IT systems. The company proactively shut down their OT systems, their operational technology systems, in this case their pipelines, to prevent the spread of the malware. Right? Of course, this was a threat to national security, so an emergency was declared. Five days later, Colonial Pipeline paid about $4.4 million in Bitcoin ransom to regain access and restart services. They've spent way more money than that in this entire recovery. That's one very expensive password. I wish I knew what that was, but I don't.

So, what's the lessons learned from here? Do not leave ghost accounts behind. If you do, it will come back to haunt you. When Bob leaves, Bob's keys leave with him. And MFA, it sounds so normal, right? But you would not believe how many organizations do not turn on MFA. Any MFA is better than no MFA, right? Because at the end of the day, if there is a threat to our livelihood, the human race will go as far as hoarding gas in grocery bags. You won't believe that that did happen during the Colonial Pipeline hack. So, I'm really hoping that these are not just true stories, but that these are wake-up calls, right? If

privileged access was managed with way more rigor, your high-profile or highly influential figures wouldn't have turned into Bitcoin scammers. If IGA, governance and administration, and access management were done better, panic buying wouldn't have started. So I really hope these could serve as wake-up calls for us to start paying more attention to our basics. If that helped you all at least start thinking about identity security, and if you are working in an organization like a small and medium business, right, we really have to start thinking about, okay, what can I do to protect my company, right? But before we start, just another quick survey. So, if any of you all are using

shared admin passwords today, how do you all share that? Okay, nice. I like that one person's using that. We don't use shared accounts. Much better. Anyone else?

All right. Cool. So, whoever is using the secure password manager, hopefully you're not trying to trick me, but if you all are, then great job. But if you're using sticky notes, let's talk. So, getting started from scratch. It's not hard, right? Of course, it's not going to be easy, but it's not hard either. So we'll just go through a very simple series of steps that a small organization, probably about 25 employees, can get started with. But if you're a larger organization and you have not yet started anything on identity security, these steps could help you. First up, identify and clean up your current state. You first have to take stock of what you have, right? Take

a list of all your databases, all your servers, all the applications that your employees are logging into. Get everything out there. Then identify the crown jewels: what data you don't want out there. Of course, you want to protect everything, but then cyber security is also about balancing business needs with your security investments, right? So, identify your crown jewels, the information that you do not want out there. And then do a cleanup. Just make sure that you have identified that you're not using any unwanted tools, unwanted applications. Get rid of all that. Get a clean inventory. Next, map your access. Sometimes, you know, we just tell them, "All right, here's your admin

access, just go get this done," right? So, there would be a lot of lingering accounts like that. Map out every employee that has access to all your systems, especially the ones that you want to protect, and also your admin accounts and your shared passwords if y'all have any. Next up, clean up. Anybody that's no longer in the company, if they still have access, you've not yet cleaned up those ghost accounts, get rid of them, right? And then for every person that's still remaining in your company, make sure that you remove any access that they no longer need. Right? So hopefully at the end of this exercise, you have a list of all your systems that you're

using and a list of all the users that really need access to that system. MFA, something that we've kind of beaten to death even in some of those previous sessions. MFA anything that you can; pretty much all applications these days do support multifactor authentication. Even if you don't want to do it on every system, at least do it on the systems that you really intend to protect. This is way more inexpensive compared to any breaches that you may encounter. Next, manage privileged accounts, right? So, I noticed that some of you are either tricking me or really using Bitwarden and other tools, but that's amazing. If you're not, definitely get started on that. Right? It may not be

that convenient. So your first step should be to avoid any shared admin accounts if you have one. It's a little bit more intense, more involved steps to kind of clean that up, just in case you're in a situation to have a shared account if you're not able to avoid it. Get those systems like Bitwarden or 1Password, store your admin accounts there, let all employees log into that with their own ID and password, right? And also try to MFA their login into that. If they need that admin account, they better check that out from 1Password and then use it. Yes, it's a pretty manual and

tedious process, but what's your alternative, right? Store them in sticky notes, share drive, pen drive? None of them are safe. So yes, as much as it could be annoying to do that double step, that's much safer than your sticky note option. Next, monitoring and audit. Enable logs wherever you can. You just have to make sure to balance your storage costs that would come with turning on complete logging. Make sure you at least turn on the logging that you need, right? And also enable monitoring. You don't have to monitor every single thing, but identify, like, okay, 10 login attempts have happened in the last five minutes. Set an alert, right? And have retention

tiering for your logs. For your regular logs you can keep them for like 30 to 90 days, but for the special security events keep them a little longer. But make sure you do have monitoring and alerting turned on. All right, life cycle. In step one, we did the spring cleaning, right? We identified all the devices that you want access to. You've identified all the people. You made sure it is right. Remember that that's not a one-time exercise. You have to sustain that. Even if it's in a spreadsheet, that's better than nothing. At least quarterly, try to review to make sure that the people that still have that access are still the people that need access. Don't just

keep granting admin accounts as and when you feel the need for it. Training and awareness. Pretty much most of the speakers before me have also talked about phishing, right? So that training and awareness is becoming way more important these days. There are a lot of free tools available to also do this phishing-based education. Please make sure that if you're a small and medium business organization, you definitely include some of these free resources as a part of onboarding a new employee. It doesn't hurt. Knowledge doesn't hurt at all. Scale as you need. So we've talked about some of these steps being for a really small organization. You grow more? Try centralizing your identities and stop

creating local accounts. Let's say you go to 100 employees. Then buy an identity federation tool and consolidate your single sign-on and multifactor into that one tool. You grow to like 250, 300 employees? Go to a lighter version of IGA, right? So that that can manage the life cycle. You grow larger than that? Then consider an enterprise-level suite. Remember that effective cyber security is not about spending more, it's about spending smart. Every dollar you invest must be mapped to a business risk and not to the fear or hype of missing out. Do not turn your cyber security investments into how I go for Black Friday shopping. Well, that's really hot in the market. Maybe I

need it, right? Or, man, this is the best deal on the coffee maker. I don't drink coffee, but maybe one day in the future, I will. Let me buy it. Or my neighbors and friends, they're all buying an air fryer. Maybe I need it, too. Nope. You don't need that extra coffee machine. You don't need that air fryer, right? So, make sure it's not about having the most tools. It's about having the right ones. So, make good choices. All right. I hope that helped with how you can get started with an organization. But an organization is composed of individuals like us, right? So if you do not know what identity security is or how to make those good

choices, how are you going to help the company? Andy kind of, trust me, I don't know Andy, the speaker in the session before, I don't know him, but pretty much most of his slides cover almost the same thing. So I'm not going to go too deep into it because he did do a really great job on that before. But a few things that I'd like to emphasize is that no matter what field you're breaking into, y'all, it could be identity, it could be pentesting, whatever. The first thing you need to do is understand the basics. It sounds so simple, but there's a difference. I want you all to try one

thing. Understand with the intent to teach back. Understand with the intent to teach back to a 5-year-old. You'll see a whole world of difference, right? How many of you all have interacted with 5-year-olds? Yeah, they are notorious for their whys, right? Like for example, I'm going to tell my engineer, hey, SAML is an identity federation protocol that's used for single sign-on, right? You need an ACS URL, you need an entity ID, etc., etc. I go on, my engineer takes good notes. SAML, ACS URL, entity ID, check. Try repeating that to a 5-year-old. SAML is a federation. Why? It's used to federate. Why? You need an ACS URL. Why? Entity ID. But why? You just give up.

But that actually will completely redefine how you understand those concepts. Try asking yourself, for anything that you've learned recently, okay, why do I need the ACS URL? Why do I need an entity ID? Right? Question everything you learn. That will completely shift the dynamics of how you understand. And the next time you learn something, try to reiterate that back to a nontechnical person. Your toddler may be a stretch, but give that a try. We've kind of knocked them down, saying there were days where I wanted to jump out of a running car because I could not handle those whys, but that will really, really redefine how much you understand and how

you understand. So definitely keep that in mind and try to apply that and see if that makes a difference for you. Well, this group is not a group that I want to talk to about TryHackMe or AttackIQ. But just so you all know, if you really understand and then you really want to try something hands-on, you definitely can try some guided labs like TryHackMe, AttackIQ, Hack The Box. There are some IAM modules which probably none of you all here looked at before, because you all are looking at pentesting, hacking, everything hacking. But there are definitely some hidden IAM modules. Just search for identity and access management or IAM. There are some

pretty good modules out there. Some are AWS-specific. But nonetheless, the concepts are the same. But if you're like, man, I'm not this lab person. I'm not going to spend money on that. I'm going to build everything from scratch, right? Yes, there are home labs that you can build as well. It could be either SaaS-hosted or you can build it deployed in your own VM. Okta and Auth0, they both have like a 30-day trial license that you can get to build some of these IAM applications. But if you want to go deeper, there are some open-source IAM tools, called like Hansen project, and I

think Keycloak, and WSO2 Identity Server. These could really, really get you going on the home labs if you're interested. Wrap: whether you just finish up with understand, or you go the apply and the experiment route, it's up to you all. But either way, do a wrap with a blog, right? Or even talk to somebody, put it on LinkedIn, put a post. If you're doing some of your own experiments, take a real-world scenario, try to build it out and put it out on GitLab, because what you understand and what you know should definitely be out there in the market, right? So, I've talked so much about this. How

many home labs do I have? Zero. Because I was not looking to grow my career in the technical role, right? I am more into leadership at this point. But that's where one other thing that I would want you all to take as homework is to find your superpower. We all have one, right? And not all roles are technical. It doesn't have to be. Yes, as great as it is, it doesn't always have to be a technical role for you to do right in cyber. Right? So I did start my career in project management in cyber security, and I didn't even know I was in cyber security when I first joined it. When I found out,

I was like, oh my god, this is such a fascinating field, and then I started putting myself more into an analyst role and then I moved on to a technical product owner and then eventually into leadership. So one of my superpowers that I found along the process is that I'm extremely lazy. You give me a job that I have to do for an hour every single day, I would work my butt off to automate it so that it does the work in 5 minutes and I'll spend the rest 55 minutes doing something else. And I can quickly, seamlessly connect all the disconnected dots and I can find patterns where they do not obviously exist. Right? In

other words, I leveraged my soft skills to get where I am. So, in all roles, whether you're hands-on keyboard or you're like a spreadsheet, Word document person, soft skills definitely go a long way. Again, I'm not going to go into too much of this information, but attention to detail is not just about being nitpicky, right? It's about noticing those small details that others don't. Phishing is a great example for attention to detail, right? If all of us paid a lot of attention to detail, so many phishing attacks are not going to happen. Analytical thinking. Even Sherlock Holmes doesn't have all the answers. It's all about asking the right questions. Questions that others do not

think much about. Process orientation. As much as technology has advanced so much, AI has all come in, still we just cannot wing it and go to production, right? Processes exist for a reason. And if done right, those processes kind of fade into the background and you won't notice it until something fails. For example, that VPN account was not disabled or process was not followed. So process is not just bureaucracy or something that will slow you down. If you do it right, you'll never even notice that it exists. Communication and collaboration. I mean, human race exists based on these two concepts, right? But why is it such a big thing? It's because try taking a really complex problem,

breaking it down into a simple format and try explaining it into users. Especially try convincing them saying that no is the right answer or the option that they literally hate is the right option. That takes skills that takes practice and you'll get it the more and more you trying to practice into it. So that's communication, collaboration, problem solving. One of the common issues that I've noticed in all of these years with engineers sometimes is that they are really great problem solvers. But why is that a problem? Because people tend to solve problems and not the root cause. Again, it goes back to asking the question why. Why does this problem keep happening? What can I do to prevent it

from happening? Right? So, don't just be problem solvers. Find the root cause and try to solve that. All right. Here's some really quick career paths. I'm just going to quickly run through this. So, if you're starting, I mean, engineering role is like pretty straightforward work, right? Engineering is all great, but one thing that you notice here is I did ask scrum master and help desk as a starting point, right? Because not all roles have to be technical. There are definitely definitely non-technical parts. If either you, your family member or your friends are interested into breaking into cyber joining the good fight on the good side, but if they're like me, they are not hands- on keyboard, they cannot

light write green lines of code on a black screen. It's okay. There are roles that they can still get into. Encourage them to join as non-technical roles as scrum master, project manager. That's totally fine. The one thing you have to do is going back to that understand concept. Whatever role you are in, whichever discipline of cyber security that you are in, understand what you're doing because without that you won't be able to make a difference for your team. So these are some of the roles that you could like make progression engineering thing is like extremely straightforward and I personally know somebody that joined cyber security as a scrum master and they made it made their way to the

product owner. So if me and she can do it, y'all can definitely do it. All right. So here's the time of one more slide and this is the last slide. So we are getting closer to the time where my husband looks forward to me finally stopping to talk. But let's try this. If you can just do one I am thing tomorrow hypothetically at least, right? What do you all think you'll do? I explicitly did not put none as an option cuz I'd be really hurt if you'all choose that. So to protect myself, I kept none out and left these options for you all. So you have to choose something. All right. Push MFA. Nice. Yes, ghost accounts will haunt you.

Cool. Talk to your team about lease privilege. Nice. I am so glad I did not put none as an option there. Awesome. Cool. Well, all right y'all. I have basically talked your years off about IM the piece of cyber security that does not get the spotlight but it's the quite hero because at the end of the day hackers don't break in they just log in. Now I understand that I am is not as glamorous as pentesting you know ethical hacking and all of that. I mean, nobody's making a Hollywood movie out of access reviews, though. I'll totally watch Fast and Federated if they make one. But AM is the thing that keeps the light on, doors locked, and stop your

admins from running wild with admin accounts. In a world of AI where AI is like mimicking your voice, your face, your Tik Tok moves, your car is driving yourself, your fridge is ordering groceries, the need for identity security is becoming much more prominent. Yes, in the old days it was probably just about passwords. That's why nobody paid attention. But these days, it's evolved into so much more. We have this passwordless authentication, pass keys, digital wallets, decentralized identities, non-human identities and so much more. So my ask here is that if more of us focus also on identity security, we can reduce the attack surface and we can hopefully make much much more advancements in this discipline of cyber

security as well. And with that, I thank you all for being such an amazing audience. And remember in I am trust no one, not even the coffee machine that ask for your Wi-Fi password. Thank you.