Panel Discussion | BNY Mellon & Jefferies: Identity Fraud & Passwords

Let’s face it: most webinars include a lot of fluff.
This webinar is a wonderful exception.
Here, security experts get right into a lively discussion around identity that keeps going from the first 10 seconds all the way to the end.
Topics covered:
• The imperative of Strong Authentication for remote workers
• Strategies from leaders with Jefferies, BNY Mellon, and CISO MAG
• Actionable opportunities to remove friction at every login
Watch this webinar now and see which strategies fit your approach.
Video Transcript
Jyoti Punjabi:
So without any further ado, I wanted to move to the very first question of the day. With the rapid deployment of remote working solutions, cyber criminals are already exploiting weaknesses due to reduced IT staffing, and especially the use of personal devices and insecure public and home networks. What concrete actions are you taking to mitigate these risks? Jerry, should we start with you?
Jerry Kowalski:
Sure. Not a problem. So thank you for having me again. So there's definitely a few risks when it comes to remote workforce, you can group them by authentication, you have connectivity, you have help desk and so on. So looking at the basics, authentication is number one. Right? You need to make sure that two factor authentication is implemented for all connectivity outside of your corporation, that's exactly what we've done. We already have been practicing this for a long time so when the pandemic hit we had to extend the capability to additional users that did not have this capability.
The next area is password protection. I mean, it's common to have very strong passwords, but on top of the strong password policy that we have, we also have implemented Azure AD password protection capability, which analyzes and protects against weak passwords that are known out there. Right? So it's not just your dictionary, but also any passwords that have been exposed by the users. Connectivity, same idea, is we need to have a zero trust connectivity into Jefferies environment. So we look at this from two perspectives, one is managed devices and unmanaged devices. For managed devices, as in laptops and devices we provide our users, we do use [Prisma 00:01:59] as that provides that extra connectivity and the security controls to the users. And then for unmanaged, we use SSL VPN.
And before I hand it over to Christian to add his piece, I mean, one thing when it comes to remote workforce and the current environment, it's not just the users that are under attack, but it's also the help desk. Right? Because they're getting lots and lots of phone calls from people either not being able to connect or not being able to get their laptop connected.
So we've done two things. One, we ensured that verification to help desk is 2FA as well. Right? You need to make sure that you know who you're talking to when providing sensitive operations to the users, but also to alleviate some of the pain for our users, we have extended the password expiry. Right? So I didn't want to have help desk assisting with reset passwords because that just adds more friction to the users that can't log in because their laptop is not working or their wifi is broken, so we added a little bit of an extension to reduce that frustration.
But yeah, so there's a couple of other things, I mean, without saying behavior analytics is a big component of this as well, where you need to start collecting data. Right? Data is your friend in this scenario where you need to start analyzing and finding out where are your risks.
Jyoti Punjabi:
Sure. Thank you so much for that. Christian. Do you want to share your thoughts on the same?
Christian Adam:
Yeah, actually I want to add to what Jerry said, which is stellar, everything that he described about securing the integrity of the identity of the person and know your employee, wherever they are. I wanted to add the friction that we all may have had, specifically dealing with remote workers that may not have the convenience of a web based, secure access to your company. And that is maintaining hygiene of your remote workforce, your computer assets, the laptops, the 50,000 plus laptops that you have to distribute, and not only distribute, maintain to the level of security integrity that they would've had if they connected into the office. So at our organization, we already had in our corporate offices a strong culture of swing desks, and work in pods, and move your computer around.
But the foundation of that was built on laptops, and to maintain the integrity of those laptops was challenging, especially when you're competing over that precious resource of that megabit connection into your network to VPN and do work. How do you get patching done? How do you get hardening done? How do you push out an emergency vulnerability fix that must be remediated in 24 hours across the fleet of 50,000 machines globally? But we maintain that vigilance, right? And so on top of creative techniques to ensure that remote laptops and remote compute are an extension of the corporate network, not only with identity, but also with that hygiene. So we had to do a lot of engineering and hoops to maintain that integrity, so that way a machine can technically function securely. The worst place you want to be is to allow a computer to connect to your network remotely, through traditional VPN, and that computer has poor hygiene, is infected, three weeks plus, two weeks plus, or even one day plus lagging with critical vulnerabilities.
Jyoti Punjabi:
Right.
Jerry Kowalski:
Spot on. I mean, just to add to that. I mean, the patching of remote workforce laptops and devices becomes a challenge, because at 5 o'clock you close the lid, you go and do something else. So how do you patch that device right at that point? So it definitely added a little bit more engineering effort into this.
Jyoti Punjabi:
Michael, I have another question for you. We hear more and more about passwordless solutions powered by biometric authentication, and yet the number of cyber attacks due to identity compromises continues to increase. What, in your opinion, is missing here?
Michael Engle:
Yeah. Passwordless has definitely, it's starting to go mainstream. Gartner called passwordless one of their top 10 priorities for 2021. Right? They've got the 10 blue boxes and passwordless is right here and securing remote access is right here, which both go hand in hand. The problem is-
Jyoti Punjabi:
According to that quadrant, right?
Michael Engle:
Magic quadrant is one thing, they haven't even gotten to a magic quadrant for passwordless yet because it's so new, but I imagine they will soon. But this is just their top 10 targeted initiatives for 2021. And what's missing from many of them is actual identity. Right? So passwordless can mean a number of things. It could mean a password manager, which just puts one password on top of all your other passwords, but it's still a password. And then you can have fancy ways to do public private keys and a phone and so forth, and we might talk about that a little bit later.
But if you can't come back and say with authority, is this Jerry Kowalski? Not just, does this person have a token or a fob or something like that, then you're really not solving the root of the problem. And we like to call that identity based authentication, not just passwordless, because if you use an identity, there is no password. There is no 2FA MFA, it's all built into the identity. Right?
Jyoti Punjabi:
Right.
Michael Engle:
It's fumbled in there together. So it's that combined with ease of use, is what's really hampering organizations from adopting it. And we think we're going to see a big change in how that's done over the next year.
Jyoti Punjabi:
Super. Christian and Jerry, you want to add?
Jerry Kowalski:
Yeah, no, I do actually, because I had a smile on my face when you were saying this because a couple months ago I was facing a problem where we had to hire 200 interns remotely. Right? So I had one week to do this, we were back and forth, whether we're going to do it or not. And it was like, how do I provide credentials to somebody I've never seen, I don't know anything about that person, and yet they're going to be in our network. So it is those challenges of hiring a remote workforce, maybe not in the numbers that we had, but we tried to engineer the problem and use the data that we had, which is email and SMS, and try to send one time tokens to validate the user. But it was a patch, it wasn't really a proper fix. So the identity is such an important aspect of authenticating the users.
Christian Adam:
Yeah. I wanted to say that many of us in this profession probably don't know much about the onboarding of employees legitimately to a company. Right? You just do your day one joiner, your paperwork, you have to go into some physical office, they have to potentially fingerprint you and they have to do all this 20, 30 year old type technology to prove that you are who you are. But you know what happens at the end of the day, it's disconnected from here's your username and password. In fact, I don't know about you, but not this company, but a few companies ago, hey, here's your username and password, and you start this day. And it's like, okay, it's on a piece of paper printed out. And it just frustrates you that the two are disconnected.
So yeah, like Jerry with the 200 plus joiners, and throughout COVID, and probably throughout all next year, we're going to have these challenges of really, why does my staff have to physically come to the following one or two offices to sign a piece of paper, drop off this and physically show them an identity of a passport or some national ID or state ID that just, it's 2000 and late type technology. Right? We need to be a little bit more forward thinking and bring the two together. And personally, even go a step further, which is, allow me to present myself and my identity across everything. Right? So just want to add that.
Jyoti Punjabi:
Super.
Jerry Kowalski:
I mean, just to add on top of that... I'm sorry, but I was renting an RV for a family road trip and that was the first time I actually was faced with identity proofing. Right? Where I had to take a picture of my driver's license and turn on the camera and prove that it was me holding that phone and that driver's license. So I know it's here and we need to start enabling that capability for our remote workforce really, because if that is the level of identity proofing that it takes for RV rental, I think we need to think about providing access to our network. Right?
Jyoti Punjabi:
Right. That's it. Okay, moving on.
Christian Adam:
Actually it was just Jerry that had to do that because he's got some shady background stuff, I guess.
Jerry Kowalski:
True, but that's a different webinar.
Jyoti Punjabi:
All right. What do you tell organizations that have already invested in tools like hardware tokens, for example, and that may be tired of being continually sold the solution to all of the security problems without the intended result? Christian, you want to go first?
Christian Adam:
Yeah. I mean, look, tokens, multifactor authentication, better than a password, something you have in addition to something that you know, it's definitely a good speed bump and a good deterrent, and it's a good practice to encourage. The problem is that technology keeps evolving. And one thing that I guess we didn't realize years ago, and now we are in a situation now, is that these tokens, however they were created physically before to secure, now are just as good on these devices. Right? And historically the hacks that were done to software-synthesize a token onto these devices did serve a purpose until those were hacked. The one time SMS text me did serve a purpose until SMS could be cloned and your SIM could be cloned. Or people, I don't know about you, but I know at all times when my cell phone has been compromised, my phone number, my personal email address, all the methods of generating a one time software code to be used on mobile devices.
Jyoti Punjabi:
Right.
Christian Adam:
Right. And I don't know about you, but I personally don't feel comfortable with having something that I plug into my computer and touch to send a one time code. I mean, those are pretty cool, but I just know that anybody could just touch it and grab it. So I'd rather have an evolving technology. I mean, you have to accommodate for this, is that you have to have something that you know, but something that you know and something that you have that is physically and intrinsically tied to your identity. A hardware token isn't, it's just a serial number associated to something in a reference somewhere that says, ah, Jerry has that serial number token at that time. It needs to be something that is fundamentally tied to your identity.
Jerry Kowalski:
Agreed. And in addition to everything you said around the security of hard tokens, I mean, it's a massive friction from the end user perspective. Right? I mean, it's like going back a number of years ago when you had to, it's really annoying to the point where we're used to now just using Touch ID, Face ID on your phone, that frictionless is expected from our users, from Jefferies users. They want that frictionless authentication that is secure. So why wouldn't you do that? We definitely need to bring our authentication to that level, because it is expected that if they can use this at home, that we need to implement very similar solutions in enterprises.
Jyoti Punjabi:
Michael, what are your thoughts on this?
Michael Engle:
Yeah. I've been using 2FA since, well, the early days of RSA. And as Christian pointed out, it does serve a purpose. However, it's been compromised, a number of different ways, you can intercept, man in the middle, et cetera. The other part of it, which is a real burden is the manageability of it. So I personally have counted this weekend, I have 11 different 2FA types of tokens for various services. It could be my brokerage, my bank, my GitHub, my whatever, whatever, whatever. Right? And so we've added a layer, and we've added complexity, and we've added manageability, which ultimately can incur more vulnerability. So yeah, I think that the tide will be shifting here when we get back to identity, which I mentioned in my prior answer. So hopefully we'll see that shift coming soon.
Jyoti Punjabi:
Sure. The next one is more specific to, I think, 1Kosmos. Why are you the only company out there to focus on the indisputable ID proofing? Why do you think the competition keeps on disregarding this essential element?
Michael Engle:
Yeah. I'm not sure exactly why, but I'll explain what is a little bit different about what we do. So we've got all these new fancy ways to authenticate, little tokens with your thumb on them, or keys, FIDO is a great enabler, but again, that doesn't come down to identity. So in 2017, the government released a standard about how you proof somebody remotely, it's called the NIST 800-63-3 standard. And it's getting a lot of traction, banks have known about it for years from a retail perspective, you need a high level, it's called level three identity, to open a bank account and be able to move money. And this NIST standard says, well, here's how you prove that this is Christian Adam at the other end of a line remotely. And an example is you need two forms of government ID, I need to see their live face, you need certain levels of encryption.
And so we put fingers to keyboard on day one, we started our authentication and identity proofing with that standard in mind. And what you've seen is in addition to the US, the European Union and countries all throughout the Asia Pacific region have also standardized their own flavors of this. And so if you start with that, you start with identity at this high level of government standard, everything else falls into place. And so you see everybody dealing with the password and the tokens in here, but again, they don't come back to identity.
So I'm guessing that a lot of companies that have legacy technology, they haven't adopted some of the stuff that's happened in the last three or four years because it's hard to change a product direction once you get set in a certain path. Right? So the last four years have been really instrumental for identity proofing, decentralized identifiers, and a better way to share public private keys. So that's what I think has been going on.
Jyoti Punjabi:
Super. So my next question is an open one, and I'm going to invite all of you in fact, to take it one by one. Now proving the identity of an employee is one thing, however making sure that the employee's information doesn't get found for sale on the dark web is another. How do you leverage Blockchain to store user data? Jerry-
Michael Engle:
Yeah, I'll go.
Jyoti Punjabi:
You want to go first? Oh, sorry, Michael. We'll start with you.
Michael Engle:
I'll start out. There's a lot of confusion around the word blockchain, right? There's all kinds of different flavors of it and implementations, and especially when it comes to cryptocurrency. Right? So there's many types of blockchains that are public blockchains, where you have a ledger that can be verified by lots of peers. And I think we all agree, Christian, Jerry, that you don't put any data in a place where people can get to it long term, even if it's encrypted. So we use private blockchains, which you can think of as a better way to store data, right? Just it's an enabler, a better way to store your identity data. So if you're going to have something like your live biometric stored somewhere, you don't want it in a traditional database. So changing the paradigm of a centralized database, the centralized password, central keys, and pushing it out to the edge where Christian has his key, Jerry has his key, it just pushes the attack surface way out to the edge. And of course, you've now just changed the attack surface tremendously. So that's one way that I've seen it be implemented.
Christian Adam:
Yeah. I was going to add that this concept of a distributed ledger, if it was public, the information that I would want put onto that ledger in a very, almost like a book and record to ensure, it would be my activity that I choose to publish on that ledger. Right? So it would be authorizations for, let's say opening up a credit service for me, authorizations for any type of financial instrument that I choose to allow to leverage that piece of information. How many times, I get frustrated at least with fraud capabilities, and people are always buying these services to protect your identity, because all it takes right now is someone to leverage something you know, a social security number, your address, your phone number and your name to open up some financial instrument on your behalf.
Jyoti Punjabi:
Right.
Christian Adam:
Why can't I publish on a ledger a very secure message that indicates I'm authorizing from this period to that period for that activity to be sanctioned. So I want to publish on public ledger's information that I sanction for other consumers to appreciate and to use as an authoritative source, that no one else could falsify. I'm with Mike on the private ledger, I think the private ledger of having a secure way to ensure that my identity is no longer persisted at rest in just one place, it's distributed, combined with ensuring that maybe that private ledger is shared with maybe even a consortium of other industry financials, or others that could be keepers of that ledger, I'm a very big fan of. And also there's logging on the ledger, setting a system of record that this is what Christian did, this is where Christian authenticated, this is Christian's service that he consumed at this time with that ledger, I think is a very valuable tool to use, especially for non-refutation.
Jerry Kowalski:
Agreed. And just to add on top of that, is putting the customer or the user in a position where they have the ability to create profiles of what I want to share with whom, is really the power of it. Right? Where if you're creating a new Gmail account or signing up for a weekly newspaper, where different information probably needs to be shared, you may need to share your banking information with one versus just fundamental information with the other, the profile aspect of it is powerful. But there's definitely, I think you started saying this Christian, where interconnectivity of private ledgers, there's definitely a benefit of this when it comes to know your client. Right? And not having to go into the same process of verification definitely simplifies workflows a lot.
Jyoti Punjabi:
Okay. In continuation to the future of employee authentication, since we started on this discussion, I also wanted to talk about decentralized identifiers. Okay, in a nutshell, if you were to talk about what is a decentralized identifier and why does it represent the future of identity and authentication? Perhaps, I mean, whoever is comfortable going first.
Michael Engle:
Yeah, I can get started. I've been following the decentralized identifier space since I joined 1Kosmos a little over two years ago, and I'm fascinated with its potential. And I'm not the only one, Satya Nadella, the CEO of Microsoft, in his keynote a few weeks ago dedicated three minutes of his keynote to talking about identity. And Microsoft and IBM have leaned into decentralized identifiers in a really big way. Just Google either of those companies and the words decentralized identifiers, and you'll see that they're really validating this technology. And what the technology does, it's really not widely known yet what these technologies can do, but it allows you to exchange information between two parties in a safe, privacy preserving way, where the user always has control of the dissemination of the information. Right?
So you can think of it, we all know that PKI is a great technology with private certificates and things like that, put them on a smart card. You can think of a decentralized identifier as a way to do that without having to have a smart card infrastructure, almost like a distributed, decentralized public key infrastructure. And the benefit is that you can exchange credentials with somebody remotely, without having to rely on a central authority, you can prove who you are, and you can prove certain attributes about you.
So three recent examples, especially since COVID, are proving you work for a certain entity, proving you have a certain educational degree. Right? Education and transcript fraud and things like that are a huge problem, people taking tests for other people. And here's the most recent one, is having a COVID credential, there's a form of credential that you can put into somebody's wallet that proves they have a COVID immunity. So I'm really excited about it, I think this is going to be one of the big disruptors of how we authenticate and prove ourselves in 2021 as well.
Christian Adam:
Yeah. I just want to add, anything decentralized with identity just shifts the point of attack. Right? I hate centralized identity from having to secure, jump through hoops, secure identity, trusts, more and more rings of trust. One place to go, where you can compromise the identity and compromise a whole treasure trove of identities and passwords and credentials. It's a lot harder to attack the surface area of people in decentralized identity, rather than one treasure trove of passwords. Right? One treasure trove of... I don't know about you, but when you log into these websites and they want your method of authentication, the first thing that pops into my head is like, oh man, where are they storing this stuff? What is this website?
I wish I just knew, as a tech professional, the infrastructure of where they're storing it. Then you get a little bit more comfortable when you realize, okay, they have some type of hookup where I don't have to give them identity, I could use a trusted third party to provide identity. And then you keep following that, and you're like, I like that approach. And you have one place to go. The one problem is that I just don't, I want to be the keeper of that identity. I don't want to put my, dare I say, any other social network identity to use, to log into other service. I don't want that because I don't want to expose what I'm doing with that service.
Jyoti Punjabi:
Right.
Christian Adam:
So to me, the world is shifting already to decentralized identity. I just don't like the trade offs of giving social networks the privilege of using my identity at this time. I think it's just, it's too much. So we need a solution out there.
Jyoti Punjabi:
Right.
Jerry Kowalski:
It definitely has to be driven by user options and profiles. At the end of the day, you have to be in control for the, not only the simplicity, but also adoption of it. Right? That's really what this technology brings to us, it's a security aspect of it, it's being in control of that data. So that definitely is going to push this agenda forward, for sure.
Jyoti Punjabi:
Now that you all think that decentralized identifiers are important, what do you think will have to change in a CISO's mind to adopt decentralized identifiers? What do you think could be the takeaway for them?
Michael Engle:
Yeah. I can go first. I think there's two applications for decentralized identifiers. And so you could put them into different buckets because they're different ways of thinking about it. The first is how a single organization can adopt them. Right? Like Christian said, the password or the equivalent of the password stays decentralized out with the user. And that enables this, now identity layer, to sit on top of your IAM stack and be able to prove who somebody is. So you can adopt that as an organization today, in my opinion, without having to turn your IAM system upside down, so there's all those benefits.
Long term, and say in a couple years, you'll be able to take your identity and be able to share it cross network. So when Christian leaves BNY and goes to work for Jerry at Jefferies next year, it's conceivable that he will take his identity with him. He's already proved his citizen status, he's got a driver's license, passport, et cetera, approved, and let Jefferies consume that because they trust the underlying network. And that underlying network is evolving, and that's where we're going to see massive shifts as those networks get stood up.
And you could think of it the way, say, credit cards evolved over the past 50 years, somebody had to come get this piece of plastic and take it to the first restaurant and say, hey, would you trust this piece of plastic? And a couple of restaurants in New York said, sure, we'll do the Diners Club. And you can now use plastic at all these places. Now credit cards are ubiquitous and that same thing's going to happen to identity. So today you have all the benefits for an organization, and they're very real and viable, and the network's going to be evolving with consortiums, maybe the banks, maybe the telcos, maybe the government, that bring them all together and let them evolve up and then come down. I hope.
Jerry Kowalski:
Yeah, definitely would resolve some of the issues that I mentioned earlier around hiring, because that's really what the technology will provide in terms of an immediate fix for remote users. Right? Whether it's interns or new employees, that identity that already is pre-verified, that comes along with all the data behind it, that solves so many headaches. Right? Not only for HR, but also for cyber security.
Jyoti Punjabi:
So Christian, you want to share your thoughts as well?
Christian Adam:
Yeah. I mean, to me, it's about reducing the friction in terms of quickly enabling and de-provisioning. Right? So large enterprises, I mean, good luck to you if you... Well, congratulations to you if you figured out one place, one button to press, that immediately disables everything. Gone. Right? With cloud and SaaS applications, and unless you were very vigilant, knock on whatever wood or formica or whatever this is, that you've been adopting these services and tying it to one credential or one place to push the big red button. But you struggle, you struggle with connectors and feeds and pushes to systems and disablement. And I know Jerry and the world of identity access management, we struggle with an entire series of activities that have to happen when you provision or de-provision, and push the button and reconcile. And did it fail? Did it push? Is their identity still active out there somewhere in some Salesforce out there? Mm. Put it in a way to make that simpler and I think that removes that friction. That's one of my key focus areas.
Jyoti Punjabi:
So we've been managing time very well. We've already started getting quite a few audience questions, in fact, some of them are really long. So we'll take two questions from our discussion and then we'll open it up to the audience. So given the unpredictability of the current situation and the fact that we do not know when it's going to end, what are companies that you think are doing differently today, or planning to do, to address remote work and the associated risk? Jerry, do you want to take this one first?
Jerry Kowalski:
Sure. Not a problem. I think it's, we're planning to continue what we have been doing, which is definitely collecting a lot more data on the remote workforce, the workstations, laptops, devices, data has to tell us the story. But there is more, it's not just the technology aspect of it, we also have been pushing some of this work, if you will, or data points to the users.
So when there is a password change, we're asking the user to tell us, was it you? It's similar to what you probably have been used to in the credit card space, where you go to a store you've never been to before, you swipe and it says it's declined. You get a text message, was it you? Right? So we're trying to employ our users to tell us a little bit more about some of that. I think it's very important. But having covered everything within Jefferies, the next thing that you need to do is find out what's happening outside of Jefferies, or your organization. You definitely need assistance with threat intel. Right? And get services that look after users and accounts that have been compromised within your workforce, whether it is due to a phishing attack, whether it is due to compromised systems that we don't have control over, SaaS applications. You need to have that so that way, every intel matters and you need to start building that thread.
Jyoti Punjabi:
Michael, you want to go next?
Michael Engle:
Yeah. Yeah. I mean it really comes down to just getting rid of the passwords, it has to be a focus. The Verizon Data Breach Investigations Report, it is like the report in the industry for security, it's called the DBIR. And they called out that 81% of security breaches are because of compromised credentials, usernames, and passwords. So starting there, I think everybody is focusing on that, trying to get rid of not only the poor user experience, but close that 81%. So that's going to continue to be what the focus is, just at least start with the remote access, the VPN, the Citrix, et cetera, and close that off. Right? Even if you can't get the Windows, UNIX and all your web apps, you'll really be moving things forward from a security perspective.
Jyoti Punjabi:
Sure. Christian, do you want to share your thoughts on this? What do you think that the companies will be doing differently?
Christian Adam:
Yeah, I think at least the one area that I will be doing differently too, is from an analytics perspective, now that I can understand where identity is being used across my services, I think there's some interesting fundamentals that you could keep embedding into this technology. Embedding a rules engine, embedding different analytical capabilities to find out where identity is being used. I think historically we think it's a silver bullet to get rid of a password, potentially I think it is. But I think in addition to that, what else you could do is to mitigate fraud and put some great rules, without embedding rules in your applications and your services, you could leverage the ledger based nature of decentralized identity and perform any type of preventative or even corrective controls. Right?
So how many times have we struggled, at least in our industry, to look at ways that we were trying to mitigate credential loss and theft. And we tried to do things like step up and prove a couple of secrets, or you cannot possibly log in from this part of the world and that part of the world at the same time. I think all of this new generation of opportunity of rule based authentication with identity, I think it's going to create a whole ecosystem, a potential. I've been thinking a lot about what happens after we think that fraud is mitigated, because you just can't steal my identity. How else do you leverage that platform? Right? So I think it's going to open up a lot of creative technology capability, not only with sanctioning access and sanctioning the use of identity by other companies, but also how to leverage that information across organizations.
Jyoti Punjabi:
Super. So now I'm going to read out my last question. I'm going to give you 30 seconds to think about it. And while you are thinking about it, we're going to open the audience poll as well. My last question to you is, what COVID related interesting project or challenge have you worked on in the last six months?
Christian Adam:
Yeah, basically leveraging the metrics around COVID infections, have they spread country by country throughout 2020, and early to late 2019. You find some interesting analytical opportunities, especially if you cross reference the data with, let's just say, scanning activity against your perimeter. It's very interesting, an exercise that my team and I have done, and shared with a few others in the industry, around the cycle of... I'm not going to name certain countries. But you can think of certain nation states where actors have historically operated. And if you cross reference their COVID infections and their COVID deaths with targets of opportunity that they normally attack and scan for, you'll find some interesting correlations.
So one of the areas I did early on during COVID was I came up with a hypothesis that said, I bet you we can identify nation state actors based on the change of behavior. Instead of scanning us from their normal, notoriously deceptive, hidden areas of the world, I bet you we can identify them based on COVID impacting their country. And be surprised, get yourself access to your perimeter scanning activity and your web application logs and all the external services you have out there, and just do a simple time series and analytic of countries that have been scanning, and specific internet providers and [inaudible 00:38:53] providers, with certain countries of interest, and you'll find some interesting correlations. So I won't give too many details, but if you do want to reach me afterwards, I'll gladly share that. But that's a cool thing that we did, and it actually was enlightening. Not too often do you get the opportunity to correlate worldwide pandemic impact and how it influences technology.
Jyoti Punjabi:
Jerry, you want to tell us about your project or a challenge that you've encountered during COVID?
Jerry Kowalski:
Sure, it may not be as exciting as Christian's, right? But one of the things that many of us have to do is manage the workforce that wants to be in the office, and prefers to be in the office. So from Jefferies' perspective, we needed to manage that. Right? So we had to do a little bit of correlation of physical access to users getting at the stations. But the requirement, we needed to ensure that everyone coming into the office does it at the station, and a questionnaire based on whether you're in contact, whether they felt okay, et cetera.
And we needed to tie the actual physical badge entry to a user getting a questionnaire right on their phone and having to complete it before they enter the building, or having completed it the night before. So that correlation is needed and it helped us to get that data ready. Actually, we'd been planning on integrating physical security into IT security for over a year, so we already had the data and we were able to support the business and safely allow users to return to work once they completed the questionnaire, if they have to.
Jyoti Punjabi:
Super. Michael, do you want to give your comments please?
Michael Engle:
Yeah, I got a real quick one, it's kind of fun. We're working with a Caribbean country, so the travel industry's been decimated, they're down 90% from the beginning. They're getting back up to 50 for the upcoming cold season here, but they needed a way to know that somebody has a COVID immunity test within 72 hours. And instead of a piece of paper, which can be forged, we are issuing a digital credential for that. So you get to the airport, you show them your phone, scan a QR code, and there's your Quest Labs or your Lab Corp certificate in digital format, and it's matched to your passport. Right? So just a neat project that is a real enabler.
Jyoti Punjabi:
That's great.
Michael Engle:
Yeah. So just kind of a fun one there.
Jyoti Punjabi:
Super. Super. So I have questions ready, some of these are directed to either of you, or they'll be open questions. So Michael, the first one is for you. The COVID-19 pandemic has actually fast forwarded us to adapting to ICT almost unprepared with consequences regarding security. How does one protect themselves from the security threats?
Michael Engle:
Did you say ICT? I missed it because-
Jyoti Punjabi:
Yes. I said, ICT. Adapting to ICT almost unprepared. Yes.
Michael Engle:
So how does one protect themselves from today's threats using this type of technology?
Jyoti Punjabi:
Right.
Michael Engle:
Yeah. Well, as I mentioned, the concept of a digital wallet is getting lots and lots of traction, my analogy of the credit cards starting to get traction. So there's a number of forward thinking organizations out there that are embracing this technology. And whether it's our company or other companies, if they're based on open standards, you just need to get involved in the industry, understand how these privacy preserving technologies work, and solve security problems. You need a seat at the table early, otherwise you'll be a laggard and trying to catch up later once the wave has passed.
Jyoti Punjabi:
Okay. The next one is for Christian and Jerry both. User data stored encrypted in the blockchain represents the future, especially for industry like financial services. What is required for executives in your industry to believe in the benefits of blockchain offers... That blockchain offers, sorry.
Christian Adam:
Oh, yeah. I can say, outside of the world of identity, I think my organization and banks in general, understand the benefits of blockchain tremendously in terms of, I think early on we were all wondering if this distributed general ledger was going to be the next ability to have to remove the need for batch reconciliation processing, improving that. So I think executives already know the benefits of blockchain.
I think the challenge is letting them know how to leverage a blockchain based backend with the concept of identity. I don't think executives are going to need to know those technical nuances, to them, they're going to need to know that the concept of a decentralized identifier maintained on something that you already own, like a phone, is the way of the future for them to understand it.
And you present it to them in terms of, gone is the friction with having to change your passwords, gone is the friction of having to worry about your remote workforce keeping post-it notes at home stuck to monitors because they think they're safe at home, and then their kids run up to the computers. Gone is the friction of forgetting what you set your password to and calling the help desk and creating millions of dollars of service, because now you have the ability to just reset your password securely with an identifier as well. I think that's how you sell it to the executives in terms of, you assure them that it's obviously secure and hard, and strong and protected, and you also give them the positives of cost reduction, of friction reduction.
And also the marketing capability of, especially in industries like ours, where now you can leverage that identity and remove the friction of working with different companies. I don't know about you, but we have others on the call, we have to manage identities across so many SaaS platforms. So not having to manage all of those identities as individual pieces of tech and code and onboarding, and all that friction, gone is that too. So I think that's how you sell it. I don't know if, it's an art to try to explain security to executives, and most times they just go away and say, am I more secure? Yeah, you're more secure. Okay, here you go. But it's-
Jerry Kowalski:
You're spot on. You don't have to explain the tech, you have to explain the benefits. And currently you have to define the problem, right? The problem statement is clear, but also the benefits, I don't expect to explain blockchain technology and encryption to executives. They may know the buzzwords, of course, they have been used in the past, but there is no need for that. Right? They rely on us to analyze technology and make sure that it is safe, that cutting edge technology is being implemented to reduce that risk and that friction as Christian mentioned. So I don't expect executives to challenge us.
Jyoti Punjabi:
Okay. Michael, the next one is for you, and it is from David. How do you identify a legitimate user from a fraudulent user without impacting the user experience? What about contextual authentication? And are device certificates part of the comprehensive approach?
Michael Engle:
Yeah. Well, device certificates, if you're using an MDM, certainly is part of the equation of when you let somebody into a corporate network. But from a citizen perspective, if you're a consumer retail operation, you introduce the identity proofing in stages. For opening a new trading account, you do it right up front, because the process is far better than what they have to do for KYC by doing it all on the phone in real time. But for your existing customers, you now have the ability to step up incrementally.
Jyoti Punjabi:
Right.
Michael Engle:
So, hey, current customer, you're about to do this high secured transaction. Today you'll send them a text message, which as we all have talked about is compromisable. I need to prove that you are you to protect your own identity and protect your account, so just show me your driver's license or your passport or some other type of credential, so you phase it in as the risk profile is required. And to the other part of the question on device, you just need to do the traditional zero trust checks on the device, is it jailbroken? Are the right policies in place? Does it have the latest operating system? Et cetera. Combine those things together and you have a much better picture of who's coming in, and the user experience will actually get better because you're removing passwords. Right?
Jyoti Punjabi:
Super. So Christian, the next one is from Vivek [inaudible 00:48:29], this one's from India and it's almost 10:30 in India, so Vivek has stayed up to listen to you. Okay. How do you overcome identity spoofing on social media, where hackers using internet protocol spoofing, which also... Okay, wait. Also spoofing someone's IP address, which may also be spoofing someone's IP address? Do you want me to read that out to you again?
Christian Adam:
Yeah. I guess I'm trying to understand is like, okay, how do I handle a person's personal persona on social networks being compromised with a spoofed IP address? I mean, first off, I don't trust any persona on social media, but I'm also greedy. If anybody wants to link in with me, I don't care, I'll link in with you. You know why, because I love the analytics, I love understanding my cloud and who wants to link in. I take an image of whoever it was and I'll Google reverse image search it as well, just to see if they're compromised. And I like gathering compromised identities of personas on social networks. You know why, because I like seeding that information and seeing it in my organization as another indicator of compromise.
If I know there are identities out on the social networks that are easily compromised, I actually grab those identities and I feed them internally to my analytic, and I see if they're authenticating or trying to send emails to us using that purported identity. It's a treasure trove for indicators of compromise on social networks.
Now, obviously we do user awareness and education, right? It's about educating your employees about how to maintain your social presence on social networks. What to say, what you shouldn't say, how to brand yourself, and also how to secure yourself. Right? How to secure yourself to make sure that at least with today's technology, dare I say, unless one day 1Kosmos or passwordless adopts those organizations, you do have to multifactor yourself. Right? You do have to secure yourself from those identities, and you shouldn't leave a password that leaders of the free world can be easily guessed. Right? So thanks for setting up that joke, I wanted to squeeze that in here. But yeah, I definitely wanted to say that it's a combination of educating your workforce, educating your staff, and don't be afraid to use that data. Use that data for your organization to mine it.
Jerry Kowalski:
Make passwords great again.
Jyoti Punjabi:
Okay. This one's open for all three of you. As a CISO, where do you stand, one on securing remote worker authentication and passwordless authentication? Where does this stand in your priorities? I think you've spoken enough about it, but Martin wants to know if you recommended it to your peers as well?
Jerry Kowalski:
Yeah. So I'll go first. So definitely we have been exploring passwordless authentication, before even this pandemic, and it's really around reducing the friction for users to authenticate. So we are in testing phases of passwordless technology, and it definitely is one of our priorities after we have handled the basics, passwordless is next.
Christian Adam:
Yeah. I got to say don't treat this as yet another technology that I will buy and add to my portfolio for security, this is a cultural change. And early adopters will be able to handle that cultural change, early adopters of passwordless would've already realized that they have to do end user AB testing and understand what that cadence is of how do you roll this out in the organization? They will understand some of the friction you'll have with application teams and other applications that people have to log into.
And you realize that you're changing a password to be from a password to a passwordless scenario, just to log in to your computer. Okay, that's one piece. What about the hundreds of other apps that you now have to integrate with that functionality? But you have to build that culture and that momentum, and for those that can be early adopters, you're just going to get way ahead of the curve in terms of understanding your landscape of where you have to remove a password. It's not going to be just a tech solution that you can just roll out and you're done, it needs good understanding of your application portfolio and your identity portfolio, so start early.
Jyoti Punjabi:
Michael, your thoughts?
Michael Engle:
Yeah. Early adoption is great, obviously, we've been doing this before it was fashionable. But the other thing is there's low hanging fruit, so you go after whichever password problem is impacting your help desk the most. Right? Typically, that's a Windows workstation or your remote access. And the benefit of that, nothing gets people excited about saving money or solving security problems. And you can measure the amount of money saved with this technology in months, which is very difficult for a security product, because you had 100,000 help desk calls last month. And after you deployed, you had 80,000, right? You could measure that down to the penny. So it's a real easy place to start with this, and a nice way to be an early adopter in a place that makes a difference.
Jyoti Punjabi:
Okay. We're almost out of time, I'm going to take just this one last question. A recent study also suggests that three quarters of millennials in America use the same password for more than 10 different devices, apps, and other social media accounts. Why do you think there is still such a trend? Is it simply due to lack of password creativity? Or is there anything more to it?
Jerry Kowalski:
No, that's it. It's hard for, humans aren't creative. And I do it, I'm like, I don't... Well, I don't use the same password, but when I have to give a password to a family member, I'm struggling. What are they going to remember? So yeah, I think it's just user behavior is hard to change. So if you get rid of them, you're solving the problem.
Jyoti Punjabi:
Right.
Jerry Kowalski:
Yeah. The concept of password is just complex, I think we need to start using passphrases. And that's a little bit easier to understand. I mean, when I talk about giving passwords to my kids and my family, it's always phrases, very simple things, very simple phrases that you can remember. You know, I love, passwordless is a great password. But as long as it's not a password with dollar signs and very hard to remember things, that's why they probably have one password and reuse it. Passphrases are probably going to be that breaker.
Christian Adam:
Yeah. I'm going to share a little story and then I'll just wrap it up real fast, but it all starts with where the Millennials, or whatever you want to call them, Gen Zers or Xers, whatever, where they come from. And they come from this concept of that wonderful individual who created the password. That seems to perpetuate throughout your academia, and through your college, and through everything as a password, what do you expect? And it's going to get worse. I mean, it's not just millennials and that ratio, it's like, look at what has happened in terms of applications. Applications have become decentralized, there's websites everywhere for everything, there's an app for everything.
Jyoti Punjabi:
Right.
Christian Adam:
So, I mean, it's a combination of that. I found myself reflecting on how to change this behavior when my daughter started school in COVID, and she was given a Google Chromebook and she was given a QR code based way to log into the Chromebook. It's pretty cool, instead of typing in a password, she had to show a QR code.
Now somebody can photocopy that, I'm not even getting into that. But you know what the teacher did, she translated the QR code to a post-it note and stuck it on the laptop. My daughter comes to me and she goes, "Well, dad, what's this? Why did she put my password on here?" I said, "Get rid of it. Get rid of it. In fact, if you ever forget or lose your code, it's better to reset and just get a new code than to write something down." And she's like, "Yeah." And so it starts with educating your own children, stop the culture madness of passwords. Right? And if you-
Jyoti Punjabi:
And how proud were you when she said that?
Christian Adam:
Oh man. I mean, the daughter of a security professional, please. That's great.
Jyoti Punjabi:
Thank you so much for your time, and good day everybody, thank you so much.
Michael Engle:
Thank you.
Christian Adam:
Thank you.
Jyoti Punjabi:
Thank you.
Jerry Kowalski:
Take care.
Jyoti Punjabi:
Bye.