Video: Defining Cyber Resilience with Francis Odum | Duration: 3480s | Summary: Defining Cyber Resilience with Francis Odum | Chapters: Welcome and Introduction (3.12s), Speaker Introductions (105.56s), Joining Rubrik (196.49s), Identity Security Framework (270.59s), Agentic Identity Systems (499.715s), Identity Resilience (662.12s), Lateral Movement Threats (874.07s), Recovery Complexity (1030.275s), Modern Recovery Solutions (1219.675s), Identity Recovery Strategy (1512.94s), Identity Recovery Systems (1759.085s), Identity Cyber Recovery (2183.885s), Key Takeaways (2725.27s), Audience Q&A Session (2846.58s), Identity Resilience Adoption (3007.68s), AI-Augmented Attacks (3114.975s), Identity Under Attack (3209.81s), Closing Remarks (3328.645s)
Transcript for "Defining Cyber Resilience with Francis Odum": Welcome, everybody. Thank you so much for making the time. We're gonna get started in just a minute here. Awesome. Okay. I'll go ahead and, go ahead and kick us off here, just so that we stay on task and make the most of everyone's time. Well, welcome and thank you for joining us today for Defining Cyber Resilience with Francis Odum. We have some really exciting content lined up for you with Francis, founder and CEO at Software Analyst Cybersecurity Research, and Noam Perel, Rubrik's security field CTO. But before I hand it off to Francis to walk through the agenda, just a few housekeeping items. First of all, this webinar is live and we want your participation so please drop your questions, comments, and reactions throughout today's session. If you navigate to the right hand side of your screen, you'll see a chat, docs, and Q&A tab. Please share your questions in the Q&A tab if you can. It's a bit easier for us to navigate and ensure everything gets answered. And then we'll have time at the end reserved for, to answer questions but please don't wait till the end to post them. We'd love to see them come through so we can plan accordingly. And that's that's pretty much it but the chat's open so we'd love to hear your reactions live. I'll go ahead and hand it off to you, Francis, to, to kick us off. So go ahead. Hi, everyone. Could you guys hear me well and good? Perfect. Amazing. Well, it's a pleasure to be with you all. Thank you to the Rubrik team for having me. And I'm really, really it's a pleasure to be joined, to be joining, Noam Perel. Maybe shortly here, I will pull up my presentation, but my name is Francis. 
As Anna introduced me, I'm founder and CEO of Software Analyst Cyber Research, with and I'm also one of the lead research analysts where we do a lot of work across the cybersecurity ecosystem, but identity specifically being one of the major areas where we do extensive research with practitioners, CIOs, CSOs, as well as the vendor ecosystem, cutting across multiple areas of identity, IAM, IDP, IGA, PAM, NHIs, and now more importantly than ever, agentic identity and how that market is evolving. So we talk to the practitioners. We also talk to all the vendors, and we combine those insights together to share our findings and thoughts. So today, when I start my presentation here, the goal is really to share some of the perspectives that we see on the market. The the concepts we're gonna be even covering today are concepts that, needs, deserve attention and and maybe we, a lot of previous work in the identity ecosystem hasn't done justice. So I think that's gonna be part of our goal. But maybe before jumping into that, Noam, I would love for you maybe to introduce yourself first, and then, we'll hit the ground running. Yeah. Of course. So super excited for today's call. It started with, I think, Francis, you and I went back and forth, and it was in Identiverse last year. They were like, Yes. hey. What are you doing here? Right? And I was like, yeah. I have a lot a lot a lot of news to share with you, and the conversation started rolling there. So I'm really glad we got to this point to share, some and parts of our conversations. So super excited about it. A bit about me, I love it. I joined Rubrik for an acquisition they made, in the security space, and then I couldn't be more excited and and privileged to be to be acquired by Rubrik. And and the reason is when you join a bigger company, you know, people ask, so how's it going? And then they tend to say the the generic, yeah, it's exciting. 
But when you come from a start up, one of the main concerns you have is can you keep pace of innovation? Can you and and, Francis, you do this day in, day out. Can you see what's happening in the market? Can you listen to customers and keep up the pace? And one of the big privileges that I have to do with Rubrik is keeping up with that pace and then truly innovating. So that has been a true privilege and really excited about today's conversation. Amazing. I'm good. I'm just gonna try to see if I could share all of my screen, so my entire window shows. Let's just try this one more time so everybody could see my entire slide. And I just want everyone to confirm if this is good. Oops. No. Actually, no. Just gonna get this. There we go. Yep. Okay. Is everybody able to see this as well? Sure. Great. Awesome. So thank you all so much. And, yes, Software Analyst Cyber Research, for those who might be launching, we're an independent research and advisory firm, you know, solely dedicated to cybersecurity. Some of what I do, where we do a lot of work across the CISOs as well as the vendor, and we publish research analysis, vendor advisory, education and speaking work. And part of the goal today is to talk through some of those areas. So maybe let's start with this, beginning. Like, let's just, I love to always set the the the groundwork, the framework. Let's just set the framework and and level set on a number of areas. You know? So overall, broadly, you know, when we talk about identity security more broadly, you know, it it really is all about we've had this whole space, and it's evolved for quite a long time, the human identity section of your IDP, your Active Directory, your your Entra, your your Microsoft of the world. You know? Identity really broadly has been human centric, in terms of its spanning, identity security broadly across human identities. Increasingly now, we've had nonhuman identities. 
But even in the human identities, we've had areas like IAM that deals with all of your entitlements, in terms of all of your users and the actual, and, authentication of access, your IGA, which governs, you know, a lot of their, their access and how those access reviewed or processed, you know, your PAM, category, you know, which governs a lot of your privileged access, ISPM, which really looks at, your the visibility and the posture and misconfigurations. And we will speak to to some of that as well. And then, obviously, ITDR for the tools to write that. There's a lot of your identity trends, you know, as well. And then the last few years, you know, the the bottom half of this has become more important, and and there's been a more more spotlight around that, you know, in terms of your non-human identities across your ecosystem, in terms of accessing how your NHIs hybrid access all of your, different systems, your service account, API keys, tokens, and secrets, and then how we actually have a governance model, you know, that sets across this. And and by the way, this is gonna lead us to our topic today of identity resilience, but really important for us to really understand this. Because when we think about this entire infrastructure stack, you know you know, like, the underlying theme for which we're gonna come to is identity resilience, and that's gonna be a major, major theme of ours. You know? It's the fact that, identity resilience is something that cuts across all of this. Right? It intersects with your identity infrastructure, which I very much have there at the bottom, in terms of what actually is needed to help your business have business continuity. And and this is this underlying identity infrastructure where there hasn't been a spotlight in terms of what actually needs to be done to that underlying infrastructure. 
So part of our goal here today is really to uncover that a little bit more just to set the context of at least SACR and our firm, how we look at identity more broadly. Obviously, since 2025, you know, we we especially, NHIs were a theme, but we knew nothing was brand new with NHIs in itself. There weren't necessarily anything new, in in terms of of what needed to be done. However, you know, since last year, with the evolution of, agents and the and the evolution of agents, which people will say maybe several months ago, in terms of agents and capabilities, you know, we now have fully autonomous systems that are fully capable of running goal oriented task within your environment. Right? And those same agents, you know, whether it's Claude, whether it's, Anthropic, ChatGPT Enterprise, whatever you're using Salesforce, Copilot, you know, these agents now need the same identities. Right? They need to access your IDP. Right? They need to they need to access those same identity infrastructure we just spoke about. Right? They need to access all those systems. They need those credentials and, let you know, an MCP to access our enterprise systems, whatever you have on prem, whatever you have SaaS, whatever you have running your environment. So increasingly now, this is a new conversation we wouldn't have had two years ago, but now this has actually now made our identity infrastructure much more complicated that that that leaders have to increasingly think through about. Right? And and if we abstract that previous layer, you know, into a little bit more, you know, when we actually think about now in today's world, you know, every organization is moving as quickly, you know, to to meet the agentic the agentic era, you know, and where we're at right now. You know? The goal really is all about, you know, agentic identity. We need to make agentic identity system in an agentic world where your agents are gonna be unique identities. 
They're gonna be leveraging the same sometimes, the entitlements, the credentials, access that your human identity users use, your contractors, your admins, and service accounts are gonna be interactive. This fuse the system. When we think about our control plane and our execution plane, you know, we really need to think about identity resilience, you know, because identity agentic identity, you know, really makes the conversation around identity resilience more important because the number of actors now, the number of changes has to actually evolve very, very quickly. And so this is this is just the world that we're living in. It's this complete execution point now. We need to think about how do we make all of these systems completely resilient, to the world we live in. And I think this this this maybe brings up to this point where I'll probably love to get, this is maybe we we this is an insight we did get from the team here at Rubrik where, I'll be happy to have Noam even chime in here for a moment. But from our research, you know, layering on those three to four major parts. You know? I think the reason why now in terms of if we start to think about what does identity resilience really mean, you know, I think how we really define it is is really the core that all of our identity systems today across human, nonhuman identities, and now increasingly agents. You know? We need to think about how we build a cyber resilience strategy across our identity systems because now identity is no longer just a login layer. You know? It is it really is now a control layer for the entire enterprise. You know? And when when you have an identity that's been compromised, you know, every other system or recovery system, becomes slower, riskier, you know, and even becomes much more manual. So I think the hardest problem today now is no longer detecting identity. It's not only just, I would say, detecting identity compromise. You know? 
The it's really about how do we restore all of these identity systems, you know, especially if an attacker were to break in. You know? And this goes from our sources of truth all the way to all of our authentication layer, which is the huge and the foundational truth and all of your, adjacent systems. Well, I'll be happy to hear your perspective here. Maybe to add some thoughts here, Noam. I'd love to bring you in here. Yeah. No. Of course. I agree. If we look just look at this slide. Right? If we go back to ten, fifteen years ago, we only had on prem AD. It was very simple, and then we can connect could connect our systems through on prem AD, and we didn't have this web of connectivity. Then we moved to cloud. We moved to a lot of SaaS applications. So we added the modern IDP, so it's Entra ID or Azure ID as some people know it. And there's connectivity between AD and that. Then we added Okta, and some companies opted into that. And then look at the connectivity between all the different SaaS applications that we have, all the different cloud applications. And then in order to authenticate into the IDP, we added a whole new layer of HR systems, and those sync into your IDP. So when we think as as you mentioned, Francis, when we think about the breach, when the disruption happens, right, it could be a cyber breach. It could be just a mistake, someone misconfiguring Workday, and that and that triggers a workflow in Okta that that removes access for thousands of people, on any given day. And and we see that day in, day out with customers. So it's the complexity of the identity system. And as you mentioned, oh, by the way, we haven't even talked about how AI as soup like, has a lot of complexity to this. 
It's just about assuming assuming that disruption will happen either from a workflow, someone mistakenly trying to update something, someone trying to run an agent and and that agent goes rogue, or a cyber attack that uses the identity layer as a target of disruption. Right? So so that's the assumption that we see today, and this this slide just depicts the complexity of the problem once something goes wrong. Yeah. And and no. And I I really, really and I just I thought the visuals, like, just absolutely really display displays the complexity that those, that these does require. And and, you know, identity attacks, you know, they're no longer just, instant or one time event. It's it's lateral movement. You know? Once an attacker gains access, you know, they're able to escalate privileges. They move to move laterally. They could deploy a backdoor, you know, and then lead it, like, cost significant amount of the future. I think by the time the organization even realizes the scope, you know, it's it's already too late because course. the identity, it's it's significantly faster. So I think and I think many of our participants today, you know, you kind of resonate with with a little bit of this. So maybe for our next slide, let's just go over, you know, kind of, like, an example. Again, really love the same, analogy here, and I thought it was perfect perfect, you know, to just depict the scenario. You know? Like, you your organization might be at risk of us. Your organization might be at risk of, you know, like, this is just a war room example of, you know, maybe to bring to life what we're we're we're talking to. You know? In in the case of let's just take an example of one of your, your employees got phished as an example to your social engineering, you know, and they they get legitimate access, to specific credentials. You know? Obviously, it doesn't look like there's any incident happening, but, obviously, this is a breach that has happened. 
And thirty days, forty days after, you know, you might have an attacker who's already into your systems, you know, and he's able to escalate privileges. They're already moving laterally. They're able to create potential backdoors, you know, and be able to bypass potential policies. And then before you know it, you know, I mean, some days, it doesn't even have to last 45. It doesn't even have to be by the 100. You know? They could delete your backup systems. You know? Your systems could also be encrypted. You know? And then the harder question really is, you know you know, can we trust the your identity environment, enough to recover from something like this? You know? I think this is the question every organization should ask themselves because this is really a reality, that is happening, and this is how companies have to pay significant amounts of ransomware. You know? By the way, maybe I'll just pause here maybe to to just this is just a real life example. This could happen in many different ways and different attacks, and it doesn't have I don't even think these attacks are as long as day zero even anymore. I think it will much shorter in terms of how much they're able to cause harm into your organization. Mhmm. You know? But I'm I'm curious to hear your thoughts on this as well. You're you're right that the attacks can be shorter. The the idea that if you think about the last slide showing the complexity and showing this slide, obviously, this is by far the worst case scenario of attackers having enough dwell time that they could target the backups, move to full detonation. And now when you have the incident response teams coming in, you bring in a firm. If we look at this case study, only the as as I mentioned mentioned here, manual Active Directory forest rebuild. Right? If you have a full compromise and the and the attackers gain persistence inside of your environment, for Active Directory, and this is one of the takeaways of today's conversation. 
Think about an Active Directory to remove persistence, you need to rebuild your entire forest. Only that can take organization sometimes up to a week, just that part. So in this case, it took them a few good days, but think about all the complexities connecting your your multiple IDPs. Most organizations today are in hybrid mode. They don't just have AD. They have AD and Entra. So think about in that interdependency alone is not only about the Active Directory forest rebuild. So in this organization, it actually took them a month to fully recover from an identity attack. And I think, you know, in this example, day zero starts us with social engineering. We saw a health care attack that started with bypassing MFA. There's always some new way that attackers will find their way in, and people just need to assume operate under the assume breach mindset. 100%. 100%. And and, you know, one last before we move on here. You know, In in most identity incidents, even from the work we do as well across IGA, PAM, you know, or one of your your IDPs, are breached. You know? You know, the recovery clock, you know, doesn't start when the systems go down typically. It typically is it's just, like, typically, indirectly starts when trust is broken, and and you can't trust who's in your system and what they're doing. And if something were to go down in your AD environment for the you know, how long would you redo this? So I think this is just one of many examples, but I think this should lead everyone to start thinking about your own individual organization, you know, in terms of, how do you build that trusted access, you know, if if you were to have a compromise, you know, to your core app within the system. So by the way, this, brings us sorry? quick. Yeah. For for the audience, I will mention that this was an RSA slide which we anonymized, but this is a public case study around about the state of Nevada. So this is public information out there. Use it. Learn it. 
I would highly encourage, organizations to learn from that and and then be accordingly prepared. Yeah. Thank you for giving that context in case, our our participants wanna read more. So let's go into, let let's start thinking through some solutions. Obviously, let's let's just speak through some some some challenges, you know. But but as we think about, you know, thinking about what modern, legacy approaches versus modern resilience could look like as each and every one of you think about your individual organizations. You know? I think the the core thing here is, you know, legacy recovery is still very much very passive, still very much manual, still very bold, build, don't blind, rollback. And, and, honestly, even from our work, we we do extensive amounts of work in identity. We're good. We evaluate identity. Some of you are gonna be there. You know, reach out. But in most of our work, you know, we don't hear a lot about the conversation of identity resilience or recovery or or how to think about backing up your system. I think everyone just has this assumption that, you know, we would be fine or our identity systems would never be appreciated. And and it's something that attention really hasn't been paid for. And, unfortunately, like, whether it's it's the example we had in the last slide and many more organizations. You know? I think many organizations are still in this very manual rollback methodology where they build, systems internally. So we think some of the ways people have to start thinking about is how to actively think about this category shift. You know? We need to think about how we make identity much more modern systems that are very focused on active evidence based, changes, you know, in terms of making legitimate changes while removing malicious persistence that could exist in your environment. You know? 
And and, also, I think a key theme without maybe going into depth, you know, is I think the real innovation is really having a, it's it's not just about having a backup plan or, like, having a cyber backup program or cyber backup. I mean, I think the the the core thing, the core innovation really is about knowing what changed. Like, if you're able to answer that question to your board, your leader, terms of what changed, what's safe, who has identity towards, how would the users be created if were to be breached. You know, what could what could be malicious, what couldn't, you know, and then what should be reapplied. You know? And I do think in in today's modern world, especially with human identities, we're also, agents making that much more complicated. You know? I do think the key the four major themes is thinking about your recovery strategy, data integrity, clean point, as well as business impact. Like, you should be able to access yourself in the case of any attack or risk. How do we actually navigate through this? Don't know if there's anything you wanted to add there, Noam, as as people think about. I I think I think you're spot on around the the right approach here. And I'll I'll I'll I'll let's start with with a a basic example for a legacy approach. A lot of customers can say to me, hey. For Active Directory, you have a VM level backup. I'll just restore from a VM. The problem is if you think persistency and you think modern day attacks, we think about let's say, give give a very specific example, a golden ticket attack in Active Directory, that will mean that you can reintroduce the attackers into the environment if you just do a simple VM level backup. Right? So that's one. Another thing that people don't don't think about is if you think your Entra ID or your Okta, they think, hey. That's SaaS. That's available. Right? But what if someone changes or tampers with conditional access policies in Entra? 
And we've seen an attack that attackers used or utilized, weaponized Intune to inflict further damage. Right? So don't think your traditional users and groups. You need to think of all the other objects that, you know, make up a modern day IDP. Now you also need to think about the interdependency between those tools. Right? So so that's the one two legacy approach. Now when we think data integrity, Francis, I think I think you nailed it on the head. When when organizations think, okay. We can use the backup, but if you go back in time in in your IDP, right, so you went back in time three weeks ago, think how many changes will you have lost during those three weeks. So it's not only can we find clean. Yes. You need your backups to be available. You need your recovery system to work, but you also need a way to reintroduce the legitimate changes. So do you have a plan to collaborate with your SOC to find that clean, find the legitimate changes, and then reintroduce them to your IDP? Right? So that's that's the thought. And, again, end of the day, this is what we're talking about is is how do you minimize the impact of of the downtime? How it's all about that that reduction because that that just means downtime people can access. It's that's that's how simple the business impact is. Yeah. And I and I do think there was something you mentioned that I think we should double click on a little bit, you know, in terms of, you know, act when you think of active directory, you know, like your Microsoft directory for all your identities, for your users, but it's, like, but it's not just users. It's not just a single piece of data. You know, it's it really is distributed as we think about its its groups, its its computers, its policies, its its authentication policies that have been incorporated Correct. together with, obviously, your domain controllers that you might have. 
And so I think one of the risk many enterprises face today, you know, is, any attack or any breach on your, on on your Active Directory or your domain controller, it's it has interdependencies. And I think this is, like, naturally, obviously clear to like, a privileged group membership changes, you know, that happens. It could avoid it could affect a number of users and identities or a service principal, and it could roll out and it could be it has distributed effects, in terms of how it actually helps. And so we think in today's world more than ever, you know, yeah, basic redundancy, you know, whether that might be just having multiple domain controllers or so, you know, would help prevent against, hardware failure. These are just some things we do think, leaders should just increasingly think about the interdependencies of the risk and why, you know, resilience has to be you have to think about this from a distributed method, as opposed to in isolation. So those are just some themes, and some talking points we do believe that that we do think are, important. Obviously, we I don't think we need to speak too much, about this deck as much, but, you know, still going over the fact that, you know, identity persistence, obviously, is is becoming one of the more important long term risk, you know, in, in in ransomware and a lot of cyber incidents, you know. And and most times, you know, you know, whenever a new breach hits, you know, a lot of times, you know, it does the next thing is really the challenges of the business versus the security trade off, you know, which which means, like, maybe a traditional rollback, you know, creates a lose lose recovery, paradox between the business versus security. You know, how do we do we move faster? How do we not manage through that? You know? 
And then the whole idea the the real question a lot of the time, and then I know many businesses face this, and and we hear this as a cyber research firm whenever we speak to CISOs, you know, is the real question is not sometimes it's not simply about, like, how fast can we restore. The real question is, you know, how fast can we restore cleanly and appropriately. You know? And and always obviously, working with the different teams, your IAM team, your security team, your IT team, your infrastructure team, to to make sure you could manage to those trade trade offs as well. And then, obviously, operating on change, the the the speed, defining resilience, and then, obviously, making sure identity is is is is your source of truth. I think these five things are sometimes some of the biggest challenges we think organization have. And and that's why we have that quote of you don't have a recovery strategy until you can remove attack persistence, you know, without breaking and affecting the business. I don't know if there's any quick thing you you wanted to say, think it's fine. I think it's fine. Yeah. I agree. Yeah. So if we think more, you know, again, kinda like spotlighting a little bit more into just thinking about what happens, you know, in in today's identity systems, you know, post compromise. You know? You know, as we think about more broadly what this actually looks like and maybe some of the challenges as you all think about solutions to solve it for this organization, you know, is really the fact that modern recovery, you know, requires, you know, ingesting lots of signals, you know, correlating context, you know, and driving clean recovery, you know. And and what do I mean by that? 
You know, it means for us to do a really, really good job in terms of helping to manage trust, you know, in terms of helping to restore, a broken Active Directory or compromise or to to get back up to speed in terms of putting resilience into AD, Entra, whatever, identity systems you have. You know? We need to have multiple correlating signals. We we need to be able to get more context, you know, to create, better recovery mechanisms. And I do think organizations today increasingly, you know, organizations really need to think may will need to rebuild Active Directory in in such a way that allows them to be very, very resilient in case of an attack. Because as you see on the image on the left, many organizations might have the EDR. They might have their Defender. They might have HRIS. They might have whatever systems that they do have. All of these signals, you know, they help you determine all of the, you're getting a lot of context from your EDR on the endpoint, your Defender, what's happening, what's changing. You know? And then right in the center, you know, you're able to correlate, and you're able to reach a lot of your identity states, you know, and and have using that same shared context to create a unified intelligence, across your IAM infrastructure. And then the ideal goal with getting context as well as ingesting and centralizing all of this is to allow you to have better and faster cleaner recovery so that you're able to detect a cleaner recovery point or keep legitimate configuration or orchestrate recovery or even monitor, you know, in the case of after a resistance. So I think that the the best way to maybe, summarize this slide generally is really, clean identity recovery. It's not just a simple restore button. It's it's a sequence of decisions. It's a sequence of validations. It's it's a sequence of control reactivation steps, from signal to unification to get you towards that recovery state. 
But happy to hear maybe some of your thoughts in terms of how you think through the flow Yeah. from signals, you know, if I I think I think you defined it well. Right? First is is is your recovery system, will it withstand the attack? Will it be available? And when you think of which systems, just a few examples here. Right? We talked Active Directory. We talked about Entra ID. Organizations need to think about Okta as well. So it's it's thinking, can I can I even recover? Right? Can I recover specific Okta policies and workflows that, again, an attacker could be could tamper with them, or it could just be an operational mistake? Once you recover or you actually essentially need to go back in time, right, for a to a specific backup, do you have all the right signals, and signals could be a CrowdStrike, a a Defender, to say, hey. Which changes were the malicious changes? Right? But your HR systems or your IGAs could actually show all the legitimate changes that we do want to reintroduce into the system. Right? So let's give an example. There was a breach detected at a certain point in time. Then your SOC or your IR firm, they say, hey. You need to go back three weeks in time or a hundred days in time. This going back in time means that this is business data that that is lost. So you went back in time. You recovered the system. So you found clean. But is the data of the IDP, is it in in its current state? And the answer is no. And this is where you can we can use the integrations with different systems. So, hey. Let's say, hey. Hey. These changes are malicious changes. Let's not reintroduce them. And these changes from the IGA or HR systems, these are legit changes. So that if Francis joined three weeks ago, I reestablish Francis's access. It's as simple as that. It's you're hit, but you need to go to clean and current. So that's the idea of helping you post incidents sorry. 
Helping you post incident, not just recovering, but going back to the current state as well. Absolutely. And I think a lot of this also builds on a little bit of what we just talked about in terms of thinking through that operational continuity across each of the systems. So maybe let's just, we can finalize and finish up on this last slide. You know, as you all are thinking of solutions and frameworks to take with you, as you think about a framework, a system for how to think through how to go about solving identity resilience more broadly. I think the biggest thing we wanted to get across here, obviously, with these three pillars is identity security and governance. In terms of, obviously, many organizations have a lot of systems around IGA, you know, our firm, we've written extensively about the governance controls that are required, the compliance, and putting really good governance in place across your access control, your access reviews, you know, doing user reviews and campaign management. Many organizations have good programs established as well as their path in terms of building policies. But we do think identity resilience, establishing this, you also need to have a similar governance model that is also all about beyond, obviously, governing your identities and improving posture. You know? You really have to understand, you know, when you've answered the question of who has access, you know, where your privileged users, where your PAM, or how access reviews are being done, we need to also ask the question of your identity configurations. You know? Are those systems in the place where they need to be? You know? Are those policies, you know, aligned with your security requirements? You know? And then do you have a good glue across your IGA, your PAM, your ISPM, and all of those systems? I think we showed much earlier, they have a resilient system.
So you need to develop, operationalize that strategy, the first pillar. The second piece is really about, okay, once we have a centralized view of all of identities, then, and by the way, one thing I will say before I go to number two is we do recognize the challenge. Many people, organizations, facing pillar one. You know, from my conversations with a lot of identity leaders, you know, these sometimes could be different departments, different units, different projects. You know, sometimes it lives within the IT systems. You know? Some more mature organizations have an IAM team. You know? There's an infrastructure. There's a business. And so sometimes it is very, very difficult to have the centralized governance, but we definitely encourage this, you know, to help you move to pillar two and three. Right? Because without one, without that centralized view of a governance model, you know, it's extremely hard to get to this pillar. And, obviously, the core second pillar here is really about the operational side of things, which we kind of touched on in the previous slide a little bit in terms of, you know, being able to have really understanding of what happens in the case of a failed login analysis. You know? We talked about the business versus security trade-offs. You know? How do we get the business up and running in the case of that? Like, a root cause analysis, you know, policy drift correction, like, a disruption that does occur and changes visibility or there's, like, a rollback that needs to be effected. You know? So once you have that centralized view of all of your different identities and systems, you know, how do we make sure that if we need to get back up in an incident, you know, how do we get that? You know? And how do we also ensure that some self-inflicted outages are not caused by, like, we're able to recover from those if we ever self-inflicted ourselves. You know?
And last but not the least is identity cyber recovery, which is very much about, okay, once we understand all of our operational systems across our full identity stack, you know, how do we then go about collecting, have a clean recovery infrastructure in the case of a compromise? You know? How do we really make sure we have immutable backups? You know? How do we really make sure we have things such as, you know, a validation? You know? We're able to still recover all of our credentials to get our users access. So this is, like, just an organization or at least a simplistic framework, you know, we really like from the Rubrik team, in terms of how they think through the identity resilience. And I think this is something that also resonates very much with the work that we've also done. But happy to maybe hear quick thoughts from you, Noam, on this as well. How you guys think about the three pillars as well? Yeah. Of course. So for us, you know, we're the assumed breach or assumed disruption vendor, which I encourage everyone listening in today, just ask yourself, what do you do if, when people won't be able to log in to their devices, won't be able to log in to their apps? What do you do? What's the plan there? Right? And, again, it could be from an operational mistake, and then you need to recover from that. It could be from a cyber event and a persistency event, and how do you recover from that? So it's a very complex answer to a simple question. How do we recover from a cyber attack or an operational disruption? That's the basic thing that leads our customers and how and where we can help. Absolutely. And last but not the least, I think I also like this framework. We also, I really like this framework as well, which we talked about.
And then maybe the last one here, another framework or, I guess, for how to think through removing of the systems, which this is also something I really liked from the team here as well. You know? As we give you all frameworks, whether you use the framework from the previous deck or this as well, and this is just one that I really liked as well in terms of, you know, if you wanted to maybe really, really ensure yourself that you could recover well from a potential attack or from a potential breach, you know, you need to, first of all, have a good baseline. Again, it kinda goes a little bit to, like, the first stage in the previous is, like, what is your trusted baseline, you know, for all of your identities? You know, could we trust this identity state, you know, to become the new control plane for the business? You know, how do we have this baseline to restore or rebuild the identity provider to the state before the attacker had control? Like, just being able to actually build that full trust. Yeah. This slide, I know there was a comment about this slide. We could find a better one, in-depth. We're happy to resend one that gives a good depth. But you wanna just build baseline in terms of being able to review to a pre-compromised point if you were breached. But just imagine that first process. I think the second thing I really liked, and I think you're probably better, would love your framework around this as well, Noam. It's the identity diff. I think you guys call it identity diff. Yeah. Identity think we right just trying to understand what happened. So if you went to a clean baseline, you went back three weeks ago, what were all the changes during these three weeks? By the way, legitimate changes as well. Again, we gave the Francis example. Francis was a new employee in our enterprise, and he joined within the period of the last three weeks. So how do we know that, hey.
We had a new employee that was joined. And then once you gain this picture of diff, you need to basically be able to, call it, classify all these changes into malicious changes, suspicious changes, and safe changes. And, again, Rubrik's not the end all be all for identity. We're not trying to say, hey, we will detect all malicious changes. This is where you can bring in other signals like a CrowdStrike, a Defender, to say, these were malicious changes. Plug into your IGA to say, hey, Francis is a new employee that just joined. You need to bring back his access. Right? So that, by looking at the diff, by classifying that, and then applying that, we call that roll forward. So the outcome is simple. The outcome is a clean IDP where we remove the persistence because we went back before point of entry. We found clean, and we only reintroduced legitimate changes. And with that, you have a clean state and current state of the business. Exactly. And I agree. And I think the third piece, and that's a very good way. I really like the way you broke it down, but I think equally, even the third piece is around how we think about change classification in terms of separate malicious, suspicious, and safe. You know, in terms of for every detected change, you know, for every detected change in the case of change or something malicious that has strict from beyond baseline, or that deep of how we define. You know, we should be able to categorize that into malicious. Is this something that we know is very, very bad? You know? Like, we know it for sure. You know? Is this something that we think is suspicious, in terms of anomalies or high risk, or is this safe, in terms of safety? And this is this legit to me, but you should be able to classify into either malicious, suspicious, or safe. Yeah. You know? And last but not the least is a collaboration between the IAM teams, the IT teams, and the SOC as well.
Yes. So this framework, right, what we're talking about here is how do you collaborate to bring your IDP, your identity systems back to a good known state? It's not just about the IAM teams knowing that they can recover. It's not about just the SOC having the signal, detecting and saying, hey, we stopped the attack. It's greatly stopped. But we need the SOC to work in collaboration with IAM teams to roll the business back or roll it forward to a good, clean, current state. So for the business leaders listening in, the outcome is basic for me. These are capabilities that the business outcome is a lesser or a minimized downtime. That's the outcome. Right? As basic as that. Yeah. And that's really it. So I think this, so this is really another framework for how each and every one of you leaders. I think Rubrik has more detail actually about this, removing persistence. And I think maybe Anna might share that at the end of the presentation in terms of reading more, in terms of four stages of removing persistence. But I thought this was something that was very important to highlight as well as you all think of actionable steps to think about identity resilience within each and every one of your organizations. I won't speak too much here, but I think the key takeaways here are very, very important. You know, if you're an IAM leader, especially, being a part of this, a SOC leader and infrastructure team and IT team, you know, depending on what part. You know? We need to shift, not completely away. I think other parts of endpoint-centric are still important, but we need to start thinking of identity security, identity-centric resilience. You know? And I don't think this is something we cover enough in the area in terms of thinking about your IDP systems. But just thinking more about the recovery of what could happen in case of a breach. You know? We know identity is the thing.
It's the new attack surface, especially with AI agents. You know? We need to add on that next question of resilience to it. That's one. I think you won't be able to control your, you would not be able to have this central view to help you get back to a clean state or to recover in the state of a compromised incident if you're not consolidating your system, which takes us to number two. Right? You need to consolidate visibility. We've published a report, and I think my firm will publish something next week on what's called ISPM. For many of you, you might be aware, identity security posture management and visibility, which is really about giving you good visibility across all of your identity systems. But you need to consider visibility across AD, Entra, Okta, you know, because a lot of the time, you know, blind spots are typically where attackers get the most. So I think this is very, very important, especially in an era like this where most organizations are not just an Entra shop or an AD shop or like you guys. It's a combination. Like, I love that initial image of the sprawl across IGA, IAM, HRIS, SaaS systems. Okay. It's a combination, but you need that centralized visibility. And ISPM, IVIP, these are some of the acronyms. Takeaway number three of this is really just the fact that today, recovery is through the bottleneck, and I think we've shared extensively talking to why we all need to importantly, like, take this away. You know? This is very important. It's like building up recovery systems. And then in the case of an identity failure, in an outage, you know, how do we actually make sure we're ready to cascade those? And then last but not the least, you know, the winning architecture, which we've talked about, is not just a collection of different isolated pack of tools. You know?
It really is a unified identity protection system, you know, that allows you to have a recovery mechanism across your entire environment in the case of a breach. You're immune, you have good immutable air gap backup systems, you know, in the case of an attacker on any of your systems. So these are just some things. Obviously, there's more details and notes within each of them. But I don't know if there's anything you have more to add here before we go into Q&A. I think this summarized it brilliantly. Great. So maybe, Anna, we'll kinda pass this back to you, in terms of if there's participant Q&A. Thank you. And then we're happy to maybe take on a few. Yeah. Awesome. There's a couple in the Q&A. Oh, can you guys hear me? Yeah. There's a couple in the Q&A tab right now if you navigate to the right. Be sure to click read more, one from Mike and one from Robert. Do either of you wanna tackle that? Sure. So I think is Robert the first one, I believe? Yeah. I'll read it out loud. Sure. What is a privacy policy for human identities? There's a huge problem with data aggregators who do not respect our privacy, couldn't care less about breaches. People have been murdered because their personal information was mishandled, so it's pretty intense. Yes. It's a good question. I mean, I'm not a privacy, a data privacy expert. But, obviously, I'll be happy, I mean, we could just give some thoughts, but I do think it's a very valid point, in terms of, yeah. I don't think, obviously, we have, my firm, we've done a lot of work in DSPM, data security posture management, and kind of the work that needs to be done in terms of understanding where your sensitive data is, especially privacy, PII-centric data, and being able to be compliant with existing regulation. You know?
But I do think, I mean, as we think about policies, you know, for organizations, I do think, you know, whether, I think, obviously, this is one way you speak to your data team, you know, whether it's a data minimization strategy in terms of, you know, as a company, you're collecting all of the data that's necessary to authenticate, authorize, and recover access, and you don't wanna collect so much identity data because, like, just being careful in the case of a breach. But this is a big thing. Retention discipline is one we hear a lot about. You know, least privilege and stroke access controls are really the ways in which we've seen companies maybe think through this. But it's a very, very good, it's lots of really valid points that I do think not a lot of people talk about. But, Noam, I don't know if you have any quick thoughts on this. No. I think you answered well. I'll take the Mike question on identity resilience. How would you characterize where customers are in the adoption journey? Are most still primarily in the awareness or evaluation stage? No. I think, Mike, I will say, I've been dealing with identity resilience for the last two years. This has been the fastest growing product in Rubrik history. We have now more than a thousand customers to date around the identity resilience and thousands around our identity solution. The reason is that, honestly, it's just what's happening with the identity. Right? If we say identity is a new attack surface, you'll roll your eyes. But what we're seeing is that it's not just a new attack surface. It's that it's a target of disruption in and of itself. It's not just a vector into your data as it traditionally was, but it could be used and weaponized against the organization, which is why we see such traction with identity resilience.
So, yes, the need to recover, but then the idea of it's not just about the recovery, but it's about reintroducing all the changes so that you're back to clean and current. So I would say the biggest customers that you can think out there and in terms of different sectors, obviously, the financial one are the more advanced one from what I see. But, unfortunately, we're seeing a lot of attacks on health care around identity, so there's tracks in there. If you look at the sectors that are being hit with identity attack, it's across all sectors from retail to health care. Yeah. It's out there. So there's a lot of understanding in terms of the market. This is not necessarily a new concept. Yeah. Thanks for that, Noam, and thanks for answering the earlier question, Francis. I think we have time for maybe one more question that I think is commonly asked. I'll pose it to both of you. I don't know, Noam, if maybe you wanna take it first, but it's how is generative AI changing the speed at which identity perimeters are breached today? Bit of a loaded one. Yeah. That's fair. I don't know if they're necessarily just Gen AI, but call it, like, the agentic world that is changing what we're seeing. So, a, from the ability of attackers to use AI, right, and to utilize vulnerabilities or utilize misconfigurations, we just saw a couple weeks ago with Mythos being released. This is what we encourage organizations. You need to assume that attackers will find ways inside of your environment utilizing these new technologies. Now once they're in, they could further automate. Right? Francis talked about dwell time shrinking. Again, thanks to, not thanks to, or due to automating workflows and enhancing their capabilities to spread inside of an environment utilizing AI. So that's the concern. And for us at Rubrik, it's always about you need to assume breach.
You can't just rely on prevention and detection, and you need to understand how will you recover from these AI-augmented attacks. Yeah. And maybe just to build on that last point too, I think, is also, like, I think part of the reason why identity more broadly now has become more important or more, I mean, it's always been very important and, like, it never has. But I do think the security, like, for a long time, you know, identity was a very separate part of security. Like, it wasn't really a security conversation, you know, but I do think in more recent years, you know, and this is, you know, still how, like, the recovery and the resilient side. Like, more recently, we've just seen how, I think, honestly, like, the last five years, and many of the leading firms have threat intel reports showing, you know, how many sophisticated attacks are no longer, like, new types of malware. You know? But, however, now it's really around stolen credentials. You know, social engineering is a big one. I wanna say, like, maybe the last eighteen months, you know. Right. Yep. MFA fatigue is, like, another one. Like, I mean, there's so many, oh, this is why, broadly speaking, identity is now the new way enterprises are being compromised because there's been a maximum of, I mean, vulnerabilities now have been the thing with me. So it's in terms of exploiting those and malwares and has been one. But identity has really surged in terms of the nature of the attacks. And I think with the increased complexity for enterprises now with agents, NHIs, accessing those identities, you know, more than ever, the identity resilience question or conversation has never been much more important because if the attackers now heavily gonna be focused now on your identity systems, then you really, really, really need to ensure that, you know, it's not the single point of business failure. Right? You wanna make sure that you're resilient across those infrastructure stack.
And I do think more than ever, you know, this is why this is a topic, and I'm not surprised to see the growth which you guys have experienced in this area as well too. Awesome. We have about five minutes left. I'd love if you guys have any closing remarks. Francis, anything you'd like to leave the audience with, a charge, a thought, a question perhaps? Yeah. I think, like, the one thing that I really, really like, you know, that is, and I think Noam has kinda mentioned this, you know, is like, you know, if your identity systems are compromised today, you know, could your business recover? Could they withstand it? And I just think, what does that even look like? I don't think many, call, companies have that in terms of if your identity systems are compromised, you know, kind of the business to recover clean. I think that's kinda, like, just the question I'll leave most of our participants with today. So what about you, Noam? Anything to add? Yeah. I'll just say on a slightly different note that it's been a pleasure, Francis. And I encourage everyone listening to hit me up on LinkedIn. Sometimes it's noisy there, but this is how Francis and I initially connected. So I'm always happy and open to have a conversation about what's happening in the market. We can talk about Rubrik. We can talk about just what's happening in security and how, and what we are seeing with customers. So it was a pleasure and a privilege, Francis. So thank you very much, and thanks everyone for listening. Yes. Yeah. Thank you, everybody. Pleasure. Thank you for doing this, Rubrik. Thank you for having me. This is the Rubrik team and Noam. As I said, the team has a lot of amazing more resources to read more. So thank you for having me. It's a pleasure, Noam. Yeah. Thank you guys so much.
Just as a last call to action, know that there'll be an email sent out about a day from now, which will include the recording from today's call, today's session. And then if you see in the top right hand of your screen, there's a little plug that says don't miss Forward. That's our big user conference, big summit coming up in June. Would love for you guys to check it out. There's a lot of different sessions specifically around this that you guys could attend virtually or in person. We have an in-person session in Vegas. So would love to see you guys there, but thank you for your participation and for your time today. Thanks, Francis. And, Noam, you guys crushed it. Appreciate you all. Thank you all so much. Bye bye.