Dive deep into AI's accelerating role in securing cloud environments to protect applications and data. In each episode, we showcase its potential to transform our approach to security in the face of an increasingly complex threat landscape. Tune in as we illuminate the complexities at the intersection of AI and security, a space where innovation meets continuous vigilance.
John Richards:
Welcome to Cyber Sentries from Paladin Cloud on TruStory FM. I'm your host, John Richards. Here we explore the transformative potential of AI for cloud security. Our sponsor, Paladin Cloud, is an AI-powered prioritization engine for cloud security. Check them out at paladincloud.io.
On this episode, I'm joined by Bel Lepe, co-founder and CEO at Cerby, a platform for securing disconnected apps. Did you know the majority of security incidents are caused by the human factor? We discuss how reducing the human element with automation decreases your attack surface. In addition, we look at how AI allows the scaling of custom integrations and the threat AI poses to identity. This and much more. Let's dive in.
Hello, everyone. I am joined today by Bel Lepe, CEO and co-founder at Cerby. Thank you so much for joining. It's a pleasure to have you on here.
Bel Lepe:
Thank you, John. I appreciate the opportunity. Thank you for having me.
John Richards:
All right. Well, I wanted to start out by asking you, we talked to different folks who are co-founders and everybody's journey is a little bit different. How did you end up as a co-founder at a security company? What led you to this point?
Bel Lepe:
Absolutely. So I'm actually a second time founder. And I mention it just because my journey started at that prior company. But my last company was a company by the name of Ooyala that we founded in 2007, we being actually my brother Bismarck and one of my good friends from Google.
We ended up building that business to a good scale. We sold it in 2014. I helped run the business after. But long story short, we built some really strong customer relationships there that eventually actually ended up inspiring the idea behind Cerby. And specifically there was one customer that about four years ago approached us and said, "Hey, we have this problem. We have this problem of applications that live beyond what is called the identity perimeter. They see a lot of threat activity and we haven't been able to find a solution out there."
And so having been a founder before, I know that when a prospective customer comes to you and says, "If you can build this, we will buy it," that's a really strong signal and you should lean into that. That was really what inspired my second time as a founder.
John Richards:
How did you validate... It's always great when there's a problem, but how did you validate hey, this isn't just a one time thing? Or did that come later? Or did you start out right away saying oh hey, I found some other folks with this same challenge?
Bel Lepe:
We being my co-founder, Vidal Gonzalez, who I worked with at Ooyala, he helped us really get our operations outside of the US off the ground, especially in Latin America. What we ended up doing is that we probably spoke to about 80 CIOs and CISOs and just asked them about the problem. And they were very direct conversations around, do you have this problem? Where does it rank in your top five list of problems to solve?
And we got a very strong signal around everyone had this problem, but there was a really unique element to the feedback that we were getting, which was they had lived with a problem for so long that they had just kind of accepted the status quo. And we found that was really interesting that virtually every company that we spoke to had this problem, but they had just gotten used to it sucking. That this problem of unmanageable applications, applications that don't support modern identity protocols, that they just had to deal with it.
And so we took that as a challenge of hey, I think if we can build the right solution, we potentially have a very large market opportunity. And that ended up being the case.
John Richards:
So let's talk about the problem itself. So this idea of identity. "Hey, I've got a password. I change it regularly, I make sure it's got these special characters in there."
You're talking about more than that. So what is the risk here that's going on with people using these other systems and how are you looking to try and solve this problem? As you said, people would've just gotten used to it.
Bel Lepe:
The way to think about this is there was some first principles thinking to actually get to what is our core thesis today. So where the problem statement started was, I'm an enterprise and I have applications that don't support modern identity protocols like SAML or OpenID for single sign-on or standards like SCIM for lifecycle management. That's basically the standard that's used for being able to add and remove and update users inside of accounts [inaudible 00:04:59] applications.
And so that's where the problem started. And we found that more than half of the top 10,000 applications don't support single sign-on. And about 90% of the top 10,000 applications don't support SCIM. So the penetration of the identity protocols is actually not what you would expect.
You would expect most applications to have SAML or OpenID or SCIM support, and that's just not the case. So we originally set out to solve that problem, but as we were solving that problem, we realized that the core problem was not so much that there were applications that didn't support modern identity standards, it was more that any security chain at the end of the day still depends on a human user to carry out mission-critical tasks like login or to update someone's permissions or to remember to remove someone's access.
And so really the core thesis around Cerby today is that humans are the problem link in any security chain, right? There's a reason why according to the most recent Verizon data breach report, 74% of all security incidents are due to the human element. And so that is the core problem that we're solving. How do you lessen the dependency on the human? Because any system that is dependent on the human, they're going to be the attack vector.
And it just so happens that with applications that don't support modern identity protocols, the security posture is a hundred percent dependent on the end user. And so that's why we're starting there, but that's how to think about the problem more broadly.
John Richards:
How do you even go about tackling it? Because if they don't support it, they don't support it. And that's why, as you mentioned, people just live with this. And so I'm curious, what are you doing to try and remove that human element? Make it a little more automated?
Bel Lepe:
So instead of relying on the human to carry out API tasks or to, for example, carry out a task via the UI, we have an agentic platform that steps in and does that work for the end user. So you can think of it as an agent or if you want to also put it this way, a bot, that will interact with the application instead of the user.
So let me give an example. The social media use case is a very popular use case for us. Let's say that someone leaves a major broadcaster and they have access to a couple hundred Instagram accounts. What should happen when that user leaves is that the passwords are immediately rotated for those accounts, because those are shared identities that multiple people are using. But that rarely happens because that's a lot of accounts to go in and manually update the password for. Not to mention then going and terminating the session.
And so what Cerby can do in that sequence is we will receive the signal from Okta as an example of upstream identity provider, that that user is no longer a member of the team, no longer a member of the company. We will then go and look at their permissions tree and we'll determine that they have access to 200 shared accounts, let's say. We then have an automation platform that will step in and, one by one, update the passwords on all of those accounts, as well as terminate their active sessions.
And so that's an example of somewhere where you should have a manual compensating control, which let's be honest, most companies do not. We can step in, we can automate that work, and then we can ensure that it happens a hundred percent of the time versus just occurring some of the time if you don't have a Cerby.
John Richards:
How in the world do you scale something like that? You mentioned Instagram. I felt like you would have to build bespoke integrations with every platform. So when someone comes on or a new program shows up, do you have to go custom develop integrations to be able to build out and map out what security should be? Because they don't have the standards that you would want?
Or is there a way that you're tackling that to handle so many different... You mentioned you were looking at the top 10,000 most common applications.
Bel Lepe:
So that's where timing is everything, right? If we tried to build this platform 10 years ago, it would've been impossible. The technology simply did not exist to be able to manage this amount of heterogeneity at scale. To your point, you're effectively building a bunch of one-to-one integrations.
And so the key technical challenge in front of us is how do you manage that heterogeneity at scale? And one of the things that's possible now with generative AI is, I would argue you don't need standards as much as you needed them, right? Prior to generative AI, if you wanted to send a payload from System A to System B, you needed a standard to be able to normalize and structure the data and put it in a format that System B was expecting it to be in.
But now with generative AI, you effectively have a universal translation layer that can basically take Payload A and put it in the format that it needs to be in order to be accepted by System B. And so there's a lot of secret sauce that we've developed here, but we have found a way to be able to leverage generative AI techniques and then leverage signals from customers who opt in to be able to create and maintain these integrations at scale.
And so having that very decentralized architecture that uses those signals and leverages the right large language models, that's a key way that we've been able to build thousands of integrations to tackle this problem.
John Richards:
Wow, that's a fascinating use case. I've talked to a lot of different folks around this. I don't think I've heard anybody quite using it that way, but I love that it's letting you do things at a scale that just wasn't possible before and tackling these new things coming in.
I'm hearing buzz around trying to go password-less and this pressure to, maybe, we shouldn't have passwords or logins. What are your thoughts on the future of where this stuff will go? Do you see we'll always have a need for managing passwords on some level? Or what's Cerby's position as folks try to look into that? Is it complementary or is that a whole different path?
Bel Lepe:
At the end of the day, whether you're authenticating with a passkey or with a password, it doesn't necessarily matter to us because authentication is just one part of the problem. Once you log in, you still have to manage users and their permissions.
But on the topic of passkeys, it's obviously a fantastic technology. We support that in our stack. But let's be honest, right? Passkeys today, I believe, are supported by fewer than 500 sites the last time that I checked. And it's going to take a while to get to any sort of meaningful adoption, let alone adoption within the enterprise.
And in fact, its adoption curve today is a little bit better than SAML and OpenID, but not substantially better. And you would think with the backing of Apple and Google and Microsoft, that it'd be going a lot faster. But it just goes back to the problem with standards, which is unless you have a central standards body that's requiring it, you get some early adopters, but then you see a very significant slowdown in how many applications are adopting it.
So what does that mean? That means that passwords are probably going to be around for a lot longer than we'd like to be the case, right? It's very unlikely that over the next decade we're going to get rid of passwords completely. I think the usage of them will substantially decrease, but there's still going to be a place for them. And the issue with passwords is today you are either relying on the end user or you're relying on the end user's usage of a password manager to manage them.
And so what Cerby can do is we can step in and help you manage the life cycle of those passwords, right?
John, for example, are you a user of 1Password or LastPass or anything like that?
John Richards:
Yes. I use the open source. The Bitwardens, who I use. I love the open source. So yeah.
Bel Lepe:
Which is a great, great solution. I'm not as familiar with Bitwarden, but many password managers or personal password managers, they have this capability. They'll tell you that your account has or your credentials have appeared in a breach. Which is great, but then you have to go do the work to go and update your passwords.
And let's be honest, most users don't go and do that. They won't go spend however much time they should spend to go and do that themselves. And so where Cerby can step in on top of your password manager is go and do that work.
Let's say that Watchtower, from 1Password, tells you hey, you've got 180 credentials that have appeared in a breach. Cerby can step in and go and do that work for you. And so the way to think about Cerby is we help end users achieve a security posture that is the equivalent of an Okta or Microsoft Entra ID because we step in and do the work that the end users frequently forget to or just don't care to.
John Richards:
Yeah. So what I'm hearing is there's this challenge of real time, there might be a breach and you're suddenly like, here's a bunch of new identities that were exposed. And you're able to say hey, here's your identities that maybe were passwords that showed up. Let's automatically go back and wipe all of those or reset all of those to something new without having to do that manually and make sure you didn't miss anything. Something along those lines.
Bel Lepe:
Exactly. Exactly. And let me give you another example. There's a statistic, I believe, from Microsoft that states that 99% of all security incidents could be avoided if some form of two-factor authentication were turned on. Now, we do a lot of migrations from password manager to password manager, from password managers to us.
One of the most interesting insights that we've generated is that fewer than 5% of accounts that are eligible for 2FA have 2FA turned on, right? Let me say that again. Fewer than 5% of accounts that support 2FA, some form of 2FA, actually enable it, which makes sense within the context of 99% of breaches could be avoided if some form of 2FA were turned on.
One of the other ways that we can help our end user is if we see you log into an account that supports 2FA, we can appear within the browser and say, "Hey. This account supports 2FA. Give us 10 seconds. We'll go ahead and enable it for you."
And so that's an example of another automation task that adds a substantial amount of value and all the user has to say is, "Go for it, Cerby. Take care of it."
John Richards:
That's so handy. Yeah, the 2FA pop-ups come up and you're like, oh, I'm busy. Don't have time for this or move on. And you kind of miss that. So you've got 2FA. You've got some of this talk around password, all these different things happening in identity.
What do you see as the future of identity over the next, I don't know, next five years? Probably ten's too far, especially with the rise of artificial intelligence and how that's scaling up, both how we're dealing with attacks, but also the tools that our attackers have.
Bel Lepe:
So there are a couple of trends that we're tracking, but I'll mention two. One is identity is becoming, at least in the enterprise, more fragmented. You can think of this architecturally where if you were to talk to a bank 10 years ago, they would say hey, we're moving everything to the cloud. And now if you talk to a bank or a pharmaceutical company or healthcare company, they'll have some stuff in a private cloud, some stuff in the public cloud, some stuff on premise. And so it leads to a very fragmented notion of identity.
And you're seeing that more and more. You also see that with personal identity where you've got a profile on Facebook, on LinkedIn, you've got a profile for your healthcare provider, for 401k. This is not unified by a central single sign-on system. Certainly there are folks that are trying to build that, but would you really want to intermingle your personal identity with your professional identity, right?
And so there's this notion that identity is becoming more fragmented. And you have your sources of identity truth, professionally speaking and personally speaking, you probably don't want the same party that manages your personal professional identities bringing them together. I think there's an opportunity to have a neutral third party who plays that role, and that's one of the angles certainly that we're looking at.
So that's one trend. The other trend that I think is mildly to completely horrifying is just the amount of impersonation that's possible now with the generative AI. There's that well-known attack that occurred in Southeast Asia, I believe, where a gentleman got... I believe it was gentleman, got on a Zoom call with an attacker pretending to be the CFO of the company. And they were able to trick that individual into wiring something like $20 million because they perfectly replicated the CFO's voice and image using generative AI.
One of the things that's interesting and challenging and motivating about security is it's so asymmetric. If you're an attacker, you only need to get through once. But if you're a defender, you need to have a 100% success rate to do your job, you might argue, successfully. AI, at least right now, is further tipping the scales, I would argue in the favor of the attackers, because it's giving them many more avenues to be able to trick users into doing something they don't want to do or they don't know that [inaudible 00:18:30] be doing.
And so I'm excited to see how AI hopefully can tip the scales back more towards a balance. But right now what you're seeing with AI and with an identity is that it's making it more of a minefield for your average user, business user or non-business user to just navigate the digital world. Right now, this podcast that we're doing, it's putting a digital fingerprint out there for both of us that, in theory, a digital attacker could use. And that's horrifying, right?
John Richards:
Yeah. No, you don't think about it that way. And we've put all kinds of stuff out there and then yeah, somebody can take that information and use it and all of a sudden you're like, "Oh, how do I deal with?"
I guess, so maybe a follow-up to that would be then, what do you caution or what kind of advice do you give to folks out there, especially say on a security team, that are dealing with these trends of how do you prepare yourself for what this is? Is it really let's get back to basics and be strong there? Or do you really need to broaden, be like I need to understand what's going on to really be able to react in time to this?
Bel Lepe:
Well, first, use Cerby, if you're in the enterprise context. That's the shameless plug. But more generally, what using Cerby would encourage a company to do. And today we're only B2B focused, but this advice applies to everybody, especially in a personal setting. Multifactor authentication. MFA. It does work. Use as many forms of MFA as each application provides.
Try to stay away from weak forms of MFA, like SMS. Use TOTP or authenticator-based forms of 2FA. Get hardware keys. Use passkeys if they're available. MFA really does work, and it's one of the core bits of protection that you can put in place that will thoroughly protect you in a digital context.
And it really is as simple as that. Use MFA. And if we were to go beyond that, try not to use shared accounts if it can be avoided. In some cases you can't avoid it, but try to have everyone having a single identity and then use proven solutions like Okta and Microsoft Entra ID or in a personal context, 1Password. The tools to protect ourselves do exist. We just need to use them.
John Richards:
Yeah. Well, that goes back to what you talked about earlier, where was it 90, 99% of attacks could be avoided if you use the tools or they're due to the human error and making these decisions around that.
Just so I'm clear, so when you talk about this multifactor authentication basically with Cerby, because you're using that as your primary way to authenticate with a platform that doesn't support it, you're getting the benefit of multifactor authentication through that as a way to pass in without having that, even though the tool that you're using doesn't support it. Is that a fair way to understand that?
Bel Lepe:
Correct. Correct. We are able to ensure that MFA is turned on, so if you don't have it enabled, we'll enable it for you. We're able to act as a form of MFA and we're also able to ensure that the strongest available form of MFA is what is used. There's another statistic here where the number of times that both SMS-based MFA and TOTP or authenticator-based forms of MFA are both available and that SMS is chosen over Authenticator app, it's something like in the high eighties.
And so even though you can set up the authenticator app, most users don't. And that is actually a far more secure form of multifactor authentication. And so those are places where Cerby lets you go into autopilot mode and we'll make those decisions for you and we'll make the right security decision for the best and most secure outcome.
John Richards:
As an enterprise, what's the way to build better awareness and knowledge on the value of this in your organization?
Bel Lepe:
There's certainly a security awareness training aspect, and that is where platforms like KnowBe4 can be very helpful. You do ultimately need to equip your user because so much of the... The attack vectors that are leveraged target the end user, so awareness training is key. And there are also vendors out there that actually simulate phishing and smishing attacks. And those are pretty cool because it's a polite way to do public shaming of hey, are you really paying attention? Are you cognizant of what these attacks can look like? So I think that's one foundational aspect of this.
The other aspects of this are using platforms like Okta or Ping or Microsoft Entra ID. These are platforms that work really well for the integrated domain of applications. And then on top of that, use a Cerby. And if you can do all three of those things, you are able to drastically reduce the size of your attack surface, or at the very least, have much more visibility and much more of an understanding around your attack surface.
John Richards:
But yeah, if you've got to win a hundred percent of the time, the smaller that attack surface, the more likely you're going to succeed at defending that.
Well, Bel, thank you so much for coming on here. Fascinating discussion around identity here. Before I let you go, how can folks reach out to you if they have questions, and is there anything you'd like to promote or share?
Bel Lepe:
Absolutely. If you're interested in learning more about Cerby, we'd love to chat with you. Whether you're interested in a demo or just want to learn more, you can find us at cerby.com. That's C-E-R-B-Y dot com.
Or if you'd like to reach out to me, you can also reach out to me at bel@cerby.com. That's B-E-L at cerby dot com.
Looking forward to hearing from you if you'd like to learn more.
John Richards:
Thank you so much for coming on here. It was a real pleasure. Enjoy the rest of your day.
Bel Lepe:
Likewise. Thank you so much.
John Richards:
This podcast is made possible by Paladin Cloud, an AI-powered prioritization engine for cloud security. DevOps and security teams often struggle under the massive amount of notifications they receive. Reduce alert fatigue with Paladin Cloud. Using generative AI, the model risk scores and correlates findings across your existing tools, empowering teams to identify, prioritize, and remediate the most important security risks.
If you'd like to know more, visit paladincloud.io.
Thank you for tuning in to Cyber Sentries. I'm your host, John Richards. This has been a production of TruStory FM. Audio Engineering by Andy Nelson. Music by Amit Sehgi. You can find all the links in the show notes. We appreciate you downloading and listening to this show. Take a moment and leave a like and review. It helps us get the word out.
We'll be back January 8th, right here on Cyber Sentries.