
Reducing the IAM Attack Surface with Identity Observability

Identity is an organization’s largest attack surface and continues to expand with non-human identities and the evolution of agentic AI. Traditional IAM investments fall into Access Management, IGA and PAM, but Gartner’s latest research highlights that “Visibility gaps created by disconnected tools and isolated silos expose organizations to an unmonitored IAM attack surface. IAM leaders can strengthen security across centralized and decentralized environments using visibility, observability, and remediation to reduce the identity attack surface, improving their overall security posture.”

Explore how identity observability helps security teams see and shrink their true IAM attack surface, across human and non-human identities, by unifying visibility, hygiene remediation, and real-time response on the RadiantOne Platform, with insights from a CISO and a live product demo.


All right. Welcome everybody to this Radiant Logic webinar about how we reduce the IAM attack surface with identity observability. We’re gonna give it just one more minute to let everybody join and get comfortable for the show ahead.

I see the number of participants increasing, so counting down. All right. Welcome everybody to this webinar about how we can actually reduce the IAM attack surface. We are joined today by Cameron Matthews and Josh Hunt. I’m gonna hand it over to you, Josh, to introduce yourself and then, Cameron, you can do the same.

Josh: Thanks, Anders. Hello everyone, Josh Hunt here. I am in our solution consulting team here at Radiant Logic. I am a former Radiant Logic customer myself. Several years ago, I was head of an identity team at a large healthcare provider, with about two decades in healthcare overall. So, a little bit about me.

Cameron: All right, thank you, Josh. I’m Cameron Matthews. I’m the CISO for Radiant Logic. I’ve been in the game—security systems, software engineering—for thirty-eight years, a lot of that on the military side of the house. And then, something that’s gonna play largely into what I say later on, I’ve also been a virtual or fractional CISO for the last fifteen years, which means that I am the CISO going into a lot of the environments you’re gonna see examples of now. And, you know, that’s what I end up with as soon as I go in. So we’ll discuss that in a bit.

Anders: I appreciate that. So we’ve got some seasoned and qualified skill sets in the house. If you do have questions and you want some good answers to them, there’s a Q&A button at the bottom of your Zoom window. If you put your questions in there, we’ll make sure to try to answer them at the end of the webinar. But let’s get cracking.

Just to set the scene a little bit: just before Christmas, CISA and the Justice Department in the US discovered adversaries lingering around critical infrastructure service provider systems. They put out an advisory. This was not an ordinary type of incident. Essentially, the perpetrators were rehearsing for cyber warfare. This was not the typical smash-and-grab attack, not the typical noisy malware campaigns where attackers are trying to get financial benefits in bitcoins or cash.

The circumstances were critical, not normal. This was discovered in energy, water, transportation, healthcare—all the systems and services that keep societies running. The method here is more interesting than the target itself. These campaigns were not necessarily driven by zero-day exploits; they were driven by identity. Valid accounts, after hours, conducting administrative activities and lateral movements that blended well into what we would call business as usual.

The most revealing line in this advisory from CISA and the DOJ was that you need to hunt for after-hours admin activity and unauthorized new accounts. That sentence alone tells you everything about the attack model. This is a textbook example of identity being used and abused to gain access and to linger around in systems. This is what we like to call the blind spot in identity, and I didn’t really say how dangerous that is for systems and for keeping society running.

Cameron: If I could jump in just for a second?

Anders: Absolutely.

Cameron: One of the issues we have currently is that we’ve got foreign nation states—many years with the DOD were spent basically fending off these attackers. You’ll notice both of these examples are Russian groups. For thirty-plus years, the Chinese have been the number one attacker of the US. It started out as military sites, then federal, then went down to state, and now they’re at the city level.

The reason the Russians have now come on so strong is because they’re fighting a war, and that war is very costly. What they’re doing now is targeting critical infrastructure because once they hack in, they can sell all that access and data Anders just talked about to the highest bidder, including countries that are very angry right now with the US. They also hit commercial groups, especially those with unique IP—manufacturing processes, patented methods, vaccine or pharmaceutical “secret sauce.”

They’ll grab that using valid access paths and then sell it to the Chinese because they need the money. The Russians aren’t necessarily going to do anything with it themselves. The Chinese will replicate it and sell it for pennies on the dollar. That’s why we’re seeing a lot of persistent attacks on our critical infrastructure and on the commercial sector. They’ll hang onto access if there’s ever a war between Russia and the US, but they’ll also sell it to fund their campaign against Ukraine.

Anders: I appreciate that input because ultimately the ability to observe what actually goes on within your systems is what closes that gap. That’s what surfaces admin logins that happen at 2 a.m. from an unexpected context—maybe from Nigeria, maybe Portugal, maybe Brazil; it doesn’t really matter. If it’s out of the ordinary, it should trigger some flags and highlight new accounts that potentially have access they shouldn’t. That needs to be surfaced.

When attackers operate through identity, the kill chain becomes invisible unless you’re continuously watching what those identities are doing. So identity is no longer just a supporting actor; it becomes the most critical component, and that’s where the control plane is.

If you move to the next slide, regulators across both sides of the Atlantic have identified this as a problem. They’re making all kinds of initiatives to mitigate the risk. It’s not just about being cyber-ready as a tick-box exercise anymore. Cameron, I’m sure you’ve done those exercises in the past, but the game has changed. Now it’s about real time—actually being able to mitigate risk and reduce the attack surface. That’s really what the observability component is all about.

In Europe, for example, we have NIS2. NIS2 captures everything having to do with critical infrastructure: utilities, healthcare, power, water, waste management, food supply, etc. It exists to make sure the cybersecurity posture is improved, not only for the providers themselves but also for the wider supply chain.

That theme is common across both the US and Europe. Regulators know adversaries are already in our house. They’re poking around, hiding, preparing for something, and rehearsing for cyber warfare. So if you go to the next slide—and Cameron, you were mentioning some of the bad guys already…

Cameron: Right. So, real quick, Anders. You mentioned “continuous,” which is important because the US military went from static snapshots—monthly, sometimes quarterly—to continuous. That was nowhere near fast enough because threats are evolving at a phenomenal rate. Those three people you see on that slide (the nation-state leaders) have phenomenal resources at their disposal—tons of trained people on keyboards, and now they’ve got AI, especially agentic AI, which Anders and I talk about all the time.

The threat landscape is evolving at the speed of light. Continuous became a huge requirement for the US military. In their current Risk Management Framework, which all national security systems must implement, everything is now continuous. You don’t get to do static snapshots. You must have observability as number one.

That requirement is now being pushed down—to governments and eventually, I hope, to critical infrastructure—because everybody needs continuous visibility. Anders is going to talk about an IDVIP platform because without that, you’re going to develop all kinds of blind spots, and you won’t be able to keep up with attacks and vulnerabilities as they happen.

Anders: What you’re pointing out there is really important because we’re no longer dealing with “script kiddies” who download some script off the web, try it, and are happy when they succeed, or traditional criminals going after credit cards or doing ransomware for bitcoins or whatever crypto is in fashion. Now we’re talking about patient and well-funded strategic adversaries who know exactly what they need to do. They hide, they wait for the right opportunity, and they target influence, disruption, and leverage in an actual warfare situation.

That’s completely different from what we’re used to with normal criminal gangs. It makes them truly dangerous. Abusing identity and abusing trust—we’ve seen that with social engineering, for both nation-state threat actors and criminal gangs. They leverage trust; they use trust against you because humans are gullible and can be easily tricked.

So being able to continuously observe anomalies in your identity systems—or identities that all rely on identity as the control point—is critical. Moving on to the next slide, that sets the scene: identity has become the primary attack vector, whether you exploit it through social engineering or, as you mentioned, you buy access on the dark web. Someone else has already done the hard work and you just buy and leverage it.

My favorite reading every year is Verizon’s Data Breach Investigations Report. It’s funny, revealing, and highly recommended. It’s not just stats; it explains in an engaging way what the problem is. You can clearly read about how valid credentials are being used, how excessive privileges are an attack vector, and how to mitigate that. We talk about zero trust and the NIST framework. Inactive accounts, orphan accounts, shadow accounts—huge, huge problems.

Josh, take it away. You’ve been in the hot seat at a customer’s place. You’ve been at one of the critical infrastructure providers.

Josh: Yeah, definitely. As a practitioner, over the years I saw a shift away from traditional IAM teams, processes, and tools where the focus was much narrower than the full attack surface we’re talking about today. We’re not just talking about human identities but also nonhuman identities and agentic AI. That was less of a thing when I was there, but now so much has changed just in the last few years.

The biggest challenge I saw was that you might have a good handle on human identities, lifecycle management, and least privilege. But the nonhuman and agentic AI space has been a blind spot. Operationally, we were just trying to get our hands around basic questions: What accounts do we have out there? How do we know an account is nonhuman? How do we know it’s agentic AI?

Getting a better “pulse,” a better lens, on that information was what I lacked at the time. It’s something I look forward to talking about—how we can provide more context, discover these accounts, and respond in real time. Being able to remediate, not just discover those identities, but remediate them in real time.

We typically talk about identity sprawl. If we move to the next slide, Cameron, maybe you can explain what identity sprawl is.

Cameron: Identity sprawl is something I can speak to with a lot of battle scars. Every time I’d go into a new vCISO client, this is what I’d be looking at. All of these pieces the client had put together beforehand, especially if they’d grown “organically.” Organically means they started small and then grew in a haphazard fashion. Nobody was planning. You’ve got different business units all over the place. Everybody’s buying different pieces and point solutions. None of them talk; none of this is integrated.

When I go in, I have to fix this using human beings as the integrator. You’re talking hours at whiteboards, spreadsheets, etc., and then trying to manage this stuff going forward. We call the diagram the “spaghetti slide.” You’re trying to make heads or tails of it, and you have no visibility. You’re creating your own visibility by drawing diagrams and spreadsheets. It’s insane.

The orange box on the left of that slide highlights a huge issue: at the end of the day, everyone is mapping digital identities back to a human being. Each of us has a ton of different accounts. I tell people: go into your password manager—hopefully you’re using one and not a passwords.txt file—count the entries. They could be hundreds. Each one is a digital identity these systems are trying to map back to a human to ensure it’s legit.

All those systems hold different pieces of your information and digital identity data, and they’re all over the place, not synchronized. You don’t have the ability to see a single cohesive, coherent, correlated view of what the military calls the “master user record”—all that information in one place and associated with the human who owns those accounts.

That’s where fragmented data comes from. You want to put it together and you want everything to be dynamically updated as PAM gets updated, secrets change in a vault, governance rules change, access management decisions change. None of it is updated consistently. You end up with bad data replicated everywhere and no master.

What you need is bidirectional flow. Anytime somebody changes a correlated piece of information, it flows to all the systems and gets dynamically updated.

One of the biggest problems I run into is lack of basic hygiene. You’ve got all this stuff out there. Half my clients are critical infrastructure. There’s been a massive explosion of nonhuman identities. In startups, investors push explosive growth: scale, go, go, go. In the middle of that, it’s “go to the cloud,” then “come back from the cloud,” then “let’s do hybrid,” then “SaaS everything.” Each wave creates more spaghetti.

Without basic identity cyber hygiene, you’ve got gigantic gaps and blind spots. You can’t begin to fix anything unless you see what’s going on, and that frustrates me. It’s like the hood of your car being chained down. I need to see under the hood, see all the activities, look at the spaghetti, and say, “Oh my God, how am I going to fix this?” Without that visibility, I can’t.

What Josh was saying is we now have AI-guided remediation and AI-automated remediation to help you get through this.

Everybody’s also got audit gaps. For the military, it’s the Risk Management Framework. For utilities, it’s supposed to be the NIST Cybersecurity Framework. There’s CIS CSC, ISO 27000-series—lots of standards. You have to show compliance at any given time. Everyone’s going toward continuous, not “crank out a report every six months.” You must show compliance and due care on a dynamic, ad hoc basis.

If you don’t, especially when there’s a breach, you’ll lose customer confidence. If you’re publicly traded, your stock price plummets. In the US, you’ve got four days after a material breach to let the SEC know and file an 8-K. You need the capability to show you have visibility and are remediating dynamically.

Anders: On the European side, we have DORA for financial services and insurance. The deadlines there are even shorter: four hours to notify the competent authority, or you’re in breach. As the Europeans like to do, they overregulate and penalize non-compliance. So the difference now is that traditional cybersecurity solutions might not be dynamic or agile enough to detect these patterns.

Josh, you’re going to walk us through RadiantOne Identity Data Cloud and how we bring observability into the picture.

Josh: Right. As we introduce the platform—I’ll spend a lot of time showing what we do today—I’m excited to share that. As these guys said, it’s about empowering complex organizations to eliminate identity sprawl, which continues to expand, and to transform and unify data in a way that helps address major risk.

The goal is to bring identity data—historically a challenge or roadblock—into a business asset so you have the right resilience for your IAM ecosystem. RadiantOne Identity Data Cloud is our identity visibility and intelligence platform. It’s the only platform that unifies all of your identity data: legacy systems, homegrown apps, cloud apps, nonhuman identity sources, agentic AI—into a single source of truth. That provides the foundation for your IAM program and architecture.

As a former customer, I’m very familiar with this. Some of you on the call may know us; we’ve been in business for decades, focused on a data-centric approach. That’s always been a key differentiator: aggregating, unifying, and transforming data across your ecosystem to serve as the data foundation. We want to reduce and eliminate blind spots, ensure the right data is harnessed to enforce policies and decisions around authentication and authorization, and ensure we have a closed-loop process.

We also feed data into pipelines for real-time detection and remediation. The goal is to be proactive. Historically, IAM teams have looked at batch processing—point in time, reacting to risk—often too late, putting out fires. We want to catch issues earlier, when they’re still vulnerabilities in the data.

By enhancing and expanding the platform with AI and analytics, we give you observability into your data so you get the right intelligence to make the right decisions at the right time, reducing risk.

While I’m switching to the demo environment, I’ll note that many old-school regulations demand snapshots and SoD (segregation-of-duties) checks. We support that, but we can also do real-time mitigation. That’s why we talk about the “Holy Trinity”: unify, observe, and act. We put everything under one roof to provide a single source of truth, then look at anomalies in real time. If you’re a bad actor trying to hide or move laterally, we can detect and act—either by automatically remediating (using AI to detect changes and remove access), or by working with other cybersecurity vendors like Okta, SailPoint, and others in the Shared Signals framework. We support that and can play well with others to mitigate risk.

The reality is you need both point-in-time and real-time capabilities. There is a time and place for auditing and GRC processes that look back and ask: are we achieving the right outcomes, minimizing risk, aligning with policies and regulations? But you can spend eighty percent of your day improving process and technology; you still need to ensure that all the hard work is actually keeping doors tight in real time. That’s where you need real-time data, a pulse on what’s happening, to make sure you’re staying ahead.

[Josh switches to the demo.]

Josh: Today, my focus is to demonstrate how the platform protects your enterprise from identity-driven risk by delivering end-to-end visibility into your identity state. I’ll walk through a scenario involving a compromised identity, privileged governance, risk, and identity hygiene gaps. The objective is to show how our platform can rapidly reduce identity exposure time, eliminate shadow access, enforce zero trust, and do that at scale.

First, I’ll begin with a free-text search in the product. I’m going to look for an identity named Samantha Schwartz. Using free text enables fast navigation. As an administrator, I now have clear visibility into Samantha’s full access chain. We see three different accounts—some from an Active Directory domain and one Entra ID account. We see group memberships: direct and indirect. We see what repositories or resources (applications, directories, databases) those rights ultimately belong to.

She has multiple groups and access rights. If I go into the “360 view,” it consolidates her entire access chain in a single location. We move from a list to a relationship model. You can see the relationship between the identity and different accounts, including nested group relationships. For example, we see an AD group and nested groups. In a hierarchical view, we can see that Samantha’s account has been granted a specific permission within an application—Confluence help desk technician permission—and the full chain from identity to account to permission.

We can then zoom out from “tree” to “forest,” looking at the department she belongs to—an IT business unit group—and see the access chain of that whole department. There are several people in that organization, and we can compare Samantha’s access to someone else’s, like Sue Walters. Samantha is an employee, Sue is a contractor. We can compare their access and see differences: Samantha has an Entra ID account, Sue does not. We see overlapping groups (highlighted with color) and also unique permissions, such as Samantha being a member of GitLab administrators, which we wouldn’t give to contractors. This visually confirms policy intent.

Moving into real-time control and risk detection: at the top of the dashboard, we have categories for authentication, identity lifecycle, privilege and access, and hygiene. Under identity lifecycle, we might look at “contractors with past end date and active accounts.” We see critical risk identified for several identities. One is Sue Walters. She has a departure date of August 20th. She’s left the organization, but we see she still has active accounts. From here, we can select all her accounts and directly disable access. That change flows quickly through our pipeline and unified data layer, syncing back to the sources. We can also integrate with other technology if remediation must occur outside our platform.

Another example: in an AD domain, we might have a rule “user account has password that never expires.” We classify that as medium risk (or adjust the severity). In this case, we see Mary Caldwell’s account has a password that never expires. From here, we can set her password to expire and remediate that in real time.

Looking at remediation policies: we can assign different remediation strategies—writing back directly to backend sources, integrating with ITSM (like ServiceNow) to open or update tickets, and more. You can define this by data source. We also allow custom observations: you define a query on some risky data state you want to track, like “disabled accounts with critical group membership.” If an account is disabled but still in admin groups, that’s an issue.

On each observation, we support alert configuration so you can integrate with Slack, email, Microsoft Teams. You don’t have to be in the platform UI to be alerted and remediate. The goal is to make it easy for the entire organization to stay informed and respond.

[Later in the Q&A.]

Question: Can you integrate with other ITDR solutions?

Josh: Like I said, we want to be able to deliver a feed to any ITDR solution you might have that’s focused on stopping a breach. That’s definitely doable. Short answer: yes, we can integrate.

Question: How do you identify account ownership? Is this customizable? It can be time-consuming outside of Active Directory or Entra ID.

Josh: The power is in how you model the data. For human identities, it might be your primary account in AD, clearly defined by a rule. That lets you join and correlate data. Many customers have basic rules like that. You can define ownership through multiple criteria—primary and secondary accounts, admin accounts, privileged accounts, naming conventions.

It’s important to ingest usage data—what those accounts are actually doing. That helps discovery and classification. You might also leverage data from PAM deployments, CMDBs, or application portfolios in ITSM systems to understand both account ownership and application ownership. There are different layers of ownership: IT owners, business owners. The key is finding the right path, connecting the data, making it visible, and then automating ownership logic.

Anders: If anyone has more questions or wants to peel back more onion layers and get a deeper understanding of our capabilities, feel free to reach out to us. We’ll make sure that either Josh, myself, Cameron, or someone else is there to answer questions and see how we can help solve some of your problems.

With that, I’d like to thank everybody. Thank you, Josh and Cameron, for participating, and thanks to the audience for tuning in and staying to the end. Have a nice day or evening, wherever you are. Thank you.
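The hygiene observations Josh walks through in the demo (contractors past their end date with active accounts, passwords that never expire, disabled accounts still in admin groups) and the after-hours admin hunt Anders cites from the advisory are simple rules over a unified identity view. The following is an added example written for this page, not RadiantOne code and not anything shown in the webinar: it runs those rules over constructed records, writes the fix back to the in-memory record, and flags admin actions outside a business window. The account identifiers, directory sources, the 07:00 to 19:00 window, the assumed "today", and the fourth identity are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import List, Optional, Tuple

# Constructed records standing in for a unified identity view. Names and groups
# mirror the demo; account IDs, sources, dates and the fourth identity are assumed.
TODAY = date(2025, 9, 1)  # assumed evaluation date

@dataclass
class Account:
    account_id: str
    source: str                          # directory the account lives in
    enabled: bool
    password_never_expires: bool = False
    groups: Tuple[str, ...] = ()

@dataclass
class Identity:
    name: str
    kind: str                            # "employee" or "contractor"
    end_date: Optional[date] = None      # contract end date, if any
    accounts: List[Account] = field(default_factory=list)

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    identity: str
    account_id: str

@dataclass(frozen=True)
class LoginEvent:
    account_id: str
    when: datetime
    admin_action: bool

PRIVILEGED_GROUPS = {"Domain Admins", "GitLab administrators"}  # assumed admin groups

def contractors_past_end_date(identities, today):
    """Critical: contractor whose end date has passed but who still has an enabled account."""
    return [Finding("contractor_past_end_date", "critical", i.name, a.account_id)
            for i in identities if i.kind == "contractor" and i.end_date and i.end_date < today
            for a in i.accounts if a.enabled]

def password_never_expires(identities, today):
    """Medium: account flagged so its password never expires."""
    return [Finding("password_never_expires", "medium", i.name, a.account_id)
            for i in identities for a in i.accounts if a.password_never_expires]

def disabled_in_privileged_group(identities, today):
    """High: disabled account left in an admin group (the custom observation from the demo)."""
    return [Finding("disabled_in_privileged_group", "high", i.name, a.account_id)
            for i in identities for a in i.accounts
            if not a.enabled and PRIVILEGED_GROUPS.intersection(a.groups)]

RULES = (contractors_past_end_date, password_never_expires, disabled_in_privileged_group)

def run_observations(identities, today=TODAY):
    """Evaluate every rule and return the combined findings."""
    return [f for rule in RULES for f in rule(identities, today)]

def remediate(identities, findings):
    """Apply the fix to the in-memory record; a real pipeline would sync it to the source."""
    by_id = {a.account_id: a for i in identities for a in i.accounts}
    actions = []
    for f in findings:
        acct = by_id[f.account_id]
        if f.rule == "contractor_past_end_date":
            acct.enabled = False
            actions.append(f"disabled {f.account_id}")
        elif f.rule == "password_never_expires":
            acct.password_never_expires = False
            actions.append(f"set password expiry on {f.account_id}")
        elif f.rule == "disabled_in_privileged_group":
            acct.groups = tuple(g for g in acct.groups if g not in PRIVILEGED_GROUPS)
            actions.append(f"removed privileged groups from {f.account_id}")
    return actions

def after_hours_admin_activity(events, start=time(7), end=time(19)):
    """Admin actions outside the business window, the hunt the advisory calls for."""
    return [e for e in events if e.admin_action and not (start <= e.when.time() < end)]

def sample_identities():
    return [
        Identity("Samantha Schwartz", "employee", None, [
            Account("corp\\sschwartz", "AD:corp", True, groups=("IT", "GitLab administrators")),
            Account("sschwartz@example.com", "EntraID", True)]),
        Identity("Sue Walters", "contractor", date(2025, 8, 20), [
            Account("corp\\swalters", "AD:corp", True, groups=("IT",))]),
        Identity("Mary Caldwell", "employee", None, [
            Account("corp\\mcaldwell", "AD:corp", True, password_never_expires=True)]),
        Identity("Pat Ortiz", "employee", None, [   # constructed: stale admin account
            Account("corp\\portiz-adm", "AD:corp", False, groups=("Domain Admins",))]),
    ]

def sample_events():
    return [
        LoginEvent("corp\\swalters", datetime(2025, 9, 1, 2, 13), True),   # 02:13 admin action
        LoginEvent("corp\\sschwartz", datetime(2025, 9, 1, 10, 0), True),  # in hours
        LoginEvent("corp\\mcaldwell", datetime(2025, 9, 1, 3, 0), False),  # after hours, not admin
    ]

if __name__ == "__main__":
    ids = sample_identities()
    for f in run_observations(ids):
        print(f.severity, f.rule, f.identity, f.account_id)
    print(remediate(ids, run_observations(ids)))
    print([e.account_id for e in after_hours_admin_activity(sample_events())])
```

Running the rules a second time after `remediate` returns nothing, which is the closed-loop check the demo describes: an observation is only worth alerting on if the write-back actually clears it. The after-hours rule is deliberately separate from the hygiene rules because it needs usage data (login events), not just directory state, which is the same distinction Josh draws when he says usage data has to be ingested to classify accounts.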