Brad Hibbert, BeyondTrust | Security in the Boardroom


 

>> Hey welcome back everybody. Jeff Frick here with theCUBE. We're at Palo Alto at the Security in the Boardroom event, it's put on by the Chertoff Group. They do a couple of these a year, all across the country and they're all about security, but what's interesting is it's not really the tech conversation of security or the gadgets, or a lot of the things we typically cover on theCUBE but really more this event's about the boardroom. And making it a boardroom topic and a boardroom conversation. So we're really excited to have our next guest. He's Brad Hibbert, he's the CTO of BeyondTrust. Brad, welcome.

>> Thank you, glad to be here.

>> Absolutely, so you just got off the keynote stage, talking about CSOs and how do you help those guys do their jobs, they're in a crazy position.

>> That's right, I was just talking about how to make them feel more comfortable talking sort of the boardroom language and ways they can work with vendors to help out with that. So it was a good panel. I think I had a number of good perspectives on the subject.

>> BeyondTrust. Give us a background on BeyondTrust.

>> Yeah, sure. So BeyondTrust we're all about helping people manage their risks, sort of the internal risks of the environment. It's a new area for cyber-security, it's a new layer of security if you will. A lot of people are familiar with sort of the perimeter-based security things like vulnerability scanning, which we do, so attack surface closures and so on. This is really more about when somebody's in the environment or compromised accounts, how do you really secure the environment from that type of access. So we have a number of products that can solve certain use cases around that.

>> So this must be the PAM that you guys talk about all the time.

>> Brad: That's right, Privileged Access Management.

>> Privileged Access Management.

>> That's right.

>> So you say Privileged Access, so as you just said, that's people that are already on the inside.

>> Yeah, so it could be anybody from administrators, leveraging shared accounts, any administrators that need elevated credentials, making sure that you control access to those credentials, and making sure that you ensure that they're using them appropriately, so not misusing them or misbehaving in some way, with all sorts of auditing capability behind that. It could be your desktop administrators, your developers, you just need elevated access in some way. What we're finding is that what hackers are doing now is, they're going after things once they kind of get a footprint in the environment. They're going after the credentials, they're going after privileges, because that gives them more access to the corporate data.

>> So is it just that they're a more rich target for the hackers? Or is it because they have a different behavior than your typical person at the end of my phone or your typical access point in?

>> It's a bit of both. I think one is, hackers are going to the path of least resistance. So as I mentioned from a privilege perspective, once you're inside the environment, controlling and seeing what people are doing, typically goes under the radar of the traditional security defenses. So once they can get that access, it becomes much more difficult to detect when somebody's doing something inappropriately within the environment. Also, a number of these credentials are not being managed very securely, so a lot of people sharing credentials, they never change their credentials, they use the same password on every router in the organization, they never rotate it, those sorts of things. So there are a lot of weaknesses or vulnerabilities around credentials, just like in the past there's vulnerabilities around assets, and vulnerabilities around applications, now there's vulnerabilities around how you manage access and credentials. And that seems to be an area that people are targeting.

>> So you would assume that people that have privileged access would have a little bit higher education, behavior, practices on avoiding things that they're not supposed to do, but it sounds like not necessarily, or?

>> Well, yeah, certainly on--

>> On paper that's what you would think.

>> On paper, absolutely yeah, I think the tradeoff sometimes is from a password management perspective, it's difficult to do that manually if you think about the number of passwords in our organization, shared accounts on systems and applications, on networks, network devices and cloud apps, it's just a number of things out there. So people really need a way to harness that and control that in a more automated way. And they just lack that today. Sometimes it's around operations. When I was an admin, bad to say but I used the same password on a number of different devices because for me it was easy to remember. Complex and changing passwords becomes difficult to manage in some cases, right? So password management, part of PAM, one of the components that we have, enables you to manage those things in a more automated and controlled way without putting a lot of burden on the administrative team, which is what people are looking for.

>> So how far are we away from a better method than password? It amazes that we have phones with fingerprint readers and it still asks us for a password to get into our phone. We have Salesforce at work, and Salesforce is very secure so they make us change our passwords, whatever it is every four weeks or six weeks. And I've gone through kind of my core, my top 10 passwords and it still won't let me in. So it's such a not great way to access, and as you said this expanding level of applications and stuff now, our interaction with so many different things are so password-driven. Two-factor authentication is obviously helping, but when are we going to get beyond passwords?

>> Well I think from my perspective, I think passwords are going to be around for a long time, because it's not just users that use passwords. Systems also use passwords. Application to application interfaces now use secrets or some sort of passwords, and so on. They're going to be around for a long time, even the ones that administrators and shared credentials, they're going to be around for ten years-plus. And I always say, even with multi-factor there's always something you have and something you know. So I always think there's a good reason to keep them in a lot of cases. But even beyond the passwords, even once you log in there's still other things that you want to make sure are being addressed. You want appropriate logging and controls, and analytics around what you're doing with those credentials. You might want to restrict when you should have access, so maybe I don't want my administrators to be able to go start patching a system or configuring a system unless appropriate tickets are in the ticketing system during certain times of the day. So you start adding more controls around when they can actually use these passwords, and then when they use them, ensuring that they're using them appropriately. So there's a number of different aspects around Privileged Access Management other than just the passwords themselves.

>> But it's just funny even with all the procedures and processes, you still have, at the end of the day, behavior. It sounds like so many times people don't follow the right procedure, they like you say, share passwords, they don't apply the patches, and so you're fighting kind of the people-process thing always, in addition to the technology piece.

>> Right, and sometimes it's difficult. In some organizations you still have end users that have full admin rights on their desktops, right? So if they get phished, the hacker gets on that machine, they have admin rights on that machine. Then they can use that as a footprint to go elsewhere. Then once they're on that machine of course, they could have line of sight to anything inside your environment. So if those things inside your environment aren't properly secured, network devices and so on, they could be susceptible if they're not being managed properly as well. So it's a big problem, and as I mentioned before, in a lot of organizations it's a missing security layer that they just don't have today. Which is why the market's growing so quickly.

>> Well Brad, I think you got a lot of job security. (laughter)

>> Well thanks for taking a few minutes out of your day, appreciate it.

>> Absolutely, thanks. Alright, he's Brad Hibbert, I'm Jeff Frick. You're watching theCUBE from the Security in the Boardroom event put on by Chertoff. Thanks for watching.

Published Date : Aug 25 2017
