Published on: September 23, 2024
In this SafetyDetectives interview, we had the opportunity to speak with Tim Eades, the Co-Founder and CEO of Anetac, a company dedicated to addressing one of the most critical yet overlooked challenges in cybersecurity—service account vulnerabilities. With over 22 years of experience in the security industry and multiple successful ventures under his belt, Tim brings a wealth of knowledge on how organizations can better manage their identity vulnerabilities in today’s increasingly automated world. In our conversation, he discusses what inspired the creation of Anetac, as well as the innovative solutions his team has developed to protect enterprises from cyber threats.
Throughout the interview, Tim shares insights into the growing risks posed by dormant and improperly managed service accounts, which are often exploited by threat actors. He also delves into the strategies Anetac employs to mitigate these risks and streamline identity management, all while maintaining a fast and efficient time to value for clients. From real-world examples of vulnerabilities to the future of identity management, this interview sheds light on the complexities and solutions within this crucial aspect of cybersecurity.
Can you share a bit about your background and what led you to co-found Anetac?
My name is Tim Eades, and I’m the co-founder and CEO of Anetac. I’ve been in security for approximately 22 years, and this is my fourth company as a CEO. Before we started the company, we interviewed 35 customers—from banks to telcos to retailers to shipping companies—to understand the issues around service accounts. We asked: What is the trajectory? Is it a big problem? Is it growing? Why hasn’t anyone done anything about it?
We documented the responses, which gave us a deep understanding of the complexity. There was only one company, a bank in Europe, that said we shouldn’t move forward because the issue is too difficult and complex. Bigger, older companies have more significant problems. For a company that’s been around for 10 years or more, service accounts can become a mess. On-prem is ugly and hard, but the cloud is just chaos.
I’ve brought together people I’ve worked with before, and we’re using our past experience, creating a list of lessons learned from things not to do, and building something great. We made it simple to deploy with a fast time to value. Our sales cycle is currently 120 days, which is really fast in the security industry.
Can you provide an overview of Anetac’s mission and how the Dynamic Identity Vulnerability and Security Platform addresses current cybersecurity challenges?
Anetac’s mission is to create a dynamic streaming platform that discovers, monitors, and responds to identity vulnerabilities in enterprises. We believe our superpower is in the discovery side. Without getting too technical, customers have multiple control planes—like Okta, Microsoft, and CyberArk. We don’t want to be another control plane; we want to help enterprises understand, discover, and monitor their service accounts and then help them remediate by integrating with their existing control planes.
We’ve made the process extremely fast, and our customers can see value sometimes within 15 seconds to 90 minutes from the time we install. That’s something we’re really proud of.
Service accounts are a growing concern as companies increase automation. Can you explain how threat actors exploit dormant or improperly managed service accounts to infiltrate organizations?
The attack surface for threat actors is enormous when it comes to identity vulnerabilities. These accounts can be complicated to find and hard to manage. I can give you loads of examples: we know companies with service accounts that are 34 years old. We found credentials on a critical infrastructure system that hadn’t been touched in 19 years. A retailer we work with had credentials that were 10 years old, meaning every time someone swiped their card, all this was exposed.
Another issue is that people don’t understand the connections between these things. For example, if someone breaches a point of sale, can they get to the main database? Many don’t realize how interconnected these vulnerabilities are. Automation only accelerates the problem.
Developers don’t always follow best practices. We saw one developer create 5,000 service accounts in a week because he didn’t want to go through the security process. He used his own credentials, which is a complete no-no. This is a financial institution, and you’d think, “How could this happen?” Well, it did—and that’s why we started the company.
Given that there are an estimated 40 service accounts for every 1 employee, what strategies would you recommend for organizations to effectively manage and limit the privileges of these accounts to minimize security risks?
The first thing is getting discovery right. The efficacy of discovery is absolutely critical. If you try to change privileges without a full understanding, you could put a control in the wrong place and shut down a legitimate business process. Some people say, “I can change privileges in 90 days,” but they’re misguided. Some processes are seasonal, like tax season or holidays, and require continuous monitoring with as much context as possible.
Once you understand the connected risk, you can create treatment plans. For example, if it’s a dormant account from 20 years ago, you can just stop it. But if it’s over-privileged and actively used, you need a different approach. For the case where a developer created 5,000 accounts, you need a process in place to deal with that. Maybe it’s in JIRA or ServiceNow, but the key is compliance and ensuring that people follow the right processes.
Discovery is the most important thing, and from that, you can create treatment plans that are appropriate for the vulnerabilities you find.
What challenges arise when deciding to “kill” a service account, and how does Anetac help?
The key is thorough discovery. When you decide to stop an account, you must ensure that it doesn’t negatively impact business processes. That’s the first priority.
We need to protect the business while working with CISOs to align the security and business goals. CISOs today are more aligned with business objectives than ever before, and this really started with digital transformation and the rush to the cloud. Now, when we find vulnerabilities, we work with the business and help the CISO address them through treatment plans and processes that shut down the vulnerabilities without disrupting the business.
How do you see the future of identity management with increasing automation?
The future of identity management is super exciting. There’s a great opportunity to use modern tools to reduce the attack surface for enterprises. Ten years ago, no one used graph databases or time series capabilities to solve this problem. But time series is critical because, for example, a bad actor could elevate credentials at 2 a.m., go through the door, and lower the credentials again. If you don’t have time series or streaming capabilities, you won’t see this.
Service accounts behave in certain ways, and you need modern tools to monitor them. What’s exciting is that this problem is universal—whether it’s a small pizzeria or a large bank, everyone faces the same challenges. We’re in a massive market, and the key is building a product that delivers fast value. We onboard customers every week, and it’s great to see the impact we’re making.