Digital identities are the byproduct of progress. When the region migrated to the cloud and adopted hybrid-working practices, we did so as a necessary response to a pandemic.
While nobody wants a repeat of 2020 and 2021, we now know that if we ever had to introduce lockdowns again, businesses are a lot more prepared than they were previously because the infrastructure and policies are in place to absorb the shock.
“Actionable intelligence on how an account is being used (and could potentially be used to move undetected through the environment) is going to improve the security posture more than any point solution currently available.”
Michael Byrnes, director of solutions engineering, iMEA, BeyondTrust
This is progress. But as the result of cloud migration, the need for rapid development, the rise of IoT, and OT’s merging with IT, we have seen a surge in the number of human- and machine-based digital identities. Not only do these identities spring up out of a need to perform new tasks at scale, but some are required just to manage other identities. This would all be fine if it were not for the lack of visibility security teams have into modern digital realms. There has always been a danger inherent in granting too many permissions to a new account. How can we see this problem if we lack the visibility to track cloud-access entitlements? Gartner’s prediction that by the end of the year three quarters of cloud security failures will stem from inadequate identity management should give us pause.
Now let’s unpause. What do we do? The answer clearly lies in identity threat detection and response (ITDR), something recently made possible by the shrewd combination of identity and access management (IAM), privileged access management (PAM) and a range of other technologies and best practices. IAM and PAM already give high levels of visibility and control, but we still need the ability to identify the aspects of an identity that could lead to a security compromise. IAM tracks entitlements but does not alert security or IT staff to overprovisioning. And even where AI is available, it focuses on on-premises systems rather than the Internet-facing ones. Given the increased sophistication of attackers, we need the ability to see suspicious activity while it is in progress. We need rapid ITDR.
A discipline, not a product
This will not be delivered through a single product, for ITDR is more of a discipline. By uniting the right technology capabilities and human skills, ITDR pinpoints the true threats, vastly reduces alert fatigue, and greatly increases an organization’s ability to fix critical security issues before they can be exploited. Traditional PAM delivered in combination with an identity-centric security model is the best approach to ITDR.
We begin by centralizing data around the concept of identity. Roles, policies, privileges, and risk are all addressed in each account. We ensure that all privileged accounts operate under a privileged credential management solution. There can be no exceptions. Every unmanaged privileged account is a security blind spot. If it is compromised, the threat actor will not be subject to password rotation or session monitoring and will be able to move at will, undetected.
There must be systems in place to detect orphaned accounts and expired privileges. When an employee leaves and only some of the accounts they used are disabled, the identity can be thought of as only partially disabled. The principle of least privilege calls for the minimal level of access required to operate in a role. Unfortunately, rights tend to be added as time goes on but not subtracted in areas where they are no longer needed. True ITDR calls for this tradition of “entitlement creep” to be corrected.
Another red flag should be the reactivation of a dormant account, as this could represent an opportunity for lateral access for threat actors. Network-related dormant accounts like VPNs should be of particular interest to security teams, as should service accounts. And ITDR implementers should also take heed that even multi-factor authentication (MFA) can be subject to misconfigurations and misuse, including being disabled without the knowledge of the SOC. Such occurrences should be flagged in an ITDR environment.
We must also examine shadow IT, instances of which have skyrocketed since unpoliced remote-working employees began tweaking their productivity with unassessed software. Sometimes, these installs call for a cloud identity to be created without IT’s or the SOC’s knowledge. This may present a threat to the corporate environment, so security teams should try, at the very least, to prevent users from creating accounts associated with a personal email address, as compromise of this address could mean a threat to company assets.
And of course, we must address the remote login. Sessions originating from Tor, for example, are an obvious threat, so blocking network traffic from that network is a good first step. It will prevent adversaries from having free rein but will likely have zero effect on legitimate users.
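The checks described in the preceding paragraphs (unmanaged privileged accounts, orphaned accounts, dormant-account reactivation, MFA disabled without SOC knowledge, accounts tied to personal email, and logins from Tor) can be expressed as a small set of correlation rules over an account inventory and an audit log. The following is an added example, not code from the article or from BeyondTrust; the HR roster, account inventory, event log, approved-change list and Tor exit-node address are all constructed placeholders (the IP is a TEST-NET documentation address).

```python
from datetime import datetime

# Constructed sample inputs (placeholders, not real data): an HR roster, an
# account inventory as exported from the IAM/PAM layer, SOC-ticketed changes,
# and a constructed Tor exit list using a TEST-NET documentation address.
HR_ROSTER = {"alice": "active", "bob": "left", "svc-backup": "service"}
ACCOUNTS = [
    {"user": "alice", "email": "alice@example.com", "enabled": True, "privileged": True, "vaulted": True},
    {"user": "bob", "email": "bob@example.com", "enabled": True, "privileged": True, "vaulted": False},
    {"user": "svc-backup", "email": "svc-backup@example.com", "enabled": True, "privileged": True, "vaulted": True},
    {"user": "carol", "email": "carol@gmail.com", "enabled": True, "privileged": False, "vaulted": False},
]
EVENTS = [  # (timestamp, user, action, source IP)
    ("2024-02-01T09:00:00", "svc-backup", "login", "10.0.0.20"),
    ("2024-05-01T09:00:00", "alice", "login", "10.0.0.5"),
    ("2024-08-20T03:12:00", "svc-backup", "login", "10.0.0.44"),
    ("2024-08-20T03:15:00", "bob", "login", "198.51.100.9"),
    ("2024-08-20T03:16:00", "bob", "mfa_disabled", "198.51.100.9"),
    ("2024-08-20T10:00:00", "alice", "mfa_disabled", "10.0.0.5"),
]
APPROVED_CHANGES = {("alice", "mfa_disabled")}  # changes the SOC ticketed in advance
TOR_EXITS = {"198.51.100.9"}                    # constructed placeholder list
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
DORMANT_DAYS = 90  # a login after this many idle days counts as a reactivation

def detect(accounts, events, roster, approved, tor_exits):
    """Return sorted (user, finding) pairs from the inventory and audit log."""
    findings = set()
    for acct in accounts:  # static checks on the account inventory
        u = acct["user"]
        if acct["privileged"] and not acct["vaulted"]:
            findings.add((u, "privileged account not under credential management"))
        if acct["enabled"] and roster.get(u) == "left":
            findings.add((u, "orphaned account: owner has left but account is enabled"))
        if acct["email"].rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS:
            findings.add((u, "account tied to personal email address"))
    last_login = {}
    for ts, u, action, ip in sorted(events):  # ISO timestamps sort lexically
        when = datetime.fromisoformat(ts)
        if action == "login":
            prev = last_login.get(u)
            if prev and (when - prev).days > DORMANT_DAYS:
                findings.add((u, "dormant account reactivated"))
            if ip in tor_exits:
                findings.add((u, "login from Tor exit node"))
            last_login[u] = when
        elif action == "mfa_disabled" and (u, action) not in approved:
            findings.add((u, "MFA disabled without SOC-approved change"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in detect(ACCOUNTS, EVENTS, HR_ROSTER, APPROVED_CHANGES, TOR_EXITS):
        print(f"{user}: {finding}")
```

In a real deployment the inventory and events would come from the PAM vault, the IdP audit log and the HR system rather than inline literals, and the approved-change set from the ticketing system.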
Back in the saddle
When we unite IAM and PAM we bring back an element of control over the identity landscape, but to be cloud-ready means implementing new tools and working practices that can correlate all the signals received and discern actionable information from them. The security stack must include smart and integrated analytics capabilities for this purpose. What I have just described is identity threat detection and response.
Armed with insights into identity security, the SOC has a microscope trained on the very vulnerabilities most likely to be exploited by today’s cyber cabals. Actionable intelligence on how an account is being used (and could potentially be used to move undetected through the environment) is going to improve the security posture more than any point solution currently available. ITDR, remember, is a method, not a product. Skilled professionals armed with new, open-eyed policies and advanced tools that talk to third-party sources like Okta and Azure Active Directory will allow security teams to stay one step ahead of attackers… and offer more safety amid the Great Identity Surge than we have seen in some time.
About the Author
Michael Byrnes, Director of Solutions Engineering for the iMEA region, BeyondTrust
Michael introduces this concept of ITDR (Identity Threat Detection & Response). He then goes on to explain how organizations can go about building a comprehensive ITDR ecosystem.