Unseen Threats: Identity Blind Spots and Misconfigurations in Cybersecurity

[By Shlomi Yanai]

It’s rather obvious to most in the IT sector that cybercriminals consistently and successfully exploit stolen or weak online identities to gain unauthorized access to businesses of all types. These identities are clearly the pathway for attacks on an enterprise. But the irony remains that many identity and security leaders don’t yet recognize that investing in identity security controls such as Active Directory, SSO, MFA and PAM is not enough unless the organization also invests in verifying that those tools actually deliver the protection they are meant to.

Only focusing on what’s happening within the realm of identity and access management is a failing strategy. And that’s because identities, both human and machine, are everywhere in an enterprise – there are countless instances of unprotected and unmanaged identities across cloud, SaaS, and on-premises. They’re often far from the confines of identity infrastructure controls, yet cybercriminals can just as easily exploit them.

Attackers take full advantage of the fact that humans are human. Yes, some internal bad actors exist, but identity exposures are often created because of people, process, and technology challenges. For example, to maintain a competitive advantage, R&D teams are tasked with introducing new applications and services at warp speed. If the processes for rolling out new applications aren’t sufficiently coordinated across the organization, identity security blind spots can be created, such as production systems that aren’t managed by any directory or applications that can be accessed without MFA by a local account with an extremely easy-to-crack password. Even if processes are well aligned, identity blind spots can happen as changes to systems are made and new people join the organization.

Beyond blind spots, the sheer complexity of an organization’s identity and security technology stack can lead to misconfigurations that weaken the identity security controls put in place. A common example is an exposure introduced by MFA misconfigurations, such as applications where MFA is not enforced because of session token duration issues, or step-up MFA for sensitive applications that is not functioning as expected.

Service accounts are another common source of misconfiguration challenges. A common bad practice is associating a service account with a human user. This creates potential security risks, such as unauthorized access to the service account if the human user’s credentials are compromised. Furthermore, if the human user leaves the organization or changes roles, the service account could be left entirely unmanaged.

The reality of identity blind spots and misconfigurations demands that security and IT teams have real-time visibility into every identity that exists and what it is doing. That visibility is what lets them discover and resolve identity exposures proactively and respond to cyberthreats that target identities and identity systems.

To achieve this needed visibility, enterprises should consider integrated solutions that combine identity security posture management (ISPM) and identity threat detection and response (ITDR). ISPM provides continuous monitoring so that organizations can discover and resolve identity exposures before a threat actor can exploit them, maintain the resiliency of their identity systems, and improve day-to-day identity operations. ITDR solutions help enterprises quickly detect and respond, in real time, to cyber threats that target user identities and identity-based systems. By providing an identity-focused lens, ITDR complements other threat detection and response systems and reduces the time it takes to identify and respond to identity-based threats.

An organization can have all the latest automated tools and costly security investments, but without eyes on everything from local accounts and MFA misconfigurations to something as simple as dormant accounts or unsanctioned SaaS services, identities can remain unchecked and still provide the main doorway for attackers. Just recently, it was announced that Microsoft fell victim to a password spray attack that ultimately compromised a legacy non-production test account that afforded cybercriminals the permissions they needed to access some executive email accounts. If a tech giant such as that can find itself vulnerable to such identity-related attacks, it’s clear that greater visibility is required.
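The two exposure classes the article keeps returning to, service accounts tied to a human owner and dormant or MFA-less accounts, plus the password-spray pattern described in the Microsoft incident, can all be checked from data most organizations already have. The following Python script is an added example and is not AuthMind's code or the article's own; it runs a posture check over a constructed identity inventory (the kind of normalized view an ISPM tool builds from directory, SSO and SaaS exports) and a spray detector over constructed sign-in events. The field names, thresholds (90 days dormant, 5 distinct accounts within 10 minutes) and sample values are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity inventory (hypothetical names and dates, not real data).
IDENTITIES = [
    {"name": "alice", "kind": "human", "owner": None, "mfa_enforced": True,
     "last_login": "2024-03-01", "status": "active"},
    {"name": "svc-backup", "kind": "service", "owner": "bob", "mfa_enforced": False,
     "last_login": "2024-03-02", "status": "active"},
    {"name": "bob", "kind": "human", "owner": None, "mfa_enforced": True,
     "last_login": "2023-09-15", "status": "disabled"},   # left the organization
    {"name": "legacy-test", "kind": "human", "owner": None, "mfa_enforced": False,
     "last_login": "2023-06-20", "status": "active"},     # dormant and no MFA
    {"name": "svc-ci", "kind": "service", "owner": "svc-ci-owners", "mfa_enforced": False,
     "last_login": "2024-03-03", "status": "active"},     # owned by a group, not a person
]

REFERENCE_NOW = datetime(2024, 3, 4)        # assumed "today" for the dormancy check
DORMANT_AFTER = timedelta(days=90)           # assumed dormancy threshold


def find_identity_exposures(identities, now):
    """Return sorted (account, issue) pairs for active accounts that are dormant,
    human accounts without enforced MFA, and service accounts owned by a person."""
    by_name = {i["name"]: i for i in identities}
    findings = []
    for ident in identities:
        if ident["status"] != "active":
            continue                        # disabled accounts are not an exposure here
        last = datetime.strptime(ident["last_login"], "%Y-%m-%d")
        if now - last > DORMANT_AFTER:
            findings.append((ident["name"], "dormant"))
        if ident["kind"] == "human" and not ident["mfa_enforced"]:
            findings.append((ident["name"], "mfa_not_enforced"))
        if ident["kind"] == "service":
            owner = by_name.get(ident["owner"])
            if owner is not None and owner["kind"] == "human":
                # Tied to a person: worse still if that person has already left.
                issue = "service_account_tied_to_human"
                if owner["status"] != "active":
                    issue = "service_account_owner_departed"
                findings.append((ident["name"], issue))
    return sorted(findings)


# Constructed sample sign-in events (not real logs). One source tries many accounts
# with few attempts each, which is the password-spray signature, then succeeds on
# the dormant test account; a second source is a user mistyping their own password.
SIGNIN_EVENTS = [
    {"ts": "2024-03-04T02:00:01", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-04T02:00:05", "user": "bob", "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-04T02:00:11", "user": "carol", "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-04T02:00:18", "user": "dave", "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-04T02:00:26", "user": "erin", "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-04T02:00:40", "user": "legacy-test", "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-03-04T02:00:55", "user": "legacy-test", "src_ip": "203.0.113.7", "result": "success"},
    {"ts": "2024-03-04T09:10:00", "user": "alice", "src_ip": "198.51.100.20", "result": "failure"},
    {"ts": "2024-03-04T09:10:30", "user": "alice", "src_ip": "198.51.100.20", "result": "success"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failures span at least `min_users` distinct accounts
    inside any `window`; also list accounts that IP later signed into successfully."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"], e["result"]))
    alerts = {}
    for ip, rows in per_ip.items():
        rows.sort()
        failures = [(t, u) for t, u, r in rows if r == "failure"]
        best, start = set(), 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits within `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            first_failure = failures[0][0]
            successes = sorted({u for t, u, r in rows if r == "success" and t >= first_failure})
            alerts[ip] = {"targeted_users": sorted(best), "successes": successes}
    return alerts


if __name__ == "__main__":
    for name, issue in find_identity_exposures(IDENTITIES, REFERENCE_NOW):
        print(f"exposure: {name}: {issue}")
    for ip, info in detect_password_spray(SIGNIN_EVENTS).items():
        print(f"spray from {ip}: targeted {info['targeted_users']}, succeeded on {info['successes']}")
```

Run as-is, the posture check reports the dormant, MFA-less test account and the backup service account whose human owner has already left, and the spray detector flags only the source that failed against six accounts in under a minute, not the user who mistyped once. The point of pairing the two checks is the one the article makes: the spray succeeded precisely against the account the posture check would have surfaced first.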

So, the goal for IT leadership should NOT be to change their approach to cybersecurity radically but simply add a layer of deep visibility into identity activities with ISPM and ITDR that can work in tandem with existing security investments.

Shlomi Yanai is CEO and Co-Founder of Maryland-based AuthMind (www.authmind.com), an identity-first security provider that protects an organization’s identity infrastructure and detects identity-based threats in real time.


No posts to display