A focused research area from the Gartner IAM conference is how identity is fueling improved threat detection, investigation, and response (TDIR), especially when it comes to accelerating response actions by the security operations center (SOC).
It is becoming obvious that there has been a disconnect between how identity is primarily associated with granting access to business infrastructure and how identity can be leveraged by security operations teams to monitor for and detect inappropriate access, whether by an internal or an external threat actor. By resolving that disconnect, organizations can achieve more effective policies, monitoring, and enforcement of identity-based security controls across applications, networks, and devices.
Identity-Based Attacks Are Escalating
Identity-based attacks have become the primary mechanism for successful breaches by threat actor groups targeting organizations. Some examples of extremely complex or well-hidden attack campaigns that Gurucul is able to detect more quickly and effectively than current SIEM, XDR or identity-based solutions include:
- Credentials stolen by advanced persistent threats that locate password stores, then often sold in bulk on the dark web
- Password spraying, which quickly finds accounts protected by overly simple or common passwords (think “mypassword” or “abcd1234”)
- Phishing campaigns using emails and text messages that are also set up for credential theft
- Security gaps created by cloud migrations and remote workers, especially when current IAM or PAM solutions are not fully cloud-native or architected from the ground up to work in the cloud
- Social engineering to gain user information that grants access to confidential data stores
- Insider threats, whether intentional or inadvertent
Cloud environments are particularly vulnerable to identity-based attacks such as credential stuffing, phishing, password spraying, and more.
Most of these attacks are extremely difficult to surface since they impersonate, or use the credentials of, authorized users with varying levels of access to resources.
Identity and Zero Trust
Although secure identities are a core component of Zero Trust, the approach is generally focused on tying the whole IT stack to the identity and tightening access controls. Really, this is about adopting a “least privileged access” model, which means users get access to the minimum set of resources needed, based on their role (i.e., identity). So, it is less about network or application access, per se, and more about granting a finer-grained level of access across the board.
Adopting a Zero Trust architecture also benefits the security operations center (SOC) and Insider Risk/Threat teams. Limiting users’ movement through privileged access policies can potentially help security teams identify access outliers or violations. Unfortunately, these types of security events are often not triggered, and a security analyst must rely on other data sources to manually conclude that they need to investigate access and usage rights, which generally requires support from the broader IT group.
But how do you know you’ve set up your access policies and controls correctly? Trial and error? Red team testing? How do you know if an ex-contractor’s access was never revoked? Did someone on the supplier team tell IT? What if a threat actor stole a bunch of harvested credentials off the dark web? All these unanswered questions can make Zero Trust extraordinarily untrustworthy. Since most small organizations (500 identities and above) already use more than 25 systems of identity, IT and Security teams are often hard pressed to invest the time and effort to baseline existing access policies, let alone monitor and secure them.
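One way to answer the questions above is to baseline every account exported from each system of identity against an authoritative roster and a least-privilege role baseline, flagging accounts whose owner is no longer active (the ex-contractor case), accounts with no roster owner at all, and accounts holding entitlements beyond their owner's role. This is an added illustration, not Gurucul's product or code; the roster, the three identity systems and the role baseline are constructed sample data.

```python
"""Baseline access across several identity systems against an authoritative roster.

All data below is constructed for illustration (hypothetical names and roles).
"""

# Authoritative roster, e.g. from HR or contractor management (constructed).
ROSTER = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "active", "role": "finance"},
    "carol": {"status": "terminated", "role": "contractor"},  # ex-contractor
}

# Account exports from three identity systems: (owner, entitlements). Constructed.
IDENTITY_SYSTEMS = {
    "active_directory": [
        ("alice", {"vpn"}),
        ("bob", {"vpn", "domain_admin"}),          # admin rights a finance role never needs
        ("carol", {"vpn", "domain_admin"}),        # access never revoked after termination
    ],
    "cloud_iam": [("alice", {"s3_read"}), ("svc-backup", {"s3_admin"})],  # no roster owner
    "saas_crm": [("bob", {"crm_admin"}), ("carol", {"crm_user"})],
}

# Least-privilege baseline: the entitlements each job role is allowed to hold.
ROLE_BASELINE = {
    "engineer": {"vpn", "s3_read"},
    "finance": {"vpn", "crm_admin"},
    "contractor": {"vpn", "crm_user"},
}


def baseline_access(roster, systems, baseline):
    """Return (system, owner, finding, entitlements) tuples for every access outlier."""
    findings = []
    for system, accounts in systems.items():
        for owner, entitlements in accounts:
            person = roster.get(owner)
            if person is None:                       # nobody in the roster owns this account
                findings.append((system, owner, "no_roster_owner", sorted(entitlements)))
            elif person["status"] != "active":       # owner left, access still present
                findings.append((system, owner, "owner_inactive", sorted(entitlements)))
            else:
                excess = entitlements - baseline.get(person["role"], set())
                if excess:                           # more than the role is allowed
                    findings.append((system, owner, "excess_privilege", sorted(excess)))
    return findings


if __name__ == "__main__":
    for finding in baseline_access(ROSTER, IDENTITY_SYSTEMS, ROLE_BASELINE):
        print(finding)
```

Each finding maps to a concrete follow-up (revoke, reassign to a roster owner, or trim the entitlement), which is what a SOC needs to act without waiting on the broader IT group to re-derive the same picture by hand.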
Identity Analytics Is the New Buzzword for 2022-2023
The current crop of Identity Analytics solutions that were featured and discussed at Gartner IAM 2022 have, unfortunately, once again been convoluted by over-ambitious marketing teams. In discussions with various vendors and prospects, it was obvious that most identity, XDR and SIEM vendors have one thing in common: they use the word analytics to represent basic correlation rules. Correlating multiple data sets is the most rudimentary form of “analysis” there is. Worse, most identity analytics solution claims are based on scraping Active Directory information and calling it “analytics.”
Combining identity analytics solutions that interrogate IAM and PAM solutions for access privilege information, roles, entitlements, etc., with solutions (i.e., XDR, NGSIEM, etc.) that monitor user/identity and entity behaviors, network traffic, application, and endpoint (including IoT) analytics not only provides full observability of your network in preparation for furthering Zero Trust goals, but also enables security teams to determine identity-based threats.
Gurucul delivers an integrated Security Analytics and Operations Platform with the broadest depth and breadth of security analytics to accelerate the automation of data collection, detection and investigation, and to improve the accuracy of response based on a risk-driven approach. To learn more, please check out the following resources:
To set up a demo of how Gurucul’s Identity and Access Analytics can help you, please contact us.