How to Communicate the Identity Security Imperative to Your Board

June 1, 2021 Corey O'Connor

Communicate Identity Security to Board

Despite numerous business-level issues jockeying for space on the board agenda, there isn’t an executive team on the planet that isn’t talking about cybersecurity today. The SolarWinds breach, unrelenting ransomware attacks and evolving digital threats have kept the topic high on the priority list.

As a CISO, security leader or director of IAM, you may feel some relief that security responsibility has spread far beyond the walls of IT, across lines of business and into the board room. But this relief is likely tempered by increased scrutiny and pressure to communicate cyber risk in ways that executive leadership and the board of directors can more easily understand and act on.

Gartner IAM Summit: “Cybersecurity Begins and Ends with Identity”

In her recent Gartner Identity & Access Management (IAM) Summit keynote, Tricia Phillips, Senior Director Analyst, Gartner, described how the COVID-19 crisis disrupted every aspect of life; introduced a new distributed, decentralized world; and accelerated transformation projects. In this sustained period of disruption, she noted, identity has become the “ultimate attack surface,” and now “cybersecurity begins and ends with identity.” She urged IAM leaders to take their place as the first, and often last, line of defense against the malicious use of human and machine identities.

Communicate with Confidence: An Identity Security FAQ for Executive Leadership and the Board

With identity as the new security battleground, it’s clear an assume breach mentality, based on Zero Trust principles of “never trust, always verify,” is absolutely critical. You’re living and breathing this reality every day but may be searching for ways to strengthen your message for non-technical business decision-makers. Use the following FAQ to guide your board room discussions and help articulate why Identity Security matters now — without getting lost in the weeds.

Q: How can we protect our environment from advanced attacks like those seen in the news?         

A: Cyber attackers are constantly innovating, and even the strongest defenses can be breached. Because of this, we are enforcing multiple layers of security to reduce the greatest amount of risk. And by “assuming breach,” we’re focused on finding and stopping threats from within before they can reach critical systems and cause harm.

We know that nearly 100% of major cyberattacks follow a similar attack chain: 1) Steal and abuse the identities and credentials to get inside; 2) Use these legitimate credentials to move around the network looking for high-value targets; 3) Exploit privileged credentials that provide powerful access to accomplish their goals.

Identity-based security controls are critical for detecting and thwarting attacks that have already made their way inside the organization’s infrastructure. With them in place, we can focus on protecting our most valuable assets to prevent data theft and disruption. Without them, we are at risk of a data breach similar to the major attacks that keep making headlines.

Based on recent Gartner guidance* and analysis of several major breaches, we know what specific improvements are needed in to minimize exposure. During an initial rapid risk reduction effort, we will put in place key controls that make it much more difficult for attackers to carry out these types of attacks against us.

Dig deeper: Learn why adopting a “sprint mindset” is one of the most important factors in achieving rapid risk reduction. It helps spark a sense of urgency and progress — without the overarching pressure of resolving an actual breach.

Q: Why are privileged identities and credentials a priority compared to other security goals?

A: Identities are everywhere in our IT environment. And due to the mobile cloud-based nature of our business, every corporate identity — both human and machine — can have privileged access under certain conditions. For example:

  • A developer who requires access to source code to create new software offerings
  • An application that needs high-level privileges to access corporate resources to perform its intended task
  • A third-party vendor who needs to access sensitive corporate data remotely to deliver services

According to Gartner, “The identity and access management (IAM) system is clearly a rich target opportunity for advanced attackers” and “privileged accounts are a primary target.”*

With privileged accounts and credentials, an attacker can access intellectual property, business secrets, and sensitive customer information. And with high levels of access to information systems, the attacker can also deactivate existing security technologies, such as multi-factor authentication, data encryption, firewalls, and detection systems — often without raising red flags.

Gartner states that “Mitigating this risk often requires privileged accounts to be managed by a Privileged Access Management (PAM) tool. PAM tools help vault privileged passwords, limit accesses to authorized users, rotate credentials frequently and monitor the usage of privileged accounts.”*

Dig deeper: Explore the anatomy of the SolarWinds attack chain to see how threat actors used highly privileged credentials to successfully bypass endpoint and network-based security controls.

Q: What techniques are attackers using to launch identity-based attacks?

A: According to the latest Verizon Data Beach Investigations Report 2021, 85% of breaches involve the human element. The first step in the attack chain is often marked by a spear-phishing or impersonation attack aimed at stealing an identity’s credentials. Users are tricked into clicking on a link or opening an attachment in an email that downloads malware to their workstation. Ransomware infections work in similar ways — and as tactics have evolved, the number of successful ransomware attacks has doubled since last year.

Once the malware is downloaded onto a desktop, laptop, or server, attackers can gain entry to the environment. For example, in Windows environments, they take advantage of the way devices store credentials: Password “hashes” are saved in computer memory for all users who have recently logged into that machine. By stealing the hash for an administrative password, an attacker can get access to multiple machines. They search each machine’s memory for other password hashes that, in turn, provide access to more valuable machines like database servers or, the biggest prize, the domain controller used to manage access to all computing resources. Once they reach the domain controller, they can create “tickets” to log into any critical asset on the network, shut down security systems and take full control of information systems.

Dig Deeper: Explore the unique challenges of securing identities in hybrid cloud environments and three real-world attacks

Q: Which user groups within our organization are most at risk of identity-based attacks?

A: Attackers used to go straight for IT admins with high levels of access. But recent research shows that non-technical user populations are being targeted with increasing frequency, such as business users with access to sensitive data (i.e., payroll and HR), senior leadership, and third-party vendors.

Developers are also a key target for advanced attackers. Gartner notes that “SolarWinds’ code was compromised in the development process, which has significant implications for the development community.”*

By compromising a privileged identity like a developer or pipeline orchestrator or infrastructure manager, attackers can dramatically scale their reach and impact — infecting customer-facing products and services and threatening the stability of the entire digital supply chain.

The urgency around protecting software development pipelines is coming from the highest levels of government. The White House issued a cybersecurity executive order this month, noting in a statement that “Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road.”

Dig deeper: Explore use cases and best practices for securing privileged access in development environments, from validating the integrity of all code and builds to enforcing just-in-time access policies in these highly automated environments.

Q:  How will you increase protection of identities and privileged credentials?

A: We’ve adopted a Zero Trust approach to security, in which no actor can be trusted unless they’re continually verified. Zero Trust isn’t a specific technology but instead an approach that helps to ensure every user’s identity is verified, their devices are validated and their access is intelligently limited to just what they need —and taken away when it’s not needed.

Our strategy is to implement Identity Security controls that are foundational to this Zero Trust approach. These control center on defending against three of the most common attack chain phases and will be deployed in risk-prioritized phases to help:

  1. Block credential theft on the endpoint and prevent ransomware attacks
  2. Stop lateral and vertical movement
  3. Prevent privileged escalation and abuse

This approach aligns with best practices recommended by leading authorities such NIST, CISA, and NSA.

Dig deeper: Discover how the CyberArk Blueprint can provide your team with measurable risk-based advice to defend against identity-based attacks.

Q: How are other companies tackling identity-related challenges, and how do we benchmark our progress against industry peers?

A: A vast majority of recently surveyed security leaders see Zero Trust as key to mitigating risk: 88% say transitioning to a Zero Trust model is “important” or “very important.” To do this, Identity and Access Management (IAM) controls were cited as the No. 1 priority by 45% of respondents.

We’re following proven maturity frameworks from NIST and the Identity Defined Security Alliance to baseline, report on, and continuously measure the progression of our Identity Security posture. We’ve also tapped into guidance published by a group of Global 1000 CISOs on protecting identities and privileged access while transitioning to Zero Trust.

Dig deeper: Explore these five fundamental steps to help you establish parameters for your Identity Security program, define your risk tolerance and use meaningful metrics to report on outcomes. And see how the CyberArk Blueprint can provide your team with measurable risk-based advice to defend against identity-based attacks.

Q: How will Identity Security help advance our core digital transformation initiatives?

A: Implementing stronger security controls that minimize breach impact and protect what matters most is a core objective. Equally important is enhancing productivity, user experiences, and customer value. This is what will ultimately define our success as an organization. An identity-centric approach to security can help us achieve these objectives in unison.

Dig deeper: Aligning with business leadership requires an understanding of their own challenges and priorities, and the ability to think like a businessperson first (and a security person second). It’s important to demonstrate how Identity Security solutions can enable the digital business.

Q: What do you need from corporate leadership to make an Identity Security program successful?

A: By setting the right tone from the top, you can help ensure that we can successfully deploy a new set of Identity Security controls across the enterprise. Although security will drive the project, the affected systems are owned by the business. It will require cross-functional support. Some stakeholders will balk at the changes that must be made, such as giving up access rights or following new processes. Direction from leadership is crucial to moving ahead rapidly and maintaining momentum for sustained success.

Dig deeper: When making your business case for Identity Security, make sure you’re armed with data that demonstrates how the right approach can drive operational efficiencies and positive financial impact. And don’t go it alone: Enlist the support of others, such as risk management teams, to make cyber risk data “real” in the context of broader business goals. 

Attackers understand that all roads lead back to identity. Without adequate controls to protect identities throughout the cycle of accessing critical assets, organizations leave themselves exposed. Gaining executive-level support for an Identity Security program is the first step toward strengthening overall cyber resilience. Use this FAQ to make those critical conversations count.

*Gartner, “Top 10 Lessons Learned From the SolarWinds Attack,” 17 February 2021. Peter Firstbrook

Previous Article
Why Cybersecurity Executive Order Takes Big Steps Toward Marshaling US Cyber Defenses
Why Cybersecurity Executive Order Takes Big Steps Toward Marshaling US Cyber Defenses

Sometimes, it takes a significant event — a “forcing function” — to catalyze significant change. It can eve...

Next Article
RSA 2021: How CISOs Can Build Cyber Resilience for the Road Ahead
RSA 2021: How CISOs Can Build Cyber Resilience for the Road Ahead

From captivating keynotes to impromptu coffee line chats to networking party hopping, there’s nothing like ...