“Black Swan” author Nicholas Nassim Taleb once wrote that “intelligence consists in ignoring things that are irrelevant (avoiding false patterns).” Organizations must take this definition to heart as they incorporate Identity Security intelligence – an essential element of any Zero Trust cybersecurity strategy.
Many organizations have dedicated Security Operations Center (SOC) teams responsible for their threat detection, investigation and response efforts. To the layperson, SOC teams often seem like the all-seeing eye of an organization, immediately detecting any bad behavior across infrastructure, applications and endpoints. In reality, though, monitoring for threats, remediating vulnerabilities and executing incident response plans are a ton of work. SOC teams must work across the security organization to collect and analyze the right data and ignore false positives (a.k.a. irrelevant things). In the case of Identity Security, this means analyzing user behavior analytics that enable rapid responses to anomalous or risky privileged access to infrastructure and applications.
The 2022 CyberArk Identity Security Threat Landscape Report reveals that credential access is the most reported risk of all tactics in the MITRE ATT&CK framework. This isn’t exactly shocking. Most cyberattacks take the path of least resistance: compromise an identity by stealing credentials, move laterally and escalate privileges.
Yet despite this understanding, many organizations struggle to apply enhanced threat detection to their most significant source of cybersecurity risk: compromised identities and credentials. To embody Zero Trust and an assume-breach mindset, organizations must improve their ability to respond rapidly to identity-centric attacks.
Why It’s So Difficult to Detect and Remediate Identity-related Threats
To better understand the challenges of detecting and mitigating identity compromise attacks, let’s dive a bit deeper. Organizations face several challenges with identity threat detection and protection, such as:
1. A wide variety of attack methods. The bad guys have lots of effective methods to compromise identities. From phishing, social engineering and credential harvesting to ransomware attacks that aim to compromise local admin accounts on endpoints, attackers have a big arsenal of tactics used to steal credentials and passwords.
It may take time to realize passwords have been stolen. And insider threats pose another significant complication. When employees break bad, they can use their existing, valid credentials. To defend against internal bad actors, organizations need holistic data and context to identify anomalous or high-risk behavior.
2. Internal access control friction. It’s not always easy for Identity Security and SOC teams to get along. Identity Security programs manage access control policies, provisioning entitlements while adhering to audit and compliance requirements like the rule of least privilege. These teams also own authentication and authorization policies that may be designed to address usability requirements from their developer, admin and workforce stakeholders. This can cause more permissive access control policies than the SOC team might design to prioritize risk reduction.
At the same time, SOC teams may need to use administrative accounts outside of their regular responsibilities when remediating security incidents. Without clearly documented incident response plans and policies granting access for automatic remediation, SOC teams can face slower response times.
3. Siloed technologies and processes. Remember the point about ignoring false patterns? It’s important that threat analytics capabilities in privileged access management (PAM) or Identity as a Service (IDaaS) solutions integrate with the tools SOC teams already rely on. Key examples include security information event management (SIEM) and extended detection and response (XDR) solutions. Without the full data that these integrations provide, SOC teams may not be able to see the full picture and could identify false positives.
Even worse, without proper data correlation to generate alerts, Identity Security solutions might not allow SOC teams to see the signal in the noise. Without full context, SOC teams might miss valid patterns that could indicate compromise. For example, an organization with siloed IDaaS and PAM analytics may be able to detect individual low-risk actions like an administrator entering a low-risk command in a privileged session or accessing a web app from an irregular location. In combination, these “low-risk” events may be a strong case for a closer look. But with siloed analytics, SOC and Identity Security teams may not spot the valid pattern.
Threat detection capabilities are only as effective as the data they can analyze. If Identity Security and SOC technologies are not integrated for multi-directional data sharing, SOC teams may face a high number of false positives or worse – a low number of threats detected.
How Can Identity Security Intelligence Streamline Security Ops?
Security is a team game. As with any other security challenge, solving this gap in identity threat detection and prevention requires a combination of people, processes and technology. Here are some recommendations:
1. Document and automate processes for responding to identity-centric attacks. Documented plans in incident response scenarios provide a standardized playbook to help ensure alignment and accountability between SOC and Identity Security teams. And in many cases, documented incident response plans can also help satisfy cyber insurance, audit and compliance requirements.
As a best practice, building clear plans for responding to different types of security incidents (e.g., dedicated actions for remediating a phishing attack) can also streamline response processes, helping minimize the business disruption of security incidents.
2. Centralize threat detection across all user access. Multi-contextual analysis of user access can provide SOC and Identity Security teams with a complete picture of a potential security incident. This data correlation can help accelerate detection and response.
For example, Identity Security Intelligence, a shared service of the CyberArk Identity Security Platform, analyzes a user’s access to web applications and privileged accounts to detect and remediate in-progress attacks. Identity Security Intelligence centrally gathers user behavior analytics data such as login date and time, login location and actions performed by privileged accounts. The service then detects and sends alerts regarding behavior that departs from a user’s behavioral baseline access patterns to web apps and IT infrastructure. The CyberArk Identity Security Platform analyzes a user’s access to web applications and privileged accounts to detect and remediate in-progress attacks. Identity Security Intelligence centrally gathers user behavior analytics data such as login date and time, login location and actions performed of privileged accounts. The service then detects and sends alerts regarding behavior that departs from a user’s behavioral baseline access patterns to web apps and IT infrastructure.
Multi-contextual user behavior analytics in Identity Security Intelligence
Armed with sharper, multi-contextual insight, SOC and Identity Security teams can identify and respond to combinations of behavior that may signal identity compromise, such as an irregular login time, and then entry of specific commands in a remote session to a corporate server.
3. Integrate Identity Security and SOC Team tools. Identity Security teams must arm their SOC teams with the data their solutions naturally detect. Data and alerts from threat analytics services like Identity Security Intelligence can accelerate the SOC team’s ability to detect stolen credentials, insider threats and other identity-centric attacks.
Similarly, SOC teams must configure integrations between their tools and Identity Security solutions to remediate threats. For example, if a SOC team identifies potential abuse of a privileged account used to maintain Windows servers, integration with a PAM solution can automatically suspend or terminate the session. Or in another scenario, if Identity Security Intelligence sends an alert on a risky command entered on a Linux server, security teams can use CyberArk’s identity orchestration capabilities to automatically prevent the employee from using privileged accounts through PAM.
Putting It All Together: The Need for Identity Security Intelligence
Intelligent identity threat detection efforts require a holistic view of user behavior that helps teams spot only the relevant patterns. Identity Security Intelligence can help organizations reduce the risk of identity-centric attacks by eliminating siloes between teams, documenting processes and integrating technologies to rapidly detect and respond to identity-centric threats.
Battling the Three Forces of Identity Security at IMPACT23
Identity security: it’s a battle being waged on three fronts – and a rallying point for global cybersecurity professionals attending CyberArk IMPACT23, the identity security event of the year,...
Non-humans are everywhere these days. Sure, you’ve seen the much-deserved hype about how AI-powered tools like ChatGPT are going to change everything. But there are plenty of more mundane...
Healthcare cyberattacks are increasing in “frequency, severity and sophistication,” said Nitin Natarajan, U.S. Cybersecurity and Infrastructure Security Agency (CISA) deputy director, in his...
Secure Identities With These Five Intelligent Privilege Controls
If you’re reading this, a major part of your job is making the case for security-related issues you know are urgent. You may be among the 97% of CISOs being asked to present to their...
Bad Droid! How Shoddy Machine Security Can Topple Empires
The need for strong identity security protocols for humans has been a given for years. Your organization likely has multiple layers of controls to ensure that access to sensitive assets is limited...
The people closest to your business can sometimes cause the most damage. Yet while top-secret data leaks are headline news today, most insider threats are well-intentioned people who just screw...
Australia’s Growing Focus on Critical Infrastructure Cybersecurity in 2023
In recent years, several major cyberattacks targeted critical infrastructure in Australia, including a major telecommunication company, which suffered a devastating data breach in September 2022....
Twitter’s recent decision to turn off SMS two-factor authentication (2FA) for non-Twitter Blue users created a stir. While media and tech pundits questioned the company’s motives, many users...
Cloud Identity Security: It Doesn’t Taste Like Chicken
There’s a scene in the original “Matrix” movie when Neo is sitting in the grimy kitchen with the rest of the crew and eating gray, runny slop. No matter what new version of gray slop...
ChatGPT’s Role in the Evolution of Application Development
When I wrote my first applications in high school, coding was a lot more time-consuming. I didn’t have libraries I could shop through with ready-made bits of code to drop in to save myself time...
AI, ChatGPT and Identity Security’s Critical Human Element
In 1999, a far-fetched movie about a dystopia run by intelligent machines captured our imaginations (and to this day, remains my favorite film). Twenty-four years later, the line between fact and...
Quantum Computing Is Coming… Here are 4 Ways to Get Ready
Ask a cybersecurity professional what keeps them up at night and you’ll get answers about insufficient staffing, IT complexity or constant attacks on their business. Quantum computing isn’t likely...
How to Map Identity Security Maturity and Elevate Your Strategy
The ultimate goal of Identity Security is to provide secure access to every identity for any resource or environment, from any location, using any device. Yet ever-evolving technology and dynamic...
LTT Attack Targets Session Cookies to Push Crypto Scam
Crypto scams are skyrocketing: In 2022, the FBI tracked an 183% year-over-year increase, driving $2.57 billion in losses. Last week, the popular YouTube channel Linus Tech Tips (LTT for short) –...
Protect Passwords, Don’t Just Manage Them: A Game Plan for CIOs and CISOs
When 921 password attacks occur per second, it’s time to treat everyday employees’ credentials like the true operational risk they are. Today’s attackers assign a level of value to employees’...
There are nuances to how Zero Trust security is defined — but at its core, it's a strategic cybersecurity model enabled to protect modern digital business environments.
Secrets Management: Meeting Developers Where They Are
There’s always a balancing act when it comes to building and deploying cloud-native applications in environments like Amazon Web Services (AWS). The whole point of moving production to the cloud...
Phishing is a big problem that’s getting even bigger as cybercriminals find new ways to hook employees. With threats coming from every direction – emails on company computers, text and voice...
How Automated Identity Management Can Help Solve the Compliance Puzzle
Have you ever received a puzzle as a gift from a well-intentioned friend? They likely thought something along the lines of, “Hey, this person’s into solving problems — I bet they’d love putting...
Most companies now recognize the serious and insidious nature of cybersecurity threats. But many fail to grasp that the digital transformation, remote work, automation and cloud migration...