“Black Swan” author Nicholas Nassim Taleb once wrote that “intelligence consists in ignoring things that are irrelevant (avoiding false patterns).” Organizations must take this definition to heart as they incorporate Identity Security intelligence – an essential element of any Zero Trust cybersecurity strategy.
Many organizations have dedicated Security Operations Center (SOC) teams responsible for their threat detection, investigation and response efforts. To the layperson, SOC teams often seem like the all-seeing eye of an organization, immediately detecting any bad behavior across infrastructure, applications and endpoints. In reality, though, monitoring for threats, remediating vulnerabilities and executing incident response plans are a ton of work. SOC teams must work across the security organization to collect and analyze the right data and ignore false positives (a.k.a. irrelevant things). In the case of Identity Security, this means analyzing user behavior analytics that enable rapid responses to anomalous or risky privileged access to infrastructure and applications.
The 2022 CyberArk Identity Security Threat Landscape Report reveals that credential access is the most reported risk of all tactics in the MITRE ATT&CK framework. This isn’t exactly shocking. Most cyberattacks take the path of least resistance: compromise an identity by stealing credentials, move laterally and escalate privileges.
Yet despite this understanding, many organizations struggle to apply enhanced threat detection to their most significant source of cybersecurity risk: compromised identities and credentials. To embody Zero Trust and an assume-breach mindset, organizations must improve their ability to respond rapidly to identity-centric attacks.
Why It’s So Difficult to Detect and Remediate Identity-related Threats
To better understand the challenges of detecting and mitigating identity compromise attacks, let’s dive a bit deeper. Organizations face several challenges with identity threat detection and protection, such as:
1. A wide variety of attack methods. The bad guys have lots of effective methods to compromise identities. From phishing, social engineering and credential harvesting to ransomware attacks that aim to compromise local admin accounts on endpoints, attackers have a large arsenal of tactics for stealing credentials and passwords.
It may take time to realize passwords have been stolen. And insider threats pose another significant complication. When employees break bad, they can use their existing, valid credentials. To defend against internal bad actors, organizations need holistic data and context to identify anomalous or high-risk behavior.
2. Internal access control friction. It’s not always easy for Identity Security and SOC teams to get along. Identity Security programs manage access control policies and provision entitlements while adhering to audit and compliance requirements like the rule of least privilege. These teams also own authentication and authorization policies that may be designed to address usability requirements from their developer, admin and workforce stakeholders. The result can be access control policies that are more permissive than a SOC team prioritizing risk reduction would design.
At the same time, SOC teams may need to use administrative accounts outside of their regular responsibilities when remediating security incidents. Without clearly documented incident response plans and policies granting access for automatic remediation, SOC teams can face slower response times.
3. Siloed technologies and processes. Remember the point about ignoring false patterns? It’s important that threat analytics capabilities in privileged access management (PAM) or Identity as a Service (IDaaS) solutions integrate with the tools SOC teams already rely on. Key examples include security information and event management (SIEM) and extended detection and response (XDR) solutions. Without the full data that these integrations provide, SOC teams may not see the full picture and may chase false positives.
Even worse, without proper data correlation to generate alerts, Identity Security solutions might not allow SOC teams to see the signal in the noise. Without full context, SOC teams might miss valid patterns that could indicate compromise. For example, an organization with siloed IDaaS and PAM analytics may be able to detect individual low-risk actions like an administrator entering a low-risk command in a privileged session or accessing a web app from an irregular location. In combination, these “low-risk” events may be a strong case for a closer look. But with siloed analytics, SOC and Identity Security teams may not spot the valid pattern.
Threat detection capabilities are only as effective as the data they can analyze. If Identity Security and SOC technologies are not integrated for multi-directional data sharing, SOC teams may face a high number of false positives or worse – a low number of threats detected.
How Can Identity Security Intelligence Streamline Security Ops?
Security is a team game. As with any other security challenge, solving this gap in identity threat detection and prevention requires a combination of people, processes and technology. Here are some recommendations:
1. Document and automate processes for responding to identity-centric attacks. Documented plans in incident response scenarios provide a standardized playbook to help ensure alignment and accountability between SOC and Identity Security teams. And in many cases, documented incident response plans can also help satisfy cyber insurance, audit and compliance requirements.
As a best practice, building clear plans for responding to different types of security incidents (e.g., dedicated actions for remediating a phishing attack) can also streamline response processes, helping minimize the business disruption of security incidents.
2. Centralize threat detection across all user access. Multi-contextual analysis of user access can provide SOC and Identity Security teams with a complete picture of a potential security incident. This data correlation can help accelerate detection and response.
For example, Identity Security Intelligence, a shared service of the CyberArk Identity Security Platform, analyzes a user’s access to web applications and privileged accounts to detect and remediate in-progress attacks. Identity Security Intelligence centrally gathers user behavior analytics data such as login date and time, login location and actions performed by privileged accounts. The service then detects and sends alerts regarding behavior that departs from a user’s behavioral baseline access patterns to web apps and IT infrastructure.
[Figure: Multi-contextual user behavior analytics in Identity Security Intelligence]
Armed with sharper, multi-contextual insight, SOC and Identity Security teams can identify and respond to combinations of behavior that may signal identity compromise, such as an irregular login time followed by entry of specific commands in a remote session to a corporate server.
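To make the correlation idea concrete, here is an added example (not CyberArk code, and not the logic of Identity Security Intelligence) that joins two constructed telemetry sources, IDaaS login events and PAM session command records, learns a per-user baseline of login hours and countries, and scores each post-baseline login together with the privileged commands that follow it within a short window. Each signal on its own is low risk, as the siloed-analytics scenario above describes; it is the combination that raises severity and drives the suggested response. The event shapes, the sensitive-command watchlist, the 30-minute window and the severity-to-response mapping are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Events dated before
# BASELINE_CUTOFF teach each user's normal pattern; later events are scored.
BASELINE_CUTOFF = datetime(2022, 5, 6)

LOGIN_EVENTS = [
    # (user, ISO timestamp, login country), roughly the shape of an IDaaS export
    ("alice", "2022-05-02T09:05:00", "US"),
    ("alice", "2022-05-03T08:58:00", "US"),
    ("alice", "2022-05-04T09:12:00", "US"),
    ("alice", "2022-05-05T09:01:00", "US"),
    ("bob",   "2022-05-04T09:20:00", "US"),
    ("bob",   "2022-05-05T09:25:00", "US"),
    ("alice", "2022-05-06T03:14:00", "RO"),   # off-hours and from a new country
    ("bob",   "2022-05-06T09:40:00", "US"),   # matches bob's usual pattern
]

SESSION_EVENTS = [
    # (user, ISO timestamp, target host, command) from privileged session recording
    ("alice", "2022-05-05T09:30:00", "srv-db-01", "ls -la /var/log"),
    ("alice", "2022-05-06T03:22:00", "srv-db-01", "useradd svc-backup2"),
    ("bob",   "2022-05-06T09:45:00", "srv-web-02", "useradd deploy"),
]

# Assumed watchlist: commands that alone only merit a closer look.
SENSITIVE_COMMANDS = {"useradd", "usermod", "visudo", "passwd"}

# Assumed mapping from combined severity to an orchestrated response.
RESPONSE_FOR = {
    "low": "log_only",
    "medium": "require_mfa_step_up",
    "high": "suspend_privileged_sessions",
}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def build_baseline(login_events, cutoff=BASELINE_CUTOFF):
    """Learn, per user, the countries and login hours seen before the cutoff."""
    baseline = {}
    for user, ts, country in login_events:
        when = parse_ts(ts)
        if when >= cutoff:
            continue
        profile = baseline.setdefault(user, {"countries": set(), "hours": set()})
        profile["countries"].add(country)
        profile["hours"].add(when.hour)
    return baseline


def login_reasons(user, when, country, baseline):
    """Low-risk signals from one login, judged against the user's baseline."""
    profile = baseline.get(user, {"countries": set(), "hours": set()})
    reasons = []
    if country not in profile["countries"]:
        reasons.append("new_country")
    # One hour of slack on either side of any previously seen login hour.
    if not any(abs(when.hour - h) <= 1 for h in profile["hours"]):
        reasons.append("off_hours")
    return reasons


def command_reasons(command):
    """Low-risk signal from one privileged-session command."""
    tokens = command.split()
    return ["sensitive_command"] if tokens and tokens[0] in SENSITIVE_COMMANDS else []


def severity_for(signal_count):
    return {0: None, 1: "low", 2: "medium"}.get(signal_count, "high")


def correlate(login_events, session_events, window_minutes=30, cutoff=BASELINE_CUTOFF):
    """Join each post-cutoff login with the same user's privileged commands that
    follow it inside the window, and score the combination rather than each part."""
    baseline = build_baseline(login_events, cutoff)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, ts, country in login_events:
        when = parse_ts(ts)
        if when < cutoff:
            continue
        reasons = login_reasons(user, when, country, baseline)
        for s_user, s_ts, host, command in session_events:
            if s_user == user and when <= parse_ts(s_ts) <= when + window:
                reasons += [f"{r}:{host}" for r in command_reasons(command)]
        severity = severity_for(len(reasons))
        if severity:
            alerts.append({"user": user, "login_at": ts, "reasons": reasons,
                           "severity": severity, "response": RESPONSE_FOR[severity]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGIN_EVENTS, SESSION_EVENTS):
        print(alert)
```

Run as-is, the script emits one high-severity alert for alice (new country, off-hours login, then an account-creation command on srv-db-01 within 30 minutes) and one low-severity alert for bob, whose lone sensitive command at his usual time and location is logged but not escalated. That asymmetry is the point of multi-contextual analysis: neither of bob's signals nor any single one of alice's would justify suspending a session, but alice's three together do.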
3. Integrate Identity Security and SOC team tools. Identity Security teams must arm their SOC teams with the data their solutions naturally collect. Data and alerts from threat analytics services like Identity Security Intelligence can accelerate the SOC team’s ability to detect stolen credentials, insider threats and other identity-centric attacks.
Similarly, SOC teams must configure integrations between their tools and Identity Security solutions to remediate threats. For example, if a SOC team identifies potential abuse of a privileged account used to maintain Windows servers, integration with a PAM solution can automatically suspend or terminate the session. Or in another scenario, if Identity Security Intelligence sends an alert on a risky command entered on a Linux server, security teams can use CyberArk’s identity orchestration capabilities to automatically prevent the employee from using privileged accounts through PAM.
Putting It All Together: The Need for Identity Security Intelligence
Intelligent identity threat detection efforts require a holistic view of user behavior that helps teams spot only the relevant patterns. Identity Security Intelligence can help organizations reduce the risk of identity-centric attacks by eliminating silos between teams, documenting processes and integrating technologies to rapidly detect and respond to identity-centric threats.