What to Do When Digital Identities Start Doing “Stranger Things”

July 20, 2022 CyberArk Blog Team

What to Do When Digital Identities Start Doing “Stranger Things”

The long-awaited volume 2 of “Stranger Things” season 4 dropped this month. Fellow fans likely tracked three unique storylines this season, and it was a good thing the last two episodes were feature-length, because we had a lot of questions. Now that CyberArk Impact 2022 has wrapped, we have some time to get caught up!

A particularly gruesome “Stranger Things” plotline that kept everyone guessing was the one in which teenagers across the town of Hawkins started getting killed, one by one. But before each person met their untimely demise, they started acting … well, strangely … experiencing headaches and nightmares suggesting that Vecna, the mysterious evil being from the Upside Down, was beginning to take hold. This foreshadowing helped viewers brace for the grisly scenes ahead, and fed fan theories about how the season would play out. (We won’t give away any more than that!)

Beyond the Upside Down in a different shadowy realm, cybersecurity teams also look for digital clues such as hashes, domain names, IPs and DNS requests that could signal potential problems. Many rely on security information and event management (SIEM) tools to aggregate and analyze large volumes of threat data. But when it comes to detecting strange or risky behavior linked to authorized users – workforce or privileged identities within their organizations or those associated with third-party vendors – these teams are often in the dark until after systems have been compromised and damage is done.

A big part of the problem is that identity-driven attacks from inside are especially hard to detect. While most organizations have made Identity Security investments to secure privileged access to sensitive resources, they lack visibility and control over what is being done during legitimate user sessions and how confidential data is being handled. Unlike “Stranger Things” viewers, security teams don’t have the benefit of looming grandfather clock visions or ominous ticking noises in the background to put them on high alert.

Instead, malicious insiders (or external attackers posing as legitimate insiders) abuse credentials to progress their attacks, quietly looking for ways to bypass privileged access management controls on sensitive systems. Without a reliable, automatic way to respond to such attempts, organizations have a significant blind spot: 80% of enterprise security leaders report employee misuse or abuse of access to business applications, which often contain high-value data like financial records, customer or patient information, or intellectual property. And nearly half say they have limited ability to view user logs and audit user activity, making it difficult to pinpoint risky behavior.

How to Detect and Block “Strange” User Behavior – Before Time Runs Out

Manually investigating questionable user activity eats up time and valuable resources, as does auditing entire user sessions without the aid of risk scoring to flag strange or risky activity. These inefficient processes can often cut into other critical cybersecurity priorities, such as shoring up ransomware protection and bolstering incident response.

Fortunately, much like the headaches and creepy background music signaling that “stranger things” are about to take place on the TV show, behavioral abnormalities (i.e., abnormal login behavior or signs of potential theft of privileged credentials) can indicate that risky or malicious activity is happening in your IT environment.

Identity Security programs take advantage of analytics to build behavioral baselines for the workforce and privileged users within an organization. Using this baseline, and with the help of artificial intelligence, teams can continuously analyze user behaviors and workforce identity patterns at scale, automatically detecting strange or risky privileged security events earlier in the attack lifecycle. For instance, they could configure security controls and define rules to receive instant alerts if an employee enters a risky command during a privileged session or tries to delete or export sensitive files from a web application.

Teams no longer need to dig through logs to figure out what went wrong – and if they do opt to review logs and session recordings, they can skip ahead to the moment the risky behavior occurred. This enhanced, real-time visibility into user activity can help reduce the risk of stolen credentials for both workforce and IT users as they access web applications and infrastructure, while helping organizations to quickly detect and respond to potential threats before they can cause damage. And if an identity does show signs of influence from the villainous “Upside Down,” threat detection and protection capabilities give teams the right info, right when they need it, to take quick action, such as terminating user sessions.

It’s time to stop wondering why your organization’s digital identities are doing “stranger things” and how you might respond when they do. Get the real-time identity threat intelligence needed to secure your digital business from cyber attackers coming from the inside, outside or upside down.

At CyberArk, we view continuous identity threat detection and protection as an essential element of an Identity Security program that spans all workforce and privileged users. By embracing a unified approach, organizations can apply intelligent controls that correspond to the risk of a user’s session.

Identity Security Intelligence, our enhanced AI-powered analytics service that provides continuous identity threat detection and protection for workforce and privileged identities, is now generally available as part of the CyberArk Identity Security Platform shared services, enabling CyberArk SaaS customers to holistically protect their workforce and IT users. This service is just one of many enhancements and major additions to the CyberArk Identity Security Platform showcased at CyberArk Impact 2022.

 

Previous Video
The CyberArk Blueprint: Achieving Privileged Access Management Success
The CyberArk Blueprint: Achieving Privileged Access Management Success

Learn the guiding principles and key stages of the CyberArk Blueprint, a prescriptive guide to help build e...

Next Article
IMPACTful Women in Cybersecurity
IMPACTful Women in Cybersecurity

While cybersecurity as an industry aims to close gaps, cybersecurity as a profession has notoriously strugg...