Siloes of Failure: Identity as the Unifying Control (guest blog from The Cyber Hut)
This is the second of a three part guest series where I’m taking a look at the issues with classic identity protection and monitoring architectures and how organizations can benefit from an identity-centric and detection-led approach to preventing evolving identity attacks. The first part discusses the rise of moving from protection to detection engineering.
Hybrid Landscapes
- Variety of identity types
- On-prem, PaaS and SaaS
- Inconsistent tools and coverage
The identity and access management industry is facing numerous challenges. Not only is the variety and volume of identities increasing, organizations are having to handle the management of those identities across a varied and diverse deployment landscape. On-premises directories need to be seamlessly managed alongside subscription-based SaaS applications, containers located in cloud service provider (CSP) platform-as-a-service (PaaS) ecosystems and integrated against API and data services located in all three.
The identity backbone that links the endpoint, data and network worlds is located in a hybrid set of locations, but all need to comply with the same security and regulatory requirements. Strong authentication or a passwordless-migration strategy needs to be deployable against all systems in all locations. Access control and authorization becomes of limited use if applied to only a handful of systems under management. Complex and expensive privileged access management (PAM) platforms need to cover service, non-human and workload accounts in all locations – not-just a subset of the riskiest infrastructure services.
To that extent organizations are having to support an ever increasing number of security controls and compliance requirements with inconsistent tools, coverage and user experiences. Not only within the IAM landscape but also across the data, endpoint and network security worlds too. Overlapping and often competing security controls inhibit strategic assurance that should cover all systems in all locations.
Isolated Protection Strategies
- PAM, IGA and MFA specific and narrow
- Identity as major new attack surface
- Exploitation examples
To that end, organisations have witnessed and invested upon linear expansion in identity related security controls. What does this entail? Well the core pillars of the IAM fabric – such as privileged access management, identity governance and administration, multi-factor authentication and least privilege access have all continually evolved in the past 5 years to deliver a range of enhanced security and usability controls. The recent advent of AI-powered technologies – such as co-pilots, data analyzers and querying tools – have improved many of the core IAM controls too.
However, these controls are often specific and narrowly tailored to a subset of applications, users or use cases. The end result is organisations who have invested in some core IAM capabilities are still being hit by adversarial activity, data breaches and exfiltration.
As IAM has moved from being a tactical and operational technology component – often sitting under the CIO with productivity, compliance and cost savings objectives – to being a strategic enabler for security and revenue, it has also become an adversarial target. The core functions of something such as the joiner-mover-leaver process for employee automation was not originally designed with security in mind. B2C customer engagement often had usability as the main design priority too. A combination of a fragmented technology landscape and increasing responsibility and importance for IAM has seen it become the main attack surface priority for the mid to large enterprise.
Initial Access Brokers (IAB), biometric-evading deepfake tools, session hijacking techniques and MFA bypass concepts are all common trade craft – and are constantly iterated upon by adversarial networks and dark-net market places. The rewards are high – either in the form of intellectual property and data exfiltration, PII that is in turn used for further identity-related attacks or the rise in employee fraud – often conducted by highly skilful and well connected technology-gangs.
The existing IAM fabric is often not equipped to deal with the ever-changing techniques, tactics and procedures being developed by external adversaries and are often not measured against their integration to concepts such as the Mitre Att&ck framework or cyber kill chain. The core metrics for B2E IAM success often lay within productivity or connectivity – and for B2C usability often trumping security entirely.
Identity as Modern Control Point
- Thinking end to end
- Left shifting of assurance and right shift of activity
- Monitoring and interception points
However, the increasing importance of our IAM infrastructure also provides a solid foundation for strategic advantage as it pertains to detection and in turn security response. In an ever changing world of advancing technology and adversarial threat activity there are two components that do not change: the identity and the object being accessed. Be that identity of a person or a workload, the object a file or online payment – the access path between the two becomes the foundation of security, data collaboration and productivity. To that end we need to consider identity as a life cycle firstly, and also break the analysis into both a data and runtime activity point of view too. The data aspect being focused on profiles, permissions and policy – and all the misconfiguration and governance issues that occur at the level.
From a runtime point of view we need to consider analysing the post–authentication event landscape. Contextual analysis of login events is critical to identify stolen credentials, impossible travel and device–related risk. Session analysis and downstream application activity is then key – looking for unusual behavior, suspicious use of permissions, or privilege escalation attempts. Each activity within an application must be correctly attributed to an identifier too – and ideally biometrically associated with a carbon life form if the focus is on people-centric activities.
Our existing IAM infrastructure often thinks in pillars and resources – whereas the adversary is really only thinking about the access path and the identities and permissions needed to gain access to the final object or transaction. We need to be able to monitor the entire lifecycle and be able to find differences, anomalies, comparisons to existing TTPs and the ability to identify “unknown unknowns” too. This monitoring needs to be continuous with strong integration potential for a range of identity and non-identity related signals providers to help support composite analysis of risk.
An important aspect of using identity as the control point from a continuous monitoring and response point of view is the remediation. The type of remediation activity and the time of response become critical. Inflight response including changes to session and access is possible as well as ultimately tying back into future authentication and policy enforcement events to prevent future malicious activity.
Forensics and post–incident investigation is also improved by taking an identity-centric view of activity and access and the ability to overlay information from IDPs, network and applications. Supporting organizations to avoid alert fatigue is critical – and being able to deliver high fidelity discovery of critical events a priority.
As organizations embrace new technologies and ways of working including AI, cloud and remote access, the identity control plane becomes the critical glue to deliver collaborative data sharing and transaction processing. But that layer needs to be continually monitored for malicious usage and behaviours.
About The Author
Simon Moffatt has nearly 25 years of experience in IAM, cyber and identity security. He is the founder of The Cyber Hut – a specialist research and advisory firm based out of the UK. He is author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.