Moving from Protection to Detection (guest blog from The Cyber Hut)
This is the first of a three-part series taking a look at the need for a more end-to-end approach to identity life cycle security, a focus on IAM detection engineering, and the capabilities needed to deliver success in this area.
For today’s modern enterprise, isolated and resource-centric security investment and controls are no longer working. Data breaches leveraging the identity and access management (IAM) infrastructure are common, on the rise, and impacting organizations in every geography, sector and size. As organizations look to improve their security posture, investment in existing technology components is no longer enough. Organizations wish to move to a preventative security model, which reduces the impact and cost of recovery. However, they can’t get there, because they are often limited by narrowly focused protective controls.
Endpoint security, data security, network security and the basic tenets of IAM, such as identity proofing, strong MFA, PAM and IGA, are now just table-stakes architectural patterns. Poor interoperability, proprietary data management systems and a lack of holistic thinking are leaving huge gaps in both visibility and responsive control.
Issues with Protective Controls
➔ Resource Centric
➔ Limited Visibility Before and During Breach
➔ Difficulty Measuring Coverage and Assurance

The historic design pattern of resource-centric and isolated identity products has led to a vertical expansion in controls. Whilst incremental innovations such as strong MFA, passkeys, governance-focused co-pilots and just-in-time provisioning are hugely important and to be actively encouraged, they are often linear in their application, focusing only on a subset of systems or users. Interconnected security is typically limited, resulting in clear blind spots.

Traditionally, identity governance and administration (IGA) products often cover only around 20% of all applications, with specific constraints around connectors, workflows and onboarding. PAM is typically used for the on-premises resources deemed to be at most risk of administrative attack. Whilst there are great innovations in the authorization space, such as the move to just-in-time provisioning and zero standing privileges, organisations are still often early in the migration journey, with only a subset of applications under this modern approach.
So whilst strong controls exist in vertically integrated ways, they are often too narrow in execution, or can be subverted by attackers who will simply migrate to the most effective way of gaining access. Why attack a single biometric on an identity if you can simply attack the underlying profile store that holds thousands of records? Why attack the IdP when it is perhaps easier to steal and manipulate the issued access token instead? As a result, we see big gaps across the IAM infrastructure pillars where no behavioural analysis is taking place.
Even with the advent of tooling such as CNAPP, CSPM and EDR, the monitoring aspect is resource-specific, not looking holistically at the end-to-end identity and activity life cycle. Scanning for misconfiguration, or even for specific patterns of malicious activity using indicators of compromise, is often too focused on a particular system and its known vulnerabilities. Attacker behaviour changes more dynamically than this, making such linear approaches unscalable.
Defenders Thinking in Vertical Resources
➔ Inconsistent Experiences and Expectations
➔ Poor Controls Assurance and Visibility
➔ Identity as the Binding Security Factor
Risk management frameworks such as the NIST Cyber Security Framework, ISO 27001/1 and the Center for Internet Security controls all provide IAM-specific control points, from better management of identity data and the reduction of excessive permissions to stronger authentication and onboarding. But these are often deployed in silos: within specific commercial products, or for specific subsets of users or application groups. Inconsistent experiences rapidly emerge, for both end users and administrators of the management plane.

Security response is also impacted, with poor overall visibility of deployed controls and a lack of assurance guarantees for capabilities such as deprovisioning, strong authentication and contextual access controls, each often being configured differently and implemented independently. The only consistent factor in every interaction, of course, is a subject and the object they wish to access.
If we start to think of risk management through an identity lens, we can consider the entire life cycle of the identity: from creation, usage and credential management through to access control and account activity analysis. In this more holistic approach, we can understand more about the end-to-end risk associated with an identity, and we see the emergence of specialist identity risk management functions. This allows us to move beyond not only point-based controls but also static rules and declarations that are often too coarse-grained and fragile. Detection of vulnerabilities at both the identity data and runtime behaviour layers provides a flexible foundation for adaptive responses across a range of control points. It is important to first understand the gaps in coverage, and then in turn be able to analyse the impact and likelihood of threats across the identity management data and usage plane.
Defenders are often incentivized to manage specific resources and systems: perhaps managing only cloud systems, or an API team not interested in front-end security, or a data management group not interested in the API layer.
This resource-centred and isolated approach to risk weakens security and adds operational overhead, often with overlapping and ineffective ways of both detecting and responding to threats.
Detection as Horizontal and End to End
➔ Need to Consider End to End Journey of Identity
➔ Understand Hand Off Points Across Systems
➔ Supporting Strategic Response Functions
If we start to think of identity risk and control as a more end-to-end activity, we not only develop an overlay model of security, but can also start to support a more agile and responsive approach to change, including adversarial change, and build a foundation for remediation and automated response.

This end-to-end approach should also consider both human and non-human identities, and the possible linkage between these two often separate worlds. But first we need to consider what we’re detecting and what data points we need to make that work. IAM “detection engineering” is highly reliant on data: the more data you have, the better the decisions you can make. This will include IAM infrastructure components, applications, data access, cloud service providers and network activity, as well as external threat intelligence platforms that capture the tactics, techniques and procedures (TTPs) of a range of threat actors.
The more data we have, the broader the set of use cases and threats that can be detected. This can cover both internal and external adversarial activity, from malicious insider threats through to complex lateral movement or data exfiltration: use cases that historically have been very difficult to both detect and respond to, due to siloed management.
This holistic approach to detection will also support new stakeholders, including security operations for improved investigation, identity and access management teams for improved detection of account takeover and credential breaches, and security teams for improved identification of control weaknesses.
The strategic success point is not only detecting malicious activity; it is the ability to assist in more flexible and inline ways of responding to threats, with both automated and semi-automated remediation functions. The remediation arsenal will cover a range of options, from inline changes to sessions and access, through deception and degradation, right through to changes to policy and future access.
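The cross-system correlation that this section and the identity-lens paragraph above describe, as an added example written for this page (Python; not code from the original post or from The Cyber Hut). It takes constructed events from three sources with different schemas, an IdP, an IGA platform and a cloud audit log, normalises them into one timeline per identity, and runs three detections that only make sense across the hand-off points between sources: activity after IGA deprovisioning, a factor enrolment shortly after a new-location login, and an issued token being presented to the cloud from a different address than it was issued to. All source names, field names, identities, token ids and IP addresses (documentation ranges) are assumptions.

```python
"""Horizontal identity detection across IdP, IGA and cloud audit events.
Added example, not code from the original post or from The Cyber Hut; sources,
field names, identities, token ids and IP addresses are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed sample feeds, each with its own schema (not real product logs).
IDP_EVENTS = [
    {"user": "alice", "event": "login", "ts": "2024-05-01T08:00:00",
     "ip": "203.0.113.10", "new_location": False, "token_id": "tok-a1"},
    {"user": "bob", "event": "login", "ts": "2024-05-01T09:00:00",
     "ip": "198.51.100.7", "new_location": True, "token_id": "tok-b1"},
    {"user": "bob", "event": "mfa_enrolled", "ts": "2024-05-01T09:20:00",
     "ip": "198.51.100.7", "factor": "sms"},
    {"user": "carol", "event": "login", "ts": "2024-05-02T10:00:00",
     "ip": "203.0.113.22", "new_location": False, "token_id": "tok-c1"},
]
IGA_EVENTS = [
    {"identity": "alice", "action": "role_grant", "time": "2024-04-30T12:00:00"},
    {"identity": "carol", "action": "deprovision", "time": "2024-05-02T09:00:00"},
]
CLOUD_EVENTS = [
    {"principal": "alice", "api": "GetObject", "eventTime": "2024-05-01T08:05:00",
     "sourceIP": "203.0.113.10", "token_id": "tok-a1"},
    {"principal": "alice", "api": "ListBuckets", "eventTime": "2024-05-01T11:00:00",
     "sourceIP": "192.0.2.99", "token_id": "tok-a1"},
    {"principal": "carol", "api": "GetObject", "eventTime": "2024-05-02T10:05:00",
     "sourceIP": "203.0.113.22", "token_id": "tok-c1"},
]

def normalize(idp, iga, cloud):
    """Map each source's schema onto one common shape and order everything by time."""
    events = []
    for e in idp:
        events.append({"source": "idp", "identity": e["user"], "type": e["event"],
                       "ts": datetime.fromisoformat(e["ts"]), "attrs": e})
    for e in iga:
        events.append({"source": "iga", "identity": e["identity"], "type": e["action"],
                       "ts": datetime.fromisoformat(e["time"]), "attrs": e})
    for e in cloud:
        events.append({"source": "cloud", "identity": e["principal"], "type": "api_call",
                       "ts": datetime.fromisoformat(e["eventTime"]), "attrs": e})
    return sorted(events, key=lambda ev: ev["ts"])

def finding(rule, identity, evidence):
    return {"rule": rule, "identity": identity, "evidence": evidence}

def rule_activity_after_deprovision(identity, tl):
    """IGA removed the identity but the IdP or cloud still sees it act: the
    deprovisioning assurance gap, invisible to each pillar on its own."""
    deprov = [ev["ts"] for ev in tl if ev["source"] == "iga" and ev["type"] == "deprovision"]
    if not deprov:
        return []
    return [finding("activity_after_deprovision", identity,
                    f"{ev['source']}:{ev['type']} at {ev['ts']} after deprovision at {deprov[-1]}")
            for ev in tl if ev["source"] != "iga" and ev["ts"] > deprov[-1]]

def rule_mfa_change_after_new_location_login(identity, tl, window=timedelta(hours=1)):
    """New-location login followed within `window` by a factor enrolment: a
    common account-takeover indicator that the IdP alone rarely joins up."""
    logins = [ev for ev in tl if ev["source"] == "idp" and ev["type"] == "login"
              and ev["attrs"].get("new_location")]
    enrols = [ev for ev in tl if ev["source"] == "idp" and ev["type"] == "mfa_enrolled"]
    return [finding("mfa_change_after_new_location_login", identity,
                    f"login from {lg['attrs']['ip']} at {lg['ts']}, factor enrolled at {en['ts']}")
            for lg in logins for en in enrols if lg["ts"] < en["ts"] <= lg["ts"] + window]

def rule_token_used_from_other_ip(identity, tl):
    """Join IdP token issuance to cloud audit calls: a token presented from an
    address other than the one it was issued to means the token has moved."""
    issued = {ev["attrs"]["token_id"]: ev["attrs"]["ip"] for ev in tl
              if ev["source"] == "idp" and ev["type"] == "login" and "token_id" in ev["attrs"]}
    calls = [ev["attrs"] for ev in tl if ev["source"] == "cloud"]
    return [finding("token_used_from_other_ip", identity,
                    f"{c['token_id']} issued to {issued[c['token_id']]}, used for {c['api']} from {c['sourceIP']}")
            for c in calls if c.get("token_id") in issued and issued[c["token_id"]] != c["sourceIP"]]

RULES = [rule_activity_after_deprovision, rule_mfa_change_after_new_location_login,
         rule_token_used_from_other_ip]

def detect(events):
    """Group events into one timeline per identity and run every rule over it."""
    by_identity = {}
    for ev in events:
        by_identity.setdefault(ev["identity"], []).append(ev)
    out = []
    for identity, tl in by_identity.items():
        for rule in RULES:
            out.extend(rule(identity, tl))
    return out

def run_sample():
    return detect(normalize(IDP_EVENTS, IGA_EVENTS, CLOUD_EVENTS))

if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['rule']}] {f['identity']}: {f['evidence']}")
```

Running the file prints four findings from the sample data: two for the deprovisioned identity that keeps authenticating and calling the cloud API, one for the new-location login followed by an MFA enrolment, and one for a token reused from a different address. In practice the `normalize` step is where most of the effort goes, since each product's connector, log format and identity key differ, and `detect` is the point at which external threat intelligence or behavioural baselines would be added as further rules.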
About The Author
Simon Moffatt has nearly 25 years’ experience in IAM, cyber and identity security. He is founder of The Cyber Hut – a specialist research and advisory firm based in the UK. He is author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.