Kapil Raina, Identity Protection Evangelist at CrowdStrike, explains why identity protection is crucial, how this differs from what IAM vendors provide and what organisations need to know when they evaluate security vendors.
As organisations have strengthened protection for their networks and endpoints, compromising identities has become a focal point for infiltrating organisations. We’ve seen a rapid rise in the prevalence of identity-based attacks: nearly 80% of attacks are identity-based, compromising legitimate credentials and using techniques like lateral movement to quickly evade detection. Organisations must be experts at understanding adversaries and their motivations in order to detect and respond to these threats.
While the cybersecurity industry may have various definitions of XDR, Gartner recommends choosing an XDR tool that includes at minimum: endpoint, data lake, orchestration, source of identity data for correlation, and threat intelligence.
The problem is, most XDR vendors fail to integrate identity protection in a meaningful way. While Identity and Access Management (IAM) is important, it does not fully defend against identity-based attacks. XDR vendors as a whole are not designed, from the ground up, with the telemetry needed to identify modern identity-based attacks in real time across hybrid environments, remote workers and multiple identity stores without disrupting users.
Where IAM falls short
It’s always about the keys to the kingdom. An adversary’s ultimate goal is always to gain access to critical data, typically as a privileged user, and move about undetected.
IAM vendors are extremely effective at managing digital identities across their life cycles, from provisioning to de-provisioning, allowing organisations to manage users’ digital identities and ensuring all users have access to the resources they need to perform their roles. Many organisations lean on these vendors as part of their Zero Trust efforts.
The problem is, these IAM solutions have been on their own ‘island’ for a while now, leading to potential blind spots. In some cases, the IAM provider has challenges in securing its own infrastructure. When attackers use compromised credentials, they can infiltrate a network and circumvent the existing security solutions that organisations may have in place. This blind spot was not fully understood or appreciated until recently. Organisations need to seamlessly marry detection and enforcement in order to prevent this type of activity.
Identity protection: Asking the right questions
Identity-based attacks are increasing the speed at which an adversary can gain access to, and move throughout, an organisation. It takes an average of one hour and 24 minutes for attackers to move laterally within an organisation — typically using identity-based attacks. If an adversary uses a valid credential, it’s much harder to determine that it’s malicious. You need real-time, full visibility across your security stack in order to identify potentially malicious behaviour and quickly act on it.
Can you detect and defend against identity-based attacks? Ask your organisation the following:
- Do you have enough information from native and third-party sources, including behavioural analytics?
- Can you process what’s happening and stop it in real time? Do you leverage risk-based conditional access to minimise false positives?
- Can you see and protect everything in your environment, including unmanaged or legacy systems?
- Can you take proactive action to contain a breach? This may include using risk scoring to block a compromised identity from being used at other endpoints or ensuring segmentation to prevent lateral movement.
The majority of today’s XDR solutions lack the capabilities to help organisations answer the above questions. We’ve seen most XDR vendors have a particular area of expertise, whether that’s starting at the network or making a SIEM or SOAR solution appear more attractive. However, by Gartner’s definition, they have to do it all if they’re going to call themselves an XDR solution.
While XDR extends detection and response from the endpoint across all environments, you can’t forget the individual or the identity in all of this — and you certainly can’t forget the threat intelligence aspect. Newer XDR solutions have trouble correlating attack patterns to determine whether an identity is compromised (for example, recognising in real time that a known identity is authenticating from an unmanaged endpoint). To understand when, or whether, there is an attack, you need the endpoint and identity telemetry, but you also need deep adversary knowledge against which to compare the observed activity.
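To make the correlation described above concrete, here is an added example (not code from the article or from any CrowdStrike product) that joins identity-provider authentication events with an endpoint inventory, scores each identity on two of the signals the article names (a known identity appearing on an unmanaged endpoint, and authentication to several distinct hosts within a short window, the lateral-movement pattern) and turns the score into a risk-based conditional-access decision. The telemetry, host names, window length and score thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption, not from the article): an endpoint
# inventory of managed hosts and a handful of successful authentication events.
MANAGED_HOSTS = {"WS-FIN-01", "WS-FIN-02", "SRV-FILE-01"}

AUTH_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "host": "WS-FIN-01", "result": "success"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "host": "SRV-FILE-01", "result": "success"},
    {"ts": "2024-05-01T09:07:00", "user": "alice", "host": "WS-FIN-02", "result": "success"},
    {"ts": "2024-05-01T09:09:00", "user": "alice", "host": "KIOSK-LOBBY", "result": "success"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "host": "WS-FIN-02", "result": "success"},
    {"ts": "2024-05-01T13:30:00", "user": "bob", "host": "WS-FIN-02", "result": "success"},
]

LATERAL_WINDOW = timedelta(minutes=30)  # assumed tuning value for the sliding window
LATERAL_HOSTS = 3                        # assumed: this many distinct hosts in one window is suspicious


def _parse(ts):
    return datetime.fromisoformat(ts)


def score_identities(events, managed_hosts, window=LATERAL_WINDOW, min_hosts=LATERAL_HOSTS):
    """Correlate identity telemetry (auth events) with endpoint telemetry (inventory).

    Returns {user: {"score": int, "reasons": [str, ...]}}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    results = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        score, reasons = 0, []

        # Signal 1: a known identity authenticating from an endpoint that is not in inventory.
        unmanaged = sorted({e["host"] for e in evs if e["host"] not in managed_hosts})
        if unmanaged:
            score += 40
            reasons.append("auth from unmanaged host(s): " + ", ".join(unmanaged))

        # Signal 2: many distinct hosts inside one sliding window (lateral-movement pattern).
        max_hosts = 0
        for i, start in enumerate(evs):
            t0 = _parse(start["ts"])
            hosts = {e["host"] for e in evs[i:] if _parse(e["ts"]) - t0 <= window}
            max_hosts = max(max_hosts, len(hosts))
        if max_hosts >= min_hosts:
            score += 50
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"{max_hosts} distinct hosts within {minutes} min")

        results[user] = {"score": score, "reasons": reasons}
    return results


def conditional_access(score):
    """Risk-based conditional-access decision; thresholds are assumptions."""
    if score >= 80:
        return "block"    # contain: stop the identity being used on further endpoints
    if score >= 40:
        return "step-up"  # require a fresh MFA challenge before continuing
    return "allow"


if __name__ == "__main__":
    for user, r in score_identities(AUTH_EVENTS, MANAGED_HOSTS).items():
        print(user, r["score"], conditional_access(r["score"]), r["reasons"])
```

With the constructed data, alice trips both signals (four hosts in nine minutes, one of them unmanaged) and is blocked, while bob, who only ever authenticates to his own managed workstation, is allowed; the step-up tier shows how risk scoring lets a single weaker signal trigger re-authentication rather than a hard block, which is what keeps false positives from disrupting users.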
XDR with identity protection: Better together
There is a real complexity that exists in identifying and responding to real-time attacks if you’re only looking at one piece of a fragmented puzzle, or you have swivel chair syndrome with your security tooling. IAM is only one piece of the identity protection puzzle. A holistic XDR solution – one that connects endpoint, identity and threat intelligence together, ensuring coverage everywhere (cloud, on-prem, mobile, unmanaged devices and more) – is the only way to solve this effectively.
When it’s done right, organisations have unified cross-domain detections and investigations to effectively connect the dots, understand the context and automate the risk response to stop or contain adversary attacks. XDR with identity protection not only stops threats but improves the bottom line. For example, Safelite’s CISO, Grant Sewell, spoke at a conference about the operational expense savings: a 75% reduction in password-reset support requests, an 8% reduction in phishing susceptibility and a 32% reduction in unnecessary user access rights. A holistic XDR solution that can correlate native and third-party cross-domain telemetry – spanning network, email, endpoint, identity, web applications, cloud and SaaS apps, workloads, third-party systems, security tools and more – wins.
Whatever you do, don’t neglect the importance of identity protection within your XDR solution.