The Complexities of Identity Security Today
Kamau Kung'u
Content Writer | ICT Professional | Cybersecurity Specialist | Curious Mind
Organizations today are navigating a treacherous and highly unpredictable digital landscape. The motives of malicious actors – ranging from financial gain to cyber espionage and disruption of critical services – are as varied as their methods. At the same time, organizations are managing internal complexities, from intricate application stacks to dispersed, globally distributed hybrid workforces and a variety of devices accessing their applications and systems. The challenge for IT security and operations professionals has evolved from keeping systems running smoothly to acting as vigilant defenders against a host of cyber threats.
As organizations continue to grapple with increasingly sophisticated cybersecurity threats, there is a demand for holistic access and identity management tools combining multiple capabilities. AI is one of the emerging technologies that can be applied to identity security use cases. Although AI itself is a threat because attackers are devising ways to leverage AI tools to launch sophisticated attacks, there is no denying that cybersecurity teams can benefit from AI capabilities to improve identity posture and bolster identity security.
The Complexity of Access Management Today
Access management is a key area where organizations are facing significant challenges today. Attackers are getting better at obtaining and using valid credentials. According to insights from research conducted by AppOmni on SaaS platforms, the use of legitimate credentials to gain access is becoming increasingly common. Levene, the principal product manager at AppOmni, further remarked that “most of the time, threat actors are trying to enter through the front door,” an approach that has become highly effective and offers a high return on investment. The increased sophistication of attackers and their use of valid credentials underline the complexity of ensuring, through access management, that only authorized users have access to enterprise networks and systems.
Organizations need security solutions that understand the behaviors of their end users and detect events requiring attention and action. The reality of the threat landscape today implies that organizations need the tools to respond if bad actors maneuver past their defenses. The attack playbook has revealed the need to provide users with additional protection beyond passwords and second authentication factors. Effective access management solutions must go beyond the traditional push request. The Uber hack exposed the vulnerabilities and flawed nature of push notification 2FA as a multi-factor method. Having push notification 2FA is better than not having any form of MFA, but its inherent weaknesses imply that, in today’s context, it is an ineffective access management method for protecting against cyberattacks. MFA is an important security measure, but it’s not enough on its own. The fact that organizations are facing more sophisticated threats implies that there is a need for additional layers of security.
In the Global Threat Report 2024, security firm CrowdStrike highlighted that the dynamics of access management today mean that sophisticated attacks can be launched successfully in minutes. Part of the reason is that adversaries today are accessing credentials in multiple ways and using techniques such as interactive, hands-on-keyboard attacks and legitimate tools to evade detection. Adversaries can gain access by authenticating to enterprise networks and systems using valid credentials or by stealing session cookies and tokens to appear as legitimate users. The CrowdStrike report indicates that threat actors such as FANCY BEAR conduct regular credential collection and credential phishing campaigns to capture credentials from unwitting users. This emphasizes the need for organizations to prioritize protecting identities.
Identity is the New Perimeter
By now, you’re probably hearing this statement for the umpteenth time. The relevance of the argument that identity is the new perimeter cannot be overstated, because the shift of the security perimeter from the traditional network boundary to identity is so critical. The underlying argument behind the claim that identity is the new perimeter is the value of identity as the common denominator. In other words, identity is directly linked to corporate access, and it’s used regardless of contextual factors such as device, network, or location. Access to enterprise resources can only be granted through identity authentication and authorization.
Identity is the central control point on which all access authentication and authorization decisions are based. This makes identity a granular control: it is possible to build policy around it to improve security. Given that the corporate network is a declining security signal, there is no doubt that identity is the new frontier in cybersecurity. Organizations should adopt security models focused on identity and access control as a more agile method of providing protection from cyber threats. At the same time, this approach is not the most straightforward because of the complexity of securing identity as a perimeter. Without proper visibility, threat detection, and response, identity infrastructure gives adversaries the opportunity to gain access and infiltrate systems.
It is clear that effective identity security is integral to preventing cyberattacks. IT and security decision-makers understand the prevalence of identity-based threats and are working diligently to tackle them. However, the key challenge is that there is still a dependence on static, manual techniques involving human effort and skill. The identity attack surface has become more dynamic, and cyber criminals are leveraging automation and AI to launch sophisticated large-scale attacks. This implies that current identity security techniques will not be able to keep up with the nature and sophistication of cyber threats.
Identity security is complex. It requires oversight of multiple components, including:
· User Identity: This represents a specific user, and it is usually associated with unique credentials required to authenticate and grant access.
· Device Identity: This can be uniquely associated with specific users. The status and trustworthiness of a device affect the user’s access to different resources in a typical system.
· Attributes: These include the user’s roles, location, department, etc. These properties are used to determine and enforce access policies.
· Permissions: These determine the rights given to an identity to access resources, based on what it should access and the actions it can perform upon gaining access.
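The four components above only become a control when they are evaluated together for each access request. The following is an added illustration (not code from the article or any product it mentions) of a policy check in which valid credentials alone never produce an "allow": the device, its owner, the user's attributes and the role's permissions all have to agree. All names, resources and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed example: the four identity components the article lists,
# combined into one access decision. Names and thresholds are assumptions.

@dataclass
class UserIdentity:
    username: str
    mfa_verified: bool          # credentials AND a second factor were presented

@dataclass
class DeviceIdentity:
    device_id: str
    managed: bool               # enrolled in MDM/EMM
    days_since_patch: int       # constructed posture metric
    owner: str                  # username the device is registered to

@dataclass
class Attributes:
    role: str
    department: str
    country: str

@dataclass
class Permission:
    resource: str
    actions: set = field(default_factory=set)

# Policy table: what each role may do on each resource (assumed values).
ROLE_PERMISSIONS = {
    "engineer": [Permission("source-repo", {"read", "write"})],
    "finance":  [Permission("ledger", {"read", "write"})],
    "admin":    [Permission("idp-console", {"read", "write", "configure"})],
}

def evaluate_access(user, device, attrs, resource, action, allowed_countries=("US", "KE")):
    """Return (decision, reason). Valid credentials alone never reach 'allow'."""
    if not user.mfa_verified:
        return ("deny", "credentials only; second factor missing")
    if device.owner != user.username:
        return ("deny", "device registered to a different identity")
    if not device.managed:
        return ("step-up", "unmanaged device; require device posture check")
    if device.days_since_patch > 30:
        return ("step-up", "device patch level out of policy")
    if attrs.country not in allowed_countries:
        return ("deny", f"login from {attrs.country} is outside policy")
    for perm in ROLE_PERMISSIONS.get(attrs.role, []):
        if perm.resource == resource and action in perm.actions:
            return ("allow", "identity, device, attributes and permission all satisfied")
    return ("deny", f"role {attrs.role} has no {action} on {resource}")
```

The "step-up" outcome is where a second, contextual check (device posture, re-authentication) would be requested rather than a plain push prompt.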
Trends in Identity Today
Identity-based attacks have become more frequent in recent times. The targets include some of the largest technology companies, such as Google. Gmail and YouTube users have been victims of attacks launched by targeting Google’s 2FA security and locking legitimate users out. A quick glance at the support forums of Google products such as Gmail and YouTube reveals desperate users asking questions about account recovery. Arguably, most of these users are victims of session cookie hijacking attacks, which often involve phishing campaigns and malware designed to capture session cookies.
One of the key trends in identity today is the rapid expansion of the identity surface. This expansion can be attributed to increasingly complicated infrastructure and the lack of visibility across tools. As a result, organizations are struggling with what is known as identity sprawl. This occurs in environments where users have multiple accounts managed by different systems that are not synchronized, which is common today. This situation presents a continuous security risk and complex operational challenges for many IT and security teams. Identity sprawl is an evolving challenge because it becomes harder for security teams to identify how credentials get compromised when they are obtained from devices that may be outside the organization’s visibility. The increasing adoption of a perimeter-less work culture and practices such as BYOD is a visibility nightmare for organizations because a significant number of identities go unmanaged or unchecked.
Another key element contributing to this is the fact that in the modern workspace, employees often have multiple identities across multiple systems, platforms, and applications. These digital identities can range from email accounts to access credentials that allow employees to use internal systems and platforms that are part of the application stack, such as Slack, Okta, AWS, and Entra. From a cybersecurity perspective, the proliferation of digital identities has implications for both security and productivity. The increase in digital identities is also due to how organizations today have an internationally dispersed workforce. This implies that there is a mix of employees, clients, contractors, and third parties who can access the enterprise infrastructure from different locations on different devices, operating systems, and networks. This introduces additional complexities and vulnerabilities because the various users can access system data and resources from a much larger set of endpoints and networks. Additionally, this reinforces the concept that context is the new MFA, because identity security is constantly evolving. Without proper security measures in place, organizations can leave security gaps and vulnerabilities that can be exploited to launch identity-based attacks.
The other key trend is the increasing complexity of identity attacks. Attackers are coming up with clever ways of circumventing access controls by targeting weaker posture areas and then moving laterally after gaining access. The identity threat landscape is rapidly evolving, and trusted identity providers are falling under attack. Attackers can obtain initial access through nefarious methods such as brute force attacks, malware, or access brokers. After gaining initial access, attackers can then operate undetected inside the environment by masquerading as authenticated and valid user accounts. Lateral movement and privilege escalation allow adversaries to gain administrator access to own the entire trust fabric. Having elevated privileges will then enable attackers to cover their tracks and maintain their covert access for long periods.
The Need for Comprehensive Identity Security
There is no denying that organizations today are struggling with managing endpoints requiring access to corporate data and applications. There is a multitude of unmanaged devices residing outside the control of corporate Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) solutions, which increases the security risk. Trust in users is vital but no longer enough because the addition of external vendors, contractors, and other third parties adds complexity to a closed, managed endpoint-only access policy. The starting point for establishing device trust and guaranteeing identity security is gaining a comprehensive understanding of the devices, including the operating systems, browsers in use, the patch levels, and how they comply with corporate security policies. These are granular-level elements that can be addressed through identity and access management policies.
Visibility is clearly a major challenge. Gaining visibility into and securing multiple devices is still a continuous battle, especially for organizations and industries with a diverse pool of endpoints. The variability of devices in the modern environment makes it challenging for corporate entities to guarantee visibility and trust without a dedicated security layer.
Visibility across the identity infrastructure requires organizations to have continuous monitoring across identity and the broader application stack. This kind of visibility is a must-have when addressing the wide range of identity attacks that attackers can concoct. Strong authentication mechanisms should be at the core of the security posture as an important line of defense that allows organizations to confirm the identities of users accessing the network. However, it is important to acknowledge that robust authentication is just one piece of the cybersecurity puzzle.
The lack of visibility is a major challenge because organizations can’t protect what they can’t see. Additionally, organizations lack a consolidated view of the identity infrastructure. The lack of a consolidated view poses a major challenge, not because organizations don’t have the tools in place but because identity-based detection is either too specific or too general. Identity-provider solutions are too specific, which contributes to limited visibility and adds to the complexity because of the lack of context and correlation.
Meanwhile, SIEM solutions are too general: their detections are too broad and their response capability is limited. It can be difficult for SIEM tools to enrich data sources. The challenges associated with visibility, or its lack thereof, result in ineffective alerting and slow response. Ineffective alerting is caused by noisy identity alerts and identity detection that is prone to many false positives. Meanwhile, slow responses undermine efforts to limit the blast radius and slow down remediation workflows.
The dynamics of identity security today indicate that organizations should implement comprehensive identity security solutions. Identity-centric security is a dynamic and multifaceted endeavor that demands organizations implement comprehensive and adaptive strategies that integrate advanced authentication, endpoint protection, continuous monitoring, network security solutions, and an informed and cyber-aware workforce.
The key goal is to have an identity management platform that can improve visibility into the identity ecosystem by connecting the different sources into an identity graph to gain insight. An identity graph helps security teams understand what is happening in the identity and access environments by providing insights into areas such as MFA adoption and usage and privileged accounts and activity. A comprehensive identity security tool should cover the four pillars of identity security: identify, detect, protect, and respond. Improved identity security reduces the risk of a breach, improves compliance, and enhances incident response.
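To make the identity graph idea concrete, here is an added example (not the article's or any vendor's code) that links constructed account records from the systems the article names to the people behind them, then answers the questions the text raises: where identity sprawl is concentrated, what MFA adoption looks like, which privileged accounts lack MFA, and which accounts are linked to no person at all. Every record, email address and flag is made up.

```python
from collections import defaultdict

# Constructed sample: account records as they might be exported from the
# systems the article names. People, accounts and flags are invented.
ACCOUNTS = [
    {"system": "Okta",  "account": "alice@example.com", "person": "alice", "mfa": True,  "privileged": False},
    {"system": "AWS",   "account": "alice-admin",       "person": "alice", "mfa": False, "privileged": True},
    {"system": "Slack", "account": "alice",             "person": "alice", "mfa": True,  "privileged": False},
    {"system": "Entra", "account": "bob@example.com",   "person": "bob",   "mfa": True,  "privileged": True},
    {"system": "AWS",   "account": "bob",               "person": "bob",   "mfa": True,  "privileged": False},
    {"system": "AWS",   "account": "svc-deploy",        "person": None,    "mfa": False, "privileged": True},
]

def build_identity_graph(records):
    """Edges person -> accounts, plus per-account properties keyed by (system, account)."""
    graph = defaultdict(set)
    props = {}
    for r in records:
        key = (r["system"], r["account"])
        props[key] = r
        graph[r["person"]].add(key)
    return graph, props

def sprawl_report(graph, threshold=3):
    """People whose accounts are spread across `threshold` or more separate systems."""
    return sorted(p for p, accts in graph.items()
                  if p is not None and len({system for system, _ in accts}) >= threshold)

def mfa_adoption(props):
    """Share of all accounts with MFA enabled, rounded to two decimals."""
    total = len(props)
    return round(sum(1 for r in props.values() if r["mfa"]) / total, 2) if total else 0.0

def privileged_without_mfa(props):
    """Privileged accounts that still rely on a password alone: the highest-risk gap."""
    return sorted(k for k, r in props.items() if r["privileged"] and not r["mfa"])

def orphaned_accounts(graph):
    """Accounts linked to no person: the unmanaged identities the article warns about."""
    return sorted(graph.get(None, set()))
```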
How Can AI Improve Identity Security?
The challenges associated with identity security show that organizations can deploy multiple solutions to manage and secure their ecosystem and still find it hard to gain the requisite visibility into all the devices accessing their hybrid environments. This is especially true for devices outside the control of the IT department, such as those used by contractors, third parties, and remote employees. IT and security teams often lack visibility into these devices, which makes it challenging to verify their authentication status and validity before granting access to system data and resources. This leads to increased cyber risk and non-compliance with security policies and regulations. The question then becomes how AI can contribute to identity security in modern enterprises.
The potential of AI as part of the cyber defense strategy is immense. AI can play a key role in identity security to surface information and support human oversight to improve accuracy and effectiveness. The true value of AI is its ability to analyze large datasets and identify anomalies that people would not detect and respond to in time using manual methods. AI can enhance identity security in two main ways.
· Intelligent Authorization: An intelligent system can define and optimize authorization policies to ensure they can be applied automatically. This approach can make it easier for security professionals to do the right thing by moving identity security into the background.
· Intelligent Session Monitoring: Using intelligent systems for session monitoring can help security teams uncover, prioritize, and tackle identity security risks. Intelligent AI systems can tell which reports or anomalies should be prioritized so that security teams do not waste time reviewing logs or pursuing false positives. AI can surface important data and provide context to understand what reports mean before taking the necessary action.
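The session monitoring point above, and the session cookie hijacking described earlier, can be shown with a small scoring rule rather than a full AI system. This added example (not from the article) parses constructed access-log lines, flags sessions whose client fingerprint changes mid-session, and weights the finding higher when a sensitive action follows the change, so that a lone IP change (a common, noisy signal) stays below the alert threshold. The log format, user-agent hashes, IP addresses and weights are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of access-log lines (not real data). Assumed format:
# <epoch> session=<id> user=<name> ip=<addr> ua=<fingerprint> action=<verb>
LOG_LINES = """
1000 session=s1 user=alice ip=203.0.113.10 ua=ff01 action=read
1030 session=s1 user=alice ip=203.0.113.10 ua=ff01 action=read
1060 session=s1 user=alice ip=198.51.100.7 ua=9c2e action=read
1065 session=s1 user=alice ip=198.51.100.7 ua=9c2e action=change_mfa
1100 session=s2 user=bob ip=203.0.113.55 ua=ab12 action=read
1200 session=s2 user=bob ip=203.0.113.56 ua=ab12 action=read
""".strip().splitlines()

LINE_RE = re.compile(r"(\d+) session=(\S+) user=(\S+) ip=(\S+) ua=(\S+) action=(\S+)")
# Actions that change the account's security state (assumed list).
SENSITIVE = {"change_mfa", "add_api_key", "grant_role"}

def parse(lines):
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    return [dict(zip(("ts", "session", "user", "ip", "ua", "action"), m.groups()))
            for m in map(LINE_RE.match, lines) if m]

def score_sessions(events, alert_threshold=3):
    """One finding per session whose client fingerprint changed mid-session.
    Weights (assumed): +1 new IP, +2 new user agent, +3 sensitive action
    after any change. Findings below alert_threshold are suppressed."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        score, reasons, changed = 0, [], False
        for prev, cur in zip(evs, evs[1:]):
            if cur["ip"] != prev["ip"]:
                score += 1; reasons.append("ip changed"); changed = True
            if cur["ua"] != prev["ua"]:
                score += 2; reasons.append("user-agent changed"); changed = True
            if changed and cur["action"] in SENSITIVE:
                score += 3; reasons.append(f"{cur['action']} after fingerprint change")
        if score >= alert_threshold:
            findings.append({"session": sid, "user": evs[0]["user"],
                             "score": score, "reasons": reasons})
    # Highest-risk sessions first, which is the prioritization the text calls for.
    return sorted(findings, key=lambda f: -f["score"])
```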
Conclusion
Identity security is a fundamental part of access management. Securing and verifying identities is one of the most complex challenges organizations face today. Attackers are using increasingly sophisticated methods to launch attacks, and a significant percentage of these attacks leverage credentials. The key challenge is identifying whether identities accessing system resources are valid, even in cases where they are using valid credentials, because adversaries are increasingly using correct credentials to gain access. Organizations should implement multi-layered defense systems comprising comprehensive identity security systems and AI tools to help with intelligent authorization and session monitoring. The focus should be on adopting identity threat detection and response capabilities that offer visibility across an organization’s ecosystem in a single, comprehensive interface.