AI-Driven Threat Detection: Truths and Questions

As a long time IT, cybersecurity, and identity professional, I’ve seen a lot of public and private truths come and go in my time.

A public truth is a trendy claim people make in public. It’s their idealized version of how things “should be.” A private truth is what they actually do on the ground, in their own organizations. Often, private truths exist because organizational requirements, legacy technology, or culture make realizing the public truth exceedingly difficult.

• Public truth: Static user-selected passwords will disappear in 10 years (circa 2014).
• Private truth: Passwords are easy, cheap, and users understand them. Prepare for a future with passwords—but continue to embrace and evolve other methods to mitigate the worst-case scenarios. (Folks admitted to this private truth in our Passwords and Passwordless Authentication Report).
  
  
• Public truth: Multi-factor authentication (MFA) solves all manner of breach by credential theft (circa 2009).
• Private truth: MFA is great, but it’s often missing or misconfigured, MFA fatigue exhausts users, and the bad guys will adapt and work around it. Therefore, layer your authentication and security controls.

When it comes to identity security (protecting access and authorization of your digital identities), the public truth is that best practice frameworks, regulatory compliance, and cyber insurance companies call for strong preventive and mitigating controls.

However, the private truth is that very few organizations have a good handle on who their privileged users are, what they have access to, or what they should have access to.

It’s a wild-west frontier with multiple teams tracking identities and permissions in their respective areas, siloed toolsets generating reports of who has access to what, and a whole lot of tedious, manual processes that become outdated as soon as they’re prepared.

AI-driven threat detection can help to tame this chaos, but first, let’s set the stage.

The Wild West of Privilege

As Peter Druker once said, “If you can’t measure it, you can’t manage it.”

This is true with privilege as well.

In most organizations, the number of individuals deemed “admins” used to be considerably smaller. They included network admins, domain admins, firewall and proxy server admins, database admins and, further down the IT chain, help desk admins and others. They fell into the “IT” group and were administered as such. They were a known quantity, and it was possible to understand who had access to what at any given time, set centralized policies for access, audit user sessions and store credentials and secrets in a centralized vault. This was typically done using Privileged Access Management (PAM).

Then came Software as a Service (SaaS) apps and cloud and the picture gets a bit cloudier. Business line managers and application owners took over some of the admin roles from their workstations. Privilege went to the edge of the organization.

Then, with cloud service providers (CSPs) such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, the edge disappeared completely. In cloud environments, agility and speed are key, so cloud admins are empowered to create new users, escalate privileges to third-party developers and contractors, and basically run the DevOps show in their particular cloud as they see fit. Machine or non-human identities (NHI), such as service accounts, APIs, AI agents, and containers, run in an automated fashion usually without a lot of oversight from the cloud admins.

But here’s the rub. Given the fact that a single compromised IT admin account, workforce, cloud admin account, developer or machine identity can create the opportunity for the bad guys to take down an organization, it’s a bit unsettling to think most organizations are flying blind. Technology has advanced faster than our human resources, time, budgets, and planning cycles have allowed us to keep up.

Cloud Identity Discovery is the first step to AI-driven threat detection

Tell me if this looks familiar:

Boss says: “We need to get a handle on all our (infrastructure, network, cloud) admins.” IT has the responsibility for ultimately determining who is an admin, then putting policies, auditing and security in place.

1. Project start

1. Traditional admins? No problem. On-premises, datacenter, infrastructure, workstations? Consult the PAM console. Things are going great.
2. Cloud? Discovery starts to get a little fuzzy. Let’s start with the cloud console and see who has been assigned admin rights to various pieces of cloud infrastructure. This provides some insight, but are we certain we’re seeing all our cloud admins? After all, new ones are being dynamically created all the time, and cloud users that don’t look like admins can in fact operate as admins with escalated privileges. All right, you’ve got this, maybe some scripting will work here to scan for traditional indicators of admin rights, such as “role” and “group” assignments.
3. Multi-cloud? Ok, things just got a bit more difficult. We can’t see the cloud admins in our AWS EC2 instance from our Google Cloud console. Another console to tie into. Create another script. Ok, we’re good here.
4. Amazon AWS does an update. AWS script breaks.

2. Manual processes engaged

1. A full-time employee (FTE) is given the responsibility of putting together a report once a week that includes a consolidated view of admins across the entire multi-cloud, on-premises enterprise.
2. Report is outdated as soon as it’s produced. Confidence that the report could stand up to a compliance audit is low.

3. Machine identities considered

1. Our machine or non-human identities (NHI) also need to be inventoried on an on-going basis.
2. Cloud scans reveal various cloud, local, and domain service accounts.

4. Audit and compliance

Confidence that your work could stand up to a compliance review or audit scrutiny is low. White knuckling through this.

This was a bit of an oversimplification, but I’m sure you could identify with at least a few of the elements above. Thís is why one of the biggest search engine terms and one of the hottest topics over the past year has been “cloud discovery” or “cloud identity discovery” or some variant of it.

Most organizations don’t have a good idea of what infrastructure – servers, databases, containers, APIs, service accounts—exist in their clouds. Once you find them, you’re not sure what to do with them because it’s not easy finding who the owner of an AI agent or a service account is.

A classic conundrum of the modern-day IT admin is finding a service account that hasn’t been used in six months, a prime target for an attacker, but not wanting to disable it for fear of incurring the wrath of a developer or cloud admin when something breaks in the dev process.

Cloud identity discovery looks to develop a more complete picture of what is in your multi-cloud environment, let’s you assign owners to non-human identities, and shows you where your biggest identity risks are so you can focus your security operations on the highest priority items.

It finds things like:

Shadow admins: Shadow admins are users with administrative privileges that are not easily visible or documented, posing security risks as they can perform critical actions without proper oversight.

Overprivileged users: An overprivileged user has more access rights or permissions than necessary for their role, increasing the risk of accidental or malicious misuse of sensitive data and systems.

Stale accounts: Stale accounts are user accounts that are no longer active or used, often belonging to former human or non-human identities, and can be exploited by attackers if not properly managed or removed.

Orphaned accounts: Orphaned accounts are user accounts that remain active after an employee leaves an organization, lacking an associated owner, and can be a security vulnerability if not deactivated.

Cloud identity discovery finds these “identity misconfigurations” across a multi-cloud framework so there is no need for scripting or manual tabulation across your cloud properties. It can also do much more, such automatically vaulting cloud admin credentials and DevOps secrets, enabling seamless checking out of sessions, recording of admin sessions, and post-session auditing.

You can apply uniform policies for all admins. Plus, cloud identity discovery marries up with your traditional PAM solution to provide a single pane-enterprise view of privileged administrators that you can take to your audit committee with confidence.

Enter a force multiplier: AI-Driven threat detection

Now that all privilege is mapped and continuously discovered, AI-threat detection enters the picture. AI threat detection is the use of artificial intelligence technologies to identify, analyze, and respond to potential security threats in real-time.

By leveraging machine learning algorithms and data analytics, AI can detect patterns and anomalies that may indicate malicious activity. These patterns are often difficult and time consuming for humans to recognize on their own, much less triage and chase down the various alerts from across the organization.

AI-driven threat detection is a proactive approach that not only enhances security today but also improves productivity and prepares you for emerging threats. Since human IT resources are limited and better applied to higher value projects, AI-driven threat detection stands guard.

Its typical use cases:

• Visibility across identities: Get a complete inventory and continuous discovery of all identities everywhere in your organization, including human and machine, across hybrid and multi-cloud environments.
  
  
• Identity misconfiguration detection: Discover and rectify identity misconfigurations such as disabled MFA, over-entitled identities, and stale accounts to enhance security posture.
  
  
• Threat detection: Continuously monitor for identity-related attacks like brute-force attacks and MFA bombing, providing real-time alerts and insights.
  
  
• Threat investigation: Provide context and insights around identity-related attacks to security and identity teams for efficient threat investigation and response.
  
  
• Threat remediation: Rapidly respond to identity threats with automated actions and insights, reducing the burden on security teams and minimizing potential damage.
  
  
• Privilege escalation prevention: Detect and prevent privilege escalation attempts by monitoring identity access and behavior across cloud and traditional infrastructure.
  
  
• Anomalous behavior detection: Identify and respond to anomalous identity behavior compared to baseline activities, using high-quality identity signals for actionable insights.
  
  
• Identity risk scoring: Use AI-driven risk scoring to highlight the most vulnerable identities and assess the potential impact of identity-related threats.
  
  
• Security operations integration: Seamlessly integrate identity threat insights into existing security operations tools like SIEMs and SOARs to enhance incident response workflows.

AI-driven threat detection can be deployed to work automatically to avert security incidents in real time. For example, unusual IT admin behavior such as creating large numbers of new accounts, is detected, it can move that user out of “admin” group and place them in a probationary one until further investigation can be done.

5 questions to ask about AI-Driven threat detection

With cloud identity discovery engaged, you now have a full inventory of all of the privileged users across your complex multi-cloud hybrid environment. What to do next?

Here are the questions I hear most frequently.

1. What is an agentic AI system, and am I prepared?

 The term “agentic” is all the rage these days. These systems autonomously perform tasks within your AI system. Having agentic AI agents proactively and tirelessly working to advance workloads can yield a boon to your organization, but they can also be potential security risks.

Left unmanaged, these agents could be taken over by a bad actor and operate with near unfettered access to your data and systems. Worse still, agentic agents are very in

dependent and autonomous and operate out of sight within the AI framework.

It’s AI vs. AI. AI-driven threat detection can help manage these systems, ensuring that they operate securely and efficiently. It treats agentic agents as machine identities and can ensure that basic and advanced safeguards are in place. It can move bad agents out of commission and alert security staff for follow-up investigation.

2. How can AI-driven threat detection adapt to emerging cyber threats?

AI-driven threat detection systems are inherently adaptive, leveraging machine learning algorithms to continuously learn from new data and evolving threat landscapes. These solutions analyze vast amounts of data in real-time, identifying patterns and anomalies that may indicate emerging threats. Many organizations have not only multiple clouds, but multiple identity providers.

The best AI-driven threat detection models don’t just look at the target server, database or workstation, but also mine identity providers, like Okta, Ping, and Azure AD to baseline user behavior and create a complete picture of the user identity.

3. What do I do with these threats once I find them?

Identifying threats is only the first step. You also need a plan for responding to and mitigating these threats. AI-driven threat detection can provide real-time decision-making support and autonomous AI assistants to guide your response efforts, ensuring that threats are addressed promptly and effectively.

While AI-driven threat detection can bring to the fore some of the most pressing risks, security teams need to be brought into the mix and security workflows established so that when compromise is detected you can deal with it effectively and fast.

4. Can it AI-driven threat detection systems detect insider threats?

This one is a bit of a trick question. The best AI-driven threat detection systems create behavioral baselines for each user to identify deviations that may indicate malicious insider activity. The compromised admin may look like a legitimate user and may execute the commands they are authorized to do, but good AI-driven threat detection can sniff out a potential compromise. By continuously monitoring access patterns, privilege usage, and system interactions, it alerts you to threats from inside your organization.

5. How can AI-driven systems improve real-time response to security incidents?

AI-driven systems can significantly enhance real-time response to security incidents by automating threat detection and response processes. These systems can analyze network traffic, user behavior, and system logs in real-time, identifying potential threats and triggering automated responses to mitigate them.

For instance, AI can automatically isolate compromised devices, block malicious IP addresses, or enforce additional authentication measures when suspicious activity is detected. This rapid response capability minimizes the time between threat detection and mitigation, reducing the potential impact of security incidents.

Additionally, AI-driven systems can prioritize alerts based on the severity and potential impact of threats, enabling security teams to focus on the most critical issues. Furthermore, AI can provide security analysts with actionable insights and recommendations, enhancing their ability to make informed decisions and respond effectively to complex threats.

How Delinea uses AI threat detection

Identities are proliferating at an unprecedented rate and there’s no way for humans to keep up. AI-driven threat detection isn’t a luxury. It's a necessity.

Delinea leverages AI-driven threat detection to protect all identities, including IT admins, workforce, developers, and machine identities. By scanning for anomalous behavior and correlating activity across multi-cloud and on-premises environments, Delinea can automatically shut down potential threats. This user-friendly approach enhances security while keeping your team productive and your business running.

Check out a demo of Delinea’s Identity Threat Protection solution.