In March 2022, Gartner analysts dropped us some breadcrumbs on an emerging new category that they are calling “Identity Threat Detection and Response” (ITDR).
Citing it in their “Top Security and Risk Management Trends for 2022” release, the analysts told us that they introduced the term “to describe the collection of tools and best practices to defend identity systems.”
The reason for the new category that they cite is the marked rise in active targeting of Identity and Access Management (IAM) infrastructure by sophisticated threat actors, as well as the fact that credential misuse is “a primary threat attack vector.”
In this post, we will attempt to:
Even before the pandemic, the identity and access layers were already under threat. This is especially true given the transition from on-prem to the cloud, where identity is both the key to accessing an organization’s assets and the perimeter protecting those assets. Taking control of identities with privileged access gives attackers the keys to the kingdom, along with all of the crown jewels that they can reach with those privileges.
Attacks on the identity layer have only increased in the past two years, given the move to remote and cloud work, with the Verizon Data Breach Investigations Report for 2021 telling us that 80% of breaches involve privileged credentials.
The threat to identities has led to a blossoming field of IAM tools (IGA, PAM, CIEM, CSPM, SSPM, and so on) and authentication tools like MFA and SSO, all aimed at managing our identities more effectively and reducing the chances of compromised credentials being used against us.
All of these factors and developments are important, but none of them are particularly new.
What is new is the recognition that these IAM tools are identity and access infrastructure and not security.
Moreover, Gartner explicitly tells us that “Sophisticated threat actors are actively targeting identity and access management (IAM) infrastructure” and that we need to develop ways to protect that infrastructure.
The analysts go a step further in their critique of the current landscape.
“Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure,” said Peter Firstbrook, Research Vice President at Gartner, as quoted in the report.
What he is saying is that while we have done a better job of putting tools in place, such as stronger authentication, to handle our identities and access more securely, attackers are finding ways to undermine those very systems and use them as an avenue to reach deep inside their targets.
Malicious actors have the ability to use our identity and access infrastructure against us. IAM tools can be incredibly powerful and useful, but they can also be a single point of failure if they are compromised. A basic principle of security tells us that the system managing the infrastructure should not be the same system that monitors whether it is working securely.
Think of it like a Segregation of Duties for your identity and access security.
What is needed is a solution that actually secures our infrastructure and ensures that it continues to operate correctly. This is where ITDR steps up into the limelight.
Going back to Firstbrook’s description of ITDR as “the collection of tools and best practices to defend identity systems,” we understand that this segment is still in its early days.
What we do know is what ITDR is looking to solve and what it needs to do to get us there.
A major flaw in IAM tools is that they have limited visibility.
An identity provider (IdP) like Okta, for example, will only see the identities that are in its directory. If you are only tracking identities from the IdP side, then you are only seeing half of the picture from an access-privilege point of view.
What about looking at the asset side of the equation to see who has access privileges to them? There may be local IAM users in your AWS, or in the case of GitHub with its Bring Your Own Identity model, internal or external users with access to your repos that you simply do not know are there.
Access privileges answer the question of what an identity, human or machine, can do after it has been authenticated. Which assets can it access? What level of access (read, write, admin, etc.) will it have?
These access privileges are the relationship between the identity and the apps and services where the identity interacts with their assets. Understanding who has access to what and how they are using those privileges is critical to operating securely.
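As an added illustration of the IdP-versus-asset reconciliation described above (example code, not Delinea’s platform), this script cross-references a constructed IdP directory with constructed AWS and GitHub principal listings to surface accounts the IdP cannot see, access that outlived deprovisioning, and a who-has-what map; all names and account values are made up:

```python
from collections import defaultdict

# Constructed sample: identities the IdP (e.g. Okta) knows about, keyed by e-mail.
IDP_USERS = {
    "alice@example.com": "ACTIVE",
    "bob@example.com": "ACTIVE",
    "carol@example.com": "DEPROVISIONED",
}

# Constructed sample: principals observed on the asset side (an AWS account and a
# GitHub org), the access level each holds, and how the account came to exist.
ASSET_PRINCIPALS = [
    {"asset": "aws:123456789012", "principal": "alice@example.com", "level": "read", "source": "sso"},
    {"asset": "aws:123456789012", "principal": "ops-local", "level": "admin", "source": "local-iam-user"},
    {"asset": "github:acme", "principal": "bob@example.com", "level": "write", "source": "saml"},
    {"asset": "github:acme", "principal": "contractor-77", "level": "admin", "source": "byoi"},
    {"asset": "github:acme", "principal": "carol@example.com", "level": "write", "source": "saml"},
]


def find_shadow_principals(idp_users, principals):
    """Asset-side accounts with no matching IdP identity. The IdP cannot see them,
    so IdP-side deprovisioning and MFA policy never reach them."""
    return [(p["asset"], p["principal"], p["level"])
            for p in principals if p["principal"] not in idp_users]


def find_stale_access(idp_users, principals):
    """Principals deprovisioned in the IdP that still hold access on an asset:
    offboarding happened at the IdP but not at the resource."""
    return [(p["asset"], p["principal"], p["level"])
            for p in principals if idp_users.get(p["principal"]) == "DEPROVISIONED"]


def access_map(principals):
    """Who has access to what: principal -> {asset: level}."""
    out = defaultdict(dict)
    for p in principals:
        out[p["principal"]][p["asset"]] = p["level"]
    return dict(out)


def prioritise(findings):
    """Admin-level findings first, since those are the keys to the kingdom."""
    return sorted(findings, key=lambda f: (f[2] != "admin", f[0], f[1]))


if __name__ == "__main__":
    for f in prioritise(find_shadow_principals(IDP_USERS, ASSET_PRINCIPALS)):
        print("shadow identity:", f)
    for f in find_stale_access(IDP_USERS, ASSET_PRINCIPALS):
        print("stale access:", f)
```

Real deployments would feed the same functions from the IdP’s user API and the cloud provider’s or SaaS app’s principal listings instead of the inline samples.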
As noted above, what we need ITDR to do is to help us secure our IAM infrastructure and ensure that it continues to operate correctly.
This is a tall order, but Delinea has it covered. Here’s how we do it.
Delinea provides a Cloud Identity and Access Security Platform that continuously monitors your identities, access privileges, assets, and activities to secure all your apps and cloud services.
This means that we go full-stack, connecting to everything from your IdPs (Okta, Ping, Azure AD), to IaaS (AWS, Azure, GCP) to SaaS (GitHub, O365, Google, etc), and beyond.
Data from these sources is normalized and processed by our machine learning engine. Our visibility allows you to continuously monitor your environments, detect threats, and effectively remediate risks, enabling you to achieve and maintain least privilege.
Here’s how we do it:
Once we connect to your IdPs and apps/services, we collect and monitor data on:
Based on the data that we collected and normalized, we detect issues from:
All this information enables us to:
We then assist in the remediation process without impacting the ongoing operations.
Delinea enables your team to remediate more effectively and efficiently with surgical precision by:
Despite all the challenges organizations face regarding identity and access security, we're on the right track. More and more organizations are using IAM tools to manage their identities and access more efficiently. Now, security teams must take the next step and ensure that they're securing those tools and their environments. For more information on how Delinea can help your organization secure its identity and access infrastructure, we invite you to schedule a meeting with us and request a demo of our platform.