Identity-first security is certainly a buzzword of 2021. Despite having been around for some years before, the concept is now top of mind for companies after Gartner named it as one of its Top Security and Risk Management Trends for 2021 in March.
The mass transition to remote working in 2020 has repositioned identity at the heart of security strategies, resulting in a move away from traditional LAN edge approaches. And although multi-factor authentication (MFA) and single sign-on (SSO) have already succeeded in making the sign-in process more secure than the traditional username and password combinations, threat actors will inevitably work their way through an organisation’s defences.
To establish an effective line of defence against these attackers, organisations must assume their current security measures are insufficient and build stronger protections within the network itself. Focus should also be on systems which monitor the effectiveness of perimeter solutions by identifying when threat actors have evaded them.
Keeping up with data: SaaS, unstructured data and securing it with identity
What are the weaknesses?
Research has shown that around 57% of breaches involve insider threats, and employee negligence is a leading cause of those incidents. It therefore makes sense that securing identities should be at the top of any CISO’s priority list. However, detecting these insider threats remains a challenge for many businesses, and the ongoing remote workforce has not helped the situation.
The SolarWinds attack is a prime example of the need for identity-first security. Altered SolarWinds products provided attackers with a backdoor into numerous company networks, bypassing any perimeter protections those organisations may have had in place. Without in-network defences, companies have little chance in deterring attackers from lucrative targets, such as Active Directory (AD). Undoubtedly, organisations have spent substantial amounts of time and money on technologies like MFA and SSO, but the same cannot be said for the systems that identify attacks against those solutions. Securing access to the network is one thing, but protecting those vulnerable gateways is another. When attackers have demonstrated their capabilities of breaching these technologies, then businesses must return to the drawing board.
Even though MFA and SSO are no longer enough to protect business systems, this should not be seen as a criticism of these technologies – they have both served a purpose and assisted in the development of effective network protection solutions. Instead, individuals should acknowledge that, with enough time and resources, a determined attacker will almost always be able to defeat perimeter protections. Stronger protections are needed within the network, monitoring the effectiveness of these perimeter solutions by identifying when attackers may have eluded them.
Keeping up threat detection
Technology today allows organisations to identify when an employee, supplier, or attacker using stolen credentials might be navigating areas of the network without needing access. Detecting suspicious activity inside the network is therefore essential.
Threat detection platforms allow users to identify unauthorised network scans, possible credential theft, and attempts to access or steal sensitive data. Further, these platforms can conceal real data and assets while creating false data, AD objects, and network assets designed to misdirect or entice attackers, resulting in them revealing their presence. This capability makes it an ideal technology to strengthen any enterprise’s security setup. These capabilities to detect in-network lateral movement will continue to grow in importance as remote working continues.
Automated hacking, deepfakes and weaponised AI – how much of a threat are they?
Don’t forget about Active Directory
More than 90% of Global Fortune 1000 organisations use Active Directory for authentication, identity management, and access control. AD is seen as an easy target by attackers, as businesses consider it protected by the perimeter defences, which sophisticated attackers have proven they can breach. Privileged access exploitation is a component in 80% of known security breaches, including the recent SolarWinds and Microsoft breaches. Once AD is compromised, hackers can use stolen credentials to move laterally throughout the network, as well as escalate privileges for credentials already in their possession.
CISOs and other security leaders often consider AD as ‘part of the plumbing’, meaning that its performance is evaluated based on accurate and uninterrupted service delivery. If a company loses domain administrator control over the AD environment, defenders will be forced to stand idly by, unable to mitigate the damage, meaning that protecting identities requires comprehensive AD protection.
AD protection tools offer greatly improved network visibility, allowing defenders to identify possible attack paths and proactively automate certain security practices and procedures. Gartner affirms that the saying “identity is the new perimeter” is now a reality. To ensure those identities across the company – within user, domain, and device levels – are secure, protecting AD must be a business-wide priority.