In the past few years, organisations have been experiencing monumental shifts. The headaches of in-house server rooms are waning in favour of the low-cost and flexible resources of the elastic cloud. Company-owned and company-managed personal devices are long gone, replaced by increasingly powerful and rapidly changing consumer devices.
These shifts have shaken the concept of the traditional network perimeter to its very core. The edge of your network is increasingly difficult to define, as identities may carry it to data centres far beyond your control.
Traditional perimeter protection (firewalls, intrusion detection systems, anti-virus software, and so on) remains pertinent, but is clearly no longer sufficient to keep attackers from gaining access to corporate networks.
Therefore, to protect themselves, organisations need a new paradigm: stop treating the edge of an organisation’s network as the only perimeter, and expand our definition of perimeter to include identity.
What does it mean for an organisation to treat identity as a perimeter? Given that attackers will inevitably breach outer defences and gain a foothold, organisations need to shift their focus to the later phases of the attack lifecycle: they need to focus on detecting the use of stolen credentials and lateral movement.
This is currently a significant blind spot for organisations, since most security products focus on the early phases of keeping attackers out of the network. It is difficult to detect attackers moving laterally because a skilled attacker knows how to blend in with normal user activity.
According to incident response firm Mandiant, the mean time to detection today now sits at around 205 days – a staggeringly long amount of time for an attacker to go unchallenged inside your organisation. However attackers breach an organisation’s perimeter, they need one critical thing to successfully complete their mission: credentials.
Attackers can steal credentials from unsuspecting users through vulnerabilities in software, through brute force method, or they can obtain the password hash and pass it when required (a pass-the-hash attack).
Any method enables attackers to masquerade as real users, blending in with the day-to-day noise of legitimate activity so they can move laterally without detection. In some case, attackers have the audacity to escalate their privileges — often by exploiting a vulnerability — and create their own credentials within the organisation’s identity store.
Adaptive authentication can help fill this blind spot. Adaptive authentication is in the perfect vantage point to observe and disrupt the credential seeking and lateral movement phases of the attack lifecycle. Moreover, by joining adaptive authentication information with other alerts in a security information and event management (SIEM) system, security practitioners can obtain a more complete view of an attack and write appropriate correlation rules to improve the organisation’s security posture.
Correlation is key. One security event raises suspicion, but when that event is correlated with other security events, you have an incident. For example, an email threat detection device may alert you that a malicious binary was sent to a particular user in your organisation.
That alert, combined with an adaptive authentication alert attached to the credentials of that user, paints an increasingly likely image of a breach in its early stages. The fidelity of these security alerts can be further increased through the use of real-time threat intelligence, helping identify activity that is being launched from known malicious criminal infrastructure or anonymous proxy networks.
In addition, the rich data collected and analysed by an adaptive authentication solution is extremely valuable during a security investigation and incident response. This data may include : the username associated with the identity, the group membership associated with the identity, the IP address associated with the identity as it was presented in the authentication, attribution data associated with that IP address, such as its geographical location or classification (for example, an anonymous proxy or known malicious IP), the system that the identity was attempting to access, the behaviour profile(s) of the physical user associated with the identity, and the biometric profile(s) of the physical user associated with the identity.
A timeline of this data can paint a clearer picture of the lifecycle of an attack. Forensic investigators can utilise it to analyse the attempted movement of attackers in order to scope the intrusion and determine motive. In addition, because this data is a window into user behaviour, it can be analysed by behavioural analysis products for anomalies.
Adaptive authentication should fit into your security ecosystem, not only issuing alerts to your SIEM solution, but also enabling you to act upon those alerts in a meaningful way during an attack.
Specifically, an authentication system should support a rich API allowing for rapid updates to an authentication policy specific to identities and systems being protected.
Identity has become a perimeter of its own, and should be treated like one. Defence of that perimeter is an absolute necessity in our evolving security landscape. Monitoring that perimeter provides valuable context to attacks as they unfold.
Sourced from Stephen Cox, Chief Security Architect, SecureAuth