Check out all the on-demand sessions from the Intelligent Security Summit here.
Despite double-digit budget increases, CISOs and their teams are scrambling to contain increased internal breaches, embezzlement and fraud. Identities are the attack vector of choice during a recession, exacerbated by inflationary costs driving up the cost of living, making phishing emails’ false claims of easy money all the more alluring.
As one CISO confided to VentureBeat in a recent interview, “recessions make the revenue-risk aspects of a zero-trust business case real, showing why securing identities deserves urgency.”
Attackers use machine learning (ML) algorithms to create and launch malware-free intrusions. These account for 71% of all detections as indexed by the CrowdStrike Threat Graph.
The latest Falcon OverWatch Threat Hunting Report illustrates how attack strategies aim for identities first. “A key finding from the report was that upwards of 60% of interactive intrusions observed by OverWatch involved the use of valid credentials, which continue to be abused by adversaries to facilitate initial access and lateral movement,” said Param Singh, VP of Falcon OverWatch at CrowdStrike.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
CrowdStrike’s acquisition of Reposify reflects how leading cybersecurity platform vendors concentrate on adopting new technologies to provide external attack surface management while protecting enterprises against internal threats.
Reposify scans the web daily for exposed assets, enabling enterprises to have visibility over them and defining which actions they need to take to remediate them. At last year’s Fal.Con event, CrowdStrike announced plans to use Reposify’s technology to help its customers stop internal attacks.
Identity attacks soar in a down economy
Identity-based breaches interrupted 78% of enterprises’ operations last year, and 84% said they experienced an identity-related breach.
Identities are a core attack vector for attackers in a down economy; their strategies are to gain control of an organization. Attackers’ favorite targets are legacy identity and privileged access management systems that rely on perimeter-based security that often hasn’t been updated in years. Once in, attackers immediately grab admin rights, create fraudulent identities and begin exfiltrating financial data while attempting cash transfers.
Attackers are using ChatGPT to fine-tune social engineering attacks at scale and mine the data to launch whale phishing attacks. Ivanti’s State of Security Preparedness 2023 Report found that nearly one in three CEOs and members of senior management have fallen victim to phishing scams, either by clicking on the same link or sending money.
Identities are under siege during periods of economic uncertainty and recessions. CISOs fear that internal employees will be duped out of their passwords and privileged access credentials by social engineering and phishing attacks — or worse, that they may go rogue.
CISOs, internal security analysts staffing security operations centers (SOCs) and zero-trust leaders have told VentureBeat that a rogue IT employee with admin privileges is their worst nightmare.
Snowden a cautionary tale
Those CISOs willing to discuss the issue with VentureBeat all referenced Edward Snowden’s book Permanent Record as an example of why they’re so concerned about rogue attackers.
One CISO cited the passage: “Any analyst at any time can target anyone. Any selector, anywhere I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant to a federal judge, to even the President.”
“We’re always looking for fuel to keep our senior executives and board funding zero trust, and the passages in Snowden’s book are effective in accomplishing that task,” one cybersecurity director told VentureBeat.
A core tenant of zero trust is monitoring everything. The Snowden book provides a cautionary tale of why that is essential.
System and security admins interviewed by VentureBeat admit that internally launched cyberattacks are the hardest to identify and contain. A stunning 92% of security leaders say internal attacks are equally as complex or more challenging to identify than external attacks. And, 74% of enterprises say insider attacks have become more frequent; more than half have experienced an insider threat in the last year, and 8% have experienced more than 20 internal attacks.
Why CISOs are fast-tracking IAM implementations
CrowdStrike CEO and cofounder George Kurtz commented: “Identity-first security is critical for zero trust because it enables organizations to implement strong and effective access controls based on their users’ specific needs. By continuously verifying the identity of users and devices, organizations can reduce the risk of unauthorized access and protect against potential threats.”
Kurtz told the audience at his keynote at Fal.Con 2022 that “80% of the attacks, or the compromises that we see, use some form of identity and credential theft.”
CISOs interviewed for this story say they’re fast-tracking identity access management (IAM) in response to the rise in internal attacks, the high cost of misconfigured identities and new attack strategies from the outside aimed at their IAM, PAM and Active Directory platforms.
The highest priority is IAM proofs of concept and the fast-tracking of pilots to production servers in response to more aggressive attacks on legacy tools without advanced security features, including vaults.
Leading IAM providers include AWS Identity and Access Management, CrowdStrike, Delinea, Ericom, ForgeRock, Google Cloud Identity, IBM Cloud Identity, Ivanti and Microsoft Azure Active Directory.
Steps CISOs take to get quick value from IAM
Getting the most value from IAM implementations is considered core to CISO’s zero-trust network access (ZTNA) frameworks and operating philosophy. This is made all the more urgent by economic uncertainty and a forecasted recession.
Stopping the zombie credential epidemic by auditing all existing access credentials and rights
A common mistake is to import all existing credentials from an existing legacy identity management system into a new one. CISOs must budget time to audit every credential and delete those no longer needed.
Ivanti’s study found that 45% of enterprises suspect that former employees and contractors still have active access to company systems and files. This is often because de-provisioning guidance wasn’t followed correctly, or because third-party apps offer hidden access even after credentials have been inactivated.
“Large organizations often fail to account for the huge ecosystem of apps, platforms, and third-party services that grant access well past an employee’s termination,” said Ivanti chief product officer Srinivas Mukkamala. “We call these zombie credentials, and a shockingly large number of security professionals — and even leadership-level executives — still have access to former employers’ systems and data.”
Multifactor authentication (MFA) adoption is critical early on in an IAM launch
MFA must be first designed into workflows to minimize the impact on user experiences. Next, CIOs need to drive identity-based security awareness while also considering how passwordless technologies can alleviate the need for long-term MFA.
Leading passwordless authentication providers include Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and Windows Hello for Business.
Enforcing identity management on mobile devices has become a core requirement, as more workforces will stay virtual. Of the vendors in this area, Ivanti’s Zero Sign-On (ZSO) is the only solution that combines passwordless authentication, zero trust and a streamlined user experience on its unified endpoint management (UEM) platform.
Ivanti designed the tool to support biometrics — Apple’s Face ID — as the secondary authentication factor for accessing personal and shared corporate accounts, data and systems. ZSO eliminates the need for passwords by using FIDO2 authentication protocols.
CIOs tell VentureBeat that Ivanti ZSO is a win because it can be configured on any mobile device and doesn’t require another agent to be loaded and patched to stay current.
Require identity verification before granting access to any resource
The latest generation of IAM platforms is designed with agility, adaptability and integration to a broader cybersecurity tech stack via open APIs. Take advantage of how adaptive new IAM platforms are by requiring identity verification on every resource, endpoint and data source.
Start tight with controls and allow access only on an exception basis where identities are closely monitored and validated. Every transaction with every resource needs to be tracked. This is a core part of having a zero-trust security mindset. Being rigorous about defining identity verification will reduce unauthorized access attempts by employees, contractors or other insiders, shielding an organization from external threats by requiring identity verification before granting access.
Configure the IAM so no human can assume a machine’s role, especially in AWS configurations
This is core to zero trust because human roles on an AWS platform need to be constrained to least privileged access.
From DevOps, engineering and production teams to outside contractors working in an AWS instance, never allow human roles to intersect or have access to machine roles. Not getting this right increases the attack surface and could lead to a rogue employee or contractor capturing confidential revenue data through an AWS instance without anyone ever knowing. Audit every transaction and enforce least privileged access to avoid a breach.
Monitor all IAM activity down to the identity, role and credential level
Real-time data on how, where and what resources that each identity, role and credential is accessing — and if any access attempts are outside defined roles — is core to achieving a zero-trust security framework.
CISOs tell VentureBeat that it’s essential to consider identity threats as multifaceted and more nuanced than they initially appear when first discovered through monitoring and threat detection. An excellent reason to monitor all IAM activity is to catch potential misconfigurations and resulting vulnerabilities in the identified areas of the tech stack.
One manager of an SOC for a financial services firm told VentureBeat that monitoring saved their company from a breach. An attacker broke into several employees’ cars and stole their badges and any access credentials they could find — including laptops — then used them to access the company’s accounting systems. The intrusion was blocked immediately with monitoring, as the employees had told IT that their laptops had been stolen earlier that week.
Being safe in an economic downturn begins with identities
CISOs, CIOs, SOC managers and analysts tracking alerts and threats say the gaps left by legacy identity management systems are the weakest security link they have to deal with during down economic times.
Legacy IAM systems were used primarily for preventative control, but today every organization needs a more cyber-resilient approach to protecting every machine and human identity in their business.
IAM implementations are being fast-tracked to ensure that only legitimate users’ identities have least privileged access to the resources they need to do their jobs. The goal of preventing unauthorized users from accessing the network begins by getting rid of zombie credentials.
Monitoring user activities is a must-have for any IAM implementation, as it can stop a breach in certain situations and prevent fraud before it starts.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.