What identity threat detection and response (ITDR) means in a zero-trust world

Join executives from July 26-28 for Transform’s AI & Edge Week. Hear from top leaders discuss topics surrounding AL/ML technology, conversational AI, IVA, NLP, Edge, and more. Reserve your free pass now!

Identities are one of the most attacked perimeters an enterprise has, and the trend continues to accelerate. Cyberattacks aimed at bypassing identity access management (IAM) are succeeding, with cyberattackers moving laterally across enterprise networks undetected. 

By obtaining privileged access credentials, cyberattackers are also exfiltrating enterprises’ most valuable data, including employees’ and customers’ identities and financial information. 

Stolen credentials now account for 61% of all data breaches and it’s growing as cyberattackers and more sophisticated advanced persistent threat (APT) organizations look for new ways to compromise IAM platforms. For example, the SolarWinds breach started with attackers getting administrative permissions to the company’s global administrator account. 

From there, they used a trusted security assertion mark-up language (SAML) token signing certificate to forge SAML tokens whenever they wanted, enabling them to move across SolarWinds’ infrastructure at will. Gartner predicts that 75% of security failures are attributed to not managing identities, access and privileges, up from 50% in 2020 — which seems low given how many IAM-based attacks are happening in 2022.

Event

Transform 2022

Protecting identities starts with a hardened IAM infrastructure

The limitations of IAM and privileged access management (PAM) are also apparent in multicloud infrastructures. 

Every public cloud provider relies on specific versions of IAM, PAM, policy management, configuration and admin and user access controls, leaving gaps between cloud platforms that cyberattackers are exploiting today. Closing multicloud security gaps and multicloud identity management are two areas where cybersecurity startups are providing much-needed innovation. 

Even when an enterprise has defined and begun to deploy its zero-trust framework, there are still trust gaps in infrastructure and potentially within and between IAM platforms. Zero trust must treat all forms of identity as a threat to be effective, not just user trust alone. 

Application, data, device, transport/session and user trust must be addressed in any zero-trust framework that also looks to harden IAM infrastructure. Identity threat detection and response (ITDR) addresses gaps in identity protection left open by how isolated IAM, PAM and identity governance and administration (IGA) systems are. 

Given the gaps in multicloud architectures and an exponential increase in human and machine-based identities, CISOs and security teams are evaluating ITDR to harden IAM platforms first, especially those deployed in multicloud infrastructures. 

ITDR vendors claim their platforms can provide more efficient investigations into identity-based breach attempts, enable remediation and terminate RDP sessions to prevent administrator accounts from being compromised, along with several other benefits. 

Leading vendors who have announced ITDR solutions or are bundling applications to deliver a unified platform include Authomize, CrowdStrike, Illusive, Microsoft, Netwrix, Quest, Semperis, SentinelOne (Attivo Networks), Silverfort, SpecterOps, Tenable and others. 

Identity threat detection and response in a zero-trust world

A central precept of zero trust is least-privileged access. It’s a core design criterion in the leading IAM, PAM and IGA systems today. These systems are designed to authenticate and authorize an identity request for every least privileged access session, whether the identity is human or machine-based. 

ITDR providers are designing their systems to strengthen least-privileged access by identifying entitlement exposures, privileged escalations that could indicate a breach and identifying credential misuse before a breach can occur. 

Making ITDR a priority is a necessity, knowing that multicloud and container-intensive infrastructures are popular attack vectors, with cyberattackers looking to capitalize on how isolated IAM, PAM and IGA systems are. 

Breaching an IAM gives cyberattackers the keys to the kingdom because they have all the credentials they need to take over an enterprise network. There’s also the issue of getting identity orchestration right across multiple cloud platforms, another area IDTR and SIEM providers are concentrating on providing solutions for today. 

CISOs see value in ITDR from a zero-trust standpoint for several reasons. First, ITDR shows the potential to help consolidate their tech stacks and reduce the overhang of legacy systems and their associated maintenance costs. 

Closing the gaps in multicloud infrastructure by enforcing additional areas of trust over and above user identities is needed. ITDR shows the potential to eradicate any implicit or assumed trust across infrastructure and tech stacks. 

Additionally, CISOs see the potential in ITDR to progress on their zero-trust initiatives without adding more applications to address each identity-based threat surface on their networks. Cyberattackers have successfully used malware to compromise an Active Directory (AD) configuration, gaining access to privileged access and identity management data. 

The collection of technologies and applications that comprise ITDR platforms shows the potential to detect and stop credential theft and privileged misuse. 

What CISOs are doing now 

The CISOs with a budget for zero-trust initiatives are after quick wins or those projects delivering measurable value and results. Multifactor authentication and endpoint security for virtual workforces are two examples. 

Given how many workloads they have moving into multicloud infrastructure, closing the gaps between cloud providers’ unique IAM and PAM systems is also a high priority. 

CISOs may get an opportunity to build a new business case for additional zero-trust funding this year, given how attacks on identity management are increasing. 

As for enterprises’ interest and commitment to zero trust, Ericom’s 2021 Zero Trust Market Dynamics Survey found that 83% of security and risk professionals believe zero trust is strategically important to their businesses. 

Additionally, 52% see zero trust as a more proactive than traditional approach to securing their enterprises. Identity and access management is where 42% of security and risk professionals plan to get started with zero trust. Securing those new IAM, PAM and IGA systems need to be considered in any new business case this year, as attacks to circumvent identity systems and exploit them increase.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.

Source: Read Full Article