The identity-first security approach seen over the past 18 months has not led to well-rounded protections.
Australian businesses and staff have spent a lot of time rethinking and investing in identity over the past year and a half.
But that investment is proving uneven and leaving gaps they must now address.
Businesses have almost universally invested in systems and capabilities that enable workers to establish their identity to access corporate systems and data from their homes or other remote locations.
These systems allow businesses to on- and off-board workers to the corporate environment and apportion system access based on assigned privileges and permissions.
They have made specific investments in multi-factor authentication (MFA) to add a layer of protection to traditional username and password logins. Related investments include single sign-on (SSO) portals, which give staff one secure interface through which all corporate systems can be reached, and secure network access platforms.
While organisations have spent substantial amounts of time and money on these tools, they cannot say the same for systems that identify either attacks against these tools or the abuse of legitimate credentials.
Having largely set aside the question of what happens once an attacker compromises an identity, organisations must now reverse, or at least rebalance, this lopsided pattern of investing disproportionately in identity management if they are to round out their security postures as they embrace new ways of working.
Scoping the shortfall
This gap in identity security is visible in the industry numbers and trends.
Gartner warned businesses of the trend towards ‘identity-first security’ earlier this year, noting that identity is now being put “at the centre of security design,” in part to manage significant changes in the way employees access corporate systems due to the pandemic.
But the firm warned that businesses and practitioners, in general, are “not doing a great job of managing and monitoring identities. Very little has been spent on effective monitoring of authentication to spot attacks against this infrastructure,” research vice president Peter Firstbrook said.
Other identity-focused research that includes Australian customers similarly shows an imbalance in identity-related investments.
One survey points to 85% of executives seeing identity security as “critical to [the] overall user experience.” Still, the spending it charts is confined to identity and access management, MFA and SSO; it does not measure what is spent on watching those systems for abuse.
There are two points to make here. First, identity is not just about streamlining the front-end user experience. Investment in front-end identity security should not come at the expense of the back-end ‘plumbing’ that is at least as important to protecting users’ identities and managing system permissions.
Second, businesses should acknowledge that, given enough time and resources, a determined attacker will almost always find a way past SSO, secure network access and other kinds of perimeter protection, whether by phishing credentials and MFA codes, by wearing a user down with push prompts, or by abusing a session that has already been authenticated.
Organisations should not see this as a criticism of these technologies. Rather, this is simply an acknowledgment of the challenging security environment that businesses are experiencing.
Businesses should now focus on investing in systems that monitor whether perimeter solutions are actually working: systems that identify when threat actors have evaded those solutions and are moving about inside the network.
Areas for focus
Detecting suspicious activity inside the network is essential.
Businesses can use threat detection platforms to recognise possible credential theft and attempts to access or steal sensitive data. Deception-based platforms go further: they conceal production data and assets while planting decoy credentials, data and network assets designed to misdirect or entice attackers. Legitimate users have no reason to touch a decoy, so any interaction with one is a high-confidence signal that an attacker is present.
Detecting lateral movement inside the network will only grow in importance as remote working continues, and it gives identity security setups the backstop they currently lack.
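The monitoring gap described above, where SSO and MFA are deployed but nobody watches the authentication stream for attacks against them, is the kind of thing a small amount of detection logic closes. The following is an added example, not code from the original article or from any vendor it mentions. It runs two detections over a constructed authentication log: password spraying against an SSO portal (one source trying a password across many accounts, which never trips a per-account lockout) and MFA push fatigue (a run of denied prompts followed by an approval, the sign a user has been worn down into accepting a push they did not initiate). The log format, field names and thresholds are assumptions; adapt them to whatever your identity provider exports.

```python
"""Authentication-log detections for attacks against the identity perimeter.

Added example, not the article's code. Field names, log layout and
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line:
# ISO timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2021-09-01T08:00:01Z alice 203.0.113.10 PASSWORD_FAIL
2021-09-01T08:00:03Z bob 203.0.113.10 PASSWORD_FAIL
2021-09-01T08:00:05Z carol 203.0.113.10 PASSWORD_FAIL
2021-09-01T08:00:07Z dave 203.0.113.10 PASSWORD_FAIL
2021-09-01T08:00:09Z erin 203.0.113.10 PASSWORD_FAIL
2021-09-01T08:00:11Z frank 203.0.113.10 PASSWORD_OK
2021-09-01T08:00:12Z frank 203.0.113.10 MFA_DENIED
2021-09-01T08:00:40Z frank 203.0.113.10 MFA_DENIED
2021-09-01T08:01:10Z frank 203.0.113.10 MFA_DENIED
2021-09-01T08:01:55Z frank 203.0.113.10 MFA_APPROVED
2021-09-01T09:15:00Z alice 198.51.100.7 PASSWORD_FAIL
2021-09-01T09:15:20Z alice 198.51.100.7 PASSWORD_OK
2021-09-01T09:15:25Z alice 198.51.100.7 MFA_APPROVED
"""


def parse_log(text):
    """Parse the whitespace-separated log into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "outcome": outcome,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP whose password failures hit >= min_users distinct
    accounts inside `window`. Per-account lockout never fires on a spray
    because each account sees only one or two attempts."""
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "PASSWORD_FAIL":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in by_src.items():
        start = 0  # sliding window over the time-ordered failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_denials=3):
    """Flag a user who approves an MFA prompt after >= min_denials denials
    inside `window`. The approval is what matters: denials alone show the
    attacker has the password, the approval shows they now have a session."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] in ("MFA_DENIED", "MFA_APPROVED"):
            by_user[e["user"]].append(e)
    alerts = {}
    for user, prompts in by_user.items():
        denials = []
        for e in prompts:
            denials = [d for d in denials if e["ts"] - d["ts"] <= window]
            if e["outcome"] == "MFA_DENIED":
                denials.append(e)
            elif len(denials) >= min_denials:
                alerts[user] = {
                    "denials": len(denials),
                    "approved_at": e["ts"].isoformat(),
                    "src": e["src"],
                }
                denials = []
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    print("mfa fatigue:", detect_mfa_fatigue(evs))
```

In the constructed log, 203.0.113.10 fails against five accounts in eight seconds and is flagged as a spray source, and frank's approval after three denials is flagged as fatigue; alice's single failure followed by a clean MFA approval from another address trips neither rule. Both rules need the denied-prompt and failed-password events, which many MFA and SSO deployments log but never forward to a SIEM; getting that stream out of the identity provider is the first step.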
Active Directory (AD) protection tools are another crucial but overlooked element. Organisations use AD for authentication, identity management and access control. As such, it is the usual vehicle by which an attacker holding a single set of stolen credentials escalates to greater privilege or establishes persistence.
While some treat AD as ‘part of the plumbing’ or as already covered by existing perimeter defences, the reality is that protecting identities requires comprehensive AD protection. Protecting AD must be a business-wide priority to secure those identities across the company, at the user, domain and device levels.
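Two of the ways one stolen credential becomes domain-wide privilege or persistence in AD leave traces in the Windows Security log on domain controllers, and neither is caught by a perimeter control. The following is an added example, not the article's code: it runs detection logic over constructed Security event records for Kerberoasting (Event ID 4769, one account requesting RC4-encrypted service tickets for many service accounts in a short window, so their passwords can be cracked offline) and for an unapproved addition to a privileged group (Event ID 4728, a member added to a security-enabled global group such as Domain Admins). The event IDs and field names are the real ones; the records, the approved-administrator list and the thresholds are assumptions for illustration.

```python
"""Active Directory abuse detections over Windows Security events.

Added example, not the article's code. The sample records, the
approved-admin allow-list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-list of accounts permitted to change privileged group membership.
APPROVED_GROUP_ADMINS = {"svc-iam-automation", "j.ops-admin"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES256 is 0x12

# Constructed events (not real data): (time, EventID, selected fields).
# 4769: TargetUserName = requesting account, ServiceName = service account.
# 4728: SubjectUserName = who made the change, TargetUserName = group name.
SAMPLE_EVENTS = [
    ("2021-09-01T10:00:00Z", 4769, {"TargetUserName": "alice@CORP", "ServiceName": "svc-sql", "TicketEncryptionType": "0x12"}),
    ("2021-09-01T10:20:00Z", 4769, {"TargetUserName": "frank@CORP", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"}),
    ("2021-09-01T10:20:01Z", 4769, {"TargetUserName": "frank@CORP", "ServiceName": "svc-web", "TicketEncryptionType": "0x17"}),
    ("2021-09-01T10:20:02Z", 4769, {"TargetUserName": "frank@CORP", "ServiceName": "svc-backup", "TicketEncryptionType": "0x17"}),
    ("2021-09-01T10:20:03Z", 4769, {"TargetUserName": "frank@CORP", "ServiceName": "svc-exchange", "TicketEncryptionType": "0x17"}),
    ("2021-09-01T10:45:00Z", 4728, {"SubjectUserName": "svc-iam-automation", "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=local", "TargetUserName": "Domain Admins"}),
    ("2021-09-01T11:02:00Z", 4728, {"SubjectUserName": "frank", "MemberName": "CN=frank,OU=Staff,DC=corp,DC=local", "TargetUserName": "Domain Admins"}),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=4):
    """Accounts that request RC4 service tickets for >= min_services distinct
    service accounts inside `window`. Legacy hosts can produce a baseline of
    RC4 requests, so the threshold should be tuned against your own logs."""
    by_user = defaultdict(list)
    for ts, eid, f in events:
        if eid == 4769 and f.get("TicketEncryptionType", "").lower() == RC4_HMAC:
            by_user[f["TargetUserName"]].append((_ts(ts), f["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0  # sliding window over time-ordered requests
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= min_services:
                alerts[user] = sorted(services)
                break
    return alerts


def detect_privileged_group_changes(events, approved=APPROVED_GROUP_ADMINS):
    """4728 additions to a privileged group made by an account outside the
    approved list. A user adding themselves is the textbook persistence step."""
    alerts = []
    for ts, eid, f in events:
        if (eid == 4728 and f.get("TargetUserName") in PRIVILEGED_GROUPS
                and f.get("SubjectUserName") not in approved):
            alerts.append({
                "time": ts,
                "by": f["SubjectUserName"],
                "member": f["MemberName"],
                "group": f["TargetUserName"],
            })
    return alerts


if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("privileged group changes:", detect_privileged_group_changes(SAMPLE_EVENTS))
```

In the constructed data, frank's four RC4 ticket requests in three seconds are flagged while alice's single AES request is not, and frank adding himself to Domain Admins is flagged while the change made by the approved automation account is not. Both detections depend on domain controllers auditing Kerberos service ticket operations and security group management and forwarding those events, which is exactly the back-end plumbing the article argues has gone unfunded.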