Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

Prevent Identity From Becoming Your Own Nemesis

Understanding identity is essential to the modern organization. A user identity tells us who someone is and what they are likely to do, because it captures their motivations and their privileges. When that identity is taken over, it can become your worst enemy. Like George Costanza in Seinfeld, no matter which identity he picked — from marine biologist to import/export businessman — it all blew up in his face in the end.

Prevent User Identity Theft

In the modern organization, the security perimeter has morphed to be based on identity instead of firewalls. As a result, we need to have a conversation about the security technologies that exist today in the market and how they help your organization to become more secure in a growing threat landscape.

The Risk

I believe we can all agree that a user’s identity is at risk of becoming your next backdoor. The ultimate objective for security and IAM teams is to keep user identities from compromising security in the enterprise. To achieve that, these teams need to understand the behavior, threats, and risks associated with each and every identity. In other words: what the identity did, is doing, and will do.

Before we dive deeper, we should talk about what defines an identity. Obviously many things define an identity, but I believe that access activity is the most logical starting point. Why? Because this is where the journey towards understanding behavioral patterns begins. There is another reason, just as important: access activity is one of the highest-fidelity data points an organization has, and it is the easiest to act on to get to the (real) truth. Other data points may include data that is monitored post-access, such as DLP technology (which aims to classify data and to detect and prevent data exfiltration). This provides less fidelity because data files are, by nature, static rather than dynamic objects. An attacker would need to duplicate and exfiltrate files before a compromise shows up, and by then you already have an attacker in your network who has reached your sensitive information. Therefore, user behavior yields the best fidelity because it is real-time and adaptive, and it lets you stop the attacker earlier in the kill chain.

Even though other technologies such as DLP have been around for many years, they cannot compare to access data as they inherently do not offer the same level of accuracy. To this day, organizations are still trying to reduce DLP false positives and noise on multiple levels: network, endpoints, classification, detection, at rest, in use, in motion. This is a very time-consuming and manual task, making it even more critical to have high-fidelity data that is easily deployed and analyzed.

The Change

It’s time to mention change, which is a necessary part of any organization that wants to stay abreast of current threats. Without acknowledging that change is a constant, organizations will put considerable effort and investment into containing and mitigating changes as if change itself were the compromise. Embracing change is key to establishing the right frame of mind when it comes to staying secure. Now that we have established that identity data gives the most fidelity when it comes to understanding threats in your organization, let’s examine some ways the market is leveraging this data for security.

Identity Analytics is a machine learning and statistics-based tool that helps us profile and predict user behavior as part of the effort to define and characterize an identity. This must be a continuous practice in every organization because of the constant change in the threat landscape. In recent market research, Gartner claims that “context about a user’s behavior is so beneficial, it has become a feature to many other existing security technologies.” Preempt has believed from the beginning that user behavior is the key to understanding security. While user behavior is an essential part of every security strategy, it is only the starting point, not the end goal. I am happy to see that five years after we started, analysts are aligning with this approach towards user behavior.

Monitoring identities and entities used to be easier when employees came to the office to log into the network. This is no longer the case. With employees needing both internal and remote access to a variety of on-premises and cloud applications from a variety of managed and unmanaged devices, achieving visibility becomes both harder and more necessary for understanding risk in your organization. Luckily, there are more affordable and faster solutions for understanding identities. In addition, monitoring solutions that help organizations get more out of their current infrastructure reduce the cost and complexity of rearchitecting. In their recent Market Trends, Gartner looks at behavior analysis as a link that connects different departments in the organization. Behavior analysis has gone beyond a simple security solution to a cross-departmental orchestrated effort.

Risk-Based Authentication, also known as RBA, is an old concept from the 90s that was promoted by RSA after the acquisition of RSA Data Security by Security Dynamics in 1996. In my humble opinion, RSA never delivered on its promise. RSA was mostly focused on preventing Man-in-the-Middle (MitM) types of attack with a hardware token second factor (aka OTP) device. Today, it is much easier to achieve true RBA because of the rich context collected using various methods in real-time, and overall it is smarter and more predictive because of machine learning technology. RBA takes the behavior context produced by the identity analytics solution and uses that information to help solve problems. The contextual data surrounding an identity helps evaluate whether the activity the person is performing should be classified as normal, risky, or critical/compromised. Beyond just profiling the behavior of a user, understanding how a user changes over time can be so complex that systems must constantly learn from new data points and adapt their responses to new input. All of this risk profiling of user behavior, and the machine learning needed to understand change, has to happen in real-time so we stay one step ahead of the attacker. Without proper automated remediation capabilities, security analysts will be burdened by the noise of alerts that may or may not be critical to their organization.

The Solution

Identity data is key. It really doesn’t matter whose statistics you buy into: IBM, Verizon, Gartner, or others. What truly matters is that at the end of the day, whether it is 3 out of 5 or 4 out of 5 breaches, it always involves some sort of identity compromise. That is why Preempt believes that user behavior is simply the starting point and not the end goal. Understanding and leveraging identity data is the starting point for understanding compromise in your organization. Rather than making your security analysts chase a lot of noise, you can focus their time on what provides the best indication of compromise: analytics from identity access data.

But is MFA the solution? Authentication and authorization have become staples in many security strategies, but we believe this is going to change. Confidence in authentication continues to drop as we constantly talk about needing to add another factor (and more friction) to strongly verify the identity of a user and their intentions, given that traditional two-factor solutions can be easily hacked. Whether it is adding biometrics or even behavioral patterns, authentication mechanisms keep growing more complex. But is it helpful? Here is the reality: I believe we are getting closer to the moment when people are tired of the friction and the MFA fatigue that these vendors cause. Eventually, users will find a way to circumvent security in favor of convenience.

Is this really what we want to achieve? To lessen our security by implementing more security? It seems ironic at best. Making authentication more complex is not the answer. Technology must get smarter, must rely on context, and must only add friction when there is no other recourse. For me, smart is when we decide to make cars instead of faster horses. Applying the same precautions to every resource or identity doesn’t necessarily add up to better security. You need to apply dynamic decision making to each and every activity, applying the right level of security to the right level of risk at the right time.
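To make the RBA idea from the previous sections concrete, here is an added example (illustrative code, not Preempt's product) of the dynamic decision just described: each access event is scored against a behavioral baseline learned from past access activity, and the score maps to the three classes the text names, normal (allow), risky (step-up MFA), and critical/compromised (block). The baseline, the weights, the thresholds and the sample events are all assumptions constructed for the demo.

```python
# Added example (not Preempt's code): risk-based authentication that scores one
# access event against a behavioural baseline. Weights, thresholds and samples are assumptions.
from dataclasses import dataclass, field

@dataclass
class Baseline:
    """Profile learned from a user's past access activity (constructed sample)."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    active_hours: range = range(7, 20)      # hours of day the user normally works
    resources: set = field(default_factory=set)

@dataclass
class AccessEvent:
    device_id: str
    country: str
    hour: int
    resource: str
    sensitivity: int                        # 1 = low ... 3 = most sensitive resource
    failed_logins_last_hour: int = 0

def risk_score(ev: AccessEvent, base: Baseline):
    """Sum weighted deviations from the baseline; the weights are assumptions."""
    score, reasons = 0, []
    if ev.device_id not in base.devices:
        score += 30; reasons.append("unknown device")
    if ev.country not in base.countries:
        score += 30; reasons.append("new country")
    if ev.hour not in base.active_hours:
        score += 15; reasons.append("off-hours access")
    if ev.resource not in base.resources:
        score += 10 * ev.sensitivity; reasons.append("unusual resource")
    if ev.failed_logins_last_hour >= 5:
        score += 40; reasons.append("many recent failed logins")
    return score, reasons

def decide(ev: AccessEvent, base: Baseline):
    """Friction only when the risk warrants it: normal -> allow, risky -> step-up MFA,
    critical/compromised -> block. Thresholds are assumptions."""
    score, reasons = risk_score(ev, base)
    if score < 30:
        return "allow", score, reasons
    if score < 70:
        return "step_up_mfa", score, reasons
    return "block", score, reasons

ALICE = Baseline({"laptop-01"}, {"US"}, range(7, 20), {"mail", "wiki"})  # constructed baseline
USUAL = AccessEvent("laptop-01", "US", 10, "mail", 1)                     # matches baseline
NEW_PHONE = AccessEvent("phone-07", "US", 9, "mail", 1)                   # only the device is new
SUSPECT = AccessEvent("kiosk-99", "RU", 3, "finance-db", 3, failed_logins_last_hour=6)
```

Run `decide(NEW_PHONE, ALICE)` to see the middle case: a single unfamiliar device earns a step-up challenge rather than a block, while the usual event passes with no friction at all.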

A modern approach to authentication means many things, but most importantly it means that it needs to be easy: easy to deploy, easy to use, easy to change, and easy to secure. If you are interested in a modern way to leverage identity data to understand risk in your organization and take action, contact us at [email protected].

Topics: Adaptive Response, Conditional Access, Credential Compromise, Domain Controller, Identity, Identity Verification, Lateral Movement, Multi-factor Authentication

Posted by Eran Cohen on September 26, 2019 6:01 PM
