Hello. My name is Maurizio Ostinet. I am a solution architect at One Identity. Thank you for taking the time to listen to this session, which is entitled Identity Threat Detection and Response Explained. In this session, we will look at the current landscape of identity-related attacks and at the limitations of traditional security controls.
Then, we will have a look at ITDR, describing what it is and how Gartner defines it. We will also see some capabilities that are available in the One Identity products. And finally, we'll have a look at the One Identity platform working along with an ITDR solution.
With the pandemic, many organizations switched to remote work, which drove increased adoption of new technologies such as public cloud, artificial intelligence, the internet of things, and social media. As a result, we are witnessing a constant expansion of the attack surface. Nearly every day there is news of yet another data breach, and we can observe a common thread: the attackers succeeded by targeting identity credentials.
According to the Verizon 2023 Data Breach Investigations Report, the three primary ways in which attackers access an organization are stolen credentials, phishing, and exploitation of vulnerabilities. And we are increasingly seeing privilege misuse breaches paired with fraudulent transactions, more this year than in the past. Fraudulent transactions are the end game of business email compromise, and are typically a money transfer to a threat actor controlled bank account. It is clear that without a strong identity security posture, organizations will fail at cyber resilience.
There are relevant detection gaps between IAM and infrastructure security controls. Existing identity protection solutions focus on making sure people have access only to what they need, but they are unable to provide visibility into key factors in identity breaches such as credential misuse, exposure, and privilege escalation activity. An organization may have in place everything from access management to IGA, password management, PAM, and MFA tools, but a determined attacker can still gain access using techniques such as phishing or even distributing infected USB keys.
It's when they bypass an organization's existing security tools that the real damage starts. Recent identity-centric cyber attacks on Okta, Uber, Cisco, and many more have highlighted the vulnerability of identity infrastructure and the exploitation of identity systems. While prevention measures such as multifactor authentication and the different IAM systems are essential, they are not foolproof. This highlights the need for a comprehensive, contextual approach that includes detection and response.
Infrastructure security, including traditional SOC tools, is used broadly but has limited depth when it comes to detecting identity-specific threats. The limitations become even clearer looking at the annual report on SIEM detection risk published by CardinalOps. As we can see, enterprise SIEMs have detection capability for only 24% of all 196 techniques in MITRE ATT&CK. This means that attackers can execute around 150 different techniques that will go completely undetected by the SIEM.
What are the reasons for this gap between actual and expected coverage? It is not a matter of missing data, since, according to the report, the data already ingested covers 94% of all MITRE techniques. It is more related to the complexity and change of the enterprise, with manual processes and challenges in hiring and retaining skilled personnel.
US analyst firm Gartner defines ITDR as an approach that works by implementing detection mechanisms, investigating suspect changes and activities, and responding to attacks to restore the integrity of the identity infrastructure. Essentially, ITDR augments IAM, adding detection and response capabilities to the preventive-only controls featured by traditional IAM platforms. If an attacker succeeds in obtaining login credentials, they may then be able to create new accounts within an infrastructure. This poses a significant risk, as these accounts may go unnoticed for an extended period, allowing an attacker to maintain a presence without being noticed.
ITDR can assist in preventing these techniques by monitoring for unusual activity, locking down unusual accounts, and alerting the security team to closely examine them. Identity-first security approaches such as ITDR become key components of a comprehensive and effective zero trust strategy. Adopting an ITDR strategy will ensure that only approved end users and devices can have access to systems.
By taking advantage of a combination of zero trust and ITDR, security teams can significantly improve the security posture of their organization. According to Gartner, preventive controls work to avoid misconfigurations, vulnerabilities, and exposure by reducing the attack surface, removing unnecessary or excessive privileges. The IAM toolset offers foundational preventive controls to limit the exposure of excessive privileges in case a credential is compromised. While the focus of ITDR is to work as the second and third layers of defense after the foundational preventive IAM controls, identity threats can bypass or compromise the IAM preventive controls. Consequently, it is important to understand the separation between prevention, so activities undertaken before an attack, and detection and response, monitoring for attacks and stopping them while they are in progress.
Now we look more in depth at the detection side of ITDR. The key point is to be as agile in detecting new techniques as the attackers are in developing tactics, techniques, and procedures. An example here is being able to detect multiple sessions from the same user on multiple systems, which means collecting the right signals and using detection logic to prioritize and analyze suspicious events.
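As an added example (not part of the session and not One Identity or Sharelock code), the following Python shows what the detection just described looks like when written down: it walks a stream of logon/logoff events, keeps the set of systems on which each account currently holds a session, and raises a prioritized alert as soon as one account is active on more hosts than the policy allows. The JSON-lines event format, the host and user names, and the session time-to-live are assumptions made for the example; a real deployment would feed it from Windows 4624/4634 events, Linux wtmp, VPN or PAM session logs through their own parsers.

```python
"""Flag one account holding sessions on several systems at once.

Added example, not code from the session or from any vendor product.
The log format (JSON lines with ts/user/host/event) is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data. "alice" ends up logged on to
# three systems within five minutes; "bob" logs off before moving on.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:00:00Z", "user": "alice", "host": "web01", "event": "logon"}
{"ts": "2024-03-01T08:02:00Z", "user": "bob",   "host": "db01",  "event": "logon"}
{"ts": "2024-03-01T08:03:30Z", "user": "alice", "host": "db01",  "event": "logon"}
{"ts": "2024-03-01T08:04:10Z", "user": "alice", "host": "dc01",  "event": "logon"}
{"ts": "2024-03-01T08:05:00Z", "user": "bob",   "host": "db01",  "event": "logoff"}
{"ts": "2024-03-01T08:06:00Z", "user": "bob",   "host": "web02", "event": "logon"}
{"ts": "2024-03-01T08:30:00Z", "user": "alice", "host": "web01", "event": "logoff"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def severity_for(host_count):
    """Prioritize: the more systems one account is spread over, the worse."""
    if host_count >= 3:
        return "high"
    if host_count == 2:
        return "medium"
    return "low"


def detect_concurrent_sessions(text, max_hosts=1, session_ttl=timedelta(hours=8)):
    """Return one alert per logon that pushes a user over max_hosts.

    Sessions that never see a logoff are expired after session_ttl so a
    forgotten console does not keep an account permanently 'suspicious'.
    """
    active = defaultdict(dict)  # user -> {host: logon time}
    alerts = []
    for ev in parse_events(text):
        user, host, now = ev["user"], ev["host"], ev["ts"]
        for h, t0 in list(active[user].items()):
            if now - t0 > session_ttl:
                del active[user][h]
        if ev["event"] == "logoff":
            active[user].pop(host, None)
            continue
        if ev["event"] != "logon":
            continue
        active[user][host] = now
        hosts = sorted(active[user])
        if len(hosts) > max_hosts:
            alerts.append({
                "ts": now.isoformat(),
                "user": user,
                "hosts": hosts,
                "severity": severity_for(len(hosts)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_concurrent_sessions(SAMPLE_LOG):
        print(alert)
```

Run as-is, it reports two alerts for alice (medium when she reaches two systems, high at three) and nothing for bob, because his sessions are sequential rather than concurrent. The threshold `max_hosts` is where policy enters: an administrator who legitimately works on two jump hosts at once gets a higher limit, while a service account expected on exactly one system gets the default.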
Tactics, techniques, and procedures detection can detect multiple threats and tools, which are typical of multifaceted identity-related attacks. An effective way of implementing detection controls is to use the MITRE ATT&CK knowledge base of TTPs. What is MITRE ATT&CK?
In essence, it is a really detailed view of what Lockheed Martin published in 2011 with their kill chain concept. The patterns of cyber attacks are organized into a logical flow. Where the Lockheed Martin kill chain model is conceptual, the MITRE ATT&CK framework is operational. And the biggest innovation introduced by MITRE ATT&CK is that it extends the traditional intrusion kill chain model to go beyond static IOCs to catalog all known adversary playbooks and behaviors, so tactics, techniques, and procedures.
An example of attack from NSA research is the abuse of a federated authentication mechanism to access protected data. The actors demonstrate a different set of tactics, techniques, and procedures for gaining access to the victim's cloud resources. In one of these TTPs, the actors compromise on-premises components of a federated SSO infrastructure and steal the private key that is used to sign SAML tokens. Using the private key, the actors then forge trusted authentication tokens to access cloud resources.
A recent NSA cybersecurity advisory warned of actors exploiting a vulnerability in VMware that allowed them to perform this TTP and abuse federated SSO infrastructure. Analysis derived from a combination of threat signals is an effective control in ITDR. A starting point to build detection logic for TTPs is the SIEM.
Security awareness is extremely critical. A recent report from Trustwave, a managed security service provider, notes that phishing remains one of the most popular and effective techniques for attackers to gain access to organizations. Examples that highlight this need are social engineering attacks such as impersonation of the IT help desk and MFA prompt bombing. Monitoring of underground initial access brokers, so digital risk protection services, can help organizations detect leaked credentials. Then there is user behavior analytics, provided by infrastructure security controls such as firewalls, EDR, SIEM, and XDR tools, or anomaly detection in PAM tools, and adaptive access controls in access management and authentication tools; we'll see later such capabilities provided by the One Identity unified platform.
Deception techniques: attackers attempting to use fake credentials created by deception tools can be detected. Account takeover mitigation: a range of capabilities such as device identification, behavioral biometrics, and location intelligence can be used to detect anomalies at the point of login due to credential misuse. And bot mitigation: most of these techniques are provided by fraud detection tools to detect and mitigate automated attacks by bots that abuse business logic on web, mobile, or even API channels.
ITDR needs intensive interoperability with the IAM tools during the response phase. For this reason, collaboration between IAM and security operations teams is crucial. This requires integration of procedures and security operations tools to facilitate investigation and automate response actions. The initial response requires isolating the user identity, the device, and possibly the network to contain the threat.
IAM controls, such as step-up authentication or session termination, are useful for account takeover mitigation. Risk-based adaptive access is the most common automated response action to contain compromised administrative credentials. The responses may trigger manual or semi-automated processes if the IAM infrastructure itself has been compromised.
A critical point here is the creation of a response plan and playbook for the most common identity threats. The actions included in the identity threat response playbook should be: contain and eradicate, so mainly freeze all automated provisioning, stop all account changes in IGA and PAM, and quarantine users who are executing suspicious activities; recover, so restore from backups; collect evidence for investigation, including PAM and IAM logs; report, so notify people early, including executives, legal staff, and response teams; and remediate, so reset affected credentials, remove rogue and excessive accounts, and rotate security keys.
It is interesting to think about the similarities between old forts and traditional perimeter-centric network security, since they have quite a lot in common. Like traditional perimeter-centric network security, forts had a well-defined perimeter wall, and access to the fort was strictly controlled. There was a time when building a wall around an organization's infrastructure was sufficient for cyber security. There was a well-defined network boundary where all enterprise resources, such as devices and file servers, were inside the network, and users' access to the network was strictly controlled.
People, applications, and data are the lifeblood of the organization. With the office and the infrastructure disappearing, identities are quickly becoming more exposed. With this new identity security perimeter, identity is the common denominator across location-agnostic access points, devices, and networks, enabling organizations to holistically authenticate, authorize, and manage users, things, and systems.
Here we can see a couple of examples where ITDR can potentially have an impact according to research from Forrester, but there is more. Employee burnout: security teams are already understaffed. A 2022 study found that 66% of security team members experience significant stress at work, and 64% have had work stress impact their mental health. Staff are expected to be available 24 hours a day, seven days a week through major incidents, stay on top of every risk, and deliver results in limited timeframes, and they face pushback when asking for budget. In 2022, burnout caused hospitalizations.
Cyber insurance: although cyber insurance carriers introduced more rigorous underwriting processes, increased premiums, and reduced coverage in 2022, blind spots still exist. Forrester expects insurers to move aggressively into cyber security by acquiring MDR providers in 2023, continuing the trend that started in 2022. These MDR acquisitions will give insurers high-value data about attacker activity to refine underwriting guidelines, visibility into policyholder environments, and also the ability to verify attestations. Such moves will change cyber insurance market dynamics and the requirements for coverage and pricing.
Looking at the One Identity unified platform, we can find some identity detection and response capabilities. We have OneLogin, which, based on its AI engine, analyzes large volumes of data to identify anomalies and prevent threats across users and applications. OneLogin builds a profile of typical user behavior, identifies anomalies, and prevents risk in real time for advanced threat defense. And we have advanced security analytics with in-depth session analysis powered by Safeguard, our PAM platform.
All privileged user activity is tracked in real time without the need to define any rule. Safeguard creates a baseline of normal behavior and detects deviations using different machine learning algorithms on signals such as login time, text visualized on the screen, applications opened, and behavioral biometrics, helping to detect theft and misuse of privileged credentials and to identify breaches. On the response side, Identity Manager, our IGA platform, can respond to a threat with different actions, triggering a user recertification or disabling an account, for instance. And again we have OneLogin, which can log the user out of the session, block the user, or ask the user to re-authenticate.
Now we continue our ITDR journey introducing Sharelock. Sharelock provides an ITDR platform based on behavioral analysis of machines and users, detecting anomalies, learning, and reacting continuously to identity-centric threats. Anomalies coming from different sources can be correlated into threats. Any kind of data set can be ingested in real time: for instance, SaaS applications such as Office 365 and G Suite, and traditional on-prem log formats like CEF or syslog. But let's look at the components more in depth.
The indicator of behavior is the basic, atomic building block of the Sharelock machine learning architecture. An indicator of behavior is a metric used to measure and track the behavior of a system or an individual. IOBs enable the ability to understand anomalies.
An anomaly can be, for instance, geographical; or it can be a time anomaly, like a user accessing outside of normal hours; or an occurrence anomaly, like, for instance, too many failed logins; or it can be a path anomaly, like navigating or browsing folders in a strange sequence. Essentially, any behavior can be monitored, human or non-human, and it can be related to a user or to an application, like an SAP transaction. Reference model: the reference model is the anomaly detection template that correlates threats to the single anomalies detected by the indicators of behavior. It is a collection of common unusual behaviors and correlations to detect and react to identity threats.
The reference model is, for each category, a set of anomalies to observe normally on users. For example, on the data side, it can be an anomaly on a user that never accessed a file, or that is downloading an anomalous volume of files. And the reference model has a list of threats and playbooks that are associated with it.
For instance, if I have a connection from an unusual country and an anomalous number of login attempts, then I have a threat. We can call it, for instance, dangerous access situation, with a severity which is determined by the reference model. And based on the playbook which is linked to the threat, the response can be to notify the user and the security admin and send a message to the IGA platform to trigger a certification campaign.
Here, in the upper part of the slide, we have the IOBs related to three different application domains: transactional, for instance SAP; data, such as SharePoint or Google Docs; and collaboration, such as Gmail and Teams. In the lower part, there are the IOBs to detect anomalies identified on the IAM infrastructure. In between, there is the correlation engine to identify a threat and remediate with a playbook.
Sharelock can also analyze the gap between the should-be state described in the IGA system and the as-is state of actual application utilization, based on peer clustering algorithms, and provides a set of recommendations like add, revoke, or keep, for instance, which can be actioned in the IGA platform via user account lockouts or by triggering an access validation workflow. How can One Identity work with an ITDR platform? Here we can see an example.
For instance, we can have in OneLogin a failed login anomaly for the account ABC. In Google Meet, we can have a connection from a new device for the account XYZ. Each application is signaling an anomaly on a specific user ID, and Sharelock correlates these anomalies to an identity source of truth, One Identity Manager in our scenario.
So we have the correlation of different accounts to a single identity. Essentially, and this is the real key value, anomalies detected on IAM systems can be correlated with anomalies detected on the business application side. And on the response side, the IAM platform itself is the place for remediation. So Identity Manager or OneLogin can trigger actions.
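As an added example (not part of the session and not Sharelock or One Identity code), the Python below puts the two ideas from the last few minutes together: the reference model, where an unusual country plus an anomalous number of login attempts becomes a "dangerous access situation" with a severity and a playbook, and the correlation step, where per-account anomalies from OneLogin, Google Meet and a VPN are resolved against an identity source of truth so that three different account names collapse into one identity. The identity map, the anomaly types, the rule and playbook structure, the 30-minute window and the response message format are all assumptions chosen for the illustration; the real products expose their own data models and APIs.

```python
"""Resolve per-account anomalies to identities and evaluate a reference model.

Added example, not vendor code. The identity map below stands in for the
IGA source of truth; the anomaly feeds, rules and playbooks are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity source of truth: (source, account) -> identity.
IDENTITY_MAP = {
    ("onelogin", "ABC"): "maria.rossi",
    ("gmeet", "XYZ"): "maria.rossi",
    ("vpn", "mrossi"): "maria.rossi",
    ("onelogin", "DEF"): "luca.bianchi",
}

# Constructed reference model: which anomaly types must co-occur on one
# identity to form a threat, the severity, and the playbook bound to it.
REFERENCE_MODEL = [
    {"threat": "dangerous access situation",
     "requires": {"unusual_country", "failed_login_burst"},
     "severity": "high",
     "playbook": ["notify_user", "notify_security_admin",
                  "iga_certification_campaign"]},
    {"threat": "possible account takeover",
     "requires": {"failed_login_burst", "new_device"},
     "severity": "medium",
     "playbook": ["notify_security_admin", "step_up_authentication"]},
]

# Constructed anomalies as each source reports them: account names differ
# per application, which is exactly why the identity map is needed.
ANOMALIES = [
    {"ts": "2024-03-01T09:00:00", "source": "onelogin", "account": "ABC", "type": "failed_login_burst"},
    {"ts": "2024-03-01T09:04:00", "source": "gmeet", "account": "XYZ", "type": "new_device"},
    {"ts": "2024-03-01T09:06:00", "source": "vpn", "account": "mrossi", "type": "unusual_country"},
    {"ts": "2024-03-01T09:10:00", "source": "onelogin", "account": "DEF", "type": "failed_login_burst"},
    {"ts": "2024-03-01T15:00:00", "source": "gmeet", "account": "XYZ", "type": "new_device"},
]


def resolve_identity(anomaly):
    """Map a source-specific account to an identity. Accounts absent from the
    source of truth are reported as unmapped: an orphan account is itself a
    finding worth an alert, so it is not silently dropped."""
    key = (anomaly["source"], anomaly["account"])
    return IDENTITY_MAP.get(key, "unmapped:%s/%s" % key)


def correlate(anomalies, window=timedelta(minutes=30), model=REFERENCE_MODEL):
    """Group anomalies per identity, slide a time window over them, and emit
    one threat per (identity, rule) whose required anomaly types all appear
    inside the same window."""
    per_identity = defaultdict(list)
    for a in sorted(anomalies, key=lambda a: a["ts"]):
        per_identity[resolve_identity(a)].append(a)

    threats = {}
    for identity, items in per_identity.items():
        for i, first in enumerate(items):
            t0 = datetime.fromisoformat(first["ts"])
            cluster = [x for x in items[i:]
                       if datetime.fromisoformat(x["ts"]) - t0 <= window]
            observed = {x["type"] for x in cluster}
            for rule in model:
                key = (identity, rule["threat"])
                if rule["requires"] <= observed and key not in threats:
                    threats[key] = {
                        "identity": identity,
                        "threat": rule["threat"],
                        "severity": rule["severity"],
                        "evidence": [(x["source"], x["account"], x["type"])
                                     for x in cluster if x["type"] in rule["requires"]],
                        "playbook": rule["playbook"],
                    }
    return list(threats.values())


def plan_response(threats):
    """Expand each threat's playbook into response messages addressed to the
    identity, the form an IAM platform would consume (constructed format)."""
    return [{"identity": t["identity"], "action": step, "reason": t["threat"]}
            for t in threats for step in t["playbook"]]


if __name__ == "__main__":
    found = correlate(ANOMALIES)
    for t in found:
        print(t["severity"], t["threat"], t["identity"], t["evidence"])
    for msg in plan_response(found):
        print(msg)
```

Seen per application, the three morning anomalies are a failed-login burst on ABC, a new device on XYZ and an unusual country on mrossi, none of which is conclusive alone. Resolved to maria.rossi they satisfy both rules, so the high-severity threat's playbook carries the certification-campaign message for the IGA platform, while luca.bianchi's lone failed-login burst and the isolated afternoon new-device event match nothing.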
And in this screenshot, visualizing the pending attestations of a line manager in Identity Manager, we can see an example of remediation based on Identity Manager. In this case, Sharelock detected a compromised account threat based on an anomalous number of failed logins on the VPN. According to the playbook, Sharelock sent a message to Identity Manager that triggered a certification campaign, so the line manager, after reviewing the anomaly and verifying with the user, can decide the proper action. This is just an example of our capability to simply build integrations with external systems such as an ITDR platform. Our rich and powerful set of REST APIs is the main way to achieve this kind of integration.
And now we are going to close the session having a look at the One Identity approach that can help organizations achieve identity defense in depth. Here we can see the full picture, where our unified identity platform works together with the wider ecosystem, such as the SOC, and where our platform, together with ITDR, provides a fast and proper response to detected identity threats.
This architecture reflects the Gartner concept of separation between the prevention and the detection and response layers. So with a unified identity platform, we have the ability to operate risk reduction by granting right-sized entitlements through adaptive policies tied to real-world identity behavior metrics, with complete visibility of who has what privileges and when, while continuously correcting improper and redundant access, and to feed the audit trails to the ITDR, which correlates real-time behavior from logs and systems to the identity level. The identity threat signals detected by ITDR can be consumed by the One Identity platform to trigger actions along with the infrastructure security controls.
Thank you to our partners for sponsoring this session.