Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks – Although the phrase “identity is the new perimeter” has been around for several years, the concept is surfacing as a top priority for 2021. So much so that in a recent Gartner, Inc. press release, they listed “Identity-First Security” as one of its Top Security and Risk Management Trends for 2021.
The Importance of Identity-First Security
In the release, Gartner pointed to the SolarWinds attack as a prime example of the need for “identity-first security.” Peter Firstbrook, research vice president at Gartner, noted that “the SolarWinds attack demonstrated that we’re not doing a great job of managing and monitoring identities.” He pointed out that while organizations have spent considerable time and money on technologies like biometrics, multi-factor identification (MFA), and single sign-on (SSO), they had not spent nearly as much on identifying attacks against those solutions.
This last point is critical. While tools like MFA and SSO have helped make the sign-in process more secure than simple username and password combinations, savvy attackers have long since figured out ways to defeat them. One should not interpret that as a knock on either technology but rather an acknowledgment that, with enough time or resources, a determined attacker will almost always be able to defeat perimeter protections. As Gartner points out, stronger protections are needed within the network, monitoring the effectiveness of these perimeter solutions by identifying when attackers may have circumvented them. It is impossible to stop 100% of attacks. It’s what defenders do next that counts.
Shifting Security Priorities
Gartner acknowledges that attack surfaces have expanded dramatically over the past year as the COVID-19 pandemic forced record numbers of employees to work remotely. It further notes that the shift toward remote work necessitated by the pandemic has put identity “at the center of security design,” demanding “a major shift from traditional LAN edge design thinking.” Given that research has shown that as many as 57% of breaches involve insider threats—and employee/third-party negligence is a leading cause of those incidents—it makes sense that securing identities should be at the top of any CISO’s to-do list.
Unfortunately, detecting these insider threats remains a challenge for many organizations—and the increasingly distributed workforce has not helped. Fortunately, technology like the Attivo Networks ThreatDefend® Platform has made it easier than ever for organizations to identify when an employee, vendor, or attacker using stolen credentials might be roaming around areas of the network for which they do not require access. Detecting suspicious activity inside the network is critical. The ThreatDefend platform allows users to identify unauthorized network scans, possible credential theft and reuse, attempts to access or steal sensitive data, and more. Better still, the platform can conceal real data and assets while creating false data, AD objects, and network assets designed to misdirect or entice attackers, to trick attackers into giving away their presence. This capability makes it an ideal technology to augment any enterprise’s security setup—and with more users than ever working from home, these capabilities to detect in-network lateral movement are only growing more important.
Protecting Identity Means Protecting Active Directory
Protecting Active Directory (AD) is one of the most critical items to prioritize in the quest to protect identities, privileges, and access. CISOs and other security leaders tend to consider AD “part of the plumbing,”—meaning that its performance is evaluated based on accurate and uninterrupted service delivery. Security will often take a back seat to ease of management or for the sake of simplicity. However, AD is the primary authentication and authorization mechanism for the enterprise, which means compromising it can give attackers free rein to do as they please. Unfortunately, despite its level of importance, today’s red teams estimate that they can compromise AD 100% of the time during security exercises—and if red teams can do it, attackers certainly can, too. If the enterprise loses domain administrator control over the AD environment, there is very little defenders can do to mitigate the damage, meaning that protecting identities requires comprehensive AD protection.
Fortunately, Attivo now offers stronger AD protections than ever through tools like the ADSecure solution, which detects attacks on AD originating from compromised systems, and the ADAssessor solution, which continually assesses AD to identify potential exposures and misconfigurations while providing detailed remediation advice. These tools offer greatly improved network visibility, allowing defenders to visualize possible attack paths and proactively automate certain security practices and procedures. Gartner notes that the saying “identity is the new perimeter” is now a reality. To make sure those identities at the user, device, and domain level are secure, protecting AD must be a CISO-level concern.
The Right Technology Partner Is Critical
Gartner points to its own 2020 CISO Effectiveness Survey to underscore that CISOs today are increasingly looking to consolidate vendors to make it easier to configure their security solutions properly and respond to alerts appropriately. While the growing number of cybersecurity vendors and individual solutions available has helped push innovation forward, integrating disparate technologies can be a challenge for security teams. As a result, finding the right technology partner is more important than ever for enterprises seeking to keep their networks protected against today’s advanced threats.
Attivo Networks has a record that speaks for itself when it comes to improving client security postures. Attivo solutions have provided the most comprehensive detection and prevention coverage for lateral movement, credential theft and reuse, privilege escalation, and other common attack vectors. It has also demonstrated that the company’s solutions improve endpoint detection rates by an average of 42%. Attivo is also committed to information sharing and automation. The company’s numerous 3rd party integrations will seamlessly share attack data to expedite isolation, blocking, and threat hunting.