
Identity Threat Detection and Response Explained

04/05/2022 • Gabriel Avner

In March, Gartner analysts dropped us some breadcrumbs on an emerging new category that they are calling “Identity Threat Detection and Response” (ITDR).

Citing it in their “Top Security and Risk Management Trends for 2022” release that we broke down in last week’s post, the analysts told us that they introduced the term “to describe the collection of tools and best practices to defend identity systems.”

The reason for the new category that they cite is the marked rise in active targeting of identity and access management (IAM) infrastructure by sophisticated threat actors, as well as the fact that credential misuse is “a primary threat attack vector.”

In this week’s piece, we will try to:

Identity and Access are Under Attack

Even before the pandemic, the identity and access layers were already under threat, especially given the transition from on-prem to the cloud, where identity is both the key to accessing an organization’s assets and the perimeter protecting those assets. Taking control of identities with privileged access gives attackers the keys to the kingdom, along with all of the crown jewels that they can reach with those privileges.

Attacks on the identity layer have only increased in the past two years given the move to remote and cloud work, with the Verizon Data Breach Investigations Report for 2021 telling us that 80% of breaches involve privileged credentials. 

The threat to identities has led to a blooming field of IAM tools (IGA, PAM, CIEM, CSPM, SSPM, etc., ad infinitum) and authentication tools like MFA and SSO, all aimed at managing our identities more effectively and reducing the chances of compromised credentials being used against us.

All of these factors and developments are important, but none of them are particularly new.

Reexamining our Assumptions on IAM

What is new is the recognition that these IAM tools are identity and access infrastructure and not security. 

Moreover, Gartner is explicitly telling us that, “Sophisticated threat actors are actively targeting identity and access management (IAM) infrastructure,” and that we need to develop ways to protect that infrastructure. 

The analysts go a step further in their critique of the current landscape. 

“Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure,” said Peter Firstbrook, Research Vice President at Gartner, as quoted in the report.

What he is saying is that while we have done a better job of putting tools into place, such as authentication, that are aimed at handling our identities and access more securely, attackers are finding ways to undermine those same systems and use them as their avenue to reach deep inside their targets.

We have seen two high profile examples of this problem. First in the SolarWinds case where Russian hackers defeated MFA and hijacked Active Directory to create a new admin identity. More recently was the hack of Okta where the Lapsus$ group compromised a third-party vendor and used that access to penetrate into Okta’s clients, gaining scary amounts of access.

Given the evidence that malicious actors have the ability to use our identity and access infrastructure against us, we have to rethink how we protect it.

IAM tools can be incredibly powerful and useful. But they can also be a single point of failure if they are compromised. A basic principle of security tells us that the system managing the infrastructure should not be the same one monitoring that it is working securely.

Think of it like a Segregation of Duties for your identity and access security. 

What is needed is a solution that actually secures our infrastructure and ensures that it continues to operate correctly.

This is where ITDR steps up into the limelight.

Defining ITDR

Going back to Firstbrook’s description of ITDR as “the collection of tools and best practices to defend identity systems,” we understand that this segment is still in its early days.

What we do know is what ITDR is looking to solve for and what it needs to do to get us there.

The Challenge

A major flaw in IAM tools is they have limited visibility. 

An identity provider (IdP) like Okta will only see the identities that are in its directory. If you are only tracking identities from the IdP side, then you are only seeing half of the picture from an access privilege POV.

What about looking at the asset side of the equation to see who has access privileges to them? There may be local IAM users in your AWS, or in the case of GitHub with its Bring Your Own Identity model, internal or external users with access to your repos that you simply do not know are there.  

Access privileges are the answer to the question of what an identity, human or machine, can do once it has been authenticated. Which assets can it access? What level of access (read, write, admin, etc.) will it have?

These access privileges are the relationship between the identity and the apps and services where the identity interacts with their assets. Understanding who has access to what and how they are using those privileges is critical to operating securely.
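The visibility gap described above (an IdP only sees the identities in its own directory, while local AWS IAM users and GitHub outside collaborators hold access the IdP never sees) and the Segregation of Duties point from the previous section (monitor the identity layer from outside the system that manages it) can both be made concrete with a small reconciliation script. The following is an added illustration, not Authomize code or any vendor's API: it takes a constructed IdP directory export, a constructed asset-side grant list for an AWS account and a GitHub repository, and a constructed activity log, builds the identity-to-asset privilege map, and reports identities unknown to the IdP, admin-level grants, grants that were never used in the window, and privileged grants that did not exist in a previous snapshot. All identities, assets and records are made up for the example.

```python
"""Cross-source identity/access reconciliation (added illustration, constructed data)."""
from collections import defaultdict

# --- constructed inputs: every name and asset below is made up ---

# What the IdP directory knows about.
IDP_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Asset-side view: (principal, asset, privilege) as reported by each service.
# The principal column is whatever the service itself knows; the IdP may have
# no record of it at all (local IAM user, GitHub outside collaborator).
ASSET_GRANTS = [
    ("alice@example.com", "aws:account/123456789012", "admin"),
    ("bob@example.com", "aws:account/123456789012", "read"),
    ("deploy-bot", "aws:account/123456789012", "admin"),  # local IAM user, not in the IdP
    ("alice@example.com", "github:example-org/payments", "write"),
    ("ext-contractor", "github:example-org/payments", "admin"),  # outside collaborator (BYOI)
    ("carol@example.com", "github:example-org/payments", "read"),
]

# Activity seen in the review window: (principal, asset) pairs actually used.
ACTIVITY = [
    ("alice@example.com", "aws:account/123456789012"),
    ("deploy-bot", "aws:account/123456789012"),
    ("carol@example.com", "github:example-org/payments"),
]

# Privileged grants recorded at the previous snapshot (constructed baseline).
PREVIOUS_PRIVILEGED = [("alice@example.com", "aws:account/123456789012")]


def build_access_map(grants):
    """Return {identity: {asset: privilege}}: the identity/asset relationship."""
    access = defaultdict(dict)
    for identity, asset, privilege in grants:
        access[identity][asset] = privilege
    return dict(access)


def shadow_identities(access_map, idp_users):
    """Principals that hold access on some asset but are unknown to the IdP."""
    return sorted(identity for identity in access_map if identity not in idp_users)


def privileged_grants(access_map, level="admin"):
    """(identity, asset) pairs holding the given privilege level."""
    return sorted(
        (identity, asset)
        for identity, assets in access_map.items()
        for asset, privilege in assets.items()
        if privilege == level
    )


def unused_grants(access_map, activity):
    """Grants with no recorded use in the window: candidates for least privilege."""
    used = set(activity)
    return sorted(
        (identity, asset, privilege)
        for identity, assets in access_map.items()
        for asset, privilege in assets.items()
        if (identity, asset) not in used
    )


def new_privileged_since(previous, current):
    """Out-of-band check: privileged grants absent from the last snapshot.

    This is computed from the asset-side data, not from the IdP's own view,
    so a new admin identity created by abusing the IdP still shows up here.
    """
    return sorted(set(current) - set(previous))


def findings(idp_users=IDP_USERS, grants=ASSET_GRANTS, activity=ACTIVITY,
             previous=PREVIOUS_PRIVILEGED):
    """Assemble the report; the highest-priority item is a shadow identity with admin."""
    access = build_access_map(grants)
    shadow = shadow_identities(access, idp_users)
    privileged = privileged_grants(access)
    return {
        "shadow_identities": shadow,
        "shadow_with_admin": sorted(i for i, _ in privileged if i in shadow),
        "privileged_grants": privileged,
        "unused_grants": unused_grants(access, activity),
        "new_privileged": new_privileged_since(previous, privileged),
    }


if __name__ == "__main__":
    for key, value in findings().items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

Each check is deliberately driven from the asset side: the list of principals comes from what AWS and GitHub report, and the IdP directory is only consulted to classify them. Running the script on the constructed data flags `deploy-bot` and `ext-contractor` as identities the IdP has never heard of, both holding admin, and neither present in the previous privileged snapshot; in a real deployment the three inputs would come from the respective service APIs or exports.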

The Solution

As noted above, what we need ITDR to do is to help us secure our IAM infrastructure and ensure that it continues to operate correctly.

Securing the infrastructure means:

Ensuring that the infrastructure is used correctly:

This is a tall order, but Authomize has it covered. Here’s how we do it.

Authomize’s Approach to ITDR

Authomize is the first Cloud Identity and Access Security Platform.

We continuously monitor your identities, access privileges, assets, and activities, to secure all your apps and cloud services. This means that we go full-stack, connecting to everything from your IdPs (Okta, Ping, Azure AD), to IaaS (AWS, Azure, GCP) to SaaS (GitHub, O365, Google, etc), and beyond. 

Data from these sources is normalized and processed by our Machine Learning engine.

Our visibility allows you to continuously monitor your environments, detect threats, and effectively remediate risks, enabling you to achieve and maintain Least Privilege. 

Here’s how we do it:

Monitor

Once we connect to your IdPs and apps/services, we collect and monitor data on:

Detect

Based on the data that we collected and normalized, we detect issues from:

All this information enables us to:

Remediate

We then assist in the remediation process without impacting the ongoing operations.

Authomize enables your team to remediate more effectively and efficiently with surgical precision by:

Next Steps for Securing Your Cloud Identity and Access

Despite all of the challenges facing organizations when it comes to their identity and access security, we appear to be on the right track. 

More and more organizations are using IAM tools to manage their identities and access more efficiently. 

Now security teams have to take the next step and ensure that they are securing those tools and their environments.

For more information on how Authomize can help your organization secure your identity and access infrastructure, we invite you to schedule a meeting with us and request a demo of our platform.