Careers & People

6/7/2017
02:00 PM
Saryu Nayyar
Saryu Nayyar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Compromised Identities Are ITs Fault

The eternal battle between IT and security is the source of the problem.

The compromise and misuse of identity credentials provides the easiest doorway into an enterprise network, and the quickest path to its most valuable assets. It also extends beyond the realm of employees to business partners, and even customers where this information is leveraged for fraud.

The recently released 2017 Verizon Data Breach Investigations Report (DBIR) found that a whopping 81% of hacking-related breaches use either stolen and/or weak passwords. In other words: the breaches came from compromised identities.

Before an organization can fight identity-based attacks, it must survive its own internal battle between IT and security. There are two battle fronts. The first: identity access management (IAM) typically comes under the control of the CIO, where more access is better than less to enable business processes at customer speed, even more so for mobility and cloud projects.  IAM is not managed by the CISO, even though identity-based risks are at the core of security issues that keep CISOs up at night.  This first front can be summarized as the CIO and CISO divide.

The second front is wider: IT and security teams have vastly different functions and interests.  IT teams focus on enabling the business through information technology operations, availability, performance and continuity.  The objective is to achieve no outages and deliver desired information at the blink of an eye to users. As a result, IT sometimes errs on providing too much access especially through access cloning and rubber-stamping certifications for compliance.

Security teams on the other hand focus on malware detection, finding threats, and remediation. Dwell times between infection and detection can average over 150 days and up to 220 days according to recent reports. Security operation centers (SOCs) require time to collect data and determine root cause issues. They must often analyze kill chains from data breach incidents in reverse. Internally, they also face privileged access abuse issues and insiders with approved credentials exfiltrating data.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

To succeed in combating identity-based risks, these teams must first agree that the compromise and misuse of identities are issues they need to tackle collaboratively in order to provide the least amount of access without impacting business process flows.

What is the Identity Threat Plane?
Identity consists of users, their accounts, access entitlements, and related activities, both on-premises and in the cloud. Common issues include excess access, access outliers, orphan and dormant accounts, as well as unknown privileged access risks. Therefore, security teams should consider identity as a threat plane — and a source of attack that needs to be defended.

At the same time, IT teams need to understand that group and role proliferation are a major part of the problem. Unfortunately, IAM is too often constrained by inflexible and inefficient manual processes for compliance with legacy rules defining roles. 

The Productivity Versus Security Dynamic
There will always be a natural tension between the CIO and the CISO. This dynamic is determined by the reality that the CIO is driven to provide more and better services at lower costs, while a CISO’s job is to protect everything and to maintain the assurance of confidentiality, integrity, availability, and safety. Every one of those attributes is potentially contrary to what the CIO wants to do. Because of the disconnect between teams, identity-based risks remain a large unknown to security teams. Large volumes of excess, outlier, and unknown access risks are blind spots for many organizations, especially those with digital assets spread across the data center and multiple clouds. Here are three best practices for bridging the gap:

Embrace CIO-CISO collaboration. Despite or indeed because of their differences, the CIO and the CISO need to find common security interests so they can collaborate to meet their organization’s goals and needs. Increasingly, IT and security teams are collaborating around cloud computing, big data, and security analytics focused on behavior, identity and privilege.

A great deal of the work performed today in security revolves around big data for the rich context it provides to determine risks and anomalous activity. IT teams also now use the cloud to do analytical work that could not be performed if the cloud did not exist.

New, cloud-based security solutions rely heavily on big data and machine learning models for analytics that leverage the low cost and productivity-enhancing capabilities of the cloud. These solutions give CIOs and CISOs the best of both their worlds.

Accept that identity is a threat plane. The old single security perimeter — where data and applications resided safely in the data center with users on a LAN behind a firewall — is dead. It has been killed by the Internet’s ever-changing, ever-growing world of cloud computing and mobility, where data and applications are likely to reside in innumerable cloud-based data centers — as well as in the traditional data center with users on any device at any location at any time of the day.

Each day, CIOs and CISOs face the daunting challenge of trying to secure on-premise environments connected to multiple cloud applications and multiple mobile devices. New threats emerge daily, and most are based on the misuse and compromise of identity alongside ransomware outbreaks. Traditional perimeter defenses simply cannot cope with the volume and intelligence of these threats.

Leverage analytics and access controls to reduce risks. More organizations are leveraging machine learning analytics to gain 24/7 real-time visibility into big data. The primary benefits are: deeper insights into who has access to what, who is accessing the data, and who looked at what data — and to correlate such activities with people’s entitlements to access specific data, applications, networks, and so on.  We are moving from coarse-grained controls for accounts to fine grain controls on entitlements and risk profiles driven by machine learning analytics. 

In tandem, smart organizations can implement refined access controls that precisely define people’s access privileges. Key to these controls is having a zero baseline access policy for employees who transfer to a new position — their access is brought to a zero baseline and increased according to their needs. Having a quarterly risk-based certification process is also a good idea as it helps an organization catch excess access with high scores.

The sooner CISOs and CIOs recognize, agree on and treat identities as a potential security threat, the more effective an organization will become at detecting and preventing identity compromise and misuse attacks.

Related Content:

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
craigk944
50%
50%
craigk944,
User Rank: Apprentice
6/13/2017 | 8:07:58 AM
Silos , competing objectives, and comment sense
You've got to love it when competing objectives trump what's best for the organization, and customers. It ends up costing everyone $$ in the end. Cybercriminals and hackers love it, though, as it simplifies their efforts.  Banish these people to positions where they get to ask, "will that burger be for here or to go?" craig kensek
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/12/2017 | 6:52:53 PM
Embracing 2FA and MFA
Helping isolate "friendly fire" (employee) intrusion from activity based on stolen credentials can be done rapidly by implementing 2FA or MFA.  Mult-factor authentication gets lots of groans, whether it's due to added costs or added time; there's a strange belief that having to enter more than two credentials, including add-ons like pins delivered by mobile device or token hardware.  But in the end these extra layers of security are going to save money, especially from the perspective of resource hours and insurance, when you consider how many intrusions occur every day under current security models.  Granted it's not perfect but all the same, I'd bet on a more secure environment with these models in place and then focus on intrusions either from friendly fire, or other avenues not based on illegal logins.
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Get Serious about IoT Security
Derek Manky, Global Security Strategist, Fortinet,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.