Saryu Nayyar
Why Compromised Identities Are IT's Fault

The eternal battle between IT and security is the source of the problem.

The compromise and misuse of identity credentials provides the easiest doorway into an enterprise network, and the quickest path to its most valuable assets. It also extends beyond the realm of employees to business partners, and even customers where this information is leveraged for fraud.

The recently released 2017 Verizon Data Breach Investigations Report (DBIR) found that a whopping 81% of hacking-related breaches used stolen and/or weak passwords. In other words: the breaches came from compromised identities.

Before an organization can fight identity-based attacks, it must survive its own internal battle between IT and security. There are two battle fronts. The first: identity and access management (IAM) typically comes under the control of the CIO, where more access is better than less to enable business processes at customer speed, even more so for mobility and cloud projects. IAM is not managed by the CISO, even though identity-based risks are at the core of the security issues that keep CISOs up at night. This first front can be summarized as the CIO and CISO divide.

The second front is wider: IT and security teams have vastly different functions and interests. IT teams focus on enabling the business through information technology operations, availability, performance, and continuity. The objective is to achieve no outages and deliver desired information at the blink of an eye to users. As a result, IT sometimes errs on the side of providing too much access, especially through access cloning and rubber-stamping certifications for compliance.

Security teams, on the other hand, focus on malware detection, finding threats, and remediation. Dwell times between infection and detection can average over 150 days and up to 220 days according to recent reports. Security operations centers (SOCs) require time to collect data and determine root-cause issues. They must often analyze kill chains from data breach incidents in reverse. Internally, they also face privileged access abuse issues and insiders with approved credentials exfiltrating data.


To succeed in combating identity-based risks, these teams must first agree that the compromise and misuse of identities are issues they need to tackle collaboratively in order to provide the least amount of access without impacting business process flows.

What is the Identity Threat Plane?
Identity consists of users, their accounts, access entitlements, and related activities, both on-premises and in the cloud. Common issues include excess access, access outliers, orphan and dormant accounts, as well as unknown privileged access risks. Therefore, security teams should consider identity as a threat plane — and a source of attack that needs to be defended.

At the same time, IT teams need to understand that group and role proliferation are a major part of the problem. Unfortunately, IAM is too often constrained by inflexible and inefficient manual processes for compliance with legacy rules defining roles. 

The Productivity Versus Security Dynamic
There will always be a natural tension between the CIO and the CISO. This dynamic is determined by the reality that the CIO is driven to provide more and better services at lower costs, while a CISO’s job is to protect everything and to maintain the assurance of confidentiality, integrity, availability, and safety. Every one of those attributes is potentially contrary to what the CIO wants to do. Because of the disconnect between teams, identity-based risks remain a large unknown to security teams. Large volumes of excess, outlier, and unknown access risks are blind spots for many organizations, especially those with digital assets spread across the data center and multiple clouds. Here are three best practices for bridging the gap:

Embrace CIO-CISO collaboration. Despite or indeed because of their differences, the CIO and the CISO need to find common security interests so they can collaborate to meet their organization’s goals and needs. Increasingly, IT and security teams are collaborating around cloud computing, big data, and security analytics focused on behavior, identity and privilege.

A great deal of the work performed today in security revolves around big data for the rich context it provides to determine risks and anomalous activity. IT teams also now use the cloud to do analytical work that could not be performed if the cloud did not exist.

New, cloud-based security solutions rely heavily on big data and machine learning models for analytics that leverage the low cost and productivity-enhancing capabilities of the cloud. These solutions give CIOs and CISOs the best of both their worlds.

Accept that identity is a threat plane. The old single security perimeter — where data and applications resided safely in the data center with users on a LAN behind a firewall — is dead. It has been killed by the Internet’s ever-changing, ever-growing world of cloud computing and mobility, where data and applications are likely to reside in innumerable cloud-based data centers — as well as in the traditional data center with users on any device at any location at any time of the day.

Each day, CIOs and CISOs face the daunting challenge of trying to secure on-premises environments connected to multiple cloud applications and multiple mobile devices. New threats emerge daily, and most are based on the misuse and compromise of identity alongside ransomware outbreaks. Traditional perimeter defenses simply cannot cope with the volume and intelligence of these threats.

Leverage analytics and access controls to reduce risks. More organizations are leveraging machine learning analytics to gain 24/7 real-time visibility into big data. The primary benefits are deeper insights into who has access to what, who is accessing the data, and who looked at what data — and the ability to correlate such activities with people’s entitlements to access specific data, applications, networks, and so on. We are moving from coarse-grained controls on accounts to fine-grained controls on entitlements and risk profiles driven by machine learning analytics.

In tandem, smart organizations can implement refined access controls that precisely define people’s access privileges. Key to these controls is having a zero baseline access policy for employees who transfer to a new position — their access is brought to a zero baseline and increased according to their needs. Having a quarterly risk-based certification process is also a good idea as it helps an organization catch excess access with high scores.
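As an added illustration (not from the article or from Gurucul's products) of the identity risks named above, orphan and dormant accounts, access outliers against role peers, a risk score that orders a quarterly certification queue, and zero-baseline access on transfer, here is a small Python pass over constructed HR and account data. The roster, entitlement names, idle window and peer-share threshold are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
# Constructed sample data (not from the article): HR roster, account inventory, review date.
HR = {"alice": "finance", "bob": "finance", "carol": "finance", "dan": "engineering"}
ACCOUNTS = {
    "alice":   ({"erp-read", "erp-post"}, date(2017, 6, 1)),
    "bob":     ({"erp-read", "erp-post"}, date(2017, 5, 28)),
    "carol":   ({"erp-read", "erp-post", "prod-db-admin"}, date(2017, 6, 2)),
    "dan":     ({"git-push"}, date(2016, 11, 3)),
    "svc-old": ({"prod-db-admin"}, date(2017, 1, 15)),  # no owner in HR
}
TODAY = date(2017, 6, 13)

def orphan_accounts(accounts, hr):
    """Accounts with no matching HR record (left-behind or unowned service accounts)."""
    return sorted(a for a in accounts if a not in hr)

def dormant_accounts(accounts, today, max_idle_days=90):
    """Accounts with no login inside the idle window."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a for a, (_, last) in accounts.items() if last < cutoff)

def access_outliers(accounts, hr, min_peer_share=0.5):
    """(user, entitlement) pairs held by fewer than min_peer_share of the user's role peers."""
    by_role = defaultdict(list)
    for user, role in hr.items():
        if user in accounts:
            by_role[role].append(user)
    outliers = []
    for users in by_role.values():
        for user in users:
            for ent in accounts[user][0]:
                if sum(ent in accounts[u][0] for u in users) / len(users) < min_peer_share:
                    outliers.append((user, ent))
    return sorted(outliers)

def risk_scores(accounts, hr, today):
    """One point per finding; orders the quarterly certification queue, highest first."""
    score = defaultdict(int)
    for a in orphan_accounts(accounts, hr) + dormant_accounts(accounts, today):
        score[a] += 1
    for user, _ in access_outliers(accounts, hr):
        score[user] += 1
    return dict(sorted(score.items(), key=lambda kv: -kv[1]))

def zero_baseline_transfer(accounts, hr, user, new_role):
    """Transfer: start from zero and grant only entitlements every peer in new_role holds."""
    peers = [u for u, r in hr.items() if r == new_role and u in accounts and u != user]
    baseline = set.intersection(*(accounts[u][0] for u in peers)) if peers else set()
    return sorted(accounts[user][0] - baseline), sorted(baseline)
```

Anything the transfer function drops (here dan's git-push) is re-requested through the normal approval path rather than carried over by cloning.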

The sooner CISOs and CIOs recognize, agree on and treat identities as a potential security threat, the more effective an organization will become at detecting and preventing identity compromise and misuse attacks.


Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ...

User Rank: Apprentice
6/13/2017 | 8:07:58 AM
Silos, competing objectives, and common sense
You've got to love it when competing objectives trump what's best for the organization, and customers. It ends up costing everyone $$ in the end. Cybercriminals and hackers love it, though, as it simplifies their efforts.  Banish these people to positions where they get to ask, "will that burger be for here or to go?" craig kensek
User Rank: Ninja
6/12/2017 | 6:52:53 PM
Embracing 2FA and MFA
Helping isolate "friendly fire" (employee) intrusion from activity based on stolen credentials can be done rapidly by implementing 2FA or MFA. Multi-factor authentication gets lots of groans, whether it's due to added costs or added time; there's a strange belief that having to enter more than two credentials, including add-ons like PINs delivered by mobile device or token hardware. But in the end these extra layers of security are going to save money, especially from the perspective of resource hours and insurance, when you consider how many intrusions occur every day under current security models. Granted it's not perfect but all the same, I'd bet on a more secure environment with these models in place and then focus on intrusions either from friendly fire, or other avenues not based on illegal logins.