Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

02:00 PM
Saryu Nayyar
Saryu Nayyar
Connect Directly
E-Mail vvv

Why Compromised Identities Are ITs Fault

The eternal battle between IT and security is the source of the problem.

The compromise and misuse of identity credentials provides the easiest doorway into an enterprise network, and the quickest path to its most valuable assets. It also extends beyond the realm of employees to business partners, and even customers where this information is leveraged for fraud.

The recently released 2017 Verizon Data Breach Investigations Report (DBIR) found that a whopping 81% of hacking-related breaches use either stolen and/or weak passwords. In other words: the breaches came from compromised identities.

Before an organization can fight identity-based attacks, it must survive its own internal battle between IT and security. There are two battle fronts. The first: identity access management (IAM) typically comes under the control of the CIO, where more access is better than less to enable business processes at customer speed, even more so for mobility and cloud projects.  IAM is not managed by the CISO, even though identity-based risks are at the core of security issues that keep CISOs up at night.  This first front can be summarized as the CIO and CISO divide.

The second front is wider: IT and security teams have vastly different functions and interests.  IT teams focus on enabling the business through information technology operations, availability, performance and continuity.  The objective is to achieve no outages and deliver desired information at the blink of an eye to users. As a result, IT sometimes errs on providing too much access especially through access cloning and rubber-stamping certifications for compliance.

Security teams on the other hand focus on malware detection, finding threats, and remediation. Dwell times between infection and detection can average over 150 days and up to 220 days according to recent reports. Security operation centers (SOCs) require time to collect data and determine root cause issues. They must often analyze kill chains from data breach incidents in reverse. Internally, they also face privileged access abuse issues and insiders with approved credentials exfiltrating data.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

To succeed in combating identity-based risks, these teams must first agree that the compromise and misuse of identities are issues they need to tackle collaboratively in order to provide the least amount of access without impacting business process flows.

What is the Identity Threat Plane?
Identity consists of users, their accounts, access entitlements, and related activities, both on-premises and in the cloud. Common issues include excess access, access outliers, orphan and dormant accounts, as well as unknown privileged access risks. Therefore, security teams should consider identity as a threat plane — and a source of attack that needs to be defended.

At the same time, IT teams need to understand that group and role proliferation are a major part of the problem. Unfortunately, IAM is too often constrained by inflexible and inefficient manual processes for compliance with legacy rules defining roles. 

The Productivity Versus Security Dynamic
There will always be a natural tension between the CIO and the CISO. This dynamic is determined by the reality that the CIO is driven to provide more and better services at lower costs, while a CISO’s job is to protect everything and to maintain the assurance of confidentiality, integrity, availability, and safety. Every one of those attributes is potentially contrary to what the CIO wants to do. Because of the disconnect between teams, identity-based risks remain a large unknown to security teams. Large volumes of excess, outlier, and unknown access risks are blind spots for many organizations, especially those with digital assets spread across the data center and multiple clouds. Here are three best practices for bridging the gap:

Embrace CIO-CISO collaboration. Despite or indeed because of their differences, the CIO and the CISO need to find common security interests so they can collaborate to meet their organization’s goals and needs. Increasingly, IT and security teams are collaborating around cloud computing, big data, and security analytics focused on behavior, identity and privilege.

A great deal of the work performed today in security revolves around big data for the rich context it provides to determine risks and anomalous activity. IT teams also now use the cloud to do analytical work that could not be performed if the cloud did not exist.

New, cloud-based security solutions rely heavily on big data and machine learning models for analytics that leverage the low cost and productivity-enhancing capabilities of the cloud. These solutions give CIOs and CISOs the best of both their worlds.

Accept that identity is a threat plane. The old single security perimeter — where data and applications resided safely in the data center with users on a LAN behind a firewall — is dead. It has been killed by the Internet’s ever-changing, ever-growing world of cloud computing and mobility, where data and applications are likely to reside in innumerable cloud-based data centers — as well as in the traditional data center with users on any device at any location at any time of the day.

Each day, CIOs and CISOs face the daunting challenge of trying to secure on-premise environments connected to multiple cloud applications and multiple mobile devices. New threats emerge daily, and most are based on the misuse and compromise of identity alongside ransomware outbreaks. Traditional perimeter defenses simply cannot cope with the volume and intelligence of these threats.

Leverage analytics and access controls to reduce risks. More organizations are leveraging machine learning analytics to gain 24/7 real-time visibility into big data. The primary benefits are: deeper insights into who has access to what, who is accessing the data, and who looked at what data — and to correlate such activities with people’s entitlements to access specific data, applications, networks, and so on.  We are moving from coarse-grained controls for accounts to fine grain controls on entitlements and risk profiles driven by machine learning analytics. 

In tandem, smart organizations can implement refined access controls that precisely define people’s access privileges. Key to these controls is having a zero baseline access policy for employees who transfer to a new position — their access is brought to a zero baseline and increased according to their needs. Having a quarterly risk-based certification process is also a good idea as it helps an organization catch excess access with high scores.

The sooner CISOs and CIOs recognize, agree on and treat identities as a potential security threat, the more effective an organization will become at detecting and preventing identity compromise and misuse attacks.

Related Content:

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/13/2017 | 8:07:58 AM
Silos , competing objectives, and comment sense
You've got to love it when competing objectives trump what's best for the organization, and customers. It ends up costing everyone $$ in the end. Cybercriminals and hackers love it, though, as it simplifies their efforts.  Banish these people to positions where they get to ask, "will that burger be for here or to go?" craig kensek
User Rank: Ninja
6/12/2017 | 6:52:53 PM
Embracing 2FA and MFA
Helping isolate "friendly fire" (employee) intrusion from activity based on stolen credentials can be done rapidly by implementing 2FA or MFA.  Mult-factor authentication gets lots of groans, whether it's due to added costs or added time; there's a strange belief that having to enter more than two credentials, including add-ons like pins delivered by mobile device or token hardware.  But in the end these extra layers of security are going to save money, especially from the perspective of resource hours and insurance, when you consider how many intrusions occur every day under current security models.  Granted it's not perfect but all the same, I'd bet on a more secure environment with these models in place and then focus on intrusions either from friendly fire, or other avenues not based on illegal logins.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-22
Arbitrary code execution vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of OBR.
PUBLISHED: 2020-09-22
WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges.
PUBLISHED: 2020-09-22
A vulnerability in Arista’s CloudVision Portal (CVP) prior to 2020.2 allows users with “read-only� or greater access rights to the Configlet Management module to download files not intended for access, located on the CVP server, by accessing ...
PUBLISHED: 2020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 stores user credentials in plain in clear text which can be read by an authenticated user. IBM X-Force ID: 184976.
PUBLISHED: 2020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allo...