
Saryu Nayyar

Why Compromised Identities Are IT's Fault

The eternal battle between IT and security is the source of the problem.

The compromise and misuse of identity credentials provides the easiest doorway into an enterprise network, and the quickest path to its most valuable assets. It also extends beyond the realm of employees to business partners, and even customers where this information is leveraged for fraud.

The recently released 2017 Verizon Data Breach Investigations Report (DBIR) found that a whopping 81% of hacking-related breaches use either stolen and/or weak passwords. In other words: the breaches came from compromised identities.

Before an organization can fight identity-based attacks, it must survive its own internal battle between IT and security. There are two battle fronts. The first: identity access management (IAM) typically comes under the control of the CIO, where more access is considered better than less so that business processes can run at customer speed, even more so for mobility and cloud projects. IAM is not managed by the CISO, even though identity-based risks are at the core of the security issues that keep CISOs up at night. This first front can be summarized as the CIO and CISO divide.

The second front is wider: IT and security teams have vastly different functions and interests. IT teams focus on enabling the business through information technology operations, availability, performance, and continuity. The objective is to achieve no outages and to deliver the desired information to users in the blink of an eye. As a result, IT sometimes errs on the side of providing too much access, especially through access cloning and rubber-stamping access certifications for compliance.

Security teams on the other hand focus on malware detection, finding threats, and remediation. Dwell times between infection and detection can average over 150 days and up to 220 days according to recent reports. Security operation centers (SOCs) require time to collect data and determine root cause issues. They must often analyze kill chains from data breach incidents in reverse. Internally, they also face privileged access abuse issues and insiders with approved credentials exfiltrating data.


To succeed in combating identity-based risks, these teams must first agree that the compromise and misuse of identities are issues they need to tackle collaboratively in order to provide the least amount of access without impacting business process flows.

What is the Identity Threat Plane?
Identity consists of users, their accounts, access entitlements, and related activities, both on-premises and in the cloud. Common issues include excess access, access outliers, orphan and dormant accounts, as well as unknown privileged access risks. Therefore, security teams should consider identity as a threat plane — and a source of attack that needs to be defended.

At the same time, IT teams need to understand that group and role proliferation are a major part of the problem. Unfortunately, IAM is too often constrained by inflexible and inefficient manual processes for compliance with legacy rules defining roles. 

The Productivity Versus Security Dynamic
There will always be a natural tension between the CIO and the CISO. This dynamic is determined by the reality that the CIO is driven to provide more and better services at lower costs, while a CISO’s job is to protect everything and to maintain the assurance of confidentiality, integrity, availability, and safety. Every one of those attributes is potentially contrary to what the CIO wants to do. Because of the disconnect between teams, identity-based risks remain a large unknown to security teams. Large volumes of excess, outlier, and unknown access risks are blind spots for many organizations, especially those with digital assets spread across the data center and multiple clouds. Here are three best practices for bridging the gap:

Embrace CIO-CISO collaboration. Despite or indeed because of their differences, the CIO and the CISO need to find common security interests so they can collaborate to meet their organization’s goals and needs. Increasingly, IT and security teams are collaborating around cloud computing, big data, and security analytics focused on behavior, identity and privilege.

A great deal of the work performed today in security revolves around big data for the rich context it provides to determine risks and anomalous activity. IT teams also now use the cloud to do analytical work that could not be performed if the cloud did not exist.

New, cloud-based security solutions rely heavily on big data and machine learning models for analytics that leverage the low cost and productivity-enhancing capabilities of the cloud. These solutions give CIOs and CISOs the best of both their worlds.

Accept that identity is a threat plane. The old single security perimeter — where data and applications resided safely in the data center with users on a LAN behind a firewall — is dead. It has been killed by the Internet’s ever-changing, ever-growing world of cloud computing and mobility, where data and applications are likely to reside in innumerable cloud-based data centers — as well as in the traditional data center with users on any device at any location at any time of the day.

Each day, CIOs and CISOs face the daunting challenge of trying to secure on-premises environments connected to multiple cloud applications and multiple mobile devices. New threats emerge daily, and most are based on the misuse and compromise of identity, alongside ransomware outbreaks. Traditional perimeter defenses simply cannot cope with the volume and intelligence of these threats.

Leverage analytics and access controls to reduce risks. More organizations are leveraging machine learning analytics to gain 24/7 real-time visibility into big data. The primary benefits are deeper insights into who has access to what, who is accessing the data, and who looked at what data — and the ability to correlate such activities with people's entitlements to access specific data, applications, networks, and so on. We are moving from coarse-grained controls on accounts to fine-grained controls on entitlements and risk profiles driven by machine learning analytics.

In tandem, smart organizations can implement refined access controls that precisely define people’s access privileges. Key to these controls is having a zero baseline access policy for employees who transfer to a new position — their access is brought to a zero baseline and increased according to their needs. Having a quarterly risk-based certification process is also a good idea as it helps an organization catch excess access with high scores.
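As an added illustration (not code from the article or from Gurucul), the following Python script scores the identity risks the article names (orphan and dormant accounts, and access outliers relative to role peers) to build a risk-based certification queue, and applies the zero-baseline rule when an account transfers to a new position. The account records, the 90-day dormancy window and the score weights are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from the article): accounts with role, owner flag,
# last login and entitlements. svc_legacy has no owner and holds db_admin.
TODAY = date(2017, 6, 12)
ACCOUNTS = [
    {"id": "alice", "role": "finance", "owner": True, "last_login": date(2017, 6, 10), "ents": {"erp_read", "erp_post"}},
    {"id": "bob", "role": "finance", "owner": True, "last_login": date(2017, 6, 9), "ents": {"erp_read", "erp_post"}},
    {"id": "carol", "role": "finance", "owner": True, "last_login": date(2017, 6, 11), "ents": {"erp_read", "erp_post", "db_admin"}},
    {"id": "dave", "role": "finance", "owner": True, "last_login": date(2016, 12, 1), "ents": {"erp_read"}},
    {"id": "svc_legacy", "role": "finance", "owner": False, "last_login": date(2017, 6, 1), "ents": {"erp_read", "db_admin"}},
]


def peer_prevalence(accounts):
    """For each role, the fraction of its accounts that hold each entitlement."""
    by_role = {}
    for acct in accounts:
        by_role.setdefault(acct["role"], []).append(acct)
    prevalence = {}
    for role, members in by_role.items():
        counts = Counter(e for m in members for e in m["ents"])
        prevalence[role] = {e: n / len(members) for e, n in counts.items()}
    return prevalence


def score_account(acct, prevalence, today=TODAY, dormant_days=90, outlier_threshold=0.5):
    """Return (risk score, findings). Weights are assumed: orphan 40, dormant 30, each outlier entitlement 20."""
    findings, score = [], 0
    if not acct["owner"]:                      # orphan: nobody is accountable for the account
        findings.append("orphan"); score += 40
    if (today - acct["last_login"]).days > dormant_days:   # dormant: unused but still enabled
        findings.append("dormant"); score += 30
    for ent in sorted(acct["ents"]):           # outlier: held by fewer than half of role peers
        if prevalence[acct["role"]][ent] < outlier_threshold:
            findings.append(f"outlier:{ent}"); score += 20
    return score, findings


def certification_queue(accounts, today=TODAY, min_score=30):
    """Accounts worth a reviewer's attention this quarter, highest risk first."""
    prevalence = peer_prevalence(accounts)
    scored = [(a["id"], *score_account(a, prevalence, today)) for a in accounts]
    return sorted((row for row in scored if row[1] >= min_score), key=lambda row: -row[1])


def zero_baseline_transfer(acct, new_role, required):
    """On transfer, drop every inherited entitlement and grant only what the new role needs."""
    return dict(acct, role=new_role, ents=set(required))
```

Running `certification_queue(ACCOUNTS)` puts the ownerless service account with the rare db_admin entitlement at the top of the review list, ahead of the dormant user, while the two normal finance users never reach the reviewer.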

The sooner CISOs and CIOs recognize, agree on and treat identities as a potential security threat, the more effective an organization will become at detecting and preventing identity compromise and misuse attacks.

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ...

User Rank: Apprentice
6/13/2017 | 8:07:58 AM
Silos, competing objectives, and common sense
You've got to love it when competing objectives trump what's best for the organization, and customers. It ends up costing everyone $$ in the end. Cybercriminals and hackers love it, though, as it simplifies their efforts.  Banish these people to positions where they get to ask, "will that burger be for here or to go?" craig kensek
User Rank: Ninja
6/12/2017 | 6:52:53 PM
Embracing 2FA and MFA
Helping isolate "friendly fire" (employee) intrusion from activity based on stolen credentials can be done rapidly by implementing 2FA or MFA. Multi-factor authentication gets lots of groans, whether it's due to added costs or added time; there's a strange belief that having to enter more than two credentials, including add-ons like PINs delivered by mobile device or token hardware. But in the end these extra layers of security are going to save money, especially from the perspective of resource hours and insurance, when you consider how many intrusions occur every day under current security models. Granted it's not perfect but all the same, I'd bet on a more secure environment with these models in place and then focus on intrusions either from friendly fire, or other avenues not based on illegal logins.