Careers & People

02:00 PM
Saryu Nayyar
Saryu Nayyar
Connect Directly
E-Mail vvv

Why Compromised Identities Are ITs Fault

The eternal battle between IT and security is the source of the problem.

The compromise and misuse of identity credentials provides the easiest doorway into an enterprise network, and the quickest path to its most valuable assets. It also extends beyond the realm of employees to business partners, and even customers where this information is leveraged for fraud.

The recently released 2017 Verizon Data Breach Investigations Report (DBIR) found that a whopping 81% of hacking-related breaches use either stolen and/or weak passwords. In other words: the breaches came from compromised identities.

Before an organization can fight identity-based attacks, it must survive its own internal battle between IT and security. There are two battle fronts. The first: identity access management (IAM) typically comes under the control of the CIO, where more access is better than less to enable business processes at customer speed, even more so for mobility and cloud projects.  IAM is not managed by the CISO, even though identity-based risks are at the core of security issues that keep CISOs up at night.  This first front can be summarized as the CIO and CISO divide.

The second front is wider: IT and security teams have vastly different functions and interests.  IT teams focus on enabling the business through information technology operations, availability, performance and continuity.  The objective is to achieve no outages and deliver desired information at the blink of an eye to users. As a result, IT sometimes errs on providing too much access especially through access cloning and rubber-stamping certifications for compliance.

Security teams on the other hand focus on malware detection, finding threats, and remediation. Dwell times between infection and detection can average over 150 days and up to 220 days according to recent reports. Security operation centers (SOCs) require time to collect data and determine root cause issues. They must often analyze kill chains from data breach incidents in reverse. Internally, they also face privileged access abuse issues and insiders with approved credentials exfiltrating data.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

To succeed in combating identity-based risks, these teams must first agree that the compromise and misuse of identities are issues they need to tackle collaboratively in order to provide the least amount of access without impacting business process flows.

What is the Identity Threat Plane?
Identity consists of users, their accounts, access entitlements, and related activities, both on-premises and in the cloud. Common issues include excess access, access outliers, orphan and dormant accounts, as well as unknown privileged access risks. Therefore, security teams should consider identity as a threat plane — and a source of attack that needs to be defended.

At the same time, IT teams need to understand that group and role proliferation are a major part of the problem. Unfortunately, IAM is too often constrained by inflexible and inefficient manual processes for compliance with legacy rules defining roles. 

The Productivity Versus Security Dynamic
There will always be a natural tension between the CIO and the CISO. This dynamic is determined by the reality that the CIO is driven to provide more and better services at lower costs, while a CISO’s job is to protect everything and to maintain the assurance of confidentiality, integrity, availability, and safety. Every one of those attributes is potentially contrary to what the CIO wants to do. Because of the disconnect between teams, identity-based risks remain a large unknown to security teams. Large volumes of excess, outlier, and unknown access risks are blind spots for many organizations, especially those with digital assets spread across the data center and multiple clouds. Here are three best practices for bridging the gap:

Embrace CIO-CISO collaboration. Despite or indeed because of their differences, the CIO and the CISO need to find common security interests so they can collaborate to meet their organization’s goals and needs. Increasingly, IT and security teams are collaborating around cloud computing, big data, and security analytics focused on behavior, identity and privilege.

A great deal of the work performed today in security revolves around big data for the rich context it provides to determine risks and anomalous activity. IT teams also now use the cloud to do analytical work that could not be performed if the cloud did not exist.

New, cloud-based security solutions rely heavily on big data and machine learning models for analytics that leverage the low cost and productivity-enhancing capabilities of the cloud. These solutions give CIOs and CISOs the best of both their worlds.

Accept that identity is a threat plane. The old single security perimeter — where data and applications resided safely in the data center with users on a LAN behind a firewall — is dead. It has been killed by the Internet’s ever-changing, ever-growing world of cloud computing and mobility, where data and applications are likely to reside in innumerable cloud-based data centers — as well as in the traditional data center with users on any device at any location at any time of the day.

Each day, CIOs and CISOs face the daunting challenge of trying to secure on-premise environments connected to multiple cloud applications and multiple mobile devices. New threats emerge daily, and most are based on the misuse and compromise of identity alongside ransomware outbreaks. Traditional perimeter defenses simply cannot cope with the volume and intelligence of these threats.

Leverage analytics and access controls to reduce risks. More organizations are leveraging machine learning analytics to gain 24/7 real-time visibility into big data. The primary benefits are: deeper insights into who has access to what, who is accessing the data, and who looked at what data — and to correlate such activities with people’s entitlements to access specific data, applications, networks, and so on.  We are moving from coarse-grained controls for accounts to fine grain controls on entitlements and risk profiles driven by machine learning analytics. 

In tandem, smart organizations can implement refined access controls that precisely define people’s access privileges. Key to these controls is having a zero baseline access policy for employees who transfer to a new position — their access is brought to a zero baseline and increased according to their needs. Having a quarterly risk-based certification process is also a good idea as it helps an organization catch excess access with high scores.

The sooner CISOs and CIOs recognize, agree on and treat identities as a potential security threat, the more effective an organization will become at detecting and preventing identity compromise and misuse attacks.

Related Content:

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/13/2017 | 8:07:58 AM
Silos , competing objectives, and comment sense
You've got to love it when competing objectives trump what's best for the organization, and customers. It ends up costing everyone $$ in the end. Cybercriminals and hackers love it, though, as it simplifies their efforts.  Banish these people to positions where they get to ask, "will that burger be for here or to go?" craig kensek
User Rank: Ninja
6/12/2017 | 6:52:53 PM
Embracing 2FA and MFA
Helping isolate "friendly fire" (employee) intrusion from activity based on stolen credentials can be done rapidly by implementing 2FA or MFA.  Mult-factor authentication gets lots of groans, whether it's due to added costs or added time; there's a strange belief that having to enter more than two credentials, including add-ons like pins delivered by mobile device or token hardware.  But in the end these extra layers of security are going to save money, especially from the perspective of resource hours and insurance, when you consider how many intrusions occur every day under current security models.  Granted it's not perfect but all the same, I'd bet on a more secure environment with these models in place and then focus on intrusions either from friendly fire, or other avenues not based on illegal logins.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-23
hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call.
PUBLISHED: 2019-03-23
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string or PATH_INFO) follo...
PUBLISHED: 2019-03-23
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
PUBLISHED: 2019-03-23
SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user...
PUBLISHED: 2019-03-23
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.