Stopping Modern Attacks Requires XDR with Identity

Kapil Raina, Identity Protection Evangelist, CrowdStrike | Thursday, 16 February 2023, 07:30 IST

Kapil Raina, a cyber security marketing executive with 20+ years of experience, has built and led product, marketing, sales, and strategy teams at startups and large brands such as VeriSign, VMware, and Zscaler. He is a recognized speaker and author of books on AI, PKI, Mobile Commerce, Biometrics, and other security topics.

As organizations have strengthened protection for their networks and endpoints, compromising identities has become a focal point of infiltrating organizations. We have seen a rapid rise in the prevalence of identity-based attacks: nearly 80 percent leverage identity-based attacks to compromise legitimate credentials and use techniques like lateral movement to quickly evade detection. Organizations must be experts at understanding adversaries and their motivations in order to detect and respond to these threats.

While the cybersecurity industry may have various definitions of XDR, Gartner recommends choosing an XDR tool that includes at minimum: endpoint, data lake, orchestration, source of identity data for correlation, and threat intelligence.

The problem is, most XDR vendors fail to integrate identity protection in a meaningful way. While identity and access management (IAM) is important, it does not fully defend against identity-based attacks. XDR vendors as a whole are not designed, from the ground up, with the necessary telemetry to identify modern identity-based attacks in real time across hybrid environments, remote workers, and multiple identity stores without disrupting users.

Where IAM Falls Short

It is always about the keys to the kingdom. An adversary’s ultimate goal is always to gain access to critical data, typically as a privileged user, and move about undetected.

IAM vendors are extremely effective at managing digital identities across their life cycles, from provisioning to de-provisioning, allowing organizations to manage users’ digital identities and ensuring all users have access to the resources they need to perform their roles. Many organizations lean on these vendors as part of their Zero Trust efforts.

The problem is, these IAM solutions have been on their own “island” for a while now, leading to potential blind spots. In some cases, the IAM provider has challenges in securing its own infrastructure. When attackers use compromised credentials, they can infiltrate a network and circumvent the existing security solutions that organizations may have in place. This blind spot was not fully understood or appreciated until recently. Organizations need to seamlessly marry detection and enforcement in order to prevent this type of activity.

Identity Protection: Asking the Right Questions

Identity-based attacks are increasing the speed at which an adversary can gain access to, and move throughout, an organization. It takes an average of one hour and twenty-four minutes for attackers to move laterally within an organization, typically using identity-based attacks. If an adversary uses a valid credential, it is much harder to determine that it's malicious. You need real-time, full visibility across your security stack in order to identify potentially malicious behavior and quickly act on it.

Can you detect and defend against identity-based attacks? Ask your organization the following questions: Do you have enough information from native and third-party sources, including behavioral analytics? Can you process what's happening and stop it in real time? Do you leverage risk-based conditional access to minimize false positives? Can you see and protect everything in your environment, including unmanaged or legacy systems? Can you take proactive action to contain a breach? This may include using risk scoring to block a compromised identity from being used at other endpoints, or ensuring segmentation to prevent lateral movement.

The majority of today’s XDR solutions lack the capabilities to help organizations answer the above questions. We have seen most XDR vendors have a particular area of expertise, whether that is starting at the network or making a SIEM or SOAR solution appear more attractive. However, by Gartner’s definition, they have to do it all if they are going to call themselves an XDR solution.

While XDR extends detection and response from the endpoint across all environments, you cannot forget the individual or the identity in all of this, and you certainly cannot forget the threat intelligence aspect. Newer XDR solutions have trouble correlating attack patterns to determine whether an identity is compromised (that is, identifying in real time a known identity being used from an unmanaged endpoint). To understand when, or if, there is an attack, you need the endpoint and identity telemetry, but you also need massive adversary knowledge against which to compare the threat vector.
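As an added illustration of the cross-domain correlation the questions above and this paragraph call for, the following Python sketch joins identity telemetry (successful logons) with endpoint telemetry (which hosts carry a sensor) to flag a known identity appearing on an unmanaged device, a host outside the identity's baseline, and several hosts reached inside the article's 1 h 24 min breakout window. It then maps the resulting risk score to a conditional-access decision and a containment list of other endpoints on which the identity should be blocked. This is example code written for this page, not code from the article or from CrowdStrike; the hostnames, user names, events, signal weights, and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# --- Constructed sample telemetry (hypothetical hosts and users, not real data) ---

# Endpoints that report to a sensor; anything else counts as unmanaged or legacy.
MANAGED_ENDPOINTS = {"WS-ALICE-01", "WS-BOB-02", "WS-CAROL-03", "SRV-FILE-01", "SRV-DB-01"}

# Per-identity baseline of hosts each account has historically used.
BASELINE_HOSTS = {
    "alice": {"WS-ALICE-01"},
    "bob": {"WS-BOB-02", "SRV-FILE-01"},
    "carol": {"WS-CAROL-03"},
}

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    host: str       # endpoint on which the identity was used
    success: bool

EVENTS = [
    AuthEvent(datetime(2023, 2, 16, 9, 0),  "alice", "WS-ALICE-01", True),
    AuthEvent(datetime(2023, 2, 16, 9, 5),  "bob",   "WS-BOB-02", True),
    AuthEvent(datetime(2023, 2, 16, 9, 10), "alice", "LAPTOP-UNKNOWN", True),  # no sensor on this host
    AuthEvent(datetime(2023, 2, 16, 9, 20), "alice", "SRV-FILE-01", True),     # never seen for alice
    AuthEvent(datetime(2023, 2, 16, 9, 40), "alice", "SRV-DB-01", True),       # fourth host in the window
    AuthEvent(datetime(2023, 2, 16, 9, 45), "carol", "BYOD-PHONE", True),      # unmanaged and first seen
    AuthEvent(datetime(2023, 2, 16, 9, 50), "bob",   "SRV-DB-01", False),      # failed logon, ignored
]

# Window for the "how many hosts, how fast" signal: the breakout time the article quotes.
LATERAL_WINDOW = timedelta(hours=1, minutes=24)

@dataclass
class Assessment:
    user: str
    score: int
    action: str
    reasons: list = field(default_factory=list)
    contain_on: set = field(default_factory=set)   # hosts where the identity should be blocked

def score_identity(user, events, managed=MANAGED_ENDPOINTS, baseline=BASELINE_HOSTS, window=LATERAL_WINDOW):
    """Combine endpoint and identity telemetry into one risk score for `user`.

    Weights are illustrative assumptions, not any vendor's model:
      +40  identity used on a host with no sensor (unmanaged/legacy)
      +25  identity used on a host absent from its baseline
      +35  three or more distinct hosts inside `window` (lateral-movement pace)
    Returns (score capped at 100, human-readable reasons, set of hosts touched).
    """
    mine = sorted((e for e in events if e.user == user and e.success), key=lambda e: e.ts)
    known = set(baseline.get(user, set()))
    score, reasons, seen_hosts = 0, [], []
    for e in mine:
        if e.host in seen_hosts:
            continue                        # score each distinct host once
        seen_hosts.append(e.host)
        if e.host not in managed:
            score += 40
            reasons.append(f"unmanaged endpoint {e.host}")
        if e.host not in known:
            score += 25
            reasons.append(f"first-seen host {e.host}")
    for i, start in enumerate(mine):        # sliding window over successful logons
        hosts = {x.host for x in mine[i:] if x.ts - start.ts <= window}
        if len(hosts) >= 3:
            score += 35
            reasons.append(f"{len(hosts)} hosts within {window}")
            break
    return min(score, 100), reasons, set(seen_hosts)

def conditional_access(score):
    """Risk-based decision; the thresholds are assumptions for this example."""
    if score >= 70:
        return "block_and_contain"
    if score >= 40:
        return "step_up_mfa"
    return "allow"

def assess_all(events=EVENTS, managed=MANAGED_ENDPOINTS):
    """Score every identity seen in `events` and attach the access decision."""
    results = {}
    for user in sorted({e.user for e in events}):
        score, reasons, hosts = score_identity(user, events, managed)
        action = conditional_access(score)
        # Containment: block the identity on the managed endpoints it has not yet
        # reached, so a stolen credential cannot be reused elsewhere.
        contain = (managed - hosts) if action == "block_and_contain" else set()
        results[user] = Assessment(user, score, action, reasons, contain)
    return results

if __name__ == "__main__":
    for a in assess_all().values():
        print(f"{a.user:6} score={a.score:3} action={a.action:17} reasons={a.reasons}")
```

Running the block scores `alice` at 100 (unmanaged device, three unfamiliar hosts, four hosts inside the window) and blocks her on the two managed endpoints she has not reached, sends `carol` to step-up MFA for a single unmanaged, first-seen device, and leaves `bob` untouched. The point of the design is that no single source produces these outcomes: the sensor inventory supplies the "unmanaged" signal, the identity store supplies the baseline, and the decision and containment step close the loop the article describes between detection and enforcement.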

XDR with Identity Protection: Better Together

There is a real complexity that exists in identifying and responding to real-time attacks if you are only looking at one piece of a fragmented puzzle, or you have swivel chair syndrome with your security tooling. IAM is only one piece of the identity protection puzzle. A holistic XDR solution - one that connects endpoint, identity and threat intelligence together, ensuring coverage everywhere (cloud, on-prem, mobile, unmanaged devices, and more) - is the only way to solve this effectively.

When it is done right, organizations have unified cross-domain detections and investigations to effectively connect the dots, understand the context, and automate the risk response to stop or contain adversary attacks. XDR with identity protection not only stops threats, but improves the bottom line. For example, one of the CISOs at an auto glass company I spoke to recently shared their operational expense savings: a 75 percent reduction in support password resets, an 8 percent reduction in phishing susceptibility, and a 32 percent reduction in unnecessary user access rights. A holistic XDR solution that can correlate native and third-party cross-domain telemetry (spanning network, email, endpoint, identity, web applications, cloud and SaaS apps, workloads, third-party systems and security tools, and more) wins.

Whatever you do, don’t neglect the importance of identity protection within your XDR solution.
