It’s Time for Identity-First Security Management

Posted by Carolyn Crandall

While perimeter defense tools like firewalls and antivirus software once reigned supreme, today’s cybersecurity professionals understand that preventing 100% of attacks targeting a network is impossible—particularly in today’s distributed world, where remote work remains the norm. As Gartner recently noted, “identity is the new perimeter” is no longer a belief. It’s reality.

Today, organizations increasingly use perimeter security tools in conjunction with identity-based, least-privilege access programs and in-network defenses capable of detecting attack escalation and lateral movement. Widespread remote work has effectively demonstrated the critical role that identity plays within modern network security, making identity-first security management a must-have for today’s enterprises.

The Importance of Identity Management

The concept of identity management is not new, yet 74% of today’s breaches involve access to a privileged account. With a compromised account, attackers can often evade perimeter defenses, move freely throughout the network to target Active Directory (AD) and escalate their privileges further. AD is a prime target because it authenticates and authorizes identities and devices across the network, providing authentication for users, directory services and integrations across business applications, including file servers, applications and more.

Active Directory serves as a roadmap for the entire network, providing a single management pane for authentication and authorization across resources. Several years ago, Microsoft estimated that 95 million AD accounts are under attack daily—a number that has almost certainly risen in the intervening time, especially given that 90% of Global Fortune 1,000 companies use AD. Unfortunately, because AD requires access to a wide range of network environments, it is tough to secure. As organizations prioritize managing identities to secure themselves against attack, defending Active Directory must be a priority.

Identity Protection Challenges

Organizations do not always have the necessary visibility into AD security hygiene issues, nor do they have reliable alerting to key exposures at the domain, device or user levels. Unfortunately, real-time detection of AD privilege escalation can be challenging to achieve through traditional means, yet restricting access to AD information is difficult to accomplish without negatively impacting business operations.

Most organizations lack continuous visibility into identities and account risks related to credentials, shadow administrators, stale accounts, shared credentials and identity attack paths. Unfortunately, this makes it difficult to tell when exposures, misconfigurations or overly permissive provisioning might be creating vulnerabilities. This lack of visibility is particularly dangerous today, at a time when the network environment is more distributed than ever. It is tough to manage identity entitlements and ensure a policy of least-privilege access across both on-premises and cloud environments.

Protecting Identity by Protecting Active Directory

For effective identity-first security, it is critical to detect and disrupt attack activity, such as reconnaissance, lateral movement and privilege escalation early in the attack cycle. AD visibility is also crucial, and defenders require the ability to identify changes that might indicate an attack is underway, such as mass account lockouts, disables or deletions. Other red flags, such as suspicious password management, brute force login attempts and DCShadow attacks, should also raise suspicions. Ultimately, insufficient AD visibility can give attackers considerable room to operate without fear of detection.

Endpoint security is also essential, as it can identify unauthorized processes and activities while flagging users that are executing them. Additionally, security teams should implement and orchestrate AD logging and monitoring, including change notifications and alerting mechanisms. These tools can make defenders aware of any changes made to AD in near-real-time, allowing them to act quickly in the event of suspicious activity. In that vein, they should conduct continuous penetration testing on AD to identify potential attack paths and remediate any misconfigurations or vulnerabilities before attackers can exploit them.
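As an added illustration, not taken from the original post, the following Python sketch shows the kind of AD change alerting described above: it reads constructed log lines carrying the standard Windows Security event IDs for account lockouts (4740), disables (4725) and deletions (4726) and raises an alert when a burst of one type crosses a threshold inside a sliding time window. The log line format, account names and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs for the AD account changes the article lists as red flags.
WATCHED = {4740: "account locked out", 4725: "account disabled", 4726: "account deleted"}

def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <event id> <actor> <target>'."""
    ts, eid, actor, target = line.split()
    return datetime.fromisoformat(ts), int(eid), actor, target

def detect_mass_changes(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a watched event ID occurs `threshold` times within `window`.
    Returns a list of (event_id, description, actors, first_ts, last_ts) tuples."""
    recent = defaultdict(deque)          # event id -> deque of (ts, actor) inside the window
    alerts = []
    for line in lines:
        ts, eid, actor, target = parse_line(line)
        if eid not in WATCHED:
            continue
        q = recent[eid]
        q.append((ts, actor))
        while ts - q[0][0] > window:     # drop entries that fell out of the window
            q.popleft()
        if len(q) == threshold:          # fire once, when the burst crosses the threshold
            actors = sorted({a for _, a in q})
            alerts.append((eid, WATCHED[eid], actors, q[0][0], ts))
    return alerts

# Constructed sample: routine single changes during the day, then a burst of six
# account disables by one service account within half a minute late at night.
SAMPLE_LOG = [
    "2024-03-01T01:02:00 4726 helpdesk01 jdoe",
    "2024-03-01T03:15:00 4725 helpdesk02 msmith",
    "2024-03-01T09:40:00 4740 SYSTEM bwayne",
    "2024-03-01T22:10:05 4725 svc_backup alice",
    "2024-03-01T22:10:09 4725 svc_backup bob",
    "2024-03-01T22:10:14 4725 svc_backup carol",
    "2024-03-01T22:10:20 4725 svc_backup dave",
    "2024-03-01T22:10:27 4725 svc_backup erin",
    "2024-03-01T22:10:33 4725 svc_backup frank",
]

if __name__ == "__main__":
    for eid, desc, actors, first, last in detect_mass_changes(SAMPLE_LOG):
        print(f"ALERT {eid} ({desc}): burst {first:%H:%M:%S}-{last:%H:%M:%S} by {actors}")
```

In a real deployment the same logic would sit behind a log forwarder reading the domain controllers' Security logs, with the threshold tuned to each environment's normal change rate.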

Effective identity management also requires regular audits and assessments to identify the domain, user and device-level exposures. These audits can help identify weak policies, account and privilege issues, rogue domain controllers and other potential vulnerabilities. It is also vital to factor cloud security into the equation. Organizations can mitigate cloud identity exposures by implementing security controls and managing cloud entitlements in a way that lets them monitor for misconfigurations, protect sensitive resources and audit third-party access. These protections can mitigate today’s most common identity-related exposures.

Identity Is the New Perimeter

Remote work, the expansion of IoT and the rise of cloud computing have vastly expanded the attack surface and forced cybersecurity professionals to place greater importance on identity management. With credential theft on the rise and attackers regularly targeting AD, it has become increasingly critical for today’s enterprises to have effective identity management and protection tools in place. Fortunately, modern security technology has given defenders valuable new ways to combat these threats. Security professionals like to say that identity is the new perimeter. If that’s the case, then the perimeter is dead—long live the perimeter!

Carolyn Crandall

Chief Security Advocate, Attivo Networks


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.