Organizations must focus more on protecting their IAM infrastructure

Nov 2, 2022 | cybersecurity

There are many trends in cybersecurity today, as organizations battle ever more cunning and prevalent cybercriminals; new tools and methods are emerging all the time.

Sophisticated threat actors are actively targeting identity and access management (IAM) infrastructure, and credential misuse is now a primary attack vector. ITDR, then, is the “collection of tools and best practices to defend identity systems.”

This adds another layer of security to even mature IAM deployments, said Mary Ruddy, a VP analyst at Gartner.

“Identity is now foundational for security operations (identity-first security),” she said. “As identity becomes more important, threat actors are increasingly targeting the identity infrastructure itself.”

Simply put, “organizations must focus more on protecting their IAM infrastructure.”

Securing identity with identity threat detection and response

Stolen credentials account for 61% of all data breaches, according to Verizon’s 2022 Data Breach Investigations Report. Gartner, meanwhile, attributes 75% of security failures [subscription required] to lack of identity management; this is up from 50% in 2020, the firm reports.

As noted by Peter Firstbrook, a research VP at Gartner, organizations have spent considerable effort improving IAM capabilities, but most of that focus has been on technology to improve user authentication. While this may seem beneficial, it actually increases the attack surface for a foundational part of the cybersecurity infrastructure.

“ITDR tools can help protect identity systems, detect when they are compromised and enable efficient remediation,” he said.

ITDR is a new acronym Gartner uses to describe the security discipline that protects the identity infrastructure. Much like network detection and response (NDR) and endpoint detection and response (EDR) protect critical infrastructure in the organization, ITDR is required to protect the systems that control identity and access across the organization. Now that identity has become the new perimeter, the detection gaps between traditional IAM solutions and infrastructure security controls are constantly exploited by malicious actors, inside and outside the organization.

Before searching for the tools to protect your identity infrastructure, we recommend identifying the gaps in your environment by following the below 3 steps:

Step 1: Assess Identity-First Security Posture

Examine the identity risk level across your cloud environment by reviewing actual access privileges and identifying stale accounts, over-privileges, and privilege escalation paths. The proliferation of identities and assets together with the dynamic nature of the cloud often leads to hidden, unused and excessive access.

For example, “More than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted, which greatly increases the attack surface for account compromises.” Gartner Innovation Insight for Cloud Infrastructure Entitlement Management, published on 15 June 2021 by Henrique Teixeira, Michael Kelley, and Abhyuday Data.

Reviewing all cloud services and applications for illicit access can be very time consuming and error-prone. CIEM (Cloud Infrastructure Entitlement Management) solutions can help identify over-privileges in IaaS. If you wish to cover all your bases, it would be beneficial to also review cloud applications and IAM tools to identify stale access from partial offboarding as well as privilege escalations across systems (shadow administrators and federation).

Step 2: Assess Identity Threats

Review the configurations and deployments of your IAM tools (IdP/SSO, IGA and PAM) to detect risks and threats such as exposed passwords, user impersonation, and unauthorized changes. Even mature deployments of IAM solutions may be exposed to identity threats due to misconfigurations or even by design.

A point-in-time assessment will provide you with an estimate of your exposure level and indicate the prioritization and extent of your ITDR adoption for ongoing protection. Identifying where you are exposed will also help determine who should own ITDR in your organization.

Step 3: Examine Response Playbooks

Your SIEM, SOAR and XDR tools are handling incident response for your security infrastructure. Chances are that some of your existing playbooks can also be used for identity risks and threats. Review your existing playbooks to identify what will work for identity and access incidents and what requires adjustments, or new playbooks.

Some ITDR solutions will also provide automated remediation capabilities, such as disabling excessive access, and resolution recommendations (like moving from SWA to SAML). The severity and potential impact of incidents on your organization will determine the urgency and automation of your playbooks.

Find a solution for each IT challenge in your company with our powerful Converged Platform. Get a custom demo.


(1) Securityboulevard

(2) Venturebeat

Imagen de Pete Linforth en Pixabay

Related Articles