Locking the Door Is No Longer Enough: Required Capabilities for Identity and Access Threat Prevention
Given that the vast majority of hacking-related breaches – 81% by Verizon’s count – are due to compromised credentials, it’s increasingly critical to establish identity as one of the most fundamental aspects of security. Who is accessing your network, and from where? What privileges does each user have, and is the behaviour they are exhibiting suspicious? This is especially important given the proliferation of access points, devices, users, applications and geographically distributed workforces. In this blog, we define the key requirements and capabilities IT leaders should be looking for in Identity and Access Threat Prevention (IATP) solutions (also known as Conditional Access), and the drivers they should support within the organisation.
Today the job of real-time policy enforcement and threat prevention still primarily falls to network firewalls and endpoint security products, much as it has for the past 20 years. While essential for security, these technologies make very binary allow/block decisions based on a specific and often static event or metadata within a network session or suspicious file.
The next generation of security technologies, with innovations such as machine learning, Artificial Intelligence (AI) and behavioural detection algorithms, is still often inconclusive, reactive and limited to detection only. As a result, these technologies feed into an increasingly overwhelmed incident response process that leaves security operations a step (or more) behind malicious actors.
This creates a devil’s bargain for security teams: they must either block or allow based on incomplete information, risking a compromise (allow) or preventing users from carrying out their work (block). It is important to be able to detect and distinguish truly malicious behaviour from atypical but benign behaviour.
What is Identity and Access Threat Prevention?
With Identity and Access Threat Prevention (IATP), organisations get real-time and continuously adaptive policy enforcement and threat prevention based on identity, behaviour and risk to the enterprise. IATP seeks to achieve an enterprise-wide holistic view of identity; automatic detection and prevention of threats before losses occur; faster and more efficient security teams and operations; and behavioural analysis integrated with real-time enforcement.
By integrating with your existing access control infrastructure, IATP can move beyond simple blocking decisions and incorporate user interaction to challenge suspicious behaviour, confirm a threat, or resolve a benign anomaly in real-time without impacting user productivity or requiring security analyst input. We have created a handy checklist defining the key requirements and capabilities of Identity and Access Threat Prevention solutions. Scroll down for a more detailed explanation.
Key Capabilities of Identity and Access Threat Prevention
Comprehensive View of Identity
In order to enforce policies and stop threats, it is imperative that an IATP solution be able to see the many types of identities in the enterprise and the many environments in which they operate. As enterprise assets and infrastructure move to the cloud, it is crucial that the security team’s view into identity and devices is the same in the cloud as it is inside the traditional perimeter.
Firstly, a solution should be able to automatically distinguish between the many types of entities in an enterprise. For example, is an account a human user or a programmatic service account? Or, is a particular device a workstation, server or VDI host? Following this, IATP tools must be able to detect the privileges associated with the account. This ability to identify the true type of entity, and its real privileges, will often require direct analysis of traffic to identify traits that may not be found in the Active Directory logs alone. For instance, the solution should be able to identify a user who has been granted administrator privileges even if that user is not a member of the official Administrators group in Active Directory (AD).
Next, organisations will need to compile a wide range of attributes for each user or account, such as behaviours and encryption types. These attributes establish the context necessary for building risk-based policies, behavioural models and threat detection logic that are core to an IATP solution. Lastly, it will need to support these requirements across the breadth of the enterprise. This includes being able to track identity and attributes at the level of groups and organisational units as well as at the level of individual accounts.
Key visibility requirements:
- Entity type
  - Human vs Programmatic
  - Server, Virtual Host
  - Account Privileges
- Traits and Attributes
  - Managed vs Unmanaged
  - Password Strength
  - Protocols and encryption
  - Behavioural, etc.
- Environments
  - Internal enterprise network
  - Cloud enterprise network
  - SSO Applications
  - Federated Services
Continuous Risk Scoring and Audit
Once visibility is established, an IATP will need to put all entities and their many attributes into a security context. This allows an organisation to maintain an ongoing view of its security posture and proactively identify weaknesses.
By monitoring the configuration, posture and real-time behaviour of every entity, the solution should be able to score each account, user or device in terms of its risk to the network. At a high level, this score reflects the likelihood that a given host is actively part of an attack, could be used as part of an attack, or represents an internal user misbehaving.
Observed risks should include an audit of password policy to identify weak passwords, passwords that have been exposed in previous breaches, or users who are sharing passwords or accounts. Risk should be monitored over time and allow staff to view the historical risk of a user or account, and likewise apply this same visibility to larger groups or organisational units.
Key risk scoring requirements include:
- Admin configurations – stale accounts, stealthy admins (accounts with administrator privileges outside the official Administrators group)
- Abnormal account behaviour
- Continuously recalculated risk score
- Device configuration weaknesses
- Use of weak or risky protocols (e.g. NTLM)
- Use of compromised or shared passwords
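To make the "continuously recalculated risk score" concrete, here is an added Python sketch (not code from the original post or from any IATP product) that scores each account from the kinds of findings listed above: stale accounts, stealthy admins, NTLM use, breached or shared passwords, and a human account seen on an unusual number of hosts. The accounts, authentication events, weights, breached-hash set, 90-day stale threshold, 7-day event window and "more than three hosts" heuristic are all constructed assumptions for the example; the point is that the score is a function of the observation time, so findings age in and out as the environment changes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Weights and thresholds are assumptions chosen for illustration; a real
# deployment would tune them to its own environment.
WEIGHTS = {
    "stale_account": 20,
    "stealthy_admin": 30,
    "ntlm_use": 15,
    "breached_password": 40,
    "shared_password": 25,
    "shared_account": 20,
}
STALE_AFTER = timedelta(days=90)   # no logon for this long => stale
WINDOW = timedelta(days=7)         # only events in this trailing window count
SHARED_ACCOUNT_HOSTS = 3           # a human account on more hosts than this looks shared


@dataclass(frozen=True)
class Account:
    name: str
    is_service: bool       # programmatic service account vs human user
    in_admin_group: bool   # member of the official AD Administrators group
    last_logon: datetime
    password_hash: str     # constructed placeholder, not a real hash


@dataclass(frozen=True)
class AuthEvent:
    account: str
    source_host: str
    protocol: str          # "Kerberos" or "NTLM"
    admin_action: bool     # e.g. remote service creation seen on the wire
    when: datetime


def score_account(acct, accounts, events, breached_hashes, as_of):
    """Recalculate one account's risk score as seen at time `as_of`.
    Returns (score clamped to 100, list of finding labels)."""
    findings = []
    recent = [e for e in events
              if e.account == acct.name and as_of - WINDOW < e.when <= as_of]

    if as_of - acct.last_logon > STALE_AFTER:
        findings.append("stale_account")
    # Admin-level actions observed from an account outside the admin group:
    # a privilege that AD group membership alone would not reveal.
    if any(e.admin_action for e in recent) and not acct.in_admin_group:
        findings.append("stealthy_admin")
    if any(e.protocol == "NTLM" for e in recent):
        findings.append("ntlm_use")
    if acct.password_hash in breached_hashes:
        findings.append("breached_password")
    if any(o.password_hash == acct.password_hash
           for o in accounts if o.name != acct.name):
        findings.append("shared_password")
    hosts = {e.source_host for e in recent}
    if not acct.is_service and len(hosts) > SHARED_ACCOUNT_HOSTS:
        findings.append("shared_account")

    return min(100, sum(WEIGHTS[f] for f in findings)), findings


def score_all(accounts, events, breached_hashes, as_of):
    """Score every account at `as_of`; call repeatedly to keep scores current."""
    return {a.name: score_account(a, accounts, events, breached_hashes, as_of)
            for a in accounts}


# Constructed sample data (not real accounts, hosts or hashes).
NOW = datetime(2020, 6, 1, 9, 0)
D = timedelta(days=1)
ACCOUNTS = [
    Account("alice", False, False, NOW - 1 * D, "pw-alice"),
    Account("bob", False, False, NOW - 100 * D, "pw-shared"),
    Account("carol", False, False, NOW - timedelta(hours=2), "pw-shared"),
    Account("svc-backup", True, False, NOW, "pw-svc"),
]
BREACHED = {"pw-shared"}
EVENTS = [
    AuthEvent("alice", "ws01", "NTLM", False, NOW - 1 * D),
    AuthEvent("alice", "srv05", "Kerberos", True, NOW - 1 * D),
    AuthEvent("bob", "ws09", "NTLM", False, NOW - 100 * D),
] + [AuthEvent("carol", h, "Kerberos", False, NOW - 2 * D)
     for h in ("ws02", "ws03", "ws04", "ws05")] \
  + [AuthEvent("svc-backup", h, "Kerberos", False, NOW - 1 * D)
     for h in ("srv01", "srv02", "srv03", "srv04", "srv05")]

if __name__ == "__main__":
    for when in (NOW - 95 * D, NOW):
        print(when.date(), score_all(ACCOUNTS, EVENTS, BREACHED, when))
```

Running it at two points in time shows the recalculation at work: bob's NTLM finding is present when scored shortly after the event and has aged out 95 days later, by which time the account has become stale instead; the service account is exempt from the shared-account heuristic because a backup job legitimately logs on everywhere.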
Continuous Threat Prevention
A key role of IATP is to actively prevent threats, as opposed to simply detecting them. By providing pre-access control, an IATP solution can enforce or block before data is compromised. This is a critical capability as truly preventative enforcement avoids the need for time-consuming incident response, mitigation and recovery work.
Threat detection models and preventative controls should likewise extend to the cloud to ensure full context for detection, and to adequately protect all assets and users. IATP solutions should specifically focus on attacks against identity and signs of attackers who may have infiltrated an organisation. We believe that detection models should limit dependence on signatures or known Indicators of Compromise (IoCs), as much as possible, to ensure detection of custom, obfuscated or novel threats.
It is highly desirable for the solution to detect and enforce policy on common tools and protocols used by administrators as they are often employed by attackers to move laterally and deliver malware to hosts. Examples include PsExec, WMI and RPC, among others.
Key threat prevention requirements include:
- Compromised accounts, devices and identities
- Use of malicious tools
- Abuse of admin tools and protocols
Organisations need a mechanism to provide real-time controls without disrupting valid user behaviour. To meet this goal, an IATP solution should be able to dynamically verify a user’s identity and enforce policy accordingly. Policy-based access controls should allow an organisation to determine and enforce who is able to access what resources, and in what context (e.g., role, device, privilege, location, risk level, etc.). The solution must continuously monitor these attributes and verify identity based on real-time changes in the environment.
Key identity verification requirements include:
- Support for real-time authentication such as MFA
- Support for Single Sign On
- Support for Active Directory Federation Services (ADFS)
- Notifications – email, SMS, syslog, etc.
- Ability to adapt verification based on context
Continuously Adaptive Enforcement
The ultimate job of security is to enforce policy, stop threats and mitigate risk. These tasks all require reliable enforcement, and IATP should fill this role. Enforcement options can include both native and third-party options, such as integrations with other security tools (e.g. firewalls and Intrusion Prevention Systems (IPS)). However, real-time pre-access control will likely rely heavily on the native enforcement options of the IATP solution itself.
Enforcement options should be able to continuously adapt based on real-time changes in the environment. For example, as the risk of a particular host rises, based on observed attributes and behaviour, the solution should deliver more stringent enforcement options. This gradual and adaptive approach allows organisations to align enforcement strategies to the needs of the business, and thus mitigate risk while minimising the impact on normal business operations.
IATP needs a continuous and long-term understanding of behaviour across the enterprise; this includes the ability to baseline entity behaviour across a wide range of attributes. For example, the solution should understand the devices, protocols and assets that an entity commonly uses, and the times, locations and contexts in which they are used; it should be able to automatically identify meaningful deviations from past behaviour and adjust risk ratings accordingly.
As with other capabilities, it is important that behavioural modelling extends to cloud-based assets to ensure a complete and accurate view of account behaviour.
Key adaptive enforcement requirements include:
- Native enforcement options
- Real-time, pre-access enforcement
- Third party integrations (FW, endpoint, etc.)
- Gradual response options to limit user disruption
- Ability to adjust enforcement options based on observed risk
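The paragraphs above on context-based identity verification, behavioural baselining and gradual, risk-driven enforcement fit together in one decision loop. The Python below is an added example of that loop, not code from the original post or from any product: it learns a per-user baseline (devices, locations, protocols, active hours) from trusted history, scores a new access request by its deviations plus whatever posture risk the scoring stage already assigned, and maps the total to a graduated response (allow, allow and notify, MFA challenge, block), stepping up earlier for privileged resources. A successful challenge feeds the new device and location back into the baseline, which is how a benign anomaly is resolved without an analyst. The weights, thresholds, history and requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: str
    location: str
    protocol: str
    resource: str
    privileged: bool       # the target resource requires admin privilege
    when: datetime


@dataclass
class Baseline:
    devices: set
    locations: set
    protocols: set
    hours: set             # hours of day at which the user is normally active


def build_baseline(history):
    """Learn a user's baseline from past access records already judged benign."""
    b = Baseline(set(), set(), set(), set())
    for r in history:
        b.devices.add(r.device)
        b.locations.add(r.location)
        b.protocols.add(r.protocol)
        b.hours.add(r.when.hour)
    return b


# Assumed weights for each kind of deviation from the baseline.
DEVIATION_WEIGHTS = {"new_device": 25, "new_location": 25,
                     "new_protocol": 15, "unusual_hour": 15}


def deviations(baseline, req):
    """Name every attribute of the request that the baseline has not seen."""
    found = []
    if req.device not in baseline.devices:
        found.append("new_device")
    if req.location not in baseline.locations:
        found.append("new_location")
    if req.protocol not in baseline.protocols:
        found.append("new_protocol")
    if req.when.hour not in baseline.hours:
        found.append("unusual_hour")
    return found


def choose_action(risk, privileged):
    """Graduated enforcement; privileged resources step up at a lower risk."""
    if risk >= 70:
        return "block"
    if risk >= 40 or (privileged and risk >= 20):
        return "mfa_challenge"
    if risk >= 20:
        return "allow_and_notify"
    return "allow"


def evaluate(baseline, posture_risk, req):
    """Pre-access decision: posture risk from scoring plus behavioural deviation."""
    found = deviations(baseline, req)
    risk = min(100, posture_risk + sum(DEVIATION_WEIGHTS[f] for f in found))
    return {"action": choose_action(risk, req.privileged), "risk": risk, "reasons": found}


def on_mfa_success(baseline, req):
    """The user confirmed the anomaly is benign: learn device and location.
    Protocols are deliberately not learned, so NTLM use keeps scoring."""
    baseline.devices.add(req.device)
    baseline.locations.add(req.location)


# Constructed sample history and requests for one user (no real hosts or sites).
HISTORY = [AccessRequest("alice", "ws01", "London", "Kerberos", "fileshare", False,
                         datetime(2020, 5, d, h, 0))
           for d, h in ((4, 9), (5, 10), (6, 14), (7, 16), (8, 17))]
REQ_NORMAL = AccessRequest("alice", "ws01", "London", "Kerberos", "fileshare", False,
                           datetime(2020, 6, 2, 10, 0))
REQ_NEW_DEVICE = AccessRequest("alice", "lt-new", "London", "Kerberos", "fileshare", False,
                               datetime(2020, 6, 2, 10, 0))
REQ_NEW_DEVICE_ADMIN = AccessRequest("alice", "lt-new", "London", "Kerberos", "dc01-admin", True,
                                     datetime(2020, 6, 2, 10, 0))
REQ_FAR = AccessRequest("alice", "lt-new", "vpn-exit-unknown", "Kerberos", "fileshare", False,
                        datetime(2020, 6, 3, 3, 0))
REQ_FAR_NTLM = AccessRequest("alice", "lt-new", "vpn-exit-unknown", "NTLM", "fileshare", False,
                             datetime(2020, 6, 3, 3, 0))


def run_scenario():
    """Walk the constructed requests through the policy; return (label, action) pairs."""
    b = build_baseline(HISTORY)
    out = []
    for label, posture, req in [
        ("normal", 0, REQ_NORMAL),
        ("new_device", 0, REQ_NEW_DEVICE),
        ("new_device_admin", 0, REQ_NEW_DEVICE_ADMIN),
        ("new_device_high_posture", 30, REQ_NEW_DEVICE),
        ("new_device_far_night", 0, REQ_FAR),
        ("new_device_far_night_ntlm", 0, REQ_FAR_NTLM),
    ]:
        out.append((label, evaluate(b, posture, req)["action"]))
    on_mfa_success(b, REQ_NEW_DEVICE)   # challenge passed: anomaly resolved as benign
    out.append(("new_device_after_mfa", evaluate(b, 0, REQ_NEW_DEVICE)["action"]))
    return out


if __name__ == "__main__":
    for label, action in run_scenario():
        print(f"{label:28} -> {action}")
```

The same new-device request is merely notified on a low-risk account, challenged when the account's posture score is already elevated, and challenged straight away when the target is an admin resource; adding an unknown location, an unusual hour and NTLM pushes it to a block. The response therefore tightens as observed risk rises, rather than flipping between allow and block.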
Forensics and Reporting
While IATP should prioritise real-time security actions, it needs to provide a robust and interactive tool for security investigations as well. This should naturally include the ability to analyse entities and groups in detail, to investigate the progression of a complex security incident, and to provide an in-depth view of a security event that reveals the “who, what, when, and where” of all related events. It should ideally also provide a chronological view of the underlying events to allow analysts to reconstruct the details of an attack or policy violation.
Ultimately, the solution should be able to share information through highly customisable reports, including reports for security practitioners, regular auditing records, and summary reports more suited to higher-level management.
Our blog is of course not a complete list of all features and functionality, and organisations will likely need to adapt their IATP needs based on their environment, existing security tools, and use cases. Secrutiny has extensive experience helping customers to align IATP deployments with their particular needs.
For further information visit our Identity and Access Threat Prevention solution page, or download our whitepaper ‘An Expert Guide on Identity & Access Threat Prevention’.