Identity-in-depth and the evolution of defense
We’ve seen it over and over again: the parade of companies and government agencies announcing the impact of their latest breach. These organizations have something in common that you might not realize: they have all invested heavily in security. Despite this, they share something else that we can probably all agree upon: the millions they have spent on security have been rendered all but irrelevant by nothing more than a modern identity thief.
The approach to security hasn’t changed much since Roman times; many call it defense-in-depth. The idea is to create concentric rings of security around what you want to protect, with each ring designed to weaken the enemy’s attack until they are essentially defeated before reaching the prize. In ancient times, this included defensive structures like castle moats, drawbridges, a portcullis and the inner keep. Today, the modern equivalents are easily identified: a building’s physical security, firewalls, network intrusion detection, authentication layers, application barriers and access controls.
But despite all that, every one of the recent infamous breaches (Target, Home Depot, Sony, the list goes on) was carried out against an organization that had these layers in place. As these cases show, all of your defensive layers are irrelevant if the attacker has valid credentials that let them through the castle door. In fact, in this day and age, it’s safe to assume you’ve already been hacked.
Have you ever heard the phrases “They are already in the walls” or “You have already been hacked”? Enemy nation-states and corporate hacking syndicates spend the vast majority of their time simply trying to install “cyber sleeper cells” within as many organizations as they can, so that they can be activated when needed.
Think about it: when Sony Pictures was about to release the film The Interview, North Korean hackers invaded its network and wreaked havoc, infecting machines and releasing private emails that made more than a few people upset. Many believe that these attackers had a foothold within the Sony network long before the sleeper cell was activated and caused so much damage. Let’s face it: with the rise of the Internet of Things, the cloud, and the proliferation of BYOD, and all the threats these new trends bring, the traditional approach to defense-in-depth is quickly becoming irrelevant and ineffective. But how are these agents breaking into our networks? Are they really hackers?
The colloquial term for any attacker that breaks into a network is “hacker,” and this word tends to be universally applied to all people involved in the breach. But for the purposes of this article, let’s be a bit more specific.
A hacker is someone with a high level of technical expertise. They can write code, understand complex network technology and sometimes spend time in rooms filled with security devices looking for the next zero-day exploit. Research shows that the vast majority of today’s attackers don’t have anywhere near the technical experience of the traditional hacker. Rather, today’s attackers simply exploit our greatest weakness: our users. Using methods like phishing, social engineering and honeypots, these attackers exploit human error to obtain our users’ valuable credentials, thereby easily passing through the various layers of security in place.
Once the attacker has these credentials, as far as most networks are concerned, there is no reason to be suspicious. In most cases, it simply doesn’t matter if the security team has deployed solutions, it doesn’t matter that the HR database is encrypted or if the digital doors have been locked. If you have the keys, you get in.
With incidents like these so rampant, the risk of our users making security mistakes is too often seen as simply a cost of doing business. But rather than be complacent, we need to realize that our approach to security simply is not working. What we need is a revolution in our traditional defense-in-depth strategies, one that I call identity-in-depth.
Identity-in-depth /aɪˈdɛn tɪ ti – ɪn – dɛpθ/
Noun: The concept of augmenting traditional forms of cyber security with modern, intelligent, and adaptive identity-centric solutions.
When the traditional layers of defense are augmented with modern IAM solutions, they transform from simple slaves to the user ID and password into user-aware, adaptive and context-driven security platforms. Let’s take a look at some examples of our traditional security layers and how they can be amplified with identity:
Firewalls
These network perimeter security layers capture and secure traffic going in and out of our environments. With the growth of cloud computing and SaaS, our outbound traffic is more and more open to everything. This is because firewalls alone have no idea of the difference between User A and User B, or whether your user John Doe should be connecting from San Diego or Pyongyang.
But firewalls augmented with identity know exactly who the users are, what teams they belong to and what sites they should and should not be visiting, and, more importantly, can block connections that exhibit risk. Modern firewalls can be managed by identity solutions and can even help support your compliance obligations under regulations like PCI, PII and SOX.
VPN gateways
VPN access is still widely granted to our users and even to our partners and contractors. VPNs also happen to be one of the most widely abused security layers in many attacks. If granting access to arbitrary users just because they have the right user ID and password seems like a bad idea to you, you’re right.
A VPN enhanced with identity knows details about the user that can be used to determine whether the connection is legitimate. The user’s behavioral analytics, IP address, geographical data, internal roles, browser and OS are just a few of the attributes that should drive adaptive security responses from the VPN: either step the connection up to MFA, or at least block a suspect connection from ever being made. Of course, replacing your VPN strategy with a risk-enabled reverse proxy would always be better.
Web Access Management (WAM)
Many have already embarked on an SSO strategy for their web applications without realizing that SSO is more than just a user convenience; it is an actual pillar of our security posture. First things first: make sure your goals for SSO are broadened to include the disciplines found in modern web access management.
Every site in your environment should be secured by a single platform that can control access, perform step-up authentications, provide SSO to any web security platform, and finally, treat every connection with adaptive security based on knowledge about the user provided by identity.
We can try to trust that our application administrators have put the right safeguards in place, but again, if the credentials have been stolen, what difference does it make? WAM augmented with identity will know that the connecting user is trying to access an application from a new location, or an application they have never tried to access before. Identity provides details about the user that, again, can be used to calculate risk and proactively adapt to threats in real time.
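The adaptive responses described for VPN gateways and WAM above (score the connection on what identity knows about the user, then allow it, step it up to MFA, or block it) can be written down as a small decision engine. The following is an added example and not code from the article or from any vendor product; the user profile fields, the risk weights, the thresholds and the sample user “jdoe” are all assumptions constructed for the illustration.

```python
"""Risk-based access decision for a VPN gateway or web access manager.

Added example, not code from the original article or any vendor product.
Scores one connection attempt against what identity knows about the user
and returns ALLOW, STEP_UP_MFA or BLOCK. All names, weights, thresholds and
sample data below are assumptions constructed for this illustration.
"""
from dataclasses import dataclass

ALLOW, STEP_UP_MFA, BLOCK = "allow", "step_up_mfa", "block"


@dataclass
class UserProfile:
    """What the identity platform knows about one user (assumed fields)."""
    user_id: str
    roles: set
    usual_countries: set      # countries seen in the user's login history
    known_devices: set        # (browser, os) pairs seen before
    usual_hours: range        # working hours learned from behavioural analytics
    apps_used: set            # applications the user has accessed before


@dataclass
class Connection:
    """One inbound VPN or web connection attempt (assumed fields)."""
    user_id: str
    country: str
    browser: str
    os: str
    hour: int                 # hour of day, 0-23
    app: str
    failed_logins_last_hour: int = 0


# Constructed sample profile for a finance user who normally works from the US.
PROFILES = {
    "jdoe": UserProfile(
        user_id="jdoe",
        roles={"finance"},
        usual_countries={"US"},
        known_devices={("Chrome", "Windows")},
        usual_hours=range(7, 20),
        apps_used={"expenses", "payroll"},
    ),
}


def score_connection(conn, profiles=PROFILES):
    """Return (risk_score, reasons); a higher score is more suspicious."""
    profile = profiles.get(conn.user_id)
    if profile is None:
        # A user ID the directory does not know is never let through.
        return 100, ["unknown user"]
    score, reasons = 0, []
    if conn.country not in profile.usual_countries:
        score += 40
        reasons.append(f"new country {conn.country}")
    if (conn.browser, conn.os) not in profile.known_devices:
        score += 20
        reasons.append(f"unrecognised device {conn.browser}/{conn.os}")
    if conn.hour not in profile.usual_hours:
        score += 15
        reasons.append(f"outside usual hours ({conn.hour:02d}:00)")
    if conn.app not in profile.apps_used:
        score += 15
        reasons.append(f"first access to {conn.app}")
    if conn.failed_logins_last_hour >= 3:
        score += 30
        reasons.append(f"{conn.failed_logins_last_hour} failed logins in the last hour")
    if "admin" in profile.roles:
        score += 10
        reasons.append("privileged role")
    return score, reasons


def decide(conn, profiles=PROFILES, step_up_at=30, block_at=70):
    """Map the risk score to an adaptive response.

    Below step_up_at the password alone is accepted; between the two
    thresholds the gateway demands MFA; at block_at or above the connection
    is refused before a session is ever created.
    """
    score, reasons = score_connection(conn, profiles)
    if score >= block_at:
        return BLOCK, score, reasons
    if score >= step_up_at:
        return STEP_UP_MFA, score, reasons
    return ALLOW, score, reasons


if __name__ == "__main__":
    attempts = [
        Connection("jdoe", "US", "Chrome", "Windows", 10, "expenses"),
        Connection("jdoe", "US", "Firefox", "macOS", 10, "hr-portal"),
        Connection("jdoe", "KP", "Firefox", "Linux", 3, "payroll"),
        Connection("mallory", "US", "Chrome", "Windows", 10, "expenses"),
    ]
    for attempt in attempts:
        verdict, score, why = decide(attempt)
        print(f"{attempt.user_id:8} {verdict:12} score={score:3} {'; '.join(why)}")
```

The point of the structure is that a valid password is only one input: the same credentials produce an allow from the user’s usual device and country, an MFA challenge from an unfamiliar laptop touching an application the user has never used, and an outright block when country, device and hour are all wrong at once. The reasons list is what a SOC analyst would want attached to the resulting alert.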
User directories
Authentication repositories like Active Directory, LDAP, or Azure are typically used to validate credentials, but their role in security often goes deeper than that. For instance, application security based on the roles our users hold in these directories is still the most popular use case in application security. Can you answer these questions? Are there users in your directory that shouldn’t be there? Are there users in your directory with toxic or unethical role combinations? Is there a rogue account with admin privileges? (There was in the case of Target’s breach.)
Directories that are not governed by modern identity solutions have no idea what the answers to those questions are. With identity, it’s a different story. When identity management augments our directory strategy, we begin to identify users that were created out of band (a hacker’s backdoor account), users who have been over-privileged, and users who have dangerous capabilities in the environment.
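The three questions above (accounts that shouldn’t exist, toxic role combinations, rogue admin accounts) are exactly the checks an identity governance pass runs over a directory export. The script below is an added example, not the article’s or any identity vendor’s code; it also adds a fourth check for enabled-but-dormant accounts, which goes slightly beyond the text. The creator tag used to recognise provisioned accounts, the role names, the approved-admin list and the sample accounts are all assumptions constructed for the illustration.

```python
"""Directory governance checks over a snapshot of user accounts.

Added example, not the article's or any identity vendor's code. It walks a
constructed directory export and flags the conditions the article asks
about: accounts created outside the provisioning system, toxic role
combinations, and privileged accounts nobody approved. A fourth check for
enabled-but-dormant accounts goes slightly beyond the text. Field names,
role names, source tags and sample accounts are all assumptions.
"""
from datetime import datetime, timedelta

# Segregation-of-duties pairs: one account must not hold both roles (assumed).
TOXIC_ROLE_PAIRS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"developer", "production_deploy_approver"}),
}

# Assumed: accounts the identity platform provisions carry this creator tag;
# anything else was created out of band, by hand or by an intruder.
PROVISIONING_SOURCE = "iam-provisioner"

# Assumed list of privileged accounts approved by the identity team.
APPROVED_ADMINS = {"jdoe-admin", "svc-backup"}

# Constructed directory export; shaped like a flattened LDAP/AD query result.
ACCOUNTS = [
    {"sam": "jdoe", "created_by": "iam-provisioner", "roles": {"finance"},
     "admin": False, "enabled": True, "last_logon": "2024-05-01T09:00:00"},
    {"sam": "jdoe-admin", "created_by": "iam-provisioner", "roles": {"finance"},
     "admin": True, "enabled": True, "last_logon": "2024-05-02T09:00:00"},
    {"sam": "bsmith", "created_by": "iam-provisioner",
     "roles": {"vendor_create", "payment_approve"},
     "admin": False, "enabled": True, "last_logon": "2024-05-03T09:00:00"},
    {"sam": "svc-maint", "created_by": "DOMAIN\\Administrator", "roles": set(),
     "admin": True, "enabled": True, "last_logon": "2024-05-03T02:00:00"},
    {"sam": "tlee", "created_by": "iam-provisioner", "roles": {"developer"},
     "admin": False, "enabled": True, "last_logon": "2023-10-01T09:00:00"},
]


def out_of_band_accounts(accounts):
    """Accounts not created by the provisioning system: candidate backdoors."""
    return sorted(a["sam"] for a in accounts
                  if a["created_by"] != PROVISIONING_SOURCE)


def toxic_combinations(accounts):
    """(account, roles) pairs where one account holds a full SoD-conflicting set."""
    hits = []
    for a in accounts:
        for pair in TOXIC_ROLE_PAIRS:
            if pair <= a["roles"]:
                hits.append((a["sam"], tuple(sorted(pair))))
    return sorted(hits)


def unapproved_admins(accounts):
    """Privileged accounts missing from the approved list."""
    return sorted(a["sam"] for a in accounts
                  if a["admin"] and a["sam"] not in APPROVED_ADMINS)


def dormant_enabled_accounts(accounts, now_iso, max_idle_days=90):
    """Enabled accounts with no logon for max_idle_days: likely leavers."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return sorted(a["sam"] for a in accounts
                  if a["enabled"]
                  and datetime.fromisoformat(a["last_logon"]) < cutoff)


def audit(accounts, now_iso):
    """Run every check and return the findings as one dictionary."""
    return {
        "out_of_band": out_of_band_accounts(accounts),
        "toxic_roles": toxic_combinations(accounts),
        "unapproved_admins": unapproved_admins(accounts),
        "dormant_enabled": dormant_enabled_accounts(accounts, now_iso),
    }


if __name__ == "__main__":
    for check, findings in audit(ACCOUNTS, "2024-05-10T00:00:00").items():
        print(f"{check:18} {findings or 'none'}")
```

Against the sample export, the hand-created svc-maint account trips both the out-of-band and the unapproved-admin checks, bsmith holds a segregation-of-duties conflict, and tlee is an enabled account nobody has used in months. In a real deployment the export comes from the directory, the approved-admin list and the provisioning tag come from the identity platform, and the findings feed the joiner/mover/leaver process rather than a print statement.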
There are many more examples, but it should be clear to everyone by now that our traditional approach to security simply isn’t working on its own. It is time to evolve from a classic defense-in-depth strategy to a modern approach that encompasses identity management and behavioral analytics, one that assumes the enemy is already in your walls. In this day and age, when an organization must assume it has already been breached, the traditional perimeter-based security strategy is simply not enough; security must start from the core. Only when our solutions are deployed with the strategy of identity-in-depth can we be adequately prepared to do battle with today’s ever-growing threats.