By JULIE SMITH
Executive Director, Identity Defined Security Alliance
Some of the major cyberattacks that have happened over the past two years, such as SolarWinds, Colonial Pipeline and the Oldsmar water treatment plant, all have one major element in common — identity. These breaches should serve as a rally cry for organizations, and individuals, to implement basic identity management principles to prevent cyberattacks.
Identity Management Day, spearheaded by the Identity Defined Security Alliance (IDSA) and National Cybersecurity Alliance (NCA) was founded in 2021 with the goal of raising awareness around the importance of identity management and securing digital identities. In honor of the day (April 12 this year), I spoke to the following industry experts to get their advice on how companies and individuals can protect themselves all year long.
Tyler Farrar, CISO, Exabeam
“Colonial Pipeline, SolarWinds, Twitch. All of these organizations have one thing in common: they suffered data breaches as a result of stolen credentials. Credential theft has become one of the most common and effective methods cyber threat actors use to infiltrate organizations of all sizes and access sensitive data.
We strongly support efforts, like Identity Management Day, that raise public awareness and can help to combat this pervasive issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional identities and credentials to prevent credential-based attacks from continuing.
Credential-driven attacks are largely exacerbated by a ‘set it and forget it’ approach to identity management, but organizations must build a security stack that is consistently monitoring for potential compromise. Organizations across industries can invest in data-driven behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
David Putnam, Head of Identity Protection Products at NortonLifeLock
“Identity theft has become a booming business with cybercriminals looking to take advantage of consumers’ changing behaviors and increased digital footprint to launch coordinated attacks and convincing scams. To protect against this threat, consumers need to take charge of their digital lives and proactively invest in identity theft monitoring, alert and recovery services to help monitor threats to their identity and safeguard their personal information.”
Kapil Raina, VP, Zero Trust, Identity Protection, and Data Protection Marketing, CrowdStrike
Gartner recently noted (Feb 18, 2022 report) that one of the top trends for cybersecurity in 2022 will be Identity Threat Detection and Response. This aligns with CrowdStrike’s 2022 Global Threat Hunting Report research that shows 80% of cyber breaches involving identity-based attacks. The industry’s broader response to attacks has been to deploy Zero Trust architectures that feature identity security as a key pillar. Even when looking at more tactical responses, with modern attack methods, the MITRE ATT&CK TTPs can no longer be covered without using identity attack detection and protection tools. And with enterprises deploying hybrid architectures and required to secure remote and on campus workers, the industry needs a platform based approach for defense without relying on a single vendor for a response. These trends make the protection of identities and identity stores – everywhere and for everyone – more urgent now than ever.”
Jeremy Grant, Coordinator, Better Identity Coalition
“The Better Identity Coalition is pleased to join with our partners in supporting Identity Management Day. So many services – in banking, health care, government, and e-commerce – depend on knowing “who is on the other side” of a transaction. Today, the ability to offer high-value transactions and services online is being tested more than ever, due in large part to the challenges of proving identity online. The lack of an easy, secure, reliable way for entities to verify identities of people they are dealing with online creates friction in commerce, leads to increased fraud and theft, degrades privacy, and hinders the availability of many services online.
The good news is that these problems are not insurmountable; by making identity management a priority and investing in digital identity infrastructure, we will prevent costly cybercrime, give businesses and consumers new confidence, improve inclusion, and foster growth and innovation across our economy.”
Tom Ammirati, CRO, PlainID
“Security risk vectors are dynamic and fluid, and as a result, data breaches continue to challenge even the most resilient of enterprise architectures. Historically, the root cause of the majority of breaches has been due to compromised credentials. As technologists, we are forced to evolve and innovate. To keep pace with the demands of digital work and life, organizations are implementing next level technologies, processes, and policies to ensure that trusted identities have authorized access to digital assets. The goal is to allow the ‘right’ users to have access to the ‘right’ resources – and to ensure the wrong ones don’t. If we can do that, then potentially we can prevent many of these breaches.”
Chad Thunberg, CISO, Yubico
“It’s reported that small businesses generate 44% of the U.S.economic activity. Many of them are a vital part of the overall supply chain and partner ecosystem of larger organizations. With attackers increasing their focus on the supply chain, it is imperative that these SMBs adopt fundamental and important security practices including the use of phishing-resistant MFA protocols, like FIDO, that are available as part of many Single Sign-On solutions as indicated by the “Sign in with” buttons. SMBs should also strongly consider using cloud data storage to mitigate ransomware threats and a password vault for those sites that have yet to adopt modern authentication.”
Kurt Baumgartner, principal security researcher, Kaspersky
“Kaspersky proudly supports Identity Management Day. According to our survey data, three out of four people use default security settings in apps and online services at least some of the time. In order to take proper care of their identities, we encourage people to always check security settings, tighten them where possible and limit what they share. We also urge people to use a unique password for every website, app and service and use two-factor authentication wherever it’s available, especially with bank accounts and credit cards.”
Jon Shende, Board Member, MyVada
“Identity is our new security perimeter; close to 60% of the data breaches in 2021 exposed some form of PII with over 70% of such breaches including passwords. With the increase of “fuzzing” techniques to check variations of stolen passwords, identity attacks will only get more focused given the access an administrative or select user credentials will grant an attack targeting specific corporations and their systems.”
Heath Spencer, CEO, TraitWare
“While Big Business dominates the headlines for cyber-attacks, the SMB often underestimates the need for proper Identity and Access Management. Often ill-prepared, the SMB is therefore a prime target for attack – presenting low risk and high return for the cybercriminal.
All companies need to improve security now to avoid disaster – with 2 must-haves: SSO and MFA. Multiple sets of employee credentials for access to various applications increase friction, cost, and risk. A setup that combines passwordless MFA with SSO vastly reduces risk by eliminating phishable credentials and shrinking the attack surface, while also reducing company costs and friction.”
Heath Spencer, CEO, TraitWare
“There are different ways to enter a structure. There are different ways to enter digital environments as well. The easiest path of least resistance for a bad actor as well as an upstanding citizen is the front door. So our access through that front door [“legacy login,” with a username and password] is still the number one cause of data breach and why we need to address at least looking at how we modernize the front door lock.”
Sandy Bird, CTO and Co-Founder of Sonrai Security.
“Excessive access will run rampant in the post-Covid cloud. However, most organizations no longer have this visibility making it easier for insiders to continue to do damage undetected.”
Eric Kedrosky, CISO and Director of Cloud Security of Sonrai Security.
“For almost every two cloud security jobs in the United States today, a third job is sitting empty because of a shortage of skilled people. It’s like going into football’s Super Bowl with only seven players on the field when the other team has all eleven.”
Brendan Hannigan, CEO of Sonrai Security.
“In 2022, we will see some nasty public cloud breaches as criminals exploit risk and complexity that companies have left unaddressed,” said Brendan Hannigan, CEO of Sonrai Security. “While S3 bucket exposures are easily preventable, they keep happening, and these problems are the tip of the iceberg. Cloud identity and data access misconfigurations represent more vast and insidious risk and criminals are wising up to this.”
Brendan Hannigan, CEO of Sonrai Security.
“Cloud security teams are ripping industries apart as cloud-native developers drive blazingly fast innovation to market,” aid Brendan Hannigan, CEO of Sonrai Security. s“This disruption also will tear apart traditional security teams. The old IT, device focused, manual and IP centric security world is irrelevant in this new world. Top security teams will be reinvented with automation, cloud and DevOps taking center stage.”
Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security.
“What we are seeing from the field is that this gap is closing as more companies move to a multi-cloud strategy focusing on services that support their industry,” said Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security. “Are your security teams ready to secure two clouds?”
Sandy Bird, CTO and Co-Founder of Sonrai Security.
“A zero-day attack, at its core, is a flaw,” said Sandy Bird, CTO and Co-Founder of Sonrai Security. “It is an unknown exploit in the wild that exposes a vulnerability and can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves no opportunity for detection … at first.”
Eric Kedrosky CISO and Director of Cloud Security at Sonrai Security.
“CSPM is the foundation of how we secure our cloud environments,” Eric Kedrosky CISO and Director of Cloud Security at Sonrai Security said. “If you don’t have the right CSPM tool done correctly with the right tools–-multi-clouds and remediation–-you’ll be left behind.”
“According to the National Cybersecurity Alliance and CyBSafe study, “Oh Behave!” 53% of employees don’t think it is their responsibility to protect company online information. When you think about it, this is because the tech industry has always said “we control access” and “we control the technology,” but that isn’t necessarily true. Employees who use the information each day control that information. We believe in giving employees the critical thinking skills and tools to protect customer and company information.”
Nelson Moulton, Security and Network Operations Director at PacificEast
“When InfoSec people refer to the CIA of cybersecurity, they’re usually talking about the Confidentiality, Integrity, and Availability of the data we work to protect and not the three-letter government entity. These three tenets of security are fundamentally dependent on trusting the identity of the user accessing the data; without surety of identity, how do you build trust about who can or cannot access what, where, when and how? In our remote workforce world, assuring the identity of BYOD users has presented a challenge to many SMB organizations. This demand has led to impressive growth and accessibility of trusted identity management solutions that enable us to work together, even when we’re apart.”
Small businesses often struggle to develop and implement a plan for securing their identities due to a lack of time and resources. A strategy for securing digital identities may involve identification of the need; planning, developing, testing and implementing the response; and finally, monitoring and maintaining the procedures and any software used. Those steps can become overwhelming for small businesses with staff shortages, small budgets or limited time.
John Reade, Information Systems Director at Quanterion Solutions Incorporated
“However, securing identities can be tackled one project at a time. Setting up multi-factor authentication, using password managers, creating processes for identity data management, and scheduling automatic updates are all a great place to start.”
Carla Roncato, Founder of Authora Research
Whether you follow a zero-trust framework or not, identities are a critical control point for all organizations due to their ubiquitous use in our digital world. For many organizations, every day is identity management day–considering the amount of unprecedented attrition in the workforce coupled with persistent identity-based attacks– there is no better time to spotlight how critical identity-security has become globally.”
Adil Khan, CEO, SafePaaS
“We all know that companies are going to get attacked. The question is, what are you doing when somebody gets in your network to protect your data and not just your identity? Knowing identities is half the battle when it comes to mitigating risk.”
Jason Lim, Founder and CEO, Cydentiq Sdn Bhd
“Identity security is not just about ticking a checkbox to satisfy your compliance, it is part of your business. You can’t run a business without giving access to your employees or contractors. Identity security is not an one-time project, it is a journey. A journey that includes a series of initiatives that is incorporated with strategy, capabilities, vision, people, process and technology to continuously addressing the ever-changing identity landscape in the business.”
Rod Simmons, VP of Product Management, Omada
“Organizations today are faced with a rapidly proliferating workforce. This is not only in terms of remote work, but also in an explosion of third-parties, auditors, interns, and contracted workers who require access to a similarly growing IT landscape of applications, infrastructure and data. To wit, there is no one solution that organizations can turn to in order to solve their identity security issues. A connected ecosystem of solutions that are married with strong business processes and committed corporate buy-in is needed in order to properly secure identities.”
Den Jones, CSO, Banyan Security
“Identity is a foundational requirement for securing access to applications, resources, and infrastructure. With the transition to hybrid work becoming the new normal, identity becomes a core component when securing remote access to corporate networks. In fact, the CISA listed identity as the first pillar in a successful zero trust model when they released their Zero Trust Maturity Model guidance back in September. Traditional solutions such as legacy VPNs are no longer sufficient in order to properly secure this ever-growing attack surface.”
Morey Haber, Chief Security Officer, BeyondTrust
“We all have a unique identity. When translated to technology, we have more than one account associated with our identities, and threat actors target our accounts to infiltrate an environment. Identity Management Day helps consumers, employees, and businesses understand the risks to their identities if an account is compromised, along with the best practices for securing accounts from identity-based attack vectors. If you consider how many accounts an individual may have to perform their role within an organization, protecting users’ identities is one of the best strategies to prevent future security breaches.”
Manish Gupta, IDSA Customer Advisory Board Member
“On the 2nd Identity Management Day, we find the world in a tumultuous situation. Unlike the covert cyberwars and script kiddies of the past, we now find ourselves staring at overt cyber hostility by nation states, innovative concoctions of simple and complex tactics by underage actors, and independent mercenaries heading to call to action by national leaders. Identity Defined Security is the only security perimeter and defense we have in the absence of national borders in cyberspace. So, let’s double down on Identity Management awareness and excellence to ensure a safe cyberworld.”
David Pignolet, founder & CEO, SecZetta
“Even though third-party access is at the heart of more than 51% of security breaches, it continues to be a gap in many organizations’ identity programs. Non-employees are given the same level of access as employees, oftentimes with less scrutiny in confirming they are who they claim to be, and that the level of access granted to them is appropriate and limited to only when needed. Managing all identities with the same diligence is a critical first step in creating a strong cybersecurity culture, inclusive of both employees and non-employees, and a resilient cyber framework to withstand ever increasing cyber security threats.”
Matt Mills, President of Worldwide Operations at SailPoint
“Identity security is more “essential” than ever. Many companies are only scratching the surface of identity security, focused only on granting access. That may have been good enough a couple of years ago, but today the stakes have never been higher for enterprise security. “Good enough” is no longer enough.
Enterprises face cyber threats daily, and breaches incur costs that are both financial and reputational—and in many cases, it has cost executives their careers. Today’s enterprises cannot afford to kick the can down the road further. Strong identity security is no longer a “nice to have” solution. It is essential. Placing identity at the core of the security architecture, and truly understanding who should have access to what and how that access is used is the only path forward to a secure enterprise.”
Joseph Carson, Advisory CISO and Chief Security Scientist at Delinea
“When it comes to cyber threats, all roads continue to lead to identity. Digital transformation, the move to cloud, and requirements for remote work have only made it easier for cyber criminals as organizations struggle to secure an expanded threatscape and get a handle on identity sprawl. Companies of all sizes need to focus on centralizing identities while also reinforcing best practices and training to ensure employees are doing everything possible to secure their credentials. Remember: it only takes one compromised identity to negatively impact the company’s financial performance, customer loyalty, and brand reputation, potentially costing millions of dollars.”
Chris Hickman, Chief Security Officer, Keyfactor
“Many organizations are just beginning to recognize the importance of having a strategy for managing the sprawling machine identities and credentials in their network. Just like human identities, machine identities are complex and come in many forms, which creates challenges and vulnerabilities for IT and security professionals. Two major challenges organizations face include a lack of visibility into the human and device identities accessing their data and managing them at scale. This makes it difficult for organizations to shift away from traditional networks and data centers and fully implement initiatives like cloud adoption and zero trust.”
David Higgins, Senior Director, Field Technology Office
“Big rises in digital and IT initiatives have contributed to an accelerated number of digital identities, running into the hundreds of thousands per organization. These identities are associated with machines and applications, as well as customers, staff and suppliers. And the majority of them routinely access sensitive or privileged data and assets.
Organizations face a widening identity-centric attack surface because investment in the cyber tools and techniques to secure this access has not kept pace with investments required to accelerate digital business initiatives, creating cybersecurity “debt” that must be paid down by introducing Zero Trust principles to Identity Security strategies.”
