Attackers are cashing in on the proliferation of new identities being assigned to endpoints and the resulting unchecked agent sprawl. Scanning every available endpoint and port, attackers are automating their reconnaissance efforts using AI and machine learning, and enterprises can’t keep up.
This is making hackers more efficient at finding exploitable gaps between endpoint protection and identity security, including Active Directory. And once inside the infrastructure, they can evade detection for months or years.
Why it’s hard to stop identity breaches
Nearly every organization, especially mid-tier manufacturers like the ones VentureBeat interviewed for this article, has experienced an identity-based intrusion attempt or a breach in the last 12 months. Manufacturing has been the most-attacked industry for two years; nearly one in four incidents that IBM tracked in its 2023 Threat Intelligence Index targeted that industry. Eighty-four percent of enterprises have been victims of an identity-related breach, and 98% confirmed that the number of identities they are managing is increasing, primarily driven by cloud adoption, third-party relationships and machine identities.
CrowdStrike’s cofounder and CEO, George Kurtz, explained during his keynote at the company’s Fal.Con event in 2022 that “people are exploiting endpoints and workloads. And that’s really where the war is happening. So you have to start with the best endpoint detection on the planet. And then from there, it’s really about extending that beyond endpoint telemetry.” Consistent with CrowdStrike’s data, Forrester found that 80% of all security breaches start with privileged credential abuse.
Up to 75% of security failures will be attributable to human error in managing access privileges and identities this year, up from 50% two years ago.
Endpoint sprawl is another reason identity breaches are so hard to stop. It’s common to find endpoints so over-configured that they’re as vulnerable as if they weren’t secured. Endpoints have 11.7 agents installed on average. Six in 10 (59%) have at least one identity and access management (IAM) agent installed, with 11% having two or more. Absolute Software’s Endpoint Risk Report also found that the more security agents installed on an endpoint, the more collisions and decay occur, leaving endpoints just as vulnerable as if they had no agents installed.
Whoever controls Active Directory controls the company
Active Directory (AD) is the highest-value target for attackers, because once they breach AD they can delete log files, erase their presence and create federation trust relationships in other domains. Approximately 95 million Active Directory accounts are attacked daily, as 90% of organizations use that identity platform as their primary authentication and user authorization method.
Once attackers have access to AD, they often can avoid detection by taking a “low and slow” approach to reconnaissance and data exfiltration. It’s not surprising that IBM’s 2022 report on the cost of a data breach found that breaches based on stolen or compromised credentials took the longest to identify — averaging 327 days before discovery.
“Active Directory components are high-priority targets in campaigns, and once found, attackers can create additional Active Directory (AD) forests and domains and establish trusts between them to facilitate easier access on their part,” writes John Tolbert in the whitepaper Identity & Security: Addressing the Modern Threat Landscape from KuppingerCole. “They can also create federation trusts between entirely different domains. Authentication between trusted domains then appears legitimate, and subsequent actions by the malefactors may not be easily interpreted as malicious until it is too late, and data has been exfiltrated and/or sabotage committed.”
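A defender-side check for the trust-creation behaviour Tolbert describes, added here as an example and not code from the article or the whitepaper: it scans constructed, simplified domain-controller log lines for the Windows Security events that record trust changes (4706 new trust created, 4707 trust removed, 4716 trusted domain information modified) and raises the severity when the change was made by an account outside an approved set or outside business hours. The "timestamp key=value" line format, the approved-admin set and the business-hours window are assumptions.

```python
import re
from datetime import datetime

# Windows Security event IDs that record domain trust changes on a domain controller.
TRUST_EVENTS = {
    4706: "new trust created to a domain",
    4707: "trust to a domain removed",
    4716: "trusted domain information modified",
}

# Constructed sample lines in a simplified "timestamp key=value ..." form;
# this is not real Windows event log output.
SAMPLE_LINES = [
    r"2023-05-02T09:14:07Z host=DC01 EventID=4624 Subject=CORP\jdoe LogonType=2",
    r"2023-05-02T11:02:55Z host=DC01 EventID=4706 Subject=CORP\ad-changeadmin TrustedDomain=partner.example",
    r"2023-05-03T02:41:19Z host=DC02 EventID=4706 Subject=CORP\svc-backup TrustedDomain=unknown-forest.example",
    r"2023-05-03T02:43:30Z host=DC02 EventID=4716 Subject=CORP\svc-backup TrustedDomain=unknown-forest.example",
    r"2023-05-03T08:00:00Z host=DC01 EventID=4634 Subject=CORP\jdoe LogonType=2",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split one sample line into a dict; timestamp and EventID become typed values."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["timestamp"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    ev["EventID"] = int(ev["EventID"])
    return ev

def find_trust_changes(lines, approved_admins, business_hours=(7, 19)):
    """Return one alert per trust-change event, rated high when the actor or timing is unexpected."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] not in TRUST_EVENTS:
            continue
        reasons = []
        if ev["Subject"] not in approved_admins:
            reasons.append("subject not an approved trust administrator")
        if not business_hours[0] <= ev["timestamp"].hour < business_hours[1]:
            reasons.append("outside business hours")
        alerts.append({
            "time": ev["timestamp"].isoformat(),
            "host": ev["host"],
            "event": TRUST_EVENTS[ev["EventID"]],
            "subject": ev["Subject"],
            "trusted_domain": ev.get("TrustedDomain", "?"),
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return alerts
```

Even an approved change is kept as an "info" alert so that the audit trail of trust creation survives if the attacker later clears logs on the domain controller itself.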
10 ways combining endpoint and identity security strengthens zero trust
2023 is becoming a year of getting more done with less. CISOs tell VentureBeat their budgets are under greater scrutiny, so consolidating the number of applications, tools and platforms is a high priority. The goal is to eliminate overlapping applications while reducing expenses and improving real-time visibility and control beyond endpoints.
With 96% of CISOs planning to consolidate their tech stacks, alternatives, including extended detection and response (XDR), are being more actively considered. Leading vendors providing XDR platforms include CrowdStrike, Microsoft, Palo Alto Networks, Tehtris and Trend Micro. EDR vendors are fast-tracking new XDR product development to be more competitive in the growing market.
“We’re seeing customers say, ‘I really want a consolidated approach because economically or through staffing, I just can’t handle the complexity of all these different systems and tools,’” Kapil Raina, vice president of zero trust, identity, cloud and observability at CrowdStrike, told VentureBeat during a recent interview. “We’ve had a number of use cases where customers have saved money so they’re able to consolidate their tools, which allows them to have better visibility into their attack story, and their threat graph makes it simpler to act upon and lower the risk through internal operations or overhead that would otherwise slow down the response.”
The need to consolidate and reduce costs while increasing visibility is accelerating the process of combining endpoint management and identity security. Unifying them also directly contributes to an organization’s zero-trust security strengths and posture enterprise-wide. Integrating endpoint and identity security enables an organization to:
Enforce least privileged access to the identity level beyond endpoints: An organization’s security improves when endpoint and identity security are combined. This unified solution improves user access management by considering real-time user behavior and endpoint security status. Only the minimum level of access is granted, reducing the risk of unauthorized access and lateral movement within the network.
Improve visibility and control across all endpoints at a lower cost: Integrating endpoint and identity security provides visibility beyond endpoints and helps security teams monitor resource access and quickly identify potential breach attempts network-wide.
Increase accuracy in real-time threat correlation: Collecting and analyzing data from both endpoints and user identities improves the accuracy of real-time threat correlation, because suspicious patterns seen on a device can be linked to the identity behind them. This enhanced correlation helps security teams understand the attack landscape and be better prepared to respond to changing risks.
Gain a 360-degree view of activity and audit data, a core zero-trust concept: Following the “never trust, always verify” principle, this unified approach evaluates user credentials, device security posture and real-time behavior. Enterprises can prevent unauthorized access and reduce security risks by carefully reviewing each access request. Implementing this zero-trust strategy ensures strict network access control, creating a more resilient and robust security environment.
Strengthen risk-based authentication and access: Zero-trust authentication and access emphasize the need to consider the context of a request and tailor security requirements. According to the “never trust, always verify” principle, a user requesting access to sensitive resources from an untrusted device may need additional authentication before being granted access.
Eliminate gaps in zero trust across identities or endpoints, treating every identity as a new security perimeter: Unifying endpoint management and identity security makes it possible to treat every identity as a security perimeter, verify and audit all access requests and gain much better visibility across the infrastructure.
Improve real-time threat detection and response beyond endpoints, step by step: Having endpoint and identity security on the same platform improves an organization’s ability to detect and respond to threats in real time. It gives organizations a single, comprehensive data source for monitoring user and device activity and analyzing network threats. This allows security teams to quickly identify and address vulnerabilities or suspicious activities, speeding up threat detection and response.
Improve continuous monitoring and verification accuracy: By integrating endpoint security and identity security, enterprises can see user activities and device security status in a single view. The approach also validates access requests faster and more accurately by considering user credentials and device security posture as well as the context of the request. This strengthens the security posture by aligning with the zero-trust model’s context-aware access controls, applying them to every identity and request across an endpoint.
Improve identity-based microsegmentation: Integrating endpoint security and identity security allows enterprises to set more granular, context-aware access controls based on a user’s identity, device security posture and real-time behavior. Identity-based microsegmentation, combined with a zero-trust framework’s continuous monitoring and verification, ensures that only authorized users can access sensitive resources and that suspicious activities are quickly detected and addressed.
Improve encryption and data security to the identity level beyond endpoints: Enterprises often struggle with getting granular control over the many personas, roles and permissions each identity needs to get its work done. It’s also a challenge to get this right for the exponentially growing number of machine identities. By combining endpoint and identity security into a unified platform, as leading XDR vendors do today, it’s possible to enforce more granular, context-aware access controls to the user identity level while factoring in device security and real-time behavior.
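A policy evaluator of the kind the list above describes, added here as an example (not code from the article or from any vendor named in it): it combines identity signals, endpoint posture and request context into a single allow, step-up or deny decision and returns the reasons so the verdict is auditable. The field names, signal weights and the deny threshold are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after additional authentication
    DENY = "deny"

@dataclass
class AccessRequest:
    # identity signals
    user: str
    mfa_verified: bool
    privileged: bool             # holds an admin or other sensitive role
    usual_countries: frozenset   # where this identity normally signs in from
    # endpoint posture signals, as reported by endpoint management
    managed: bool                # enrolled in endpoint management
    edr_healthy: bool            # endpoint agent installed and reporting
    iam_agents: int              # IAM agents present; more than one hints at collisions
    disk_encrypted: bool
    # request context
    resource_sensitivity: str    # "low", "medium" or "high"
    country: str
    failed_logins_last_hour: int

DENY_THRESHOLD = 4   # assumed cut-off; tune to the organization's risk appetite

def evaluate(req: AccessRequest) -> tuple:
    # Endpoint gate: an unmanaged or unmonitored device never reaches medium/high resources.
    gate = [why for ok, why in ((req.managed, "unmanaged device"),
                                (req.edr_healthy, "endpoint agent missing or silent")) if not ok]
    if gate:
        return (Decision.STEP_UP if req.resource_sensitivity == "low" else Decision.DENY), gate
    # Weighted risk signals over identity and request context.
    signals = [
        (req.country not in req.usual_countries, "unfamiliar sign-in location", 2),
        (req.failed_logins_last_hour >= 3, "repeated failed logins", 2),
        (req.iam_agents > 1, "multiple IAM agents on endpoint", 1),
        (req.privileged and req.resource_sensitivity == "high",
         "privileged identity on sensitive resource", 2),
        (not req.disk_encrypted and req.resource_sensitivity == "high", "disk not encrypted", 1),
    ]
    reasons = [why for hit, why, _ in signals if hit]
    score = sum(weight for hit, _, weight in signals if hit)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, reasons
    if score > 0 and not req.mfa_verified:
        return Decision.STEP_UP, reasons   # unusual context: verify the user again
    return Decision.ALLOW, reasons
```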
The lessons of consolidation
A financial services CISO says their consolidation plan is viewed favorably by their cyber insurance carrier, who believes having endpoint management and identity security on the same platform will reduce response times and increase visibility beyond endpoints. VentureBeat has learned that cyber insurance premiums are increasing for organizations that have had one or more AD breaches in the past. Their policies now call out the need for IAM as part of a unified platform strategy.
CISOs also say it’s a challenge to consolidate their security tech stacks because tools and apps often report data at varying intervals, with different metrics and key performance indicators. Data generated from various tools is difficult to reconcile into a single reporting system. Getting on a single, unified platform for endpoint management and identity security makes sense, given the need to improve data integration and reduce costs — including cyber insurance costs.