Detecting Identity Bypass of Network Security Solutions

 A foundational part of every enterprise's security strategy is the implementation of network access security controls such as Zero Trust Network Access (ZTNA), VPNs and firewalls to protect both the enterprise’s critical assets and the identities that access them. By ensuring that only trusted identities can access sensitive assets, enterprises can advance towards implementing a Zero Trust access model, thereby protecting both assets and identities from potential security threats.

 Beyond limiting access, these network security controls serve as vital channels for security teams to monitor for signs of active exploitation, indicators of attack or even data exfiltration attempts. However, the true efficacy of these network access solutions hinges on their implementation, which, in the ever-changing landscape of a dynamic enterprise, can vary greatly on a daily basis.

While these technologies form a critical component of an enterprise's security program, a fundamental question often remains unanswered by many organizations: Are these systems truly functioning as expected or are they being bypassed by users?

Unfortunately, the reality is that network security controls can be bypassed and the enterprise security team won’t discover this until it is too late and a compromise or breach has occurred. Despite the diligent efforts of IT and security teams, numerous common challenges can lead to situations where bypasses of their network access solutions can occur, yet remain undetected for months or even years. Some of the top reasons include:

• Complex hybrid environments that change frequently, sometimes daily. The dynamic nature of cloud environments where new virtual networks, storage buckets, and systems are often created as needed to support the business and often not well coordinated nor is security always top of mind.

• Complex and dynamic environments also frequently results in mistakes and misconfigurations. Whether these mistakes are with the access systems themselves or with the networks that that these access systems protect, simple misconfigurations can result in identities bypassing the controls.

• In the dynamic environment of a large enterprise, shadow IT has become an unavoidable reality. Faced with pressing deadlines, teams often bypass official processes, getting creative with the establishment of "temporary" systems and, occasionally, entire networks. This drive for efficiency and agility introduces risks and the potential bypass of established access controls.

• While these network access solutions aim to be as transparent as possible, they always add some friction for users. Users may attempt to subvert these controls to make it easier to do their job or for more malicious reasons to avoid blocking or monitoring their nefarious activity.

• Extensions of the network due to a recent merger, acquisition or partnership can inadvertently add new groups of identities and network paths into or out of the environment that can result in a bypass situation.

Implications of Bypass Exposures

When it’s possible to bypass network access solutions, the organization and its users can be exposed to a variety of risks, that can potentially have a negative impact on the business. Some examples include:

• Introduces malware to the enterprise that would have been blocked by content / antivirus controls embedded in the networks security solutions – making the enterprise susceptible to unauthorized access and potential data breaches.

• Creates significant monitoring blind spots for security teams, hiding unauthorized activities and making it challenging to detect and respond to threats effectively.

• Hinders compliance efforts with violations of regulatory requirements that result in potential legal and financial repercussions.

• Unauthorized access that can lead to data loss or compromise, impacting the confidentiality, integrity and availability of sensitive information.

• Unauthorized access to sensitive customer data that can lead to long-term reputational damage, making it difficult to attract and retain customers and partners.

Monitoring Tactics for Detecting Bypass Exposures

These exposures can be difficult to detect and monitor and require continuous monitoring for various indicators. A few tactics that can be used to proactively identify potential issues include:

• Analyzing Access Deviations: Scrutinize network traffic for atypical user access and unexpected data flows to or from external sources, which may signal a departure from normal activity. Monitoring network access controls for anomalous drop in user sessions can unveil bypass events, particularly those on a larger scale.

• Monitoring External Identities Accessing Your Exposed Assets: Proactively observe network activity for external access to newly exposed assets. Ensure these assets have undergone the requisite security and change control processes before their internet exposure, as threat actors often target new assets within hours of exposure. Discovering unexpected exposed assets and accesses can pinpoint bypass situations requiring immediate action. As evident by the recent SSH backdoor, any application exposed to the internet can go from secure to exploitable in an instant and requires constant attention to ensure these exposed applications don’t become a bypass pathway into the Enterprise network.

• Validating Identity Access Pathways: Rigorously track all user sessions to ensure they pass through the designated VPN, firewall, or ZTNA controls. This is actually quite difficult to do by looking at logs alone in a traditional SIEM as it requires stitching together of logs from multiple technologies in real-time to confirm that in fact the user session was logged (and thus traversed) the proper controls.

• Monitoring Identity Accesses Across Boundaries: Keep an eye on traffic that transgresses established internal network zones in ways that don’t align with your security policy, indicating that segmentation controls may have been circumvented.

The risk of bypass exposure is ever-present, and the subsequent exploitation by threat actors, who are perpetually scanning for vulnerabilities, can happen swiftly. To mitigate this risk, it's essential to continuously monitor user accesses throughout the enterprise network for such exposures. However, the reality is that most enterprises lack the necessary capabilities for this advanced level of user activity monitoring without a solution like AuthMind.

Identifying Bypass Exposures with AuthMind

AuthMind’s Identity Platform is designed to offer real-time insights into all identity accesses throughout any hybrid, multi-cloud IT environment. At the heart of AuthMind’s solution lies a novel, highly scalable Identity Access Graph that maps the access paths between identities (human and non-human) and assets (applications, services, storage buckets, machines) along with detailed context in real-time. By analyzing events from both identity solutions and network access solutions, AuthMind’s Identity Access Graph can reveal who is accessing what, and the exact path they took to access it. For example, if Bob is accessing a third-party SaaS solution, AuthMind will analyze identity logs, firewall logs and SASE logs to get the full context about this single user activity flow that can immediately answer questions such as:

• When did the event occur?

• How often does the user access this asset?

• What network path did the identity’s access follow, i.e. did a user’s session traverse a ZTNA node?

• Did the access include an authentication event to the corporate IdP?

Based on this detailed Identity Access Graph, AuthMind can be configured with continuous monitoring detection policies that implement the above for bypass events that can alert on all of the above mentioned indicators that could reveal an identity is bypassing your established network security controls. In addition to detecting these bypass events, AuthMind will reveal the identity who is bypassing network security controls based on analysis of identity and network activity to make it easy for IT and Identity teams to efficiently investigate and rapidly mitigate the exposure.

Book a meeting with AuthMind to learn more!