Advancing Cybersecurity: Integrating Identity Defense into Security Operations

 Gartner® recently published “5 Initiatives to Move Toward Security Operations Excellence.”¹ This insightful document details five initiatives security and risk management leaders can champion to strengthen their cyber defenses while improving the return on their security investments:

1. Employ a threat detection life cycle
2. Integrate identity defense into SecOps
3. Enhance threat intelligence operations
4. Perform threat hunting
5. Integrate offensive security into SecOps

Some of the report’s specific recommendations related to integrating identity defense into SecOps are detailed below.

First, Gartner notes “historical discrepancy between IAM and SecOps.” Specifically, “IAM has long been seen as a preventative control, implementing technologies and services to deliver ‘safeguarded’ identities. On the other hand, SecOps is responsible for operating the SOC, whose primary responsibility is to detect and respond to threats. However, the majority of SOCs today have limited depth of coverage when it comes to detecting identity-specific threats. This discrepancy becomes problematic when the majority of threat activity is dependent on the abuse of identities to achieve success, ultimately resulting in a crucial threat detection blind spot.”

To address this discrepancy, Gartner recommends that organizations, “define an identity threat detection and response discipline and elect an SOC champion.” Gartner notes that the roles of the SOC and IAM teams are as follows, “The SOC team is ultimately responsible for the ITDR process definition, along with execution and integration into existing SOC processes based on stakeholder requirements. The IAM leader is accountable for incorporating the ITDR initiative into the larger IAM program, including outcome-influenced prevention and related metrics.”

Second, Gartner recommends that security teams “enhance detection, response, and intelligence operations with identity context.” Gartner further details, “Go beyond just active directory (AD) monitoring. Whereas AD threat detection and response focuses on AD threats only, ITDR also includes detection of, and response to, a broader set of identity threats to other kinds of IAM systems and tools.”

Gartner concludes their recommendations on integrating identity defense into SecOps by instructing that enterprises, “Enroll identities as part of your attack surface reduction strategy.” Gartner further notes that organizations should “Inventory existing preventive controls and audit IAM infrastructure for misconfigurations, vulnerabilities and exposures.”

From AuthMind’s perspective, Gartner’s recommendations on integrating identity defenses into SecOps are extremely relevant. Here is what we are hearing from our interactions with identity and SecOps teams:

Implementing identity-first security solutions like AuthMind can significantly improve an organization’s ability to detect identity-based threats and improve its identity security posture. However, adopting technology alone isn’t the silver bullet.

Another crucial step forward involves dismantling the barriers between identity and SecOps teams and adopting processes that foster collaboration. By working together, these teams can proactively uncover identity risks before adversaries exploit them and strategically prioritize their mitigation efforts, considering the organization's specific business environment and potential attack paths.

Moreover, this partnership is essential in crafting and refining Standard Operating Procedures (SOPs) tailored to address incidents involving identity compromise or attacks on identity systems, ensuring an effective response.

2-Identity context requires collecting and synthesizing telemetry from multiple sources, including data beyond the identity infrastructure.

Identifying identity-specific threats, misconfigurations, and exposures cannot rely solely on events and logs from a single identity system such as Active Directory or multiple identity and access management (IAM) systems and tools. To see the whole picture, organizations need to consider solutions like AuthMind, which gathers, correlates, and holistically analyzes identity system events and log data, network and cloud flow logs, and remote access logs to gain deep, contextual insight into identity access activities. This doesn’t have to be a heavy lift on the data collection front since modern solutions like AuthMind can deliver identity observability without using agents by leveraging logs already in your SIEM system or by deploying AuthMind sensors.

3-Identity teams are embracing their expanded responsibilities to reduce the risk from identity misconfigurations, vulnerabilities, and exposures.

There is growing acknowledgment that identity teams play a major role in reducing the identity attack surface. This includes proactively finding identity blind spots and misconfigurations that put their organization at risk, such as the usage of local accounts, missing multi-factor authentication (MFA), password hygiene issues, the bypass of critical identity systems, and dormant service accounts, to cite a few examples. Following the best practices from identity providers is a good starting point, but it’s not sufficient given the complexity of most environments. That is why identity teams are evaluating identity security posture management solutions like AuthMind to discover and resolve identity exposures.

Going forward, it is clear that best-in-class identity defense will require better collaboration between identity and SecOp teams to discover identity exposures proactively and respond to real-time identity-based attacks more effectively, leveraging solutions like AuthMind that can provide full identity context.

---------

¹Gartner subscribers can view the entire report, “5 Initiatives to Move Towards Security Operations Excellence,” 30 January 2024 at: https://www.gartner.com/document/5153731 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved