
The blind spot of Identity Security

October 19, 2022

Identity security (also known as Identity and Access Management, IAM, or Identity and Access Governance) focuses on controlling access to digital information and services based on the authenticated identity of an individual. It ensures that users are who they claim to be and that they do only what they are authorized to do. In most environments IAM is the first line of defense against threats, yet, according to Palo Alto Networks, 65% of observed security incidents stem from bad permission handling and misconfiguration, which opens the door wide to threat actors.

An Identity Governance solution should keep track of every active and inactive account in each system, and should be able to spot any account creation or update in near real-time, so that lateral movement and privilege escalation attempts can be blocked as early as possible.

However, the reality in most companies is far more complex: hybrid environments and legacy applications make account synchronization much less effective. Reaching complete visibility over the population of accounts acting on each system, including all application accounts, service accounts and dev accounts, is therefore not trivial.

Our hands-on experience confirms it. In our view there is only one way to be certain of having real-time knowledge of all accounts and of getting rid of every blind spot: detect the accounts that are actually active in application audit trails and logs, and continuously compare them against those listed in the Identity Governance system.

Sharelock Identity Threat Detection and Response brings under scrutiny, in real time, accounts that exist on a target system but are not listed in the Identity Governance system. These accounts are usually created directly in the target system for diverse reasons: negligence, bypassing compliance rules, or malicious activity. Whatever the reason, they needlessly expand the company's attack surface and expose it to unnecessary security risk.

In the best case, they act on systems unmonitored until the next synchronization, which may take days or weeks. Worse, if the Identity Governance system does not manage local, application and system accounts and only covers those authenticated through the SSO process, these accounts remain invisible (and potentially dangerous) forever. These are known as ghost accounts. They are even more dangerous than orphan accounts because they elude every present or future verification, and they are often highly privileged system accounts created for development or test purposes and then forgotten.
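The reconciliation described above, as an added example (not Sharelock's code or a description of its internals): a constructed audit trail from three hypothetical systems (erp, crm, db01) is parsed, every account that acted, or that was the target of a role grant, is collected, and each one is checked against a hypothetical inventory exported from the Identity Governance system. The line format, the account and system names, and the inventory are all assumptions made for the example. An account that acts but is unknown to governance is reported as a ghost; an account governance believes is disabled but that still shows up in the log is reported separately, since that is a synchronization failure rather than a ghost.

```python
import re
from dataclasses import dataclass, field

# Constructed sample audit trail (not real data): one line per event, as a
# hypothetical key=value export from three target systems. Note tmp_admin:
# it is granted ADMIN directly in the ERP and then acts on db01, but it was
# never provisioned through Identity Governance.
AUDIT_LINES = """\
2022-10-17T08:02:11Z system=erp event=login account=alice.rossi result=success
2022-10-17T08:05:40Z system=erp event=invoice.approve account=alice.rossi result=success
2022-10-17T09:12:03Z system=crm event=login account=bob.bianchi result=success
2022-10-17T22:41:55Z system=erp event=login account=svc_deploy result=success
2022-10-17T22:42:10Z system=erp event=role.grant account=svc_deploy target=tmp_admin role=ADMIN
2022-10-18T01:03:27Z system=db01 event=login account=tmp_admin result=success
2022-10-18T01:04:02Z system=db01 event=query account=tmp_admin result=success
2022-10-18T07:30:00Z system=crm event=login account=carla.verdi result=failure
"""

# Hypothetical inventory exported from the Identity Governance system:
# system -> {account: status}. carla.verdi is known but disabled.
IGA_INVENTORY = {
    "erp": {"alice.rossi": "active", "svc_deploy": "active"},
    "crm": {"bob.bianchi": "active", "carla.verdi": "disabled"},
    "db01": {"dba_maria": "active"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Observation:
    system: str
    account: str
    first_seen: str
    last_seen: str
    events: set = field(default_factory=set)
    count: int = 0


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; return None for unusable lines."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    if "system" not in fields or "account" not in fields or "event" not in fields:
        return None
    fields["ts"] = parts[0]
    return fields


def observe_accounts(lines):
    """Every (system, account) that acted, or was the target of an account/role
    change, in the audit trail, with first/last timestamp and the events involved."""
    seen = {}

    def record(system, account, ts, event):
        obs = seen.setdefault((system, account), Observation(system, account, ts, ts))
        obs.first_seen = min(obs.first_seen, ts)  # ISO 8601 UTC sorts lexically
        obs.last_seen = max(obs.last_seen, ts)
        obs.events.add(event)
        obs.count += 1

    for line in lines.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        record(f["system"], f["account"], f["ts"], f["event"])
        if "target" in f:  # an account created or empowered out of band is itself observed
            record(f["system"], f["target"], f["ts"], f["event"] + ":target")
    return seen


def reconcile(observed, inventory):
    """Classify each observed account against the governance inventory."""
    findings = {}
    for (system, account), obs in observed.items():
        status = inventory.get(system, {}).get(account)
        if status is None:
            verdict = "ghost"                 # acts on the system, unknown to governance
        elif status != "active":
            verdict = "disabled_but_active"   # governance thinks it is off, the log disagrees
        else:
            verdict = "governed"
        findings[(system, account)] = (verdict, obs)
    return findings


def ghost_accounts(findings):
    return sorted(key for key, (verdict, _) in findings.items() if verdict == "ghost")


if __name__ == "__main__":
    result = reconcile(observe_accounts(AUDIT_LINES), IGA_INVENTORY)
    for (system, account), (verdict, obs) in result.items():
        if verdict != "governed":
            print(f"{verdict:20} {system}/{account} events={sorted(obs.events)} first_seen={obs.first_seen}")
```

Run against a real trail, the interesting part is the inventory side: it must include local, application and service accounts per system, not only SSO identities, otherwise every non-SSO account shows up as a ghost and the signal drowns.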

Another important aspect is the management of used and unused accounts. Under certain circumstances (typically SSO), Identity Governance can obtain information about the actual usage of an account. However, that information is partial both in quality (you only see the logon) and in coverage (SSO-enabled applications only). Looking only at the user's 'login successful' event, an Identity Governance system decides whether an account is still used from the last login date and time. Usually you only get the answer to one simple question: did the account log in during the past N days? But the user could have simply logged in without using any application functionality at all; you know nothing about the actual usage. We think this is not enough to determine how an account is really used.

Consider a specific user and a specific account he used daily, and the following changes in his behavior:

  1. The user changed his habits and now logs in with that account just twice a month. This is a massive change of habits, yet the account is still considered a used one. With Sharelock Identity Threat Detection and Response, such a change in account usage suggests a recertification campaign and/or raises a notification, to make sure this access is still needed.
  2. The user changed his habits and dramatically reduced the set of functionalities he operates through that account. Identity Governance ignores everything but login events, so qualitative changes in the actual user behavior are not detected at all. Sharelock detects these qualitative changes in usage by ingesting logs and audit trails, and triggers the Identity Governance system to handle them as potential over-provisioning: some of the user's entitlements may now be safely removed.
  3. The same change of behavior as in point 2 is detected on the same access, but this time for multiple users. Probably something changed on a broader scale (a change of process, a change of user workflow). Sharelock detects this large-scale change and suggests that a better role design may be needed to bring that access closer to least privilege.

As a further example, consider an application that is used heavily at quarter end and very little or not at all in the remaining months. Looking only at the last login date and time for each user will give you inconsistent results: a fixed 'N days since last login' rule flags accounts as unused that are simply between peaks.

Sharelock Identity Threat Detection and Response learns the overall behavioral pattern of usage of each cluster of users (by department, job title and manager). It leverages these behavioral baselines to dynamically predict the best usage/non-usage threshold for each particular access, based on the actual behavior of employees.
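The three usage changes listed above and the quarter-end example, worked through in one added example (not Sharelock's code, and not a description of how its models work). The input is a constructed, deterministic event set from a hypothetical ERP, bucketed by month rather than by day to keep it short; the users, departments, operations, thresholds (a 75% drop in monthly logins, a function dropped by at least half of a department) and the baseline/recent windows are all assumptions. The unused-account part contrasts the last-login rule with a threshold derived from the user's own cluster: here the typical gap between consecutive active months across the department, which is one simple way to get a cluster-aware threshold, not the method the text refers to.

```python
from collections import defaultdict
from statistics import median

# Constructed sample input (not real data): (month, user, department, operation)
# tuples from a hypothetical ERP audit trail, already bucketed by month 1..12.
def build_events():
    ev = []
    for m in range(1, 13):
        # alice: heavy user of three functions until month 7, then two logins a month
        if m < 7:
            ops = ("login",) * 20 + ("invoice.view",) * 20 + ("invoice.approve",) * 5 + ("report.export",) * 3
        else:
            ops = ("login",) * 2 + ("invoice.view",) * 2
        ev += [(m, "alice", "finance", op) for op in ops]
        # bob and dan keep logging in daily but stop exporting reports from month 7
        for u in ("bob", "dan"):
            ops = ("login",) * 20 + ("invoice.view",) * 20 + (("report.export",) * 4 if m < 7 else ())
            ev += [(m, u, "finance", op) for op in ops]
        # the audit department closes the ledger only at quarter end; gina did it once and left
        if m % 3 == 0:
            for u in ("erin", "frank"):
                ev += [(m, u, "audit", op) for op in ("login",) * 5 + ("ledger.close",) * 5]
        if m == 3:
            ev += [(m, "gina", "audit", op) for op in ("login", "ledger.close")]
    return ev

def aggregate(events):
    """Return (user, month) -> {operation: count} and user -> department."""
    usage, dept = defaultdict(lambda: defaultdict(int)), {}
    for m, u, d, op in events:
        usage[(u, m)][op] += 1
        dept[u] = d
    return dict(usage), dept

def profile(usage, user, months):
    """Median monthly logins and the set of non-login operations used over `months`."""
    logins = [usage.get((user, m), {}).get("login", 0) for m in months]
    ops = {op for m in months for op in usage.get((user, m), {}) if op != "login"}
    return median(logins), ops

def usage_findings(events, baseline=range(1, 7), recent=range(7, 10),
                   drop_ratio=0.25, cluster_share=0.5):
    """Cases 1-3 from the text: frequency drop, narrower function set, and the
    same narrowing across most of a cluster (here: a department)."""
    usage, dept = aggregate(events)
    findings, dropped_by_user = [], {}
    for user in dept:
        base_logins, base_ops = profile(usage, user, baseline)
        rec_logins, rec_ops = profile(usage, user, recent)
        if base_logins and rec_logins < drop_ratio * base_logins:   # case 1
            findings.append(("recertify", user, f"median logins/month {base_logins:g} -> {rec_logins:g}"))
        if rec_logins:  # still in use, so a narrower op set is over-provisioning, not dormancy
            dropped_by_user[user] = base_ops - rec_ops
    cluster_ops = defaultdict(set)
    for d in set(dept.values()):
        members = [u for u in dept if dept[u] == d]
        counts = defaultdict(int)
        for u in members:
            for op in dropped_by_user.get(u, ()):
                counts[op] += 1
        for op, n in counts.items():
            if n / len(members) >= cluster_share:                     # case 3
                cluster_ops[d].add(op)
                findings.append(("role_redesign", d, op))
    for user, dropped in dropped_by_user.items():
        individual = dropped - cluster_ops[dept[user]]
        if individual:                                               # case 2
            findings.append(("over_provisioned", user, sorted(individual)))
    return findings

def last_use(usage, user, op, as_of):
    used = [m for m in range(1, as_of + 1) if usage.get((user, m), {}).get(op)]
    return max(used) if used else None

def naive_unused(usage, user, op, as_of, n_months=1):
    """The last-login style rule: 'no activity in the last N months'."""
    last = last_use(usage, user, op, as_of)
    return last is None or as_of - last > n_months

def cluster_gap(usage, dept, department, op, as_of):
    """Typical gap between consecutive active months for `op` across the cluster."""
    gaps = []
    for u, d in dept.items():
        if d != department:
            continue
        active = [m for m in range(1, as_of + 1) if usage.get((u, m), {}).get(op)]
        gaps += [b - a for a, b in zip(active, active[1:])]
    return median(gaps) if gaps else None

def baseline_unused(usage, dept, user, op, as_of, slack=1.5):
    """Unused only if the silence exceeds what the user's own cluster normally shows."""
    gap = cluster_gap(usage, dept, dept[user], op, as_of)
    threshold = slack * gap if gap else 1
    last = last_use(usage, user, op, as_of)
    return last is None or as_of - last > threshold
```

With this data, alice gets both a recertification and an over-provisioning finding (she stopped approving invoices), the finance department as a whole gets a role-redesign finding for report.export because every member stopped using it, and erin's quarter-end ledger access is flagged as unused in month 8 by the one-month rule but not by the cluster-derived threshold, while gina, who really stopped after month 3, is flagged by both.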

Identity Security is built upon two foundational tenets: Identity, which requires complete knowledge of all user accounts (including ghost ones); and Security, which cannot be enforced if you do not know how each user behaves.

Only with Sharelock Identity Threat Detection and Response can you have complete knowledge of everything, so that nothing slips under the radar. Sharelock unlocks actual Identity Security.
