You Can’t Prevent Every Attack, But You Can Mitigate the Damage

More than ever, attackers are leveraging compromised identities to carry out cyberattacks. Stopping them is a challenge—but limiting their impact doesn’t have to be.

By Grady Summers, Executive Vice President of Product, SailPoint

A four-star general and a chef walk into the Pentagon. It sounds like the start of a joke, but it’s not. Consider the differences between the two individuals, but also consider the similarities. Both work in the same building. Both are employed by the government. Both probably have a key card that grants them access to the building and dictates where they can go within it.

Of course, this is where the similarities end. The general has access to the more secure areas of the building containing sensitive materials and information pertinent to his or her job. On the other hand, the chef probably has access to parts of the building that the general would never think to go, such as kitchens, storage, or areas where food is served. The chef’s access card isn’t going to provide access to the war room, and there’s a good chance the general’s card won’t grant access to every area where a chef might serve a meal for different teams. This is all perfectly logical—why risk the entire building being compromised because of one lost keycard?

Put in those terms, it seems obvious. So why do so many organizations fail to apply this same logic to their identity security? By granting users, devices, applications and other identities privileges well in excess of what they need to do their jobs, organizations are making it far too easy for attackers who compromise an identity. Unfortunately, compromising identities is something of a specialty for many of today’s attackers—meaning that improving identity security must be a higher priority than ever for modern organizations.

The Danger of Poor Identity Security 

Systems are growing ever more complex, and as that complexity increases visibility becomes more difficult. While many businesses had already been undergoing digital transformations, the past two years have accelerated the trend significantly—particularly as it applies to identity security. With remote work as the norm, new users and devices now need to access corporate networks from unfamiliar places every day. IT teams also need to grapple with securing the new applications that employees need to function remotely, such as Slack and Zoom. And of course, use of the cloud continues to expand, adding entirely new infrastructure and applications to the mix.

As the complexity of IT environments grows, so too does the potential threat surface. Users might need to access data across multiple servers, cloud environments, file sharing applications, and other locations. In an organization with hundreds or thousands of employees, determining access rights and privileges for each individual user can seem like an incredibly daunting task, especially when business operations are taken into account. And here’s the real issue: no IT team wants to be seen as a roadblock to productivity. This is the core of the problem that leads to overprovisioning. It is easier to grant more access than necessary than it is to field access requests on a case-by-case basis. This makes it challenging to manually govern identities at scale.

Unfortunately, overprovisioning can have negative consequences. If our old friend the chef has a keycard that opens the door to the war room, anyone with access to that keycard could throw on an apron, grab a sandwich platter, and make off with top secret intelligence. In an enterprise IT environment, it’s much the same. Should software developers have access to human resources files? Should the public relations team be able to approve purchase orders? When employees have outsized access levels, it opens the door to chaos. Anyone can be tricked into giving away their password—it happens every day. But compromising an administrative assistant’s identity should not allow an intruder to access financial records or personal information. No individual identity should give an attacker the keys to the castle.

No “Set It and Forget It” for Identity Security  

I was a CISO fifteen years ago when I first heard Mandiant CEO Kevin Mandia say that compromise was inevitable, and that smart companies should focus on preparation, detection, and response instead of assuming that prevention will work. Even though it’s been 15 years—and “compromise is inevitable” is no longer even controversial—it seems like most of today’s security tools focus primarily on stopping or preventing attacks, rather than mitigating their potential impact. Shifting the focus to mitigation represents a change in philosophy, but one that will have positive results for businesses. This isn’t to say that preventative tools are not necessary—they absolutely are—but that they can be used most effectively in conjunction with tools that help lessen the impact of those attacks that slip through the cracks.

Given that 61% of breaches today involve credential data, that process starts with ensuring that individual identities have access only to the data and areas of the network they need access to. That means that if a marketing employee falls victim to a phishing email, some marketing data might be compromised—but the attacker won’t be able to access payment information or personnel files.

While it is difficult to manage large numbers of identities manually, modern technology has—thankfully—made it easy. Today’s organizations no longer need to individually provision access privileges for users and other identities. Artificial intelligence (AI) and machine learning (ML) have powered the growth of new automated tools capable of identifying patterns in behavior and understanding the degrees of access appropriate for different job functions. Modern solutions can even learn and adjust over time if they see repeated access requests from similar users, or notice that a certain type of access is almost never used. Identity security is not a “set it and forget it” solution. Needs and functions change over time, and a good identity security solution must change as well.

Contain the Blast Radius and Stay Out of the Headlines 

A strong identity security solution establishes the right level of access for individual identities in a way that doesn’t inhibit their ability to do their job. And really, why should it? The chef will probably never even know their keycard doesn’t open the door to the war room—they have no reason to even try it. Likewise, the general has no reason to access wherever the chef is headed. Denying them access will not impact their performance in any way. There is no reason to give them access to areas that they will never need to do their respective jobs.

Automation has made it possible to apply this same principle at scale for today’s organizations, establishing clear access parameters for different identities and ensuring that the damage caused by one compromised identity remains contained. While preventative tools are important, organizations must invest more resources into attack mitigation. Mandiant may have been early in its proclamation that breaches are inevitable—but it was true. But not every breach has to be a big one. Thanks to automation, today’s identity tools can help organizations ensure that their next breach stays out of the headlines.

About the Author

Grady Summers has held technology and leadership positions for over 20 years and now serves as the Executive Vice President of Product at SailPoint. Grady will be responsible for driving SailPoint’s technology roadmap and solution strategy, ensuring strong and consistent execution across SailPoint’s identity portfolio. Most recently, Grady was the Executive Vice President of Products and Customer Success at FireEye. In his two roles before that, Grady was a Principal at Ernst and Young, helping to lead the firm’s information security practice, and the Chief Information Security Officer (CISO) at General Electric, overseeing a massive global cybersecurity organization.

For more information, visit www.sailpoint.com.