Companies have historically focused on security tools to help protect from attackers successfully getting into an organization. However, with the acceleration of ransomware and AI-backed cyber threats, modern security teams now realize that this is not enough – they have to treat breaches as inevitable and prepare accordingly to quickly find and shut down attacks when access is compromised. Put simply, organizations must work to de-risk breaches before they inevitably take place. The best way to de-risk breaches, rendering them effectively powerless, is to use the principles of intelligent access to enforce least privilege, monitor access changes in real time, and perform forensics beyond basic log analysis.
Don’t assume you can prevent breaches, but do plan to minimize their impact with Least Privilege
A growing chorus you hear from today’s security professionals is “it’s not a question of ‘if,’ but ‘when.’” We should, of course, all continue to do all we can to stop attackers from getting access. However, our security posture must adapt beyond the last line of defense to include strategies for quickly shutting down security incidents. Every day in the press, we see more examples of the dangers of putting all your faith in the strategy of preventing breaches. For example, in the 2020 Twitter breach, attackers targeted a small number of employees with a spear phishing attack to gain access to internal account support tools in order to tweet a bitcoin scam from high-profile accounts including Barack Obama, Joe Biden, Bill Gates, Elon Musk, and Floyd Mayweather. These employees had multifactor authentication and robust endpoint security tools deployed on their machines, but of course, those don’t help when hackers log in rather than hack in. The best way to reduce the risk and potential impact of a data breach is to achieve and maintain Least Privilege – to ensure that each user has only the essential access rights that they require to perform their jobs. Fewer people with access to sensitive account support functionality would have made the Twitter attack less likely to succeed.
How to implement: Regularly review and adjust access privileges, ensuring they align with current job requirements (including service accounts, local roles, and ACL-level permissions). Conduct security-driven “spot-check” access reviews to move closer to “continuous compliance” rather than waiting for monthly or quarterly audit processes.
Implement real-time monitoring of access changes
Actions like the creation of new admin accounts or the granting of new access to sensitive information should always trigger red flags and be immediately reviewed by security teams. In the infamous SolarWinds attack, threat actors seized control of employee accounts, granted those accounts more privileges, and created new accounts with unlimited access to burrow deep into their victims’ networks. Real-time monitoring of privilege escalation and new admin account creation (a pillar of Intelligent Access) would have been a very potent technique to minimize the blast radius of that attack and to get an early warning of this frequently used technique of escalating privilege.
How to implement: Put monitoring tools in place to provide real-time alerts for access changes and ensure these alerts are integrated into your overall process for a coordinated response.
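The kind of real-time check the step above calls for, written out as an added example that is not code from the original article: it reads a stream of access-change events and raises alerts for the patterns discussed above (new accounts, accounts added to admin groups, admin roles granted, and especially an actor granting admin rights to their own account). The JSON-lines event format, the group and role names, and the sample log are all constructed assumptions; a real identity provider or directory has its own schema, so `parse()` is the part to adapt.

```python
"""Real-time alerting on access changes, run over a stream of audit events.

Added example, not code from the original article. The input is a
constructed, generic JSON-lines audit log (fields: ts, action, actor,
target, detail); real identity providers and directories use their own
schemas, so parse() is the part you would adapt to the source you ingest.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Groups and roles whose membership confers admin-level access (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrators", "org-admins"}
PRIVILEGED_ROLES = {"admin", "owner", "security-admin"}


@dataclass
class Alert:
    severity: str   # "critical" alerts are the ones to page on
    ts: str
    actor: str
    summary: str


def evaluate(event: dict) -> Optional[Alert]:
    """Map one access-change event to an alert, or None when it needs no review."""
    action = event.get("action")
    actor = event.get("actor", "?")
    target = event.get("target", "?")
    detail = event.get("detail") or {}
    ts = event.get("ts", "")

    if action == "user.create":
        # Every new account deserves a look; one born with admin rights is critical.
        granted = set(detail.get("roles", [])) & PRIVILEGED_ROLES
        if granted:
            return Alert("critical", ts, actor,
                         f"new account {target} created with privileged roles {sorted(granted)}")
        return Alert("medium", ts, actor, f"new account {target} created")

    if action == "group.member.add" and detail.get("group") in PRIVILEGED_GROUPS:
        return Alert("critical", ts, actor,
                     f"{target} added to privileged group {detail['group']}")

    if action == "role.assign" and detail.get("role") in PRIVILEGED_ROLES:
        # An actor granting admin rights to their own account is a classic escalation pattern.
        who = "themselves" if actor == target else target
        return Alert("critical", ts, actor, f"{actor} granted role {detail['role']} to {who}")

    return None


def parse(line: str) -> Optional[dict]:
    """Parse one JSON line; malformed lines are skipped rather than crashing the monitor."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def monitor(lines: Iterable[str]) -> List[Alert]:
    """Evaluate every event in the stream and return the alerts in arrival order."""
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample stream: a routine login, a new service account that is then
# added to an admin group, a self-granted admin role, a corrupt line, and a new
# account created directly with an admin role.
SAMPLE_LOG = [
    '{"ts":"2024-05-01T09:00:00Z","action":"login.success","actor":"alice","target":"alice","detail":{}}',
    '{"ts":"2024-05-01T09:01:00Z","action":"user.create","actor":"alice","target":"svc-backup2","detail":{"roles":["reader"]}}',
    '{"ts":"2024-05-01T09:02:10Z","action":"group.member.add","actor":"alice","target":"svc-backup2","detail":{"group":"Domain Admins"}}',
    '{"ts":"2024-05-01T09:03:00Z","action":"role.assign","actor":"bob","target":"bob","detail":{"role":"admin"}}',
    'this line is not json',
    '{"ts":"2024-05-01T09:04:00Z","action":"user.create","actor":"alice","target":"alice-admin","detail":{"roles":["admin"]}}',
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"[{a.severity:8}] {a.ts} actor={a.actor}: {a.summary}")
```

The value of this kind of rule is in where its output goes: the critical alerts belong in the same queue and on-call rotation as any other incident signal, so that an admin-group addition at 09:02 is looked at by a human within minutes rather than surfacing in the next quarterly access review.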
Don’t rely on logging alone
When breaches happen, SecOps teams turn to system logs to trace the steps of the attackers to figure out which systems and data were accessed. However, logging is expensive and storage-intensive, so often, investigators find that logging was either turned off or lacking sufficient detail to truly understand what they need to know. Of course, attackers also do their best to cover their tracks, so even well-designed logging systems won’t necessarily give you the whole picture. Attackers in the MGM incident earlier this year leveraged a lesser-known Okta feature, “inbound federation,” to create unusual pathways for new user creation. Tracking down and deciphering logs for these types of techniques is undoubtedly more difficult. Thus, when it comes to post-breach forensics, SecOps teams are much more commonly expanding their search to include what could have been accessed rather than simply what was accessed, because the picture that logging provides is usually incomplete.
How to implement: Leverage a comprehensive mapping of data and permissions for your whole enterprise so you always know who can access which data and what they can do with that access.
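The permission map described here and the least-privilege access review described earlier (the “regularly review and adjust access privileges” step) rest on the same computation: resolving every user’s effective access through direct ACL entries and nested group membership. The following added example, which is not code from the original article, does both on one constructed inventory: `who_can_access()` answers the forensic question of who could have reached a given data set and with what rights, and `spot_check()` compares each user’s effective access, service accounts included, against a per-role baseline and reports the excess. The users, groups, resources, permissions and role baselines are all assumed sample values.

```python
"""Enterprise permission map plus a least-privilege spot check.

Added example, not code from the original article. The inventory is a
constructed, simplified model: users (people and service accounts) with a job
role and direct group memberships, groups that can be members of other
groups, and ACLs on resources granting permissions to users or groups. In a
real environment these come from the directory, IdP and each system's own
permission API; every name below is an assumption.
"""
from collections import deque
from typing import Dict, Set

# --- constructed sample inventory -----------------------------------------
USERS = {
    "alice":      {"role": "support-agent",  "groups": {"support-tier1"}},
    "bob":        {"role": "support-agent",  "groups": {"support-tier1", "support-admins"}},
    "carol":      {"role": "finance",        "groups": {"finance"}},
    "svc-backup": {"role": "service-backup", "groups": {"backup-operators"}},
}
# group -> groups it is itself a member of (nested membership)
MEMBER_OF = {
    "support-tier1":  {"support-all"},
    "support-admins": {"support-all"},
}
# resource -> principal (user or group) -> permissions granted at ACL level
ACLS = {
    "account-support-tool": {"support-all": {"read"}, "support-admins": {"read", "impersonate"}},
    "payroll-db":           {"finance": {"read", "write"}, "svc-backup": {"read"}},
    "customer-pii-bucket":  {"backup-operators": {"read"}, "bob": {"read", "write"}},
}
# what each job role actually needs: resource -> permissions
ROLE_BASELINE = {
    "support-agent":  {"account-support-tool": {"read"}},
    "finance":        {"payroll-db": {"read", "write"}},
    "service-backup": {"customer-pii-bucket": {"read"}, "payroll-db": {"read"}},
}

Access = Dict[str, Set[str]]   # resource -> permissions


def effective_groups(user: str) -> Set[str]:
    """All groups a user belongs to, following nested membership transitively."""
    seen: Set[str] = set()
    queue = deque(USERS[user]["groups"])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(MEMBER_OF.get(g, ()))
    return seen


def effective_access(user: str) -> Access:
    """What a user can do on each resource, via direct ACL entries and every group they are in."""
    principals = {user} | effective_groups(user)
    access: Access = {}
    for resource, entries in ACLS.items():
        perms = set().union(*(entries.get(p, set()) for p in principals))
        if perms:
            access[resource] = perms
    return access


def who_can_access(resource: str) -> Dict[str, Set[str]]:
    """The forensic view: every user who could reach a resource, and with what rights."""
    result: Dict[str, Set[str]] = {}
    for user in USERS:
        perms = effective_access(user).get(resource)
        if perms:
            result[user] = perms
    return result


def excess_entitlements(user: str) -> Access:
    """Permissions a user holds beyond what their job role's baseline allows."""
    baseline = ROLE_BASELINE.get(USERS[user]["role"], {})
    excess: Access = {}
    for resource, perms in effective_access(user).items():
        extra = perms - baseline.get(resource, set())
        if extra:
            excess[resource] = extra
    return excess


def spot_check() -> Dict[str, Access]:
    """The access review: users (service accounts included) whose access exceeds their role."""
    findings: Dict[str, Access] = {}
    for user in USERS:
        extra = excess_entitlements(user)
        if extra:
            findings[user] = extra
    return findings


if __name__ == "__main__":
    for user, excess in spot_check().items():
        print(f"{user}: access beyond role baseline -> {excess}")
    print("who can reach customer-pii-bucket:", who_can_access("customer-pii-bucket"))
```

In the sample data bob's nested group membership and a direct ACL entry give him impersonation rights on the support tool and write access to a PII bucket that his role never needed; that is exactly the kind of excess a spot check should surface before it is needed in an incident, and the same map tells an investigator afterwards which accounts could have reached that bucket even when the access logs are missing.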
In short, beefing up identity security will make a much bigger impact on reducing the risks of data breaches than simply continuing to focus on more and more tools designed to keep attackers out.