IT security teams layer in solutions to prevent threat actors from infiltrating networks, devices, and applications. But all those measures are useless if someone lets them in through the front door.
“When we think about security, usually we’re thinking about endpoint security and network security, maybe even data security these days. But oftentimes identity is overlooked,” Matt Caufield, VP of product and identity security at Cisco, said during the recent SC Media panelcast Detecting the Identity Trojan Horse: The Human Element of Cyber Breaches and Its Paradox with Cyber Identity. “It’s still a function that lives within the IT organization, and it’s still seen as an operational function for most organizations—despite the fact that the vast majority of breaches originate with identity.”
The latest Verizon Data Breach Investigations Report shows 74% of cyber breaches came from human errors and phishing scams. Such a high statistic points to users’ poor cyber hygiene and low security awareness. However, another cause are sophisticated attacks that make it difficult to distinguish a compromised account from a valid one.
The rise of session hijacking and MFA bypasses
The panel discussed the increasingly complicated identity landscape that cybersecurity professionals must navigate – managing identities across numerous systems made more complex by the synchronization of HR systems, directories, and single sign-on platforms. Further complicating matters is managing multiple identity providers, mitigating shadow IT risks with orphaned IDs and undiscovered SaaS accounts, and promptly offboarding terminated users.
As a CISO with decades of experience, Michael Farnham’s frustration arises from outdated protocols and technical debt. Despite efforts to implement new security measures, existing vulnerabilities persist while the threat of rogue user databases pose ongoing challenges, he told the webcast audience.
“Even now, there are lack of controls to stop bad things from happening when it comes to identity. There's just not enough,” Farnham, currently an advisory CISO for technology consultancy Trace3, said. “There's a lot of blind trust in place that I cannot fix necessarily in all of my different areas that I have in my environments.”
Adding to those woes are the persistence of traditional attacks like password spraying, brute forcing, phishing and newer tactics like session hijacking and multi-factor authentication (MFA) bypassing that undermine the belief MFA alone can thwart identity-based attacks.
Session hijacking allows attackers to steal session tokens and assume users' identities without the need for traditional authentication methods. Malware-based man-in-the-middle attacks intercept session tokens, granting unauthorized access to sensitive systems and applications.
Even with widespread MFA implementation, vulnerabilities persist. Attackers exploit MFA fatigue or use tactics such as flooding MFA prompts to deceive users into granting access.
In essence, while MFA and traditional security measures remain crucial, they are no longer foolproof defenses against evolving identity-based threats.
While every industry with an identity program is susceptible to such attacks, some, like healthcare are more at risk due to the nature of the industry, where users share IT and medical devices, according to Aaron Woland, a distinguished engineer within Cisco’s security department. “Here at Cisco … I’m using one of my many dedicated systems that are just for me. No one’s ever going to sit down and log into my machine. That’s not always the case in a lot of industries, especially medical.”
Woland said the evolution of web authentication brings to light the need to revisit fundamental security principles. Despite advancements like biometrics and passkeys, authentication protocols often overlook lessons from early network-based authentication systems. For instance, the significance of session token management is often underestimated. Lengthy, non-refreshing tokens present vulnerabilities, a concern exacerbated by the absence of session invalidation mechanisms common in network protocols, he said.
Efforts like CAEP (Continuous Access Evaluation Protocol) aim to address these shortcomings, Woland noted. However, contemporary authentication methods still face challenges in ensuring session integrity and preventing token theft.
A different approach to securing IAM processes
Today's identity and access management tools provider user resource access through policy-based decisions, encompassing factors like group membership and resource sensitivity. Yet, to enhance security, much more is now needed. It’s crucial identity professionals have the means to evaluate user risk, manage account configuration (password strength, dormancy), and detect behavioral anomalies. Solutions do exist to address these complexities, but a comprehensive approach to access evaluation remains a challenge.
Farnham warned that customers' identity management maturity levels vary, from manual to automated processes. Automated onboarding requires vigilance to detect abnormal activity and tools to facilitate behavior baseline comparison, automated responses, and auditability for effective identity governance amidst evolving security landscapes.
“I want to have room for somebody to be able to audit that on a regular basis, audit that behavior, modify those baselines if I need to do so. Any kind of tool that's helping me to do that would be extremely helpful as well,” the CISO said.
A new era of identity intelligence
Vendors such as Cisco are rising to the occasion with new solutions that transform authentication, authorization, and threat detection through identity context and behavior analysis. These identity threat intelligence tools elevate zero-trust access and threat defenses beyond conventional network and endpoint security.
“Access to that type of intelligence doesn’t come by default with your EDR or your network security tools or firewalls. It’s something new that organizations need to work on building into their security programs that they might not have today,” Caufield explained.
“Data is only as interesting as what you do with it,” he added. Cisco Identity Intelligence, including a version that includes Duo MFA, brings together information collected from different identity systems to not just inventory but analyze user behaviors. This also reduces the need to blindly trust what is happening between identity and networking systems – it’s now collected and displayed on demand.
“I love being able to see things before they happen, and not just have to detect them after,” Farnham said of identity’s general movement in that direction.