How Identity threats are currently defined and the defense approach and tools used by most SOC teams are woefully insufficient.
That needs to change immediately.
Most SOC teams view identity security as fixing identity hygiene and updating pre-compromise posture management. But in this expanding identity and GenAi threat environment, comprehensive identity security also requires AI-driven post-compromise detection and response capabilities to defend against ongoing attacks. We know this because organizations are getting blind-sided across their hybrid threat surfaces by Identity-based attacks, despite having identity attack prevention.
This challenge is made even more difficult because most SOC teams lack the tech stack to gain visibility into such identity attacks until months later, if ever. Put simply, if you can’t see it, you can’t stop it. A new understanding of Identity is needed, as is a comprehensive approach to detection and response.
A new definition of identity: the center of the modern enterprise
Identity is no longer singular or locked away. A more appropriate definition is that identity is the center of the modern enterprise, as it runs through your on-premises and cloud networks, SaaS, PaaS, data, remote work, and other surfaces and numerous devices. Unfortunately, it also enables cyber attackers to launch their attacks across hybrid surfaces on an industrial scale. What’s more, it takes just one compromised identity for attackers to quickly navigate complex network systems and steal critical data from organizations everywhere, without even being detected by most SOC teams. The reality is that all hybrid attacks eventually become identity attacks.
All hybrid attacks eventually become identity attacks.
How do we know this?
Because, despite investing millions of dollars in security tools to defend hybrid environments, 90% of organizations have experienced an identity attack. Additionally, attackers have commoditized techniques such as phishing-as-a-service and ransomware-as-service, enabling them to replicate successful attacks involving identities at large scales.
Unified cloud and network Access are the new frontlines in identity security
Identity used to be only accessible if an attacker was already in the network. The belief was that firewalls, EDR, and policies were sufficient to protect identities and were the frontlines for identity defense. That’s no longer the case. Today, identities are beyond the perimeter and easily accessed outside the traditional network environment. With such external access now the norm, unified cloud and network access have become the new frontlines for defenders.
Attackers need two Things to be successful – an Identity and a network
Essentially, attackers need only two things to be successful – an identity and a network. In terms of Identity, it’s a target-rich opportunity for attackers. As the number of identity attack surfaces rapidly expands, the opportunities for identity compromise increase exponentially. Every user (customers, employees, partners, and vendors), device, and service account in the cloud and network represents a potential identity attack vector.
Thus, attackers can abuse every kind of identity, both human and machine-related, to spread their attacks either as a starting point or to move laterally within an environment to access sensitive data and spread ransomware. Plus, the myriad of machine identities (such as APIs, bots, and service accounts) all pose unique defense challenges. Unlike human users, they cannot authenticate via MFA (more on MFA in a moment).
The identity explosion brings huge machine and service identity blind spots
Yet, these machine identities have access to critical resources. According to Silverfort, 31% of all users are service accounts with high access privileges and low visibility. Additionally, on average, 109 new shadow admins are introduced by a single AD misconfiguration, enabling attackers to reset a true admin’s password. *Silverfort Identity Underground Report
31% of all users are service accounts with high access privileges and low visibility.
Furthermore, enterprises have more identities to protect than their SOC team may realize. According to the Vectra Identity Calculator, enterprises have 3X identities (machine/service accounts) for every employee. That means enterprises with 1,000 employees have at least 3,000 identities to protect. Plus, according to Okta, only 64% of those users actually enable MFA, resulting in at least 1,080 identities (3,000 x (100%-64%) that aren’t protected by, or even use, MFA. Clearly, the way we think of Identity and approach Identity security must be both more elastic and involve comprehensive coverage.
Additionally, while attacker groups pivot between attack surfaces in the network and cloud at will, too often, SOC teams rely on siloed tools for each attack surface, adding more noise, a cascade of alerts, and less visibility. With the rapid increase in enterprise identities coupled with the lack of visibility, attackers gain more ways to breach a network and progress their attacks, while defenders are ill-equipped to meet these new challenges. Consequently, in the vast majority of instances, SOC teams aren’t preventing, seeing, or stopping identity attacks from entering their networks or stealing their data.
An expanding identity attack surface raises your threat risk
Similarly, as organizations continue to migrate to the Cloud, their environments span on-premises infrastructure, cloud services, and remote workspaces, creating an increasingly complex fabric of interconnected systems. This expansion gives attackers multiple new entry points to begin an attack. That fact alone greatly increases their odds of success. Even one compromised entry point can lead to significant breaches as attackers pivot between on-premises and cloud environments.
MFA isn’t nearly enough – if it ever was
For a significant portion of SOC teams, the prevailing view of their identity security is one of, “We’ve got MFA, so we’re all set.” As we’ve seen with recent, high-profile breaches, MFA isn’t enough. The fact that 90 percent of enterprises that experience identity attacks had MFA tells that story in no uncertain terms
90% of enterprises that experience identity attacks had MFA in place.
That fact is borne out by the Microsoft disclosure at Ignite in 2023, revealing that 62% of all active monthly users didn’t have MFA turned on. This means that almost two-thirds of an organization’s identities are at a much higher risk of an account breach. Finally, the OKTA supply chain breach in late 2023 demonstrated the insufficiency of MFA in protecting identities. Attackers can easily bypass MFA through social engineering or compromised devices, among other ways.
That’s less of a critique of MFA and more of a reality check about human behavior.
Similarly, EDR solutions aren’t bulletproof either. They’re necessary but insufficient, since they can miss various and subtle signs of identity compromise. Intrusion prevention tools are also helpful, but not perfect. In short, one way or another, attackers are going to breach your defenses. According to Vectra AI’s research, 71% of security professionals believe that their organization has been breached, they just don’t know where. SOC teams need to augment prevention with robust post-compromise identity detection and response capabilities.
Attackers are going to bypass MFA or EDR and breach your defenses, one way or another.
The human element and identity security fatigue
There’s also a human element to identity security that’s reflected in the Azure Active Directory users of MFA statistics mentioned above. It’s the realization that even when security tools are at employees’ or even enterprises’ disposal, they are not always used or implemented correctly or consistently, if at all. This manifests in all kinds of ways, from simple password fatigue to a failure to implement or enforce policies at the organizational level. Spear phishing continues to be successful in part due to simple human alert fatigue, attention diversion from multitasking, AI-generated fakes, or just “plain ol’ curiosity.”
But identity security fatigue is also a two-way street, impacting SOC teams as well. Analyst fatigue and burnout are real and formidable factors that diminish their effectiveness. Handling an overwhelming number of alerts–almost 5,000 every day–along with tedious manual tasks and too many overtime hours leaves teams overworked, overwhelmed, and understaffed. The result is declining confidence and competence in doing their jobs and high attrition rates. As attackers are becoming more efficient in their attacks, defenders are increasingly falling behind the threat curve.
GenAI attack surface – increasing identity exposure exponentially
Finally, the rapid adoption and integration of GenAI tools like Microsoft Copilot into enterprise environments are already creating new and highly accessible attack surfaces. Even though AI-driven tools are intended to streamline operations, they’re prime targets for identity attacks because the large language models (LLMs) powering them have access to proprietary corporate data. With just one breach, attackers gain the same AI-driven advantage, using enterprise-level AI capabilities against the enterprise itself, exploiting identities to spread their attacks at the speed and scale of AI.
To compound matters, without a post-compromise identity detection and response solution that applies behavioral analysis at the speed of AI, SOC teams have little to no visibility into what information an AI-Chat powered tool like Copilot returns to the attacker. This adds even more latency to detection and response than already exists. SOC teams must be able to leverage detection and monitoring solutions with AI-driven speed and capabilities to prevent and stop attackers from abusing identities through GenAI tools and accessing sensitive data and information.
The conventional definition of identity security consisting of credentials and using MFA is no longer true or usable, as it lags behind the reality of the expanding hybrid surface, the insufficiency of MFA, the mass production of machine identities, and the steep AI-driven threat curve.
The bottom line is that the GenAI-driven attack capabilities of a Copilot breach increase your identity exposure on an exponential scale.
How big of a risk does identity compromise pose to organizations?
About 98% of organizations are seeing a rapid expansion in the number of identities they must protect–but cannot–so it’s difficult to overstate the challenge. Furthermore, according to ISDA, 84% of organizations suffered direct business impacts from an identity breach. Identity proliferation is happening and is here to stay. It’s no wonder that 90% of organizations suffer from an identity breach. Identity compromise is getting ever easier and gives attackers the keys to your data kingdom.
That’s why it’s astonishing that 62% of SOC teams have zero visibility into either the human or machine identities that have access to sensitive data or assets of their organizations. In other words, a significant majority of organizations are incapable of protecting their critical assets from identity-based attacks and are unable to even see when an identity is being, or has been, abused.
Which is more important: the attacker that might get in… or the one that’s already in?
As noted above, 71% of SOC analysts think they are already compromised, they just don’t know it yet. Sure, preventive posture and hygiene are fundamental to identity-first security. However, with new users, devices, systems, and workloads, it’s a never-ending struggle of new gaps to close and more configurations to change. Not to mention misconfigurations that arise from automation or system changes due to M&A activities.
Despite your best efforts, attackers only need one opening to progress in an environment. As attackers continue to accelerate their speed in attacks, security teams should prioritize investing in post-compromise threat detection to stop attackers who have already infiltrated your environment as early as possible, before damage occurs.
All organizations need to stay on top of their identity security, which starts with recognizing the new realities of identity security in the expanding identity and GenAI threat surface environment. It also requires a balanced approach that includes optimizing identity hygiene and posture management, as well as post-compromise identity detection and response. An exposure gap analysis is also recommended.
Vectra Identity Threat Detection and Response (ITDR) detects changes in security posture and delivers post-compromise identity detection and response at the speed and scale of AI, so your team can see and stop identity compromise before any damage occurs.