Defending Against Threats in Identity Security; Part 2: Remediate

Hannah Young
May 2, 2023
6 min read

This is Part 2 (Remediate) of a series on changing security threats and approaches. If you haven’t already, check out Part 1 (Detect) first!

While many understand the need for security practitioners to evolve with attackers, the hard truth is that current solutions already do not do enough to combat advanced security attacks or remediate them once they occur.

Since its release last year, the 2022 Gartner Report has fundamentally changed how we see identity and access management (IAM). Much of this is due to Identity Threat Detection and Response (ITDR), a phrase coined in the Gartner report that offers a new approach to changing security threats.

According to the report, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.” A key part of the response step: remediation.

Graph from the Gartner Report titled "ITDR Works as Second and Third Layers of Defense After Prevention"

In this two-part series, we break down the defense against emerging problems in identity security into their two major steps: Detect and Remediate. This is Part 2: Remediate.

Part 2: Remediate

Although there are many pieces online about security incidents and how they happened or could have been prevented, it is rare to have genuine insight into what an affected organization does to remediate after an attack (e.g., EA’s brief response to their breach).

While we’ve now walked through detective measures, as Gartner advises, “in addition to preparing for and detecting threats and attacks, SRM leaders should prepare a response plan.” Gartner offers the recommendation to “master the response phase by building or updating playbooks and automation to include IAM enforcement within the steps taken to eradicate, recover from, report and remediate identity threats.”

Security playbooks can take on different forms, but in general, they include a plan outlining the steps you’ll take if/when a security incident occurs (Gartner offers a few examples of what this looks like in their “Cybersecurity Incident Response Plan” and “Creating a Ransomware Playbook” toolkits). Every organization needs an information security strategy; an attack can’t be the first time you do something about security, because by then time is of the essence. Every second you spend developing a remediation strategy while a breach is happening is time that the attacker will be using to gather information, attempt to install persistence mechanisms, and potentially compromise additional accounts. This makes having a playbook ready to go essential to timely and effective remediation.

Gartner offers a variety of strategies for your playbook under this remediate umbrella, including to “reset affected credentials, remove rogue and excessive accounts, patch systems, and rotate security keys” and specifically “automating response actions” (emphasis added). Pre-automation, remediation was mostly case-by-case, usually prompted by an incident or some sort of “clean up” like an audit or company initiative. As a result, some remediation services and companies stitched together their own remediation tools and workflows, making solutions pretty ad-hoc overall.

It's important to keep in mind that company size is a key context. At large enterprises, the security operations center (SOC) tends to be responsible for remediation efforts. However, smaller companies may not have a dedicated SOC, so individuals may have to take up multiple roles (being responsible for both infra-security and incident response, for example), including remediation work. This made it especially useful for smaller companies to move away from these ad-hoc solutions toward automation.

Now, a class of tools called SOAR (Security Orchestration, Automation, and Response) is used for auto-remediation. SOAR as a term was coined in 2017 (by… you guessed it! Gartner!), so it is still generally a new category of tools. For example, a SOAR flow may be triggered by a user reporting an Okta session as stolen; then, automatically, the user account and device(s) are locked, their manager is alerted, the password is scrambled, and a ticket is raised for a SOC analyst to do a forensic investigation. Note that this example mixes automated steps (the user account is locked automatically) with manual ones (the SOC analyst has to lead the forensic investigation).

A triple venn diagram with SOAR in the middle. In one circle, it says "Security Orchestration and Automation", one circle has a brain and says "Threat Intelligence Platforms", and the final circle has the outline of three people and a clock that says "Security Incident Response Platforms" with an equation at the bottom of the image that says "SOAR = SOA + SIRP + TIP"
Image by Gartner

A considerable benefit of SOAR is the rapid response, saving valuable security analyst time. However, the major problem with auto-remediation is that it’s great in theory but, in practice, it brings on a slew of new issues, like the loss of data associated with cold-cutting access. There are also concerns with predictability—do I understand what the auto-remediation will do and when it will do it?—and the “cat and mouse” issue—will I have to build a new auto-remediation strategy for every possible issue that comes up?

You need good practices, such as playbooks and quality input, to feed into SOAR for it to be effective. Without playbooks, you may just be chasing every new threat as they pop up, negating the whole point of using automation to streamline processes in the first place (a concept we elaborate on in “Cybersecurity Is More Critical Than Ever, and You (Yes, You) Can Do Something About It Now”). Without quality input, your SOAR may have a high false positive rate (say, a tool wrongly detects an Okta session as compromised) and erroneously cold-cut access, scramble passwords, and lock devices automatically, majorly disrupting you and the business.
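To make the stolen-session flow above and the false-positive concern concrete, here is an added example (not Crosswire’s code and not a real Okta or ticketing API) of a playbook that only cuts access automatically when the input is trusted, and always routes the forensic investigation to a human. The `RecordingConnector`, the `AUTO_THRESHOLD` value, and the `SessionAlert` shape are all assumptions made for the example.

```python
from dataclasses import dataclass

AUTO_THRESHOLD = 0.9  # assumed: below this score, no access is cut without a human


@dataclass
class SessionAlert:
    """Constructed alert shape mirroring the post's stolen-Okta-session example."""
    user: str
    devices: list[str]
    manager: str
    source: str        # "user_report" (trusted) or "detector"
    confidence: float  # detector's own score, 0.0-1.0


class RecordingConnector:
    """Hypothetical stand-in for the IdP, device-management and ticketing
    connectors a SOAR would call; it only records what a real one would do."""
    def __init__(self):
        self.actions: list[str] = []
        self.tickets = 0
    def lock_user(self, user): self.actions.append(f"lock_user:{user}")
    def lock_device(self, dev): self.actions.append(f"lock_device:{dev}")
    def scramble_password(self, user): self.actions.append(f"scramble_password:{user}")
    def alert_manager(self, mgr, msg): self.actions.append(f"alert:{mgr}")
    def open_ticket(self, title, priority):
        self.tickets += 1
        self.actions.append(f"ticket:{priority}:{title}")
        return self.tickets


def stolen_session_playbook(alert: SessionAlert, c: RecordingConnector) -> dict:
    """Automated containment only for trusted input; the forensic
    investigation is always a manual ticket for a SOC analyst."""
    trusted = alert.source == "user_report" or alert.confidence >= AUTO_THRESHOLD
    automated = []
    if trusted:
        c.lock_user(alert.user)
        for d in alert.devices:
            c.lock_device(d)
        c.scramble_password(alert.user)
        c.alert_manager(alert.manager, f"{alert.user} session locked")
        automated = ["lock_user", "lock_devices", "scramble_password", "alert_manager"]
    ticket = c.open_ticket(f"Forensics: {alert.user}", "high" if trusted else "triage")
    return {"trusted": trusted, "automated": automated, "manual": [f"forensics_ticket_{ticket}"]}


if __name__ == "__main__":
    conn = RecordingConnector()
    print(stolen_session_playbook(SessionAlert("alice", ["laptop-1", "phone-1"], "bob", "user_report", 1.0), conn))
    print(stolen_session_playbook(SessionAlert("carol", ["laptop-2"], "bob", "detector", 0.4), conn))
    print(conn.actions)  # every action is recorded, so the flow is auditable
```

The recorded action list is what gives the flow predictability: you can see exactly which steps ran, and a low-confidence detection never cuts access before an analyst looks.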

Essentially, to take advantage of auto-remediation without otherwise jeopardizing your organization’s productivity, your security team needs SOAR capabilities tailor-made for identity systems. Luckily, solutions are starting to appear across the identity space, and we’ll talk more about them soon.

To get notified when we post more about these solutions (and to stay up to date with Crosswire on all things identity and infosec), sign up to receive our updates below!
