How to Detect and Remediate Identity Threats; Solution 2: Remediate

This is “Solution 2: Remediate” of a two-part series on “How to Detect and Remediate Identity Threats” (if you haven’t already, check out Solution 1: Detect first)! In this series, we provide solutions to the problems put forth in our parallel series “Defending Against Threats in Identity Security,” (both Part 1: Detect and Part 2: Remediate).

As we discuss in “Defending Against Threats in Identity Security; Part 2: Remediate,” current solutions already do not do enough to combat advanced security attacks or remediate them once they occur. While there are many pieces online about security incidents and how they happened or could have been prevented, it is rare to have genuine insight into what an affected organization does to remediate after an attack (e.g., EA’s brief response to their breach).

However, industry researchers are working overtime to discover and create new strategies, like the 2022 Gartner Report’s creation/coining of the ITDR (Identity Threat Detection and Response) discipline. According to the report, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”

In this two-part series, we break down how to both detect and remediate changing identity security threats. This is Solution 2: Remediation.

What do approaches to remediation currently look like?

As is illustrated in the Gartner graphic above, remediation/response exists as a conclusive step in your identity security process after a threat has evaded preventative and detective measures. Gartner offers the recommendation to “master the response phase by building or updating playbooks and automation to include IAM enforcement within the steps taken to eradicate, recover from, report and remediate identity threats.”

Security playbooks can assume diverse formats, but they typically encompass a blueprint delineating the actions to take in the event of a security incident (Gartner provides several examples of playbooks in their “Cybersecurity Incident Response Plan” and “Creating a Ransomware Playbook” toolkits). Gartner offers a variety of strategies for these kinds of playbooks, including to “reset affected credentials, remove rogue and excessive accounts, patch systems, and rotate security keys” and “automating response actions.”

Before automation, remediation was primarily handled on a case-by-case basis, typically triggered by an incident or “clean up” activities such as an audit or company initiative. Consequently, many companies cobbled together their own remediation tools and workflows, making solutions pretty ad-hoc overall. However, as can be seen in the emphasis added in the paragraph above, recent strategies have turned to automation in order to bolster their remediation efforts.

Note: When it comes to remediation strategies, it’s important to consider the context of company size. In larger enterprises, the security operations center (SOC) typically handles remediation tasks. However, in smaller companies without a dedicated SOC, individuals may assume multiple roles (including remediation work), such as being responsible for both infrastructure security and incident response for example. This transition towards automation becomes particularly beneficial for smaller companies, enabling them to move away from ad-hoc solutions.

Automation Remediation Conversation

Now, a category of tools known as SOAR (Security Orchestration, Automation, and Response), coined in 2017 by Gartner, is utilized for automated remediation. For instance, a SOAR workflow might be triggered when a user reports a stolen Okta session, automatically locking the user account and device(s), notifying their manager, scrambling the password, and generating a ticket for a SOC analyst to conduct a manual forensic investigation—both manual (SOC analyst has to lead a forensic investigation manually) and automated steps (user account is automatically locked).

The major problem with auto-remediation is that it’s great in theory but, in practice, it brings on a slew of new issues. While SOAR offers the advantage of swift response, it also introduces challenges like potential data and productivity/opportunity costs when cold-cutting access, concerns regarding predictability and understanding the “when” and “what” of the automated remediation process, as well as the “cat and mouse” issue: the ongoing need to chase new strategies for every potential issue that comes up.

How to take advantage of auto-remediation without disrupting your org

To effectively leverage auto-remediation while ensuring uninterrupted business operations, it is crucial for your security team to have SOAR capabilities specifically designed for identity systems. These systems should be able to apply remediations that are appropriate to the level of risk involved. For example, when dealing with a signal you have low confidence in, it would be inappropriate to lock the entire user account. Instead, the focus should be on restricting access to highly sensitive applications only.

Additionally, self-service resolution paths are essential to making auto-remediation work for you and your organization. In the event of a locked user account, users should have the ability to restore access on their own, without relying on the involvement of the security or IT team. This is crucial because no detection method is flawless, and every minute wasted due to incorrect detection translates to costs for the business. Therefore, minimizing time-to-recovery as much as possible is paramount.

Flexible, identity-cognizant remediation practices that balance org safety with productivity/user experience are not currently commonplace in remediation or threat detection software. However, solutions are starting to appear across the identity space, and we’ll talk more about them soon.

To get notified when we post more about these solutions (and to stay up to date with Crosswire on all things identity and infosec), sign up to receive our updates below!