How to Detect and Remediate Identity Threats; Solution 2: Remediate
This is “Solution 2: Remediate” of a two-part series on “How to Detect and Remediate Identity Threats” (if you haven’t already, check out Solution 1: Detect first)! In this series, we provide solutions to the problems put forth in our parallel series “Defending Against Threats in Identity Security,” (both Part 1: Detect and Part 2: Remediate).
As we discuss in “Defending Against Threats in Identity Security; Part 2: Remediate,” current solutions already do not do enough to combat advanced security attacks or remediate them once they occur. While there are many pieces online about security incidents and how they happened or could have been prevented, it is rare to have genuine insight into what an affected organization does to remediate after an attack (e.g., EA’s brief response to their breach).
However, industry researchers are working overtime to discover and create new strategies, like the 2022 Gartner Report’s creation/coining of the ITDR (Identity Threat Detection and Response) discipline. According to the report, “ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.”
In this two-part series, we break down how to both detect and remediate changing identity security threats. This is Solution 2: Remediation.
What do approaches to remediation currently look like?
As is illustrated in the Gartner graphic above, remediation/response exists as a conclusive step in your identity security process after a threat has evaded preventative and detective measures. Gartner offers the recommendation to “master the response phase by building or updating playbooks and automation to include IAM enforcement within the steps taken to eradicate, recover from, report and remediate identity threats.”
Security playbooks can assume diverse formats, but they typically encompass a blueprint delineating the actions to take in the event of a security incident (Gartner provides several examples of playbooks in their “Cybersecurity Incident Response Plan” and “Creating a Ransomware Playbook” toolkits). Gartner offers a variety of strategies for these kinds of playbooks, including to “reset affected credentials, remove rogue and excessive accounts, patch systems, and rotate security keys” and “automating response actions.”
Before automation, remediation was primarily handled on a case-by-case basis, typically triggered by an incident or “clean up” activities such as an audit or company initiative. Consequently, many companies cobbled together their own remediation tools and workflows, making solutions pretty ad-hoc overall. However, as can be seen in the emphasis added in the paragraph above, recent strategies have turned to automation in order to bolster their remediation efforts.
Note: When it comes to remediation strategies, it’s important to consider the context of company size. In larger enterprises, the security operations center (SOC) typically handles remediation tasks. However, in smaller companies without a dedicated SOC, individuals may assume multiple roles (including remediation work), such as being responsible for both infrastructure security and incident response for example. This transition towards automation becomes particularly beneficial for smaller companies, enabling them to move away from ad-hoc solutions.
Automation Remediation Conversation
Now, a category of tools known as SOAR (Security Orchestration, Automation, and Response), coined in 2017 by Gartner, is utilized for automated remediation. For instance, a SOAR workflow might be triggered when a user reports a stolen Okta session, automatically locking the user account and device(s), notifying their manager, scrambling the password, and generating a ticket for a SOC analyst to conduct a manual forensic investigation—both manual (SOC analyst has to lead a forensic investigation manually) and automated steps (user account is automatically locked).
The major problem with auto-remediation is that it’s great in theory but, in practice, it brings on a slew of new issues. While SOAR offers the advantage of swift response, it also introduces challenges like potential data and productivity/opportunity costs when cold-cutting access, concerns regarding predictability and understanding the “when” and “what” of the automated remediation process, as well as the “cat and mouse” issue: the ongoing need to chase new strategies for every potential issue that comes up.
How to take advantage of auto-remediation without disrupting your org
To effectively leverage auto-remediation while ensuring uninterrupted business operations, it is crucial for your security team to have SOAR capabilities specifically designed for identity systems. These systems should be able to apply remediations that are appropriate to the level of risk involved. For example, when dealing with a signal you have low confidence in, it would be inappropriate to lock the entire user account. Instead, the focus should be on restricting access to highly sensitive applications only.
Additionally, self-service resolution paths are essential to making auto-remediation work for you and your organization. In the event of a locked user account, users should have the ability to restore access on their own, without relying on the involvement of the security or IT team. This is crucial because no detection method is flawless, and every minute wasted due to incorrect detection translates to costs for the business. Therefore, minimizing time-to-recovery as much as possible is paramount.
Flexible, identity-cognizant remediation practices that balance org safety with productivity/user experience are not currently commonplace in remediation or threat detection software. However, solutions are starting to appear across the identity space, and we’ll talk more about them soon.
To get notified when we post more about these solutions (and to stay up to date with Crosswire on all things identity and infosec), sign up to receive our updates below!
More from our blog
CISOs Chris Castaldo and Tanner Randolph share insights on security maturity and identity in the enterprise.
Whether this is your 1st or 21st time at Black Hat, these tips can help you weather a jam-packed and intense week.
False positives are a huge problem in security: see what Crosswire is doing to prevent them and mitigate their effects.
We've made the modern identity stack entirely too convoluted and broken, but not for the reasons you think.
How are you protecting your accounts before an incident can occur (or slowing an incident down before it really ramps up)?
This is Solution 1: Detect of a two-part series on how to detect and remediate evolving identity threats.
Explore the historical use, modern approaches, and future applications of AI in detection and response (D&R).
If you’re looking for the right time to join a high-risk, high-reward venture, we’d argue that there’s never been a better opportunity.
IT security audits can be a pain for everyone involved: check out our solutions to make this auditing season just a little bit easier.
RBAC lacks sophistication and flexibility, failing to address the access needs of the modern company.
Who owns identity at your org? Identity is (and should be treated as) a co-owned problem between security and IT.
Yep, you heard that right; we at Crosswire believe that your Okta groups should be as empty as possible.
Crosswire, and its co-founders Johnny and Nick, are building the future of enterprise identity in new and exciting ways.
The theme for 2023’s RSA Conference™ is “Stronger Together.” When info security is more important than ever, so is collaboration.
It’s no secret that your IT organization is crucial to your company. But are they getting all of the resources they need?
Why cybersecurity is more crucial than ever and what you can do to make your organization more secure, no matter your role.
Five significant ways to improve your workflows with automation and get more results than your resources permit.
Crosswire’s technical usability guide to Okta Lifecycle Management (LCM), from onboarding to offboarding.
Subscribe to our blog
Get Crosswire's security insights delivered straight to your inbox. No frills, no spams, unsubscribe anytime!