The Secret Third Step to Threat Detection and Response: Protection

Hannah Young · June 20, 2023 · 6 min read

Before you detect threats by monitoring identities for suspicious or anomalous access, and before you remediate incidents after they happen, there is a grey area: properly configuring your setup and taking preventative steps to protect your identities (and, therefore, your critical assets). How are you protecting your accounts before an incident can occur, or slowing an incident down before it really ramps up?

While there are many ways to authenticate (MFA, SSO, username/password), the reality is that, like with CircleCI, we’ve seen attackers circumvent these measures more and more, and “traditional one-time gating mechanisms (once you’re in, you’re in) are insufficient to cater to this new reality,” according to The 2022 Gartner Report. In their recommendation, “trust and risk must be assessed at every moment, and changes must be reflected immediately, across all sessions. For this reason, IAM is well-placed to deliver a more continuous approach to support an adaptive zero trust security capability.”

[Comic by xkcd: one bald stick figure and one stick figure with a ponytail. The bald one says "I got one of those two-factor security keys you've been bugging me about." The one with the ponytail says "Great!" The bald person says "It took a lot of work, fiddling with configurations, annoying setbacks, and general pain." The next panel shows the bald one holding a set of physical house/car keys and saying "...But I FINALLY got it onto the metal ring of my keychain." The one with the ponytail, now off screen, says "At least now it's secure," and the bald one replies "Yeah, this thing is NOT coming off."]

MFA was originally a “nice-to-have,” which then became mandatory, and now it’s both mandatory and insufficient (e.g., one can steal a 2FA-backed Okta cookie and have access to anything in the SSO provider that doesn’t require SAML app sign-in time step-up). Also, as we briefly discussed in a previous article, device trust is another measure that isn’t impenetrable and can sometimes be spoofed.

In addition to MFA not being robust enough against new attacks, many find it annoying and bothersome. Most people are comfortable with multiple step-ups, like a required 2FA re-prompt plus a YubiKey every time you log in, for high-sensitivity assets (e.g., AWS root). However, for lower-sensitivity-but-still-valuable assets, especially those used often, it may not be worth the social capital (from the security/IT teams' perspective) to require additional 2FA at every app log-in, since the rest of the company may find it incredibly inconvenient.

Image of a person staring at their computer with an annoyed expression with an arrow pointing to a "Sign In" screen with an arrow pointed to a multi-factor authentication phone screen with an arrow pointing back to the first image, forming a circle

The crux of protection is this: the ideal protective state is to verify that the user is who you think they are at every step of an application usage lifecycle—from device sign-in to SSO-provider sign-in to application sign-in to application usage—in order to mitigate account takeover or malicious insiders (e.g., Account Takeover: “Sam shouldn’t be accessing Salesforce right now, they’re on parental leave” or Malicious Insider: “I don’t think it’s a good idea for Jordan to export Snowflake data right after they handed in their two weeks notice”). You want to protect critical assets (sensitive data that we aim to safeguard, like financial, customer, and business data) while still maximizing productivity.

Yet, as we demonstrated, you'll run into tons of roadblocks with getting users to adopt measures, especially if they disrupt their workflow. This isn't just "ugh, why do I have to keep hitting the 2FA prompt on my phone every time I open my laptop"; it also covers MFA-fatigue attacks, where the attacker spams MFA prompts until the user gives in and approves one, or a breach where the user simply waves an MFA request through because they're tired of MFA. This makes these comprehensive measures easy in theory but difficult in practice due to the operational challenges of using them.

Image by xkcd

Gartner provides a variety of advice on how to protect yourself when you suspect a threat, including “use SSE to provide a containment layer for SaaS apps,” “freeze all automated provisioning,” and “use automated threat containment approaches, such as risk-based adaptive access (step-up authentication and session termination).” Yet, in a sea of potential solutions, it’s hard to know which measures are both effective and right for you.
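To make the "verify at every step" idea and Gartner's risk-based adaptive access concrete, here is a small continuous access evaluator. It is an added example, not Crosswire's code and not a Gartner artifact: every access event (not just the initial sign-in) is re-checked against the identity's current context and returns allow, step-up, peer approval, or session termination, with a reason for the audit log. The user names, HR fields (`on_leave`, `notice_given`), sensitivity tiers, time windows, and events are all constructed for illustration, and the two "Sam" and "Jordan" cases from above are included as scenarios.

```python
"""Added example: a tiny continuous, risk-based access evaluator.

Each access event (not only the initial sign-in) is re-checked against the
identity's current context, so trust is re-assessed "at every moment" rather
than gated once at login. All names, thresholds and events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"          # re-prompt for a strong factor
    PEER_APPROVAL = "peer_approval"      # a "speed bump": a second person signs off
    TERMINATE_SESSION = "terminate"      # kill every session for the identity


@dataclass
class UserContext:
    """What HR / IdP systems currently say about the identity (assumed fields)."""
    user: str
    on_leave: bool = False
    notice_given: bool = False           # resignation submitted
    last_strong_auth: Optional[datetime] = None


@dataclass
class AccessEvent:
    user: str
    app: str
    action: str                          # e.g. "sign_in", "export"
    sensitivity: str                     # "high" or "standard" (assumed tiers)
    device_trusted: bool
    at: datetime


# Assumed policy knobs: how recently a strong factor must have been presented.
STRONG_AUTH_WINDOW = {
    "high": timedelta(minutes=15),       # e.g. AWS root: effectively every visit
    "standard": timedelta(hours=12),     # everyday SaaS: roughly once per working day
}
BULK_EXPORT_ACTIONS = {"export", "download_report", "api_bulk_read"}


def evaluate(event: AccessEvent, ctx: UserContext) -> tuple[Decision, str]:
    """Return a decision plus a human-readable reason for the audit log."""
    # Account-takeover indicator: an identity that should be dormant is active.
    if ctx.on_leave:
        return Decision.TERMINATE_SESSION, f"{ctx.user} is on leave"

    # Malicious-insider indicator: a departing user moving data in bulk.
    if ctx.notice_given and event.action in BULK_EXPORT_ACTIONS:
        return Decision.PEER_APPROVAL, f"{event.action} from {event.app} after notice given"

    # Device trust is one signal, not proof: an untrusted device gets a re-prompt.
    if not event.device_trusted:
        return Decision.STEP_UP_MFA, "untrusted device"

    # Sensitivity-tiered freshness: strict for crown jewels, relaxed elsewhere.
    window = STRONG_AUTH_WINDOW[event.sensitivity]
    if ctx.last_strong_auth is None or event.at - ctx.last_strong_auth > window:
        return Decision.STEP_UP_MFA, f"strong auth older than {window} for {event.sensitivity} asset"

    return Decision.ALLOW, "context and recent strong auth are consistent"


def run_scenarios() -> list[tuple[str, Decision]]:
    """Constructed events covering the cases the article describes."""
    now = datetime(2023, 6, 20, 9, 0, tzinfo=timezone.utc)
    two_hours_ago = now - timedelta(hours=2)
    users = {
        "sam": UserContext("sam", on_leave=True, last_strong_auth=two_hours_ago),
        "jordan": UserContext("jordan", notice_given=True, last_strong_auth=two_hours_ago),
        "alex": UserContext("alex", last_strong_auth=two_hours_ago),
    }
    events = [
        AccessEvent("sam", "salesforce", "sign_in", "standard", True, now),
        AccessEvent("jordan", "snowflake", "export", "high", True, now),
        AccessEvent("alex", "aws_root", "sign_in", "high", True, now),
        AccessEvent("alex", "slack", "sign_in", "standard", True, now),
        AccessEvent("alex", "slack", "sign_in", "standard", False, now),
    ]
    results = []
    for ev in events:
        decision, reason = evaluate(ev, users[ev.user])
        results.append((f"{ev.user}:{ev.app}:{ev.action}", decision))
        print(f"{ev.user:7} {ev.app:11} {ev.action:8} -> {decision.value:14} ({reason})")
    return results


if __name__ == "__main__":
    run_scenarios()
```

The ordering of the checks is the design point: context signals that indicate a compromised or departing identity are evaluated before the routine freshness check, so a stolen session cookie for an on-leave account is terminated rather than merely re-prompted, while the everyday Slack sign-in on a trusted device with a recent strong factor passes without friction.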

An important context here is company stage. For example, a small, low-profile company might have fewer threats to defend against, so a basic IdP setup with mandatory MFA at sign-in time will take them far. On the other hand, a high-profile international company (e.g., Apple, Google, Meta) has a massive target on their backs, drawing highly sophisticated attackers that will find and exploit even the most minor gaps in protective measures. For these companies, a more robust security approach would be needed.

Image of Shaggy from the episode "The Night Ghoul of WonderWorld" of the show "Scooby-Doo and Scrappy-Doo" holding the English Crown Jewels with an amused expression on his face

Another contextual framework is the “crown jewel assets” model, where, as opposed to company size, company data is what sets your risk factors apart. Take, for instance, a meditation app company that deals with relatively little consumer data; this lack of “valuable” data means they may not be a big target for attacks. On the contrary, a neobank whose data includes customer financial information and bank account access is likely to be a bigger target that requires a more involved security strategy due to its perceived value to attackers.

No matter your risk level, every organization needs an information security strategy. Attacks can’t be the first time you do something about security because, then, time is of the essence (a concept we elaborate on in “Cybersecurity Is More Critical Than Ever, and You (Yes, You) Can Do Something About It Now”). Every second you spend detecting and defending against threats while a breach is happening is time that the attacker will be using to gather information, attempt to install persistence mechanisms, and potentially compromise additional accounts. This makes it so that automating protection and creating “speed bumps” like MFA and peer approval are invaluable measures to limit the costs of attacks and their remediation, even if they can’t always prevent them entirely.

Image by Klossner

While there are boundless considerations when it comes to protection (e.g., configuration drift, grandfathered exceptions, supply chain risk, etc.), ultimately, everyone's goal is to prevent attacks and minimize their impact as much as possible.

Luckily, threat protection and detection software/solutions are starting to appear across the identity space, and we’ll talk more about them as they’re released. To get notified when we post more about these solutions (and to stay up to date with Crosswire on all things identity and infosec), sign up to receive our updates below!
