tl;dr – headlines of breaches frequently reference “highly sophisticated” attacks to cover up garden-variety lapses in IAM programs. The downside is that mindshare and budget get taken down a blind alley looking for sophisticated solutions and directed away from less exotic but more effective cybersecurity investment.
One of the most fun aspects of my role at Zilla is that, at its heart, I am paid to talk to cybersecurity professionals from a diverse set of enterprises. These firms range from one of the world’s fastest-growing public software companies to the world’s largest manufacturer of personal care products. Sometimes themes emerge. A recurrent topic of discussion is the contrast between the dramatic media narratives of data breaches and the underlying, often preventable, causes rooted in identity and access management (IAM) deficiencies.
I like to picture these threat actors as high society folks from a Gatsby scene, sipping expensive wine and concocting elaborate schemes to breach corporate data. Above is how ChatGPT pictures them.
There’s a shared concern among many security professionals about the tendency for the media and fancy crisis PR consultants to label all breaches as the handiwork of “highly sophisticated” attackers. What’s the harm? The headlines overshadow the reality that enterprises could avert many of these breaches through enhanced IAM controls and a more robust identity security posture. Characterizing every breach as sophisticated directs attention towards complex solutions at the expense of addressing the common IAM challenges that have plagued enterprises for decades.
For example, in a recent CISO roundtable, 70% (!) of attendees rated Identity Governance and Administration (IGA) as their number one priority for 2024. The crux of the issue often ties back to the reliance on legacy IGA solutions. These systems were born in an era defined by an on-prem network perimeter, and were built for a market keen on addressing the financial mismanagement and lack of transparency that led to the infamous collapses of Enron and WorldCom. These outdated IGA solutions addressed the biggest problem of the time: ensuring that access to critical financial systems and data was properly managed and auditable. That need still exists! However, as enterprises float into the cloud, the limitations of legacy IGA solutions have become a problem of their own.
Legacy IGA solutions are often ill-equipped to handle the dynamic and distributed nature of cloud environments. The static, perimeter-based security model they were built upon struggles to adapt to the fluidity of cloud resources and the rapid pace of digital transformation. This disconnect not only hampers the agility and innovation that cloud computing enables but also introduces significant security gaps that threat actors are all too eager to exploit.
In my conversations with security practitioners, the clear sentiment is that many are not all that thrilled with their legacy IGA vendor. They are more fearful of an over-privileged account in a cloud service that cannot integrate with their IGA system than of a “sophisticated” threat actor. For example, one organization found itself compromised not through an elaborate cyber attack but through an active account of a former employee that should have been de-provisioned. Despite this, the breach was still framed in the context of a sophisticated threat, overshadowing the basic yet critical lapse in an underfunded IAM program.
Forward-thinking organizations recognize that they cannot wait 3 months for their next access review to identify and take action on an active account for a terminated user. What’s needed is a solution that continuously assigns and monitors permissions, identifies threats and misconfigurations, and provides remediation right away.
None of this is to say that state-sponsored, well-funded, and yes, sophisticated threat actors don’t exist. Attackers such as Fancy Bear, Carbanak, Lazarus Group, and other well-financed groups are attacking more than just critical infrastructure and large financial institutions. But fretting about the sophisticated means with which they may attack when not addressing basic identity security posture is like a bank manager worrying about the strength of the vault door while leaving it open. As regulators turn up the heat regarding disclosure and transparency of data breaches, my suspicion is we’re going to be hearing more about preventable misconfigurations in cloud and SaaS systems than about high society, sophisticated attacks.