Today’s Biggest Security Gap? Identity.

Enterprise Security Gaps

Identifying security gaps is a favorite pastime of security professionals. We lovingly spend time performing risk assessments, drafting and administering policies, implementing defensive technologies, and generally trying to figure out the angle of future attacks.

As much fun as that is, in many cases, we’re missing the obvious. People are our security problem.

The people problem

Security teams that focus on “what” is happening, and the layers of defense being breached, are constantly in reactive mode. Reviewing reams of data produced by technology – firewalls, network devices or servers – is not making organizations more secure. With this approach, the team fails to prevent breaches or respond in a sufficiently timely way. Instead, the addition of more data and more complexity perversely prevents achieving the end result: protecting sensitive information.

The significant breaches of today are executed by people infiltrating the organization, and attackers are doing this by assuming identities or abusing insider privileges.

There is a gap between the firewall (as the initial line of defense) and the data-centric analysis and alerts received by the security team (the organization’s last line of defense). Tracking user activity, especially connections between suspicious behaviors and privileged users, would allow organizations to close this gap.

Knowledge and understanding of identity can cut through the overwhelming event noise and explosion of data that, by all accounts, continues to render security organizations blind: unable to respond to real threats, or even to detect that they are under attack.


It is time to incorporate identity into the organization’s overall security and, more specifically, breach prevention strategy. We have to stop accepting a gap approach to security, which is usually focused on data and devices rather than people. In light of the nascent perimeter-less world, identity will increasingly be the primary factor that matters to the security team.

Identity data is pervasive, yet typically absent from the security world view. For security organizations, our corporate identity (the personal identity elements we bring to our corporate environment) and our behavior are, in aggregate, essential details for building a picture of what is happening within and beyond the corporate perimeter, offering deep context that informs the security team's response to potential threats and real attacks.

The critical piece in this approach is the security organization’s ability and capacity to understand the full scope of identity – who the person really is behind any given device, and whether they are behaving abnormally. This is particularly helpful when identifying attackers that have managed to acquire privileged user credentials.

Yet, this raises a fundamental, but non-trivial challenge. How can you know what is normal behavior, particularly at large scale?

Identifying normal behavior

One way to reduce the scope is to focus on the highest-risk identities first. If you accept that the greatest risk comes from people inside your organization who can access sensitive information – privileged users – including non-human accounts that may be privileged, then the correct steps are as follows:

1) Reduce the number of privileged users/identities and accounts.

2) Limit the privileges any one user has, to systems and applications necessary to do their job.

3) Integrate the identities of privileged users into security and risk monitoring to spot behavior that may indicate a breach.

The first two steps are really classic identity and access management, although many organizations still struggle with these basics. The easy example is the industry’s current favorite punching bag, the NSA.

For the third step, Martin Kuppinger, founder and a principal at global analyst firm KuppingerCole, writes on his blog, “Users might access far more documents than average than they did before. Accounts might be used at unusual times. Users might log in from suspicious locations. Sometimes, it is not a single incident, but a combination of things, eventually over a longer period of time, which is typical for a specific form of attack, especially in the case of long-running APTs (Advanced Persistent Threats).” These are the symptoms of abnormal behavior, and Mr. Kuppinger suggests a look at the discipline of Real-time Security Intelligence as an approach to identify such behavior. This is the step that is most critical for today’s security programs because it focuses on the end user – the area in which the greatest risk lies.
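As an added illustration of the third step and of the symptoms Kuppinger lists (this is example code, not from the article or from KuppingerCole), the following scores only privileged identities, each against its own baseline of normal volume, hours and locations, and lets symptoms accumulate across days. The activity records, the privileged set and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed daily activity records, not real data:
# (identity, date, login_hour, location, documents_accessed)
ACCESS_LOG = [
    ("alice", "2024-03-01", 9, "Berlin", 12), ("alice", "2024-03-02", 10, "Berlin", 15),
    ("alice", "2024-03-03", 9, "Berlin", 11), ("alice", "2024-03-04", 8, "Berlin", 14),
    ("alice", "2024-03-05", 9, "Berlin", 40), ("alice", "2024-03-06", 2, "Lagos", 30),
    ("svc-backup", "2024-03-01", 1, "DC-1", 500), ("svc-backup", "2024-03-02", 1, "DC-1", 510),
    ("svc-backup", "2024-03-03", 1, "DC-1", 495), ("svc-backup", "2024-03-04", 1, "DC-1", 505),
    ("svc-backup", "2024-03-05", 1, "DC-1", 498), ("svc-backup", "2024-03-06", 1, "DC-1", 503),
    ("bob", "2024-03-01", 9, "Paris", 5), ("bob", "2024-03-02", 9, "Paris", 6),
    ("bob", "2024-03-05", 23, "Tokyo", 60), ("bob", "2024-03-06", 9, "Paris", 5),
]
PRIVILEGED = {"alice", "svc-backup"}  # assumed privileged set, including one non-human account

def records_by_identity(log):
    """Group records per identity, oldest first."""
    per_user = defaultdict(list)
    for rec in sorted(log, key=lambda r: r[1]):
        per_user[rec[0]].append(rec)
    return per_user

def baseline(train):
    """What is normal for this identity: average volume, usual hours, known locations."""
    return {"avg_docs": sum(r[4] for r in train) / len(train),
            "hours": {r[2] for r in train}, "locations": {r[3] for r in train}}

def symptoms(rec, base):
    """The article's symptoms, each judged against the identity's own norm, not a global rule."""
    _, _, hour, loc, docs = rec
    found = []
    if docs > 2 * base["avg_docs"]:
        found.append("doc-volume")
    if all(abs(hour - h) > 2 for h in base["hours"]):  # off-hours for *this* identity
        found.append("unusual-time")
    if loc not in base["locations"]:
        found.append("new-location")
    return found

def flag_privileged(log, privileged, baseline_days=4, threshold=4):
    """Score privileged identities only; symptoms accumulate across days so a slow-burn
    combination crosses the threshold even when no single day does. Returns (scores, flagged)."""
    scores = {}
    for user, recs in records_by_identity(log).items():
        if user not in privileged:
            continue  # steps 1 and 2 shrink the monitored population to privileged identities
        base = baseline(recs[:baseline_days])
        scores[user] = sum(len(symptoms(r, base)) for r in recs[baseline_days:])
    return scores, [u for u, s in scores.items() if s >= threshold]
```

Running `flag_privileged(ACCESS_LOG, PRIVILEGED)` returns `({'alice': 4, 'svc-backup': 0}, ['alice'])`: alice's volume spike on day five and her off-hours login from a new location on day six only cross the threshold in combination, while the backup account's 1 a.m. runs are normal for that identity and score nothing.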

Closing the gap

As more and more of the computing environment moves outside the control of central IT organizations, led by the move towards BYOD, the need to recognize who a user actually is, and what is normal for them, becomes a foundational part of effective security monitoring.

Without such identity-powered security, security teams will continue to struggle to tell whether the events they are monitoring merit a reaction, and that hesitation gives attackers the room to execute more and more damaging data breaches. Further, security teams will remain in reactive mode and perpetuate the failure to prevent breaches or respond in a sufficiently timely way.

If identity is a central component of security management, then security teams will be in a better position to understand the behavior of users, and will spend far less time trying to work out the meaning behind the events they are seeing. People will continue to be our biggest point of exposure, and with a keen focus on user behavior and activity, we'll be in a much better position to limit the impact of breaches than we are today.
