Attackers are cashing in on the proliferation of new identities being assigned to endpoints and the resulting unchecked agent sprawl. Scanning every available endpoint and port, attackers are automating their reconnaissance efforts using AI and machine learning, and enterprises can't keep up.
That is making hackers more efficient at finding exploitable gaps between endpoint security and identity security, including Active Directory. And once inside the infrastructure, they can evade detection for months or years.
Why it's hard to stop identity breaches
Nearly every organization, especially mid-tier manufacturers like those VentureBeat interviewed for this article, has experienced an identity-based intrusion attempt or a breach in the last 12 months. Manufacturing has been the most-attacked industry for two years; nearly one in four incidents that IBM tracked in its 2023 Threat Intelligence Index targeted that industry. Eighty-four percent of enterprises have been victims of an identity-related breach, and 98% confirmed that the number of identities they're managing is growing, primarily driven by cloud adoption, third-party relationships and machine identities.
CrowdStrike's cofounder and CEO, George Kurtz, explained during his keynote at the company's Fal.Con event in 2022 that "people are exploiting endpoints and workloads. And that's really where the war is happening. So you have to start with the best endpoint detection on the planet. And then from there, it's really about extending that beyond endpoint telemetry." Consistent with CrowdStrike's data, Forrester found that 80% of all security breaches start with privileged credential abuse.
Up to 75% of security failures will be attributable to human error in managing access privileges and identities this year, up from 50% two years ago.
Endpoint sprawl is another reason identity breaches are so hard to stop. It's common to find endpoints so over-configured that they're as vulnerable as if they weren't secured at all. Endpoints have 11.7 agents installed on average. Six in 10 (59%) have at least one identity and access management (IAM) agent installed, with 11% having two or more. Absolute Software's Endpoint Risk Report also found that the more security agents installed on an endpoint, the more collisions and decay occur, leaving endpoints just as vulnerable as if they had no agents installed.
Who controls Active Directory controls the company
Active Directory (AD) is the highest-value target for attackers, because once they breach AD they can delete log files, erase their presence and create federation trust relationships in other domains. Roughly 95 million Active Directory accounts are attacked every day, as 90% of organizations use that identity platform as their primary authentication and user authorization method.
Once attackers have access to AD, they often can avoid detection by taking a "low and slow" approach to reconnaissance and data exfiltration. It's not surprising that IBM's 2022 report on the cost of a data breach found that breaches based on stolen or compromised credentials took the longest to identify, averaging 327 days before discovery.
"Active Directory components are high-priority targets in campaigns, and once found, attackers can create additional Active Directory (AD) forests and domains and establish trusts between them to facilitate easier access on their part," writes John Tolbert in the whitepaper Identity & Security: Addressing the Modern Threat Landscape from KuppingerCole. "They can also create federation trusts between entirely different domains. Authentication between trusted domains then appears legitimate, and subsequent actions by the malefactors may not be easily interpreted as malicious until it's too late, and data has been exfiltrated and/or sabotage committed."
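The trust creation Tolbert describes leaves a record in the domain controllers' Security log, so a detection that baselines the expected trust partners and the accounts allowed to change trusts surfaces it well before the "low and slow" phase pays off. The following is an added example, not code from the article or from KuppingerCole; the event IDs 4706 and 4707 are Windows' own, while the key=value log format, domain names and account names are constructed.

```python
"""Flag Active Directory trust changes in Windows Security events (added example)."""
from dataclasses import dataclass

# Real Windows Security event IDs for the domain trust lifecycle:
# 4706 "A new trust was created to a domain", 4707 "A trust to a domain was removed".
TRUST_CREATED = 4706
TRUST_REMOVED = 4707

@dataclass(frozen=True)
class Finding:
    time: str
    subject: str
    partner: str
    reason: str

def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' line (constructed format, not native EVTX)."""
    return dict(part.split("=", 1) for part in line.split("|"))

def detect_trust_changes(lines, approved_partners: set, trust_admins: set) -> list:
    """Return findings for trust events that fall outside the approved baseline."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        event_id = int(ev["EventID"])
        if event_id not in (TRUST_CREATED, TRUST_REMOVED):
            continue
        partner = ev["TargetDomain"].lower()
        subject = ev["Subject"].lower()
        if event_id == TRUST_CREATED and partner not in approved_partners:
            findings.append(Finding(ev["Time"], subject, partner, "trust to unapproved domain"))
        elif subject not in trust_admins:
            # Trust changes are tier-0 operations; any other account doing them is suspect.
            findings.append(Finding(ev["Time"], subject, partner, "trust change by non-admin"))
    return findings

# Constructed sample log lines, not from a real environment.
SAMPLE_EVENTS = [
    "Time=2023-05-01T02:14:00Z|EventID=4624|Subject=corp\\jdoe|TargetDomain=",
    "Time=2023-05-01T02:15:10Z|EventID=4706|Subject=corp\\svc-backup|TargetDomain=rogue-forest.example",
    "Time=2023-05-01T09:30:00Z|EventID=4706|Subject=corp\\da-admin|TargetDomain=partner.example",
    "Time=2023-05-01T09:45:00Z|EventID=4707|Subject=corp\\svc-backup|TargetDomain=old-partner.example",
]
APPROVED_PARTNERS = {"partner.example"}
TRUST_ADMINS = {"corp\\da-admin"}

def run_sample() -> list:
    return detect_trust_changes(SAMPLE_EVENTS, APPROVED_PARTNERS, TRUST_ADMINS)
```

Ordinary logon events such as 4624 pass through untouched; only the approved partner creating a trust through an approved admin account produces no finding.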
10 ways combining endpoint and identity security strengthens zero trust
2023 is becoming a year of getting more done with less. CISOs tell VentureBeat their budgets are under greater scrutiny, so consolidating the number of applications, tools and platforms is a high priority. The goal is to eliminate overlapping applications while reducing expenses and improving real-time visibility and control beyond endpoints.
With 96% of CISOs planning to consolidate their tech stacks, options including extended detection and response (XDR) are being more actively considered. Leading vendors providing XDR platforms include CrowdStrike, Microsoft, Palo Alto Networks, Tehtris and Trend Micro. EDR vendors are fast-tracking new XDR product development to be more competitive in the growing market.
"We're seeing customers say, 'I really need a consolidated approach because economically or through staffing, I just can't handle the complexity of all these different systems and tools,'" Kapil Raina, vice president of zero trust, identity, cloud and observability at CrowdStrike, told VentureBeat during a recent interview. "We've had a lot of use cases where customers have saved money so they're able to consolidate their tools, which allows them to have better visibility into their attack story, and their threat graph makes it simpler to act upon and lower the risk through internal operations or overhead that would otherwise slow down the response."
The need to consolidate and reduce costs while increasing visibility is accelerating the process of combining endpoint management and identity security. Unifying them also directly contributes to an organization's zero-trust security strengths and posture enterprise-wide. Integrating endpoint and identity security enables an organization to:
Enforce least-privileged access to the identity level beyond endpoints: An organization's security improves when endpoint and identity security are combined. This unified solution improves user access management by considering real-time user behavior and endpoint security status. Only the minimum level of access is granted, reducing the risk of unauthorized access and lateral movement across the network.
Improve visibility and control across all endpoints at a lower cost: Integrating endpoint and identity security provides visibility beyond endpoints and helps security teams monitor resource access and quickly identify potential breach attempts network-wide.
Improve accuracy in real-time threat correlation: Collecting and analyzing data from endpoints and user identities together improves the accuracy of real-time threat correlation, because suspicious patterns can be identified and linked to specific threats. This enhanced correlation helps security teams understand the attack landscape and be better prepared to respond to changing risks.
Gain a 360-degree view of activity and audit data, a core zero-trust concept: Following the "never trust, always verify" principle, this unified approach evaluates user credentials, device security posture and real-time behavior. Enterprises can prevent unauthorized access and reduce security risks by carefully reviewing each access request. Implementing this zero-trust strategy ensures strict network access control, creating a more resilient and robust security environment.
Strengthen risk-based authentication and access: Zero-trust authentication and access emphasize the need to consider the context of a request and tailor security requirements accordingly. In line with the "never trust, always verify" principle, a user requesting access to sensitive resources from an untrusted device will need additional authentication before being granted access.
Eliminate gaps in zero trust across identities or endpoints, treating every identity as a new security perimeter: Unifying endpoint management and identity security makes it possible to treat every identity as a security perimeter, verify and audit all access requests and gain much better visibility across the infrastructure.
Improve real-time threat detection and response beyond endpoints, step by step: Endpoint and identity security on the same platform improve an organization's ability to detect and respond to threats in real time. It gives organizations a single, comprehensive data source for monitoring user and device activity and analyzing network threats. This allows security teams to quickly identify and address vulnerabilities or suspicious activities, speeding up threat detection and response.
Improve continuous monitoring and verification accuracy: By integrating endpoint security and identity security, enterprises can see user actions and device security status in a single view. The approach also validates access requests faster and more accurately by considering user credentials and device security posture as well as the context of the request. This strengthens the security posture by aligning with the zero-trust model's context-aware access controls, applying them to every identity and request across an endpoint.
Improve identity-based microsegmentation: Integrating endpoint security and identity security allows enterprises to set more granular, context-aware access controls based on a user's identity, device security posture and real-time behavior. Identity-based microsegmentation, combined with a zero-trust framework's continuous monitoring and verification, ensures that only authorized users can access sensitive resources and that suspicious activities are quickly detected and addressed.
Improve encryption and data security to the identity level beyond endpoints: Enterprises often struggle to get granular control over the many personas, roles and permissions each identity needs to get its work done. It's also a challenge to get this right for the exponentially growing number of machine identities. By combining endpoint and identity security into a unified platform, as leading XDR vendors do today, it's possible to implement more granular, context-aware access controls at the user identity level while factoring in device security and real-time behavior.
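As an added example (not from the article or from any vendor's platform), the policy evaluation below combines the least-privilege, behaviour, risk-based authentication and device-posture points from the list above into one access decision, ordered so that the cheapest hard denials come first; the signal names, the failed-login threshold and the role names are assumptions.

```python
"""Context-aware access decision joining identity and endpoint-posture signals (added example)."""
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"   # additional authentication before access is granted
    DENY = "deny"

@dataclass(frozen=True)
class DevicePosture:
    managed: bool         # enrolled in endpoint management (assumed signal)
    agent_healthy: bool   # endpoint agent reporting and up to date (assumed signal)
    disk_encrypted: bool

@dataclass(frozen=True)
class IdentityContext:
    user: str
    roles: frozenset
    mfa_verified: bool
    failed_logins_last_hour: int   # behaviour signal, constructed for this example

@dataclass(frozen=True)
class AccessRequest:
    identity: IdentityContext
    device: DevicePosture
    resource: str
    required_role: str
    sensitive: bool

def decide(req: AccessRequest) -> tuple:
    """Evaluate one request: least privilege first, then behaviour, then device posture."""
    # 1. Least privilege: the role must already be granted; a request never escalates it.
    if req.required_role not in req.identity.roles:
        return Decision.DENY, "role not granted to identity"
    # 2. Behaviour: a burst of failed logins on this identity suggests credential abuse.
    if req.identity.failed_logins_last_hour >= 5:
        return Decision.DENY, "credential abuse suspected"
    # 3. Endpoint posture: an unmanaged device never reaches sensitive resources.
    if req.sensitive and not req.device.managed:
        return Decision.DENY, "unmanaged device for sensitive resource"
    # 4. Degraded posture or missing MFA on a sensitive resource triggers step-up.
    posture_ok = req.device.agent_healthy and req.device.disk_encrypted
    if req.sensitive and (not posture_ok or not req.identity.mfa_verified):
        return Decision.STEP_UP, "sensitive resource needs healthy device and MFA"
    # 5. A non-sensitive resource from an unmanaged device still requires MFA.
    if not req.device.managed and not req.identity.mfa_verified:
        return Decision.STEP_UP, "unmanaged device needs MFA"
    return Decision.ALLOW, "identity, behaviour and device context verified"
```

The same identity can be allowed, stepped up or denied depending only on the endpoint it arrives from, which is the visibility gap that separate endpoint and identity tools leave open.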
The lessons of consolidation
A financial services CISO says their consolidation plan is viewed favorably by their cyber insurance carrier, which believes that having endpoint management and identity security on the same platform will reduce response times and improve visibility beyond endpoints. VentureBeat has learned that cyber insurance premiums are rising for organizations that have had multiple AD breaches in the past. Their policies now call out the need for IAM as part of a unified platform strategy.
CISOs also say it's a challenge to consolidate their security tech stacks because tools and apps often report data at varying intervals, with different metrics and key performance indicators. Data generated from various tools is difficult to reconcile into a single reporting system. Getting on a single, unified platform for endpoint management and identity security makes sense, given the need to improve data integration and reduce costs, including cyber insurance costs.