Last week, I saw a post from Richard Bird, Chief Security Officer at Traceable. It was simple, effective, and perfectly crystalized some recent thoughts on identity security. He wrote, “ITDR is the use of security language (finally) to define identity control.”
This is true in so many ways. At Identiverse and Gartner IAM this year, I’ve attended sessions about TTPs, Mitre ATT&CK, response playbooks, threat hunting, security data lakes, and XDR.
With a spate of high-profile identity attacks, it’s fair to say that we have caught the attention of security leaders, but how do we go one step further? How do we encourage security teams to be more interested in identity? Likewise, how do we make identity teams start thinking in terms of security? What do good identity security programs look like?
How we communicate with different stakeholders is critical to this. This includes speaking a common language, aligning processes, and using communication channels that work for users.
Moving From Security to Identity: From One Acronym Hell to Another
Let me share a bit about my journey with you. Last year, I shifted from the world of cybersecurity, specifically cyber threat intelligence, to explore the new lands of identity.
Now, the cyber threat intelligence (CTI) industry has this rather unfortunate habit of drowning itself in acronyms. From IOC, IOA, and APT to IAB, AVC, and ACH, it’s all a bit…much.
Sure, the influence of the military on cybersecurity has brought professionalism and structure, but it also introduced a ton of jargon that can be quite overwhelming, especially for newcomers.
Little did I know that my venture into identity would take it to a whole new level of acronym madness. I found myself surrounded by many acronyms to decipher, like CIAM, CIEM, CNAPP, CSPM, CWPP, IGA, PAM, and PIM. And when I thought I had a handle on it, ITDR and ISPM came to add to the complexity!
In a recent piece of research, I stumbled upon an interesting perspective from James Hoover, Associate Principal Analyst at Gartner. He urged us to "demilitarize our security program," highlighting the significance of addressing this acronym overload in both cybersecurity and identity. Let’s all do better to cut out the acronyms and reduce the BS.
Towards a Common Language
The worlds of security and identity are starting to collide, but there’s still plenty of work to do. One of my favorite quotes on this topic comes from David Mahdi, Chief Identity Officer of Transmit Security. “Identity people are now at the point of no return where you’re going to have to learn more about cybersecurity. Cybersecurity people, conversely, now need to understand the notion of joiner, mover, and leaver and pick up some IAM knowledge.”
First, security professionals can better understand the joiner, mover, and leaver process. Here we need to increase the scope of identity beyond Active Directory. Security professionals should be as familiar with the implications of poor IAM hygiene and weaknesses in the offboarding process as with Golden Ticket attacks and Pass-The-Hash. For security professionals who have an appetite to learn more about identity best practices, we've pulled together a list of helpful resources, articles, books, and podcasts: https://docs.oort.io/best-practices/identity-security-reading-list.
Second, identity teams should learn more about cybersecurity and, specifically, the threat landscape. For example, in response to the rise of session hijacking and cookie theft, IAM teams can work to reduce session lengths. Mitre ATT&CK is awesome for identity teams to understand and categorize these emerging techniques.
So far, I’ve spoken generally about “security teams”. One key area where identity teams should play a more significant role is the incident response process.
Establishing clear roles and a shared vocabulary regarding incident response playbooks is essential. For instance, how should the investigation proceed if there's a suspected compromised user? Does the investigating person have access to the necessary context, historical activity, and entitlements?
When a compromised machine is wiped, it's not enough to stop there. Consider terminating all of the user's active sessions and quarantining the user so they cannot log in from a different device. Additionally, monitoring for access from new, unmanaged devices should be initiated.
These processes cannot be effectively managed in isolation, necessitating collaboration between security and identity teams. By enhancing communication and alignment well before an incident occurs, we can define effective playbooks and ensure swift response when needed.
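To make the playbook above concrete, here is a small worked example (added for this post; it is not Oort's code and not drawn from any product). It walks through the response steps in order: flag sessions that outlive a shortened session-lifetime policy (the cookie-theft mitigation mentioned earlier), revoke every session of the suspected user, quarantine the user, and then review subsequent logins so that a first login from an unmanaged device raises an alert. Every user, device, session, login event and the 12-hour policy value is constructed sample data, and the identity store is a stand-in for an IdP plus device inventory.

```python
"""Compromised-user response playbook over constructed identity data.

Added illustration for this post, not Oort's code. Users, devices, sessions,
login events and the session-lifetime policy are all constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed clock so the walk-through is deterministic (constructed).
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
# Assumed policy: sessions older than this are forced to re-authenticate.
# A shorter lifetime is one response to session hijacking and cookie theft.
MAX_SESSION_AGE = timedelta(hours=12)


@dataclass
class Session:
    id: str
    user: str
    device_id: str
    issued_at: datetime


@dataclass
class IdentityStore:
    """Minimal stand-in for an IdP plus a device inventory (constructed)."""
    managed_devices: set
    sessions: list
    quarantined: set = field(default_factory=set)
    seen_devices: dict = field(default_factory=dict)  # user -> set of device ids

    def devices_for(self, user):
        return self.seen_devices.setdefault(user, set())


def stale_sessions(store, now=NOW, max_age=MAX_SESSION_AGE):
    """Session ids whose age exceeds policy; candidates for forced re-auth."""
    return [s.id for s in store.sessions if now - s.issued_at > max_age]


def compromised_user_playbook(store, user):
    """Steps after the machine wipe: revoke every session, then quarantine.

    Returns the ordered actions taken so an investigator can see what happened.
    """
    actions, remaining = [], []
    for s in store.sessions:
        if s.user == user:
            actions.append(("revoke_session", s.id))
        else:
            remaining.append(s)
    store.sessions = remaining
    store.quarantined.add(user)
    actions.append(("quarantine_user", user))
    return actions


def evaluate_login(store, event):
    """Review a login event; returns (decision, reason)."""
    user, device = event["user"], event["device_id"]
    if user in store.quarantined:
        return "deny", "user quarantined pending investigation"
    known = store.devices_for(user)
    if device in store.managed_devices:
        known.add(device)
        return "allow", "managed device"
    if device not in known:
        known.add(device)  # remember it so the next login is not re-alerted
        return "alert", "first login from unmanaged device"
    return "allow", "previously seen unmanaged device"


def build_store():
    """Constructed sample data: two users, one managed laptop each."""
    return IdentityStore(
        managed_devices={"lap-alice", "lap-bob"},
        sessions=[
            Session("s1", "alice", "lap-alice", NOW - timedelta(hours=2)),
            Session("s2", "alice", "unknown-1", NOW - timedelta(hours=1)),
            Session("s3", "bob", "lap-bob", NOW - timedelta(hours=30)),
        ],
    )


def run_example():
    """Walk through the playbook for a suspected compromise of 'alice'."""
    store = build_store()
    stale = stale_sessions(store)                        # bob's 30h-old session
    actions = compromised_user_playbook(store, "alice")  # revoke s1, s2; quarantine
    events = [  # constructed logins streamed after the response
        {"user": "alice", "device_id": "lap-alice"},     # denied: quarantined
        {"user": "bob", "device_id": "lap-bob"},         # allowed: managed
        {"user": "bob", "device_id": "phone-x"},         # alert: new unmanaged
        {"user": "bob", "device_id": "phone-x"},         # allowed: seen before
    ]
    decisions = [evaluate_login(store, e)[0] for e in events]
    return {"stale": stale, "actions": actions, "decisions": decisions,
            "remaining_sessions": [s.id for s in store.sessions]}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The quarantine check runs before any device logic, so a quarantined user is denied even from their managed laptop, which is the "prevent login from a different device" step; the unmanaged-device alert only fires on the first sighting so the security team is not paged on every repeat login.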
Communication Channels That Work for the User
The real winners, however, will be those who manage to build an identity security program that works for the most important stakeholders: the users.
In How a Human-First Approach Will Make Your Identity-First Security Initiative a Success, James Hoover provides compelling reasons to be “human-first” in your identity security strategy. He argues that enterprises must consider the diverse workstyles and lifestyles of their user base, acknowledging factors beyond job function; doing so can lead to enhanced security, reduced friction, increased productivity, and better user experiences across channels.
James extols the benefits of meeting “users where they are at”. A great way to achieve this is by using communication channels that work for the user. For example, workers are using Slack and Teams more than email. Why not create workflows directly in these messaging platforms that make more sense for the user? Did you detect a suspicious login? Reach out to the user! Is an employee using a weak form of MFA? Slack them!
In addition to the platform, the tone and language of the message should also be considered. Avoid drowning users in technical jargon and annoying acronyms. Short videos embedded in messages can make a world of difference, explaining why using a personal VPN or enabling MFA matters.
At Oort, for example, you can set up automated Slack/Teams messages to be sent to users failing the checks. We also embed short Security Awareness Training videos from Wizer into these messages so the user understands the importance of rectifying the issue.
As organizations plan for what their identity security program looks like, the worlds of security and identity will continue to collide.
As this happens, security teams need to know more about IAM best practices and grasp how hygiene is vital for reducing their attack surface. Likewise, identity teams should push themselves to learn more from the threat landscape and begin thinking about how they can work with security counterparts. This will help to establish a common understanding between teams, as well as a common language.
At the same time, as we build, we must not forget to focus on making this meaningful to the end user. Mature organizations will embrace new communication channels, such as Slack or Teams, as part of their overall identity security strategy.