Attackers are cashing in on the proliferation of new identities being assigned to endpoints and the resulting unchecked agent sprawl. Scanning every reachable endpoint and port, attackers are automating their reconnaissance with AI and machine learning, and enterprises can't keep up.
That is making attackers more efficient at finding exploitable gaps between endpoint security and identity security, including Active Directory. Once inside the infrastructure, they can evade detection for months or years.
Why it's hard to stop identity breaches
Nearly every organization, especially mid-tier manufacturers like those VentureBeat interviewed for this article, has experienced an identity-based intrusion attempt or a breach in the last 12 months. Manufacturing has been the most-attacked industry for two years; nearly one in four incidents that IBM tracked in its 2023 Threat Intelligence Index targeted that industry. Eighty-four percent of enterprises have been victims of an identity-related breach, and 98% confirmed that the number of identities they manage is growing, driven primarily by cloud adoption, third-party relationships and machine identities.
CrowdStrike's cofounder and CEO, George Kurtz, explained during his keynote at the company's Fal.Con event in 2022 that "people are exploiting endpoints and workloads. And that's really where the war is happening. So you have to start with the best endpoint detection on the planet. And then from there, it's really about extending that beyond endpoint telemetry." In line with CrowdStrike's data, Forrester found that 80% of all security breaches start with privileged credential abuse.
Up to 75% of security failures could be attributable to human error in managing access privileges and identities this year, up from 50% two years ago.
Endpoint sprawl is another reason identity breaches are so hard to stop. It is common to find endpoints so over-configured that they are as vulnerable as if they were not secured at all. Endpoints have 11.7 agents installed on average. Six in 10 (59%) have at least one identity and access management (IAM) agent installed, and 11% have two or more. Absolute Software's Endpoint Risk Report also found that the more security agents are installed on an endpoint, the more agent collisions and decay occur, leaving endpoints just as vulnerable as if they had no agents installed.
Who controls Active Directory controls the company
Active Directory (AD) is the highest-value target for attackers, because once they breach AD they can delete log files, erase their presence and create federation trust relationships with other domains. Roughly 95 million Active Directory accounts are attacked every day, as 90% of organizations use that identity platform as their primary authentication and user authorization method.
Once attackers have access to AD, they can often avoid detection by taking a "low and slow" approach to reconnaissance and data exfiltration. It is not surprising that IBM's 2022 report on the cost of a data breach found that breaches based on stolen or compromised credentials took the longest to identify, averaging 327 days before discovery.
"Active Directory components are high-priority targets in campaigns, and once found, attackers can create additional Active Directory (AD) forests and domains and establish trusts between them to facilitate easier access on their part," writes John Tolbert in the whitepaper Identity & Security: Addressing the Modern Threat Landscape from KuppingerCole. "They can also create federation trusts between entirely different domains. Authentication between trusted domains then appears legitimate, and subsequent actions by the malefactors may not be easily interpreted as malicious until it's too late, and data has been exfiltrated and/or sabotage committed."
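Tolbert's point above is that once an attacker-created trust exists, authentication across it looks legitimate, so the practical detection opportunity is at the moment the trust is created. The following is an added example, not code from the article, from KuppingerCole or from any vendor named here. It runs simple detection logic over constructed Windows Security event records. The event IDs are real (4706 is "A new trust was created to a domain", 1102 is "The audit log was cleared"); the field names, the allow-lists, the 24-hour correlation window and the sample records are assumptions for this example, so map them to however your SIEM normalizes these events.

```python
"""Flag domain-trust creations that look attacker-driven rather than planned.

Added example; not from the article or any product it mentions. Event IDs
4706 and 1102 are real Windows Security events; field names, allow-lists,
thresholds and the sample records below are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Trusts your change-management process has actually approved (assumed).
APPROVED_TRUST_DOMAINS = {"partner.example.com"}
# Accounts permitted to create trusts, e.g. a dedicated service account (assumed).
APPROVED_TRUST_ADMINS = {"svc-adtrust"}
# 4706 TrustDirection: 1 = inbound, 2 = outbound, 3 = bidirectional.
BIDIRECTIONAL = 3
# Window in which a log clear after a trust creation is treated as a cover-up (assumed).
LOG_CLEAR_WINDOW = timedelta(hours=24)


def _ts(value):
    return datetime.fromisoformat(value)


def analyze_trust_events(records):
    """Return findings for 4706 events that deviate from approved trust changes."""
    log_clears = [_ts(r["TimeCreated"]) for r in records if r["EventID"] == 1102]
    findings = []
    for r in records:
        if r["EventID"] != 4706:
            continue
        domain = r["DomainName"].lower()
        actor = r["SubjectUserName"].lower()
        created = _ts(r["TimeCreated"])
        reasons = []
        if domain not in APPROVED_TRUST_DOMAINS:
            reasons.append(f"trust to unapproved domain {domain}")
        if actor not in APPROVED_TRUST_ADMINS:
            reasons.append(f"created by non-approved account {actor}")
        if r.get("TrustDirection") == BIDIRECTIONAL:
            reasons.append("bidirectional trust (authentication flows both ways)")
        if r.get("SidFilteringState") == "Disabled":
            reasons.append("SID filtering disabled (SID history injection possible)")
        # Correlate with a later 1102: trust creation followed by wiping the evidence.
        if any(timedelta(0) <= clear - created <= LOG_CLEAR_WINDOW for clear in log_clears):
            reasons.append("security log cleared (1102) within 24h of trust creation")
        if reasons:
            findings.append({
                "time": r["TimeCreated"],
                "actor": actor,
                "domain": domain,
                "severity": "high" if len(reasons) >= 3 else "medium",
                "reasons": reasons,
            })
    return findings


# Constructed sample: one approved change, then an attacker-style trust plus a log wipe.
SAMPLE_EVENTS = [
    {"EventID": 4706, "TimeCreated": "2023-04-28T09:15:00", "SubjectUserName": "svc-adtrust",
     "DomainName": "partner.example.com", "TrustDirection": 2, "SidFilteringState": "Enabled"},
    {"EventID": 4706, "TimeCreated": "2023-05-03T02:41:00", "SubjectUserName": "jdoe",
     "DomainName": "corp-backup.lan", "TrustDirection": 3, "SidFilteringState": "Disabled"},
    {"EventID": 1102, "TimeCreated": "2023-05-03T02:47:00", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for finding in analyze_trust_events(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["time"], finding["actor"], "->", finding["domain"])
        for why in finding["reasons"]:
            print("   -", why)
```

The approved trust produces no finding; the second one is scored high because every signal fires: unapproved target, non-approved actor, bidirectional direction, SID filtering off, and the security log cleared six minutes later. In practice the allow-lists should come from your change tickets, and 4706 should be forwarded from every domain controller, since the event is written only on the DC where the trust was created.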
10 ways combining endpoint and identity security strengthens zero trust
2023 is becoming a year of getting more done with less. CISOs tell VentureBeat their budgets are under greater scrutiny, so consolidating the number of applications, tools and platforms is a high priority. The goal is to eliminate overlapping applications while reducing expenses and improving real-time visibility and control beyond endpoints.
With 96% of CISOs planning to consolidate their tech stacks, alternatives, including extended detection and response (XDR), are being considered more actively. Leading vendors providing XDR platforms include CrowdStrike, Microsoft, Palo Alto Networks, Tehtris and Trend Micro. EDR vendors are fast-tracking new XDR product development to be more competitive in the growing market.
"We're seeing customers say, 'I really need a consolidated approach because economically or by staffing, I just can't handle the complexity of all these different systems and tools,'" Kapil Raina, vice president of zero trust, identity, cloud and observability at CrowdStrike, told VentureBeat during a recent interview. "We've had a number of use cases where customers have saved money so that they're able to consolidate their tools, which allows them to have better visibility into their attack story, and their threat graph makes it simpler to act upon and lower the risk by internal operations or overhead that would otherwise slow down the response."
The need to consolidate and reduce costs while increasing visibility is accelerating the process of combining endpoint management and identity security. Unifying them also directly contributes to an organization's zero-trust security posture enterprise-wide. Integrating endpoint and identity security enables an organization to:
Enforce least-privileged access to the identity level beyond endpoints: An organization's security improves when endpoint and identity security are combined. A unified solution improves user access management by considering real-time user behavior and endpoint security status. Only the minimum level of access is granted, reducing the risk of unauthorized access and lateral movement within the network.
Improve visibility and control across all endpoints at a lower cost: Integrating endpoint and identity security provides visibility beyond endpoints and helps security teams monitor resource access and quickly identify potential breach attempts network-wide.
Increase accuracy in real-time threat correlation: Collecting and analyzing data from both endpoints and user identities improves the accuracy of real-time threat correlation, surfacing suspicious patterns and linking them to threats. This enhanced correlation helps security teams understand the attack landscape and be better prepared to respond to changing risks.
Gain a 360-degree view of activity and audit data, a core zero-trust concept: Following the "never trust, always verify" principle, this unified approach evaluates user credentials, device security posture and real-time behavior. Enterprises can prevent unauthorized access and reduce security risks by carefully reviewing each access request. Implementing this zero-trust strategy enforces strict network access control, creating a more resilient and robust security environment.
Strengthen risk-based authentication and access: Zero-trust authentication and access emphasize the need to consider the context of a request and tailor security requirements to it. In keeping with the "never trust, always verify" principle, a user requesting access to sensitive resources from an untrusted device may need additional authentication before being granted access.
Eliminate gaps in zero trust across identities or endpoints, treating every identity as a new security perimeter: Unifying endpoint management and identity security makes it possible to treat every identity as a security perimeter, verify and audit all access requests, and gain much better visibility across the infrastructure.
Improve real-time threat detection and response beyond endpoints, step by step: Endpoint and identity security on the same platform improve an organization's ability to detect and respond to threats in real time. It gives organizations a single, comprehensive data source for monitoring user and device activity and analyzing network threats. This allows security teams to quickly identify and address vulnerabilities or suspicious activities, speeding up threat detection and response.
Improve continuous monitoring and verification accuracy: By integrating endpoint security and identity security, enterprises can see user actions and device security status in a single view. The approach also validates access requests faster and more accurately by considering user credentials and device security posture as well as the context of the request. This strengthens the security posture by aligning with the zero-trust model's context-aware access controls, applying them to every identity and request across an endpoint.
Improve identity-based microsegmentation: Integrating endpoint security and identity security allows enterprises to set more granular, context-aware access controls based on a user's identity, device security posture and real-time behavior. Identity-based microsegmentation, combined with a zero-trust framework's continuous monitoring and verification, ensures that only authorized users can access sensitive resources and that suspicious activities are quickly detected and addressed.
Improve encryption and data protection to the identity level beyond endpoints: Enterprises often struggle to get granular control over the many personas, roles and permissions each identity needs to get its work done. It is also a challenge to get this right for the exponentially growing number of machine identities. By combining endpoint and identity security into a unified platform, as leading XDR vendors do today, it is possible to enforce more granular, context-aware access controls at the individual identity level while factoring in device security and real-time behavior.
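Several of the points above (least-privileged access, risk-based authentication, continuous verification, and treating machine identities as a distinct case) describe the same decision: an access request is judged on the identity's entitlements, the endpoint's posture and the behavior around the request, not on credentials alone. The following is an added example, not code from the article or from any XDR vendor, of what that combined decision looks like in a small policy function. The resource-to-role mapping, the risk weights, the per-sensitivity thresholds and the sample requests are all assumptions chosen for illustration; a real platform would derive the posture and behavior signals from its endpoint and identity telemetry.

```python
"""Context-aware access decision combining identity, endpoint posture and behavior.

Added example; not from the article or any XDR product. Roles, weights,
thresholds and sample requests are assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool
    is_machine: bool = False


@dataclass
class DevicePosture:
    managed: bool
    edr_healthy: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass
class Behaviour:
    failed_logins_last_hour: int
    new_country: bool
    hour_of_day: int  # local hour, 0-23


@dataclass
class Request:
    identity: Identity
    device: DevicePosture
    behaviour: Behaviour
    resource: str


# Resource -> (sensitivity, minimum role). Assumed mapping for the example.
RESOURCES = {
    "wiki": ("low", "staff"),
    "finance-db": ("high", "finance"),
    "ad-admin-console": ("critical", "domain-admin"),
}
# Per sensitivity: (score at which MFA step-up is required, score at which we deny).
# Critical resources use 0, so they always require a verified MFA factor.
THRESHOLDS = {"low": (4, 8), "high": (2, 5), "critical": (0, 3)}


def risk_score(req):
    """Add up endpoint-posture and behavioural risk; return (score, reasons)."""
    d, b = req.device, req.behaviour
    checks = [
        (not d.managed, 3, "unmanaged device"),
        (not d.edr_healthy, 2, "EDR agent missing or unhealthy"),
        (not d.disk_encrypted, 1, "disk not encrypted"),
        (not d.os_patched, 1, "OS missing patches"),
        (b.new_country, 2, "first sign-in from this country"),
        (b.failed_logins_last_hour >= 5, 2, "burst of failed logins"),
        (b.hour_of_day < 6 or b.hour_of_day > 22, 1, "outside usual hours"),
    ]
    score, reasons = 0, []
    for hit, weight, why in checks:
        if hit:
            score += weight
            reasons.append(why)
    return score, reasons


def decide(req):
    """Return (decision, reasons) with decision in {'allow', 'step-up', 'deny'}."""
    sensitivity, required_role = RESOURCES[req.resource]
    # Least privilege first: a missing role is a deny no matter how clean the device is.
    if required_role not in req.identity.roles:
        return "deny", [f"role '{required_role}' required for {req.resource}"]
    score, reasons = risk_score(req)
    step_up_at, deny_at = THRESHOLDS[sensitivity]
    if score >= deny_at:
        return "deny", reasons
    if score >= step_up_at and not req.identity.mfa_verified:
        if req.identity.is_machine:
            # A workload cannot answer an MFA prompt; fail closed rather than open.
            return "deny", reasons + ["machine identity cannot complete step-up"]
        return "step-up", reasons
    return "allow", reasons


TRUSTED = DevicePosture(managed=True, edr_healthy=True, disk_encrypted=True, os_patched=True)
UNMANAGED = DevicePosture(managed=False, edr_healthy=False, disk_encrypted=True, os_patched=True)
QUIET = Behaviour(failed_logins_last_hour=0, new_country=False, hour_of_day=10)

# Constructed sample requests: same valid credentials can land on allow, step-up or deny.
SAMPLE_REQUESTS = {
    "alice_trusted": Request(Identity("alice", frozenset({"staff", "finance"}), True), TRUSTED, QUIET, "finance-db"),
    "alice_byod": Request(Identity("alice", frozenset({"staff", "finance"}), True), UNMANAGED, QUIET, "finance-db"),
    "bob_wrong_role": Request(Identity("bob", frozenset({"staff"}), True), TRUSTED, QUIET, "ad-admin-console"),
    "carol_admin_no_mfa": Request(Identity("carol", frozenset({"staff", "domain-admin"}), False), TRUSTED, QUIET, "ad-admin-console"),
    "svc_backup_new_country": Request(Identity("svc-backup", frozenset({"finance"}), False, is_machine=True),
                                      TRUSTED, Behaviour(0, True, 3), "finance-db"),
}


def evaluate_all():
    """Decision per sample request, keyed by name."""
    return {name: decide(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, reasons = decide(req)
        print(f"{name:24s} {decision:8s} {'; '.join(reasons)}")
```

The second request is the one an identity-only control misses: alice has the right role and a verified MFA factor, yet the unmanaged, EDR-less device pushes the score to the deny threshold for a high-sensitivity resource. The last request shows the machine-identity caveat from the list above: a service account cannot complete a step-up, so the policy denies rather than silently skipping the extra factor.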
The lessons of consolidation
A financial services CISO says their consolidation plan is viewed favorably by their cyber insurance carrier, which believes that having endpoint management and identity security on the same platform will reduce response times and improve visibility beyond endpoints. VentureBeat has learned that cyber insurance premiums are increasing for organizations that have had multiple AD breaches in the past. Their policies now call out the need for IAM as part of a unified platform strategy.
CISOs also say it is a challenge to consolidate their security tech stacks because tools and apps often report data at varying intervals, with different metrics and key performance indicators. Data generated by different tools is hard to reconcile into a single reporting system. Getting onto a single, unified platform for endpoint management and identity security makes sense, given the need to improve data integration and reduce costs, including cyber insurance costs.