As organizations strengthen protection for their networks and endpoints, compromising identities has become a focal point for attackers infiltrating organizations. We’ve seen a rapid rise in the prevalence of attacks on identities: nearly 80% of attacks leverage identities to compromise legitimate credentials and use techniques like lateral movement to quickly evade detection. Organizations must now understand adversaries and their motivations to detect and respond to these threats.
While the cybersecurity industry may have various definitions of XDR, Gartner recommends choosing an XDR tool that includes at minimum: endpoint, data lake, orchestration, source of identity data for correlation, and threat intelligence.
We’ve found that most XDR vendors fail to integrate identity protection in a meaningful way. While identity and access management (IAM) is important, it does not fully defend against identity-based attacks. IAM products as a whole are not designed, from the ground up, with the telemetry necessary to identify modern identity-based attacks in real time across hybrid environments, remote workers, and multiple identity stores without disrupting users.
Where IAM falls short
It’s always about the keys to the kingdom. Threat actors always aim to gain access to critical data, typically as a privileged user, and move about undetected.
IAM vendors are extremely effective at managing digital identities across their life cycles, from provisioning to de-provisioning, allowing organizations to manage users’ digital identities and ensuring all users have access to the resources they need to perform their roles. Many organizations lean on these vendors as part of their zero-trust efforts.
Unfortunately, these IAM products have been on their own “island” for a while now, leading to potential blind spots. In some cases, the IAM provider has challenges in securing its own infrastructure. When attackers use compromised credentials, they can infiltrate a network and circumvent the existing security solutions that organizations may have in place. This blind spot was not fully understood or appreciated until recently. Organizations need to seamlessly marry detection and enforcement to prevent this type of activity.
Identity Protection: ask the right questions
Identity-based attacks are increasing the speed at which an adversary can gain access to, and move throughout, an organization. It takes an average of one hour and twenty-four minutes for attackers to move laterally within an organization, typically using identity-based attacks. If an adversary uses a valid credential, it’s much harder to determine that the activity is malicious. Security teams need real-time, full visibility across their security stacks to identify potentially malicious behavior and quickly act on it.
Can the security team detect and defend against identity-based attacks? Ask these questions:
- Does the organization have enough information from native and third-party sources, including behavioral analytics?
- Can the team process what’s happening and stop it in real time? Can it leverage risk-based conditional access to minimize false positives?
- Can the organization see and protect everything in the company’s environment, including unmanaged or legacy systems?
- Can the security team take proactive action to contain a breach? This may include using risk scoring to block a compromised identity from being used at other endpoints or ensuring segmentation to prevent lateral movement.
The majority of today’s XDR and IAM products lack the capabilities to help organizations answer these questions. We’ve seen most XDR vendors have a particular area of expertise, whether that’s starting at the network or making a SIEM or SOAR product appear more attractive. However, by Gartner’s definition, they have to do it all if they’re going to call themselves XDR.
While XDR extends detection and response from the endpoint across all environments, security pros can’t forget the individual or the identity in all of this, and we certainly can’t forget the threat intelligence aspect. Newer XDR products have trouble correlating attack patterns to determine whether an identity has been compromised (i.e., identifying in real time an unmanaged endpoint used with a known identity). To understand when or if there has been an attack, security teams need the endpoint and identity telemetry, and they also need massive adversary knowledge against which to compare the threat vector.
Why companies need XDR with identity protection
Identifying and responding to attacks in real time becomes genuinely complex if the team looks at only one piece of a fragmented puzzle or suffers from swivel chair syndrome with its security tooling. IAM is only one piece of the identity protection puzzle. A holistic XDR product – one that connects endpoint, identity and threat intelligence together, ensuring coverage everywhere (cloud, on-prem, mobile, unmanaged devices) – is the only way to solve this effectively.
When done right, organizations have unified cross-domain detections and investigations to effectively connect the dots, understand the context, and automate the risk response to stop or contain adversary attacks. XDR with identity protection stops threats, and also improves the bottom line. For example, one of the CISOs at an auto glass company I spoke to recently shared their operational expense savings: a 75% reduction in support password resets, an 8% reduction in phishing susceptibility, and a 32% reduction in unnecessary user access rights.
A holistic XDR solution that can correlate native and third-party cross-domain telemetry – spanning network, email, endpoint, identity, web applications, cloud and SaaS apps, workloads, third-party systems and security tools – wins every time.
Kapil Raina, identity protection evangelist, CrowdStrike