This article was originally published by BeyondTrust. You can view the article here.
In any corporate environment, every worker needs access to multiple systems from day one (Active Directory, Okta, HR applications, Salesforce, finance tools—the list goes on and on). Those already numerous accounts—and privileges—then accumulate over time (privilege creep) as that employee changes roles or works on different projects. According to a 2023 Gartner survey on application sprawl, the average “knowledge worker” (desk worker) uses 11 applications, nearly double the six applications they were using on average in 2019. Forty percent of digital workers are using more than the average number of applications, and 5% use 26 or more applications at work.
The sprawling number of applications poses significant challenges for the worker. In the same Gartner survey, respondents attributed the following workplace inefficiencies to account sprawl:
- 47% struggled to find information needed to effectively do their jobs
- 32% made the wrong decisions due to lack of awareness
- 36% indicated they miss important updates amid the noise
Operational inefficiencies are only one part of the story for organizations. Application sprawl also creates significant challenges for security teams that are attempting to correlate all the accounts back to one human identity. Privilege creep, shadow accounts, orphaned accounts, misconfigurations, and poor credential hygiene are just a few of the security issues that can operate under the radar of security teams, leaving significant gaps in the security mesh for threat actors to exploit.
The unfortunate reality is that the disjointed identities that emerge from having multiple accounts tied to multiple applications in a hybrid environment create a scenario where attackers only need to exploit one account to gain access to an entire resource. A single compromise can put an entire workflow at risk due to MFA fatigue attacks, SIM jacking, or poor credential hygiene.
In this blog, I dive into the security implications of having a workforce comprised of multiple disjointed identities and the critical role holistic identity protection plays in visualizing and responding to those risks.
The security complexities of multiple accounts in enterprise environments
Disjointed identities create blind spots for security teams that open the door to costly data breaches. In 2023, a staggering 84% of data breaches involved compromised credentials, costing organizations an average of $4.24 million each. Securing your identities isn’t just about convenience; it’s also about protecting your bottom line.
Let’s take a look at just a few of the most common security challenges disjointed identities can pose for organizations:
1. Single sign on (SSO)
Single sign on (SSO) is one way an organization might think about managing the sprawl of accounts to make it easier for employees to login to multiple systems without having to juggle (and follow best practices for) lots of credentials and multifactor authentication (MFA) solutions. While SSO does make things easier from the end-user perspective, it also means there is a single point of failure. An attacker only has to compromise one Okta login to potentially expose 10, 20, or 30 other applications and systems. Or what if the Okta infrastructure itself is targeted?
SSO can be useful, but it doesn’t help organizations reduce the number of accounts and privileges or uncover shadow accounts and misconfigurations—and it might be a tempting, high-value target for attackers who could use password sprays, session hijacking, or MFA fatigue to get in and access multiple systems.
2. Orphaned and shadow accounts
It’s not merely an inconvenience to have multiple accounts. The real challenge emerges when managing numerous accounts per person across potentially thousands of business applications.
This scenario is common in large enterprises, where the joiner, mover, leaver process can introduce faults and lead to the creation of orphaned accounts. And those are just the accounts that you are aware of. Well-meaning employees may have created their own local accounts, shared accounts, or used their own accounts to run services, creating shadow accounts that you—and your security teams—aren’t even aware you need to secure.
Over time, these issues can compound, making it difficult to accurately identify the owner of an account when a security issue arises. For an individual, solutions like Dashlane effectively establish identity and consolidate account management. However, scale this to the size of an enterprise, considering various privileges, and flaws begin to emerge and worsen over time. This complexity underscores why businesses must invest in robust identity security practices.
3. Non-human identities and accounts
Don’t forget your non-human identities and accounts. Service accounts and APIs are vital components, but are often overlooked as an identity attack vector. A single compromised machine identity can be the key to unlocking sensitive data or disrupting critical operations. These types of accounts can be a lot more dynamic, as well, especially in the cloud, where systems and accounts are spun up and down to scale with needs.
The limitations of point products in implementing holistic identity security
Individual or point solutions targeting specific aspects of identity security (e.g., human, non-human, service accounts, etc.) can provide targeted defenses, but they often lack the capability to offer a holistic view of an organization’s identity landscape. While these solutions can be part of an identity security strategy, relying solely on them could result in siloed data with gaps in visibility and control.
The reliance on specialized products alone for protecting certain identities or infrastructure components underscores a critical vulnerability in many organizations’ security postures. Without a unified platform to integrate these disparate solutions, the effort to maintain a secure and compliant environment becomes an incredibly manual and error-prone task. A holistic identity security solution not only consolidates this fragmented landscape, but also automates and enhances the detection, management, and remediation processes, significantly reducing the burden on security teams while enhancing security, risk management, compliance, and efficient auditing and investigations.
The importance of gaining a unified view of all user accounts under one identity
Identity Security Best Practices require having a unified view of all user accounts under one identity, both human and machine, along with the risk associated with each. Even if an Identity Service Provider (IdP) or Single Sign-On (SSO) solution has been implemented to help consolidate this identity and account relationship challenge, you still need to secure your identity infrastructure because, if an attacker is able to add a new IdP, gain access to an SSO solution, or exploit Active Directory (AD), then it is also game-over.
One of the biggest benefits of gaining this unified view of identities is that it allows you to think like an attacker as you strategize to better enhance your overall security posture.
There’s a fairly famous saying in security: “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” – John Lambert, Corporate Vice President, Security Fellow, Microsoft Security Research.
The idea is that a defender thinks in siloed lists: defender A thinks about Active Directory, defender B thinks about Windows Desktop AV, Defender C thinks about Windows Servers, etc. The attacker, on the other hand, thinks about a graph, or series of connections between accounts and systems that they can use to achieve their objective. They exploit the lack of visibility between these disparate systems (the defender’s lists) to move laterally and inflict damage. That could mean starting on Windows Desktop with a local admin privileged user, then using that access to capture a privileged domain account and pivot onto a server.
Because organizations often lack visibility across different identity systems, their security teams can’t see the graph of connections an attacker could exploit. And you can’t stop what you can’t see. Being able to give visibility into those graphs allows security teams to see what an attacker sees—exactly who has access to what—so they can proactively remove those often-hidden links, privileges, and access (escalation paths) that could allow an attacker to succeed. It also gives an idea of the potential blast radius if or when an account is compromised—and a way to mitigate that blast radius. No more unlocked doors for malicious actors to exploit.
Additional benefits of unified identity security
A unified view of identities, and their accounts and associated risk, also provides security teams with the following additional benefits:
- Improved Risk Management: With a clear picture of each user’s access, you can proactively identify and address potential threats before they become problems. It’s like having a complete risk map at your fingertips.
- Streamlined Compliance: Juggling multiple logins and passwords across disparate identities is not only cumbersome, but also increases the risk of non-compliance with security protocols. Unifying your view simplifies identity security and reduces compliance headaches.
- Cleaner Auditing and Investigations: When incidents occur, tracing activity across scattered identities is like searching for a needle in a haystack. A unified view simplifies investigations, allowing for faster identification of the root cause and more effective remediation. Imagine finding the culprit in seconds instead of hours regardless of account naming syntax!
How to Unlock a Unified View of Accounts and Identities with BeyondTrust Identity Security Insights
Imagine a solution that transforms your cumbersome keyring into a sleek, digital master key. BeyondTrust Identity Security Insights is that transformative tool, offering a panoramic view of your workforce identities on a single dashboard. Here’s how it fortifies your digital fortress:
- Panoramic Visibility: Every user, identity, account, privilege, and entitlement falls under your gaze, ensuring no shadow goes unexplored.
- Advanced Threat Detection: AI-driven analytics ferret out suspicious behaviors, over-privileged accounts, and potential vulnerabilities, enabling proactive defense strategies.
- Automated Threat Prioritization: With threats automatically ranked by severity, your response efforts can be strategically focused where they’re needed most, fortifying your security posture efficiently.
- Enforcing Minimal Access: Tailor privileges precisely to the needs of each role, minimizing unnecessary exposure and reducing the attack surface.
- Streamlined Security Enforcement: Automate and standardize access controls across your organization, easing the compliance load and bolstering your defense mechanisms.
How Identity Security Insights helped identify the Okta Support Unit breach
Identity Security Insights detected several aspects of an intrusion that occurred as a result of the 2023 Okta Support Unit breach. The tool’s multiple detections and alerts allowed BeyondTrust security teams to quickly remediate the attack and prevent any impact or exposure to BeyondTrust’s infrastructure or customers.
The compromise of Okta’s support system allowed an attacker to access sensitive files uploaded by Okta’s customers. In this case, the attacker was able to access an HAR file that had been requested by Okta’s support team to debug an issue BeyondTrust was having. The HAR file that was uploaded to Okta’s support portal contained an API request and a session cookie. Within 30 minutes of the upload, an attacker attempted to perform admin API actions in the BeyondTrust Okta environment using the session cookie from this support ticket for authentication. Using this tactic, the attacker was able to subvert BeyondTrust’s custom policies around admin console access and create a backdoor user account using a naming convention consistent with existing service accounts.
At this point, Identity Security Insights began alerting BeyondTrust’s security teams to several aspects of the intrusion:
- Okta session hijacking: This detection looks for suspicious sessions appearing without an authentication event that are consistent with session hijacking.
- Okta user performed administrative action using a proxy: This detection alerts to abnormal user behavior—in this case the use of proxies to login as privileged users and perform sensitive administrative actions.
- Okta admin privileges were granted to a user: This information-level detection highlights all Okta admin assignments (typically rare and usually occur within an established process) to alert in the event an attacker is attempting to escalate privilege or grant privilege to backdoor accounts.
- Okta password health report generated: This information-level detection highlights when a report is generated out of the ordinary in case the activity is suspicious.
- Okta user with some level of admin access uses MFA vulnerable to SIM swapping: Our incident response process was significantly faster because the admin user used FIDO2 for MFA, allowing us to rule out attacker-in-the-middle phishing as the mechanism for the token theft. Posture recommendations for privileged users give identity security professionals incremental changes they can make to better protect these crucial accounts.
By providing unified visibility into the identities and accounts across BeyondTrust’s environment, advanced AI-driven threat detection, and automated threat prioritization, Identity Security Insights allowed BeyondTrust’s security teams to immediately disable the backdoor user account and revoke the attacker’s access before the account could be used, preventing any further actions or exposure to BeyondTrust’s infrastructure or customers.
