In a recent article we discussed “What are non-human identities and why do they matter?”.
That article covered the exponential growth of service accounts, system accounts, IAM roles, API keys, tokens, secrets and other forms of credentials not associated with human users. NHIs are now playing an increasing role in security incidents and data breaches.
In this follow-up article, we will discuss three key areas to focus on when you’re building out your approach to securing NHIs.
Discovery & Posture
In our previous article we pointed out that for every 1,000 human users, organizations typically have roughly 10,000 non-human connections or credentials. This means the fundamental activities of discovery, inventory and monitoring, performed continuously, are key. These activities must span all of your environments, whether internally hosted and managed enterprise IT systems or external environments such as SaaS applications; the latter pose additional visibility and monitoring challenges for organizations.
This is why organizations need to have robust SaaS Governance programs and can lean into resources such as the Cloud Security Alliance (CSA)’s SaaS Governance Best Practices for Cloud Customers guide.
It is one thing to have a governance program and plan in place, but organizations also need modern security tooling capable of maintaining visibility across the organization's NHI footprint regardless of the environment those credentials and connections exist in.
Additionally, while visibility is a great first step, in line with longstanding best practices such as asset inventory, you also need tooling capable of providing rich context to help prioritize the risks associated with NHIs. Visualizations such as connectivity maps can show the connections taking place, the systems, products and vendors involved, and the associated risks.
Source: Astrix Security
This includes insight into what permissions each NHI has (what it can read, what it can write, whether it holds administrative-level privileges, and so on). To aid the broader push for zero trust, you also need to be able to determine, given the access an NHI has been granted, what level of permissions is actually being used. This helps right-size permissions and supports zero trust principles such as least-permissive access control.
We know from reports that only 2% of applied permissions are actually being used, meaning 98% of the permissions applied to accounts are not needed and are overly permissive. These credentials continue to be prime targets for attackers and one of the leading vectors in data breaches, per sources such as the latest Verizon DBIR.
That means these NHIs are sitting around waiting to be compromised, and when that happens the attackers are able to leverage the permission sprawl to move laterally, access sensitive data and take other harmful actions affecting an organization, its systems and its data.
Effectively monitoring and managing the posture of your organization's NHIs needs to account for a broad range of factors: gaps between assigned and utilized privileges, the reputation of the vendors and products involved, real-time runtime context such as suspicious behavior, and threat intelligence such as a vendor being recently breached or involved in a security incident. All of these insights and context can be used to comprehensively mitigate the organizational risk associated with NHIs.
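The assigned-versus-used comparison described above, as an added example that is not code from the article or from any vendor. It assumes a constructed IAM-style policy (identity to list of actions, with wildcards) and a constructed audit log of API calls; real policy and log schemas differ by provider, so the parsing would be adapted to the actual source.

```python
"""Compare the permissions assigned to a non-human identity against the
actions it has actually used, and report the share that could be removed.

Added example for this article, not tooling from the author or any vendor.
The policy format, action names and log lines are constructed to resemble a
cloud IAM policy and audit log; they are not a real provider's schema.
"""
from __future__ import annotations

import fnmatch
from collections import defaultdict

# Constructed: permissions granted to two service identities. The wildcard
# mirrors the common over-permissive habit of granting "service:*".
ASSIGNED_PERMISSIONS = {
    "svc-billing-export": ["storage:GetObject", "storage:PutObject",
                           "storage:DeleteObject", "storage:ListBucket",
                           "db:Query", "db:DropTable"],
    "svc-ci-deployer": ["compute:*", "storage:GetObject", "iam:CreateRole"],
}

# Constructed audit-log sample, one API call per line:
# <timestamp> <identity> <action> <resource>
AUDIT_LOG = """\
2024-05-01T08:00:01Z svc-billing-export storage:GetObject invoices/2024-04.csv
2024-05-01T08:00:02Z svc-billing-export storage:PutObject exports/2024-04.parquet
2024-05-01T08:00:03Z svc-billing-export db:Query billing.invoices
2024-05-01T09:12:44Z svc-ci-deployer compute:StartInstance web-03
2024-05-01T09:12:45Z svc-ci-deployer storage:GetObject artifacts/build-991.tgz
2024-05-02T08:00:01Z svc-billing-export storage:GetObject invoices/2024-04.csv
"""


def parse_used_actions(log_text: str) -> dict[str, set[str]]:
    """Return the distinct actions each identity actually invoked."""
    used: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, identity, action, _resource = line.split(maxsplit=3)
        used[identity].add(action)
    return used


def rightsize(assigned: dict[str, list[str]], used: dict[str, set[str]]) -> dict:
    """Split each identity's grants into used and unused.

    A wildcard grant such as "compute:*" counts as used if any invoked action
    matches it, and is reported as a narrowing candidate: replace it with the
    concrete actions actually observed.
    """
    report = {}
    for identity, grants in assigned.items():
        invoked = used.get(identity, set())
        used_grants, unused_grants, narrow_to = [], [], {}
        for grant in grants:
            matches = {a for a in invoked if fnmatch.fnmatchcase(a, grant)}
            if not matches:
                unused_grants.append(grant)
            else:
                used_grants.append(grant)
                if "*" in grant:
                    narrow_to[grant] = sorted(matches)
        report[identity] = {
            "used": used_grants,
            "unused": unused_grants,
            "narrow_wildcards": narrow_to,
            "unused_ratio": len(unused_grants) / len(grants) if grants else 0.0,
        }
    return report


if __name__ == "__main__":
    result = rightsize(ASSIGNED_PERMISSIONS, parse_used_actions(AUDIT_LOG))
    for identity, r in result.items():
        print(f"{identity}: {r['unused_ratio']:.0%} of grants unused")
        for g in r["unused"]:
            print(f"  remove  {g}")
        for g, concrete in r["narrow_wildcards"].items():
            print(f"  narrow  {g} -> {', '.join(concrete)}")
```

One caveat before acting on such a report: "unused" is only meaningful relative to the observation window. A permission exercised by a quarterly job looks unused in a 30-day log, so the window should cover the identity's full operating cycle, and removals should be staged with monitoring for access-denied errors rather than applied in one pass.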
Third-Party Breach Response & Credential Rotation
As we have been discussing, NHIs often facilitate connections to third parties, such as business partners, customers, external SaaS providers and more. When those third parties experience a security incident, you need a strong capability for third-party breach response and credential rotation for any NHIs impacted as part of the incident.
The first step of any breach response is understanding whether you are actually impacted. Being able to quickly identify any credentials associated with the third party experiencing the incident is key. You need to be able to determine what those NHIs are connected to, who is utilizing them, and how to rotate them without disrupting critical business processes, or at least to understand those implications prior to rotation.
We know that in a security incident, speed is king. Being able to outpace attackers and cut down response time through documented processes, visibility and automation can be the difference between mitigating the direct impact of a third-party breach and being swept up in the list of organizations impacted through their third-party relationships.
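The impact assessment and rotation planning just described, as an added example that is not code from the article or from any vendor. It assumes a constructed inventory in which each NHI records the vendor it authenticates to, the internal systems that use it, and any other NHIs it is able to issue; the "issues" relationship and all records are illustrative.

```python
"""Given an NHI inventory, find every credential tied to a breached third
party (directly, or transitively through credentials it can issue), list the
systems that depend on them, and order the rotation so issuers go first.

Added example for this article, not code from the author or any vendor.
The inventory schema and every record below are constructed.
"""
from __future__ import annotations

from graphlib import TopologicalSorter

# Constructed inventory. "issues" lists NHIs that this credential can mint or
# retrieve (for example, an OAuth token used to configure webhook secrets).
INVENTORY = [
    {"id": "nhi-001", "type": "api_key", "vendor": "AcmePay",
     "used_by": ["billing-service"], "issues": []},
    {"id": "nhi-002", "type": "oauth_token", "vendor": "AcmePay",
     "used_by": ["finance-dashboard", "reconciliation-job"], "issues": ["nhi-004"]},
    {"id": "nhi-003", "type": "service_account", "vendor": "internal",
     "used_by": ["orders-service"], "issues": []},
    {"id": "nhi-004", "type": "webhook_secret", "vendor": "internal",
     "used_by": ["payments-webhook"], "issues": []},
    {"id": "nhi-005", "type": "api_key", "vendor": "MailCorp",
     "used_by": ["notifier"], "issues": []},
]


def impacted_credentials(inventory: list[dict], breached_vendor: str):
    """Return (all impacted ids, directly impacted ids).

    Direct: credentials that authenticate to the breached vendor.
    Transitive: anything a directly impacted credential is able to issue,
    since a compromised issuer can expose or re-mint those as well.
    """
    by_id = {n["id"]: n for n in inventory}
    direct = {n["id"] for n in inventory if n["vendor"] == breached_vendor}
    impacted: set[str] = set()
    stack = list(direct)
    while stack:
        nid = stack.pop()
        if nid in impacted:
            continue
        impacted.add(nid)
        stack.extend(by_id[nid]["issues"])
    return impacted, direct


def rotation_plan(inventory: list[dict], breached_vendor: str) -> dict:
    """Build an ordered rotation plan plus the blast radius of systems."""
    by_id = {n["id"]: n for n in inventory}
    impacted, direct = impacted_credentials(inventory, breached_vendor)

    # Rotate an issuer before the credentials it issues: rotating a child
    # first is wasted work if the compromised parent can simply re-issue it.
    sorter: TopologicalSorter = TopologicalSorter()
    for nid in impacted:
        issuers = [p["id"] for p in inventory
                   if nid in p["issues"] and p["id"] in impacted]
        sorter.add(nid, *issuers)
    order = list(sorter.static_order())

    affected_systems = sorted({s for nid in impacted for s in by_id[nid]["used_by"]})
    return {
        "direct": sorted(direct),
        "transitive": sorted(impacted - direct),
        "order": order,
        "affected_systems": affected_systems,
    }


if __name__ == "__main__":
    plan = rotation_plan(INVENTORY, "AcmePay")
    print("rotate in order:", " -> ".join(plan["order"]))
    print("systems to coordinate with:", ", ".join(plan["affected_systems"]))
```

The `affected_systems` list is what lets you weigh rotation against business disruption before acting: each owner on that list needs the new credential delivered (or the integration re-authorized) in the same change window, which is where the documented process and automation the article calls for pay off.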
Anomaly Detection - Going Beyond Posture
While posture management is a foundational security activity, it isn’t a silver bullet either. You also need to actively detect anomalous activity associated with your organization's NHIs, which requires establishing what behavior is normal and what should be a cause for concern, such as potential threats or malicious activity.
Suspicious behavior can be identified by leveraging a variety of factors, such as IP addresses, geolocations, Internet Service Providers (ISPs) and API activity. When these factors deviate from the baseline activity associated with an NHI, they may be indicative of nefarious activity and warrant further investigation, or even remediation if an attack or compromise is confirmed.
Source: Astrix Security
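The baseline-and-deviation approach across IP address, geolocation, ISP and API activity, as an added example that is not code from the article or from any vendor. It assumes a constructed audit-log format, a constructed network-to-country/ISP table standing in for a GeoIP/ASN database, and constructed events; in a real deployment the log comes from the provider and the enrichment from a maintained GeoIP/ASN source.

```python
"""Baseline an NHI's normal access pattern over a learning window, then flag
new events that deviate on source IP, country, ISP or API action and grade
how much a deviation matters.

Added example for this article, not code from the author or any vendor.
The log format, the IP-to-ASN table and all events are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

DIMENSIONS = ("ip", "country", "isp", "action")

# Constructed stand-in for a GeoIP/ASN lookup: network -> (country, ISP).
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("US", "ExampleCloud")),
    (ipaddress.ip_network("198.51.100.0/24"), ("US", "ExampleCloud")),
    (ipaddress.ip_network("192.0.2.0/24"), ("NL", "Budget VPS BV")),
]

# Constructed learning window: the identity's normal nightly export job.
# Format: <timestamp> <identity> <source-ip> <action>
BASELINE_LOG = """\
2024-04-01T02:00:00Z svc-billing-export 203.0.113.10 storage:GetObject
2024-04-01T02:00:01Z svc-billing-export 203.0.113.10 storage:PutObject
2024-04-02T02:00:00Z svc-billing-export 203.0.113.11 storage:GetObject
2024-04-02T02:00:01Z svc-billing-export 198.51.100.7 storage:PutObject
"""

# Constructed detection window: one benign new address in the usual provider,
# then the same credential used from an unrelated network for new actions.
NEW_LOG = """\
2024-05-01T02:00:00Z svc-billing-export 203.0.113.10 storage:GetObject
2024-05-01T02:00:01Z svc-billing-export 203.0.113.99 storage:PutObject
2024-05-01T14:37:12Z svc-billing-export 192.0.2.55 storage:ListBucket
2024-05-01T14:37:40Z svc-billing-export 192.0.2.55 iam:CreateAccessKey
"""


def enrich(ip: str) -> tuple[str, str]:
    """Map a source address to (country, ISP) using the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, meta in ASN_TABLE:
        if addr in net:
            return meta
    return ("??", "unknown")


def parse(log_text: str):
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, identity, ip, action = line.split()
        country, isp = enrich(ip)
        yield {"ts": ts, "identity": identity, "ip": ip,
               "country": country, "isp": isp, "action": action}


def build_baseline(log_text: str) -> dict[str, dict[str, set[str]]]:
    """Collect the set of values seen per identity on each dimension."""
    baseline = defaultdict(lambda: {d: set() for d in DIMENSIONS})
    for ev in parse(log_text):
        for dim in DIMENSIONS:
            baseline[ev["identity"]][dim].add(ev[dim])
    return baseline


def severity(deviations: list[str]) -> str:
    """Grade a finding: a lone new IP inside a known ISP and country is the
    kind of thing autoscaling produces; a new network plus a new action is not."""
    if not deviations:
        return "none"
    if deviations == ["ip"]:
        return "low"
    if "action" in deviations and ("country" in deviations or "isp" in deviations):
        return "high"
    return "medium"


def score_events(baseline, log_text: str) -> list[tuple[dict, list[str]]]:
    """Return (event, deviating dimensions) for every event outside baseline."""
    findings = []
    for ev in parse(log_text):
        seen = baseline.get(ev["identity"])
        if seen is None:
            findings.append((ev, ["unknown_identity"]))
            continue
        deviations = [d for d in DIMENSIONS if ev[d] not in seen[d]]
        if deviations:
            findings.append((ev, deviations))
    return findings


if __name__ == "__main__":
    findings = score_events(build_baseline(BASELINE_LOG), NEW_LOG)
    for ev, devs in findings:
        print(f"{ev['ts']} {ev['identity']} {severity(devs):6} new: {', '.join(devs)}")
```

A set-membership baseline like this is deliberately simple; it shows the shape of the detection, not a production scoring model. In practice the baseline window has to be long enough to cover the identity's legitimate variation (multiple regions, provider address churn), and the `high` grade is what should feed an automated guardrail such as a secret rotation, while `low` findings are better left to enrich the posture view than to page anyone.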
Security teams are not only regularly stretched thin, but they also often lack a deep understanding of the organization's entire application and third-party ecosystem, as well as insight into which assigned permissions and associated usage are appropriate. This is why modern security tools aimed at protecting NHIs often provide automated guardrails capable of running remediation workflows such as rotating secrets or reducing assigned permissions to mitigate threats. They should also integrate with existing security stacks to help SOC and security teams respond quickly and effectively.
Bring it all together
By bringing together the areas we discussed, discovery and posture management, third-party breach response and anomaly detection, organizations are able to get ahead of the risks associated with their NHI footprint. Given the scale of the problem, with modern organizations having tens of thousands of NHIs distributed and operating across both internal and external systems, the idea of tackling these risks manually is simply impractical. Organizations must lean into modern Identity and Access Management (IAM) and Identity Threat Detection and Response (ITDR) tooling to facilitate these activities at scale.