Speaking for myself Raj Dodhiawala, I unfortunately have developed a sense of apathy to the continuing success of cyberattacks. I don’t care to read beyond the headline that a ransomware attack resulted in a pay-out. Worse, I am less jarred by the next email from a provider about my personal data being compromised. Knowing what I know about existing privilege access management tools my providers use, I half expect my personal data to be stolen in the next data breach anyway. As someone in the business of cybersecurity, I am unsettled that we as an industry are failing, always caught on our back foot every day these attacks utilizing privilege escalation and lateral movement succeed at a very high rate.
We all recognize that organizations have invested millions in tools, processes, people, and training in cybersecurity. Zero Trust is the rage of the day. Every major vendor offers a cybersecurity platform of sorts. I could go on and on. So, it’s fair to ask: what then is missing from achieving a high degree of cyber resilience? In my opinion, two things are askew:
Too much focus on detection instead of protection. Detection requires a high degree of vigilance, and therefore internal resources to recognize every incident, to respond in a timely matter each time, and stop each bad act before it causes harm. It never is a comfortable situation “to be looking back over your shoulder,” no matter performant your agent is, how robust your AI is, or how much you rely on the network effect of your MDR service. Detection-inevitably fails, and we read these headlines every day, because bad actors are relentless on figuring out how to bypass even your strongest fortifications.
Zero Trust initiatives are often missing a key ingredient: Identity, and more specifically, Privileged Identity (aka admins). Network and endpoint protection is only as good as privileged identity protection. Attackers masquerading as admins cause the most damage and is hardest to detect and stop — I could argue that attackers will not succeed in the attack if they are not able to elevate their privilege to the admin level.
It is no wonder that credential compromise, privilege escalation, and lateral movement remain the top techniques in almost all attacks. How else can an attacker get to the crown jewels? Backward looking defensive methods or network and endpoint detection haven’t yielded the cyber resilience we all are vying for.
Grounded in my experience in network security and in endpoint security, our false positives were often due to lack of knowledge about the identity behind the tactic or malicious activity that we were looking to detect and stop. Disambiguating actions (remote access, PowerShell execution, a registry change, and all others) whether performed by a regular user versus a privileged user, and in that, whether that account is compromised or not remains the driving force for innovations in better detection and response. But in the end, any detection and response (XDR) is about defence, not protection.
We therefore need a paradigm shift in the governance of privileged identities, one that focuses on authorization and not just authentication. The focus on authorization, and specifically on eliminating privilege sprawl is the driver in the transformation of PAM to PAM+. I see this shift happening as more and more organizations embrace Zero Trust with privileged identity as the third leg of the stool alongside network and endpoint (Unfortunately, in “Implementing a Zero Trust Architecture.” NIST 1800-35B relegates authorization to various policy components of their ZTA, leaving it implicit in the ICAM – this is a topic for another time).
In their transformation to PAM+, organizations are examining their privilege sprawl and questioning the diminishing value of protecting credentials in a vault while the privileged identity attack surface out there is being exploited routinely. PAM+ leaning organizations are challenging the age-old IT processes by eliminating always-on, always-available but occasionally used administrator access with Zero Standing Privilege and Just-in-Time approaches. Removing standing privileges shrinks, if not eliminates the attack surface, offering the true protection against attackers moving laterally. PAM+ makes compromised credential-based attacks totally ineffective. This is the transformation I am seeing now and today: organizations are embracing PAM+ to eliminate privilege sprawl and stop lateral movement.
Author: Raj Dodhiawala