Three pitfalls to avoid in Identity Security Threat Detection
Lior Tamir, Product Manager at Spera Security
September 22, 2023
With identity as the number one attack vector, environments becoming more complex and attackers improving their methods, organizations are required more than ever before to continuously monitor account activities and track anomalies to identify and respond to identity-based threats.
Many security teams try to mitigate this attack vector by leveraging existing event-management tools such as SIEM and XDR, using their native tools for account monitoring, log correlation and detection of identity-related alerts. While only addressing part of the challenge, this approach often leads to the following three pitfalls:
Lack of context and prioritization leads to alert fatigue
Security teams are overloaded with false-positive or low-impact identity threats. Traditional SIEM and XDR only track activity logs and lack context into posture status, so they are unable to identify crucial elements such as secured authentication and privileges, account purpose, blast radius and business impact. With a constant flow of alerts and issues, security teams struggle to find the needle in the haystack.
Lacking coverage of “crown jewel” apps
Ingesting data into a SIEM is costly and demands time and effort from the company's engineers, resulting in missing coverage of “crown jewel” apps such as Snowflake or Salesforce for SIEM alert detection. Even when such data exists, it is no small feat to correlate attacker activity that starts in the IdP (e.g. AAD or Okta) and ends in a SaaS or cloud platform such as NetSuite, AWS or GCP.
Missing identity detection and expertise
Generating, fine-tuning and maintaining quality detections requires specific expertise and a significant amount of effort. While XDR and SIEMs span multiple attack vectors, they are not able to provide critical identity security detections.
Organizations that seek a mature identity security program should implement tools that provide combined visibility into misconfigurations, identity analytics, activity monitoring and threat detection, from people and machines, through identity providers and beyond the data in the “crown jewel” apps. Such tools should use their context to reduce noise, prioritize and focus teams on what matters most.
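The two ideas above that a detection engineer can act on directly are correlating an IdP sign-in with the downstream SaaS or cloud activity it led to, and then using posture context (MFA enrollment, privilege level, account purpose) to rank the result instead of alerting on every event. The following is an added example, not code from the original post or from Spera Security: the event shapes, the posture inventory, the sample events and the scoring weights are all constructed assumptions, not any vendor's log format.

```python
"""Correlate IdP sign-ins with downstream app activity and rank by identity context.

Hypothetical illustration: event fields, posture data and scoring weights are
assumptions made up for this example, not a real IdP or SIEM schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed IdP sign-in events (Okta/AAD-style), already normalized.
IDP_EVENTS = [
    {"ts": "2023-09-20T08:02:00", "user": "alice@example.com",
     "event": "login.success", "mfa": True, "ip": "203.0.113.10"},
    {"ts": "2023-09-20T08:05:00", "user": "svc-etl@example.com",
     "event": "login.success", "mfa": False, "ip": "198.51.100.7"},
    {"ts": "2023-09-20T08:30:00", "user": "bob@example.com",
     "event": "login.success", "mfa": False, "ip": "198.51.100.7"},
]

# Constructed downstream "crown jewel" app events, keyed by the same identity.
APP_EVENTS = [
    {"ts": "2023-09-20T08:06:00", "app": "snowflake",
     "user": "svc-etl@example.com", "action": "GRANT ROLE ACCOUNTADMIN"},
    {"ts": "2023-09-20T08:10:00", "app": "aws",
     "user": "alice@example.com", "action": "s3:ListBucket"},
    {"ts": "2023-09-20T08:31:00", "app": "salesforce",
     "user": "bob@example.com", "action": "ReportExport"},
]

# Constructed posture context: what an identity inventory would know about
# each account before any activity is seen (the context a plain SIEM lacks).
POSTURE = {
    "alice@example.com": {"type": "human", "privileged": False, "mfa_enrolled": True},
    "svc-etl@example.com": {"type": "service", "privileged": True,
                            "mfa_enrolled": False, "expected_apps": {"snowflake"}},
    "bob@example.com": {"type": "human", "privileged": True, "mfa_enrolled": True},
}

# Assumed list of actions worth weighting higher (privilege grants, bulk exports).
SENSITIVE_ACTIONS = {"GRANT ROLE ACCOUNTADMIN", "ReportExport"}


def correlate(idp_events, app_events, window_minutes=60):
    """Attach to each app event the most recent IdP sign-in by the same user
    within the look-back window, producing an IdP-to-app activity chain."""
    by_user = defaultdict(list)
    for e in idp_events:
        by_user[e["user"]].append(e)
    chains = []
    for a in app_events:
        app_ts = datetime.fromisoformat(a["ts"])
        candidates = [
            l for l in by_user[a["user"]]
            if 0 <= (app_ts - datetime.fromisoformat(l["ts"])).total_seconds()
            <= window_minutes * 60
        ]
        login = max(candidates, key=lambda l: l["ts"]) if candidates else None
        chains.append({"app_event": a, "login": login})
    return chains


def score_chain(chain, posture):
    """Rank one chain using posture context; returns (score, reasons)."""
    a, login = chain["app_event"], chain["login"]
    p = posture.get(a["user"], {})
    score, reasons = 0, []
    if login is None:
        score += 2
        reasons.append("no matching IdP sign-in in window")
    elif p.get("mfa_enrolled") and not login["mfa"]:
        score += 3
        reasons.append("sign-in without MFA although MFA is enrolled")
    if p.get("privileged"):
        score += 2
        reasons.append("privileged identity")
    if a["action"] in SENSITIVE_ACTIONS:
        score += 2
        reasons.append("sensitive action: " + a["action"])
    expected = p.get("expected_apps")
    if expected and a["app"] not in expected:
        score += 2
        reasons.append("service account used outside its expected apps")
    return score, reasons


def prioritize(chains, posture):
    """Score every chain and return them highest-priority first."""
    ranked = []
    for c in chains:
        s, why = score_chain(c, posture)
        ranked.append({"user": c["app_event"]["user"], "app": c["app_event"]["app"],
                       "action": c["app_event"]["action"], "score": s, "reasons": why})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def triage(ranked, min_score=3):
    """Noise reduction: keep only chains that reach the analyst threshold."""
    return [r for r in ranked if r["score"] >= min_score]


if __name__ == "__main__":
    for r in triage(prioritize(correlate(IDP_EVENTS, APP_EVENTS), POSTURE)):
        print(r["score"], r["user"], r["app"], r["action"], "|", "; ".join(r["reasons"]))
```

Run as a script it prints the two chains that clear the threshold (the MFA-less privileged export and the service account's role grant) and drops the routine bucket listing, which is exactly the effect of scoring with posture context rather than raw event volume. The weights and the 60-minute window are illustrative; in practice they are tuned per environment, and the posture table would come from the IdP and app inventories rather than a literal.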