Illusive Blog December 21, 2020

Securing Identities Through Digital Transformation By Reducing The Attack Surface

By Paul Kivikink

The topic of accelerated (or forced) digital transformation has been top of mind in many of my recent discussions with customers. It comes as no surprise that human-operated campaigns, such as ransomware, quickly and enthusiastically adapted to a global workforce that now operates remotely, forcing many organizations to modernize their cyber resiliency and security operations. From a more fundamental technology perspective, this may be a positive side benefit for organizations that had long-term, multi-year plans for digital transformation and are now embracing technology to enable their business.

While many security practitioners see the primary focus of digital transformation as moving all business apps to cloud platforms or SaaS, its scope is a much broader transformative activity, typically led by IT, to integrate and automate core business processes and objectives. For many security teams, the leading focus during digital transformation begins with ensuring that Identity and Privileged Access Management solutions are deployed, so that workplace identities can securely access resources, before adding further layers of security. While there are quick-win fundamentals that can be deployed easily, such as SSO, MFA, and modern passwordless solutions, there are several challenging areas to consider when managing identities through digital transformation:

Three identity challenges we hear that organizations are looking to solve during digital transformation:


1. Inventory of user and application identities

Many organizations struggle to understand their inventory of user identities and the application access used across their workforce. Many have legacy identity providers (IdPs), or multiple IdPs, that they would like to streamline to reduce costs. For example, we have noted that many enterprise customers are looking to consolidate their IdPs onto Azure AD, which comes with O365. They may not even be aware of which identities are in use, or where they have exposed privileged identities that pose a high risk to the organization. Organizations are trying to answer questions such as:

  • What privileged identities are being used?
  • Are there unmanaged/unused accounts or identities?
  • Which identities are being used for cloud/SaaS apps?
  • Which identities are legacy and/or may not be possible to migrate?


2. Finding identities with risky high-privileged misconfigurations or policy violations

As the shift to a remote workforce has expanded the need to protect corporate identities, there are several types of identity policy violation that an attacker can exploit in human-operated campaigns and leverage for lateral movement within an organization. Identities and access privileges should be managed with identity governance solutions such as Microsoft’s Azure AD.

  • Identify overprivileged identities, e.g. a user with a low level of access in on-prem AD but a high level of access in Azure AD
  • Restrict the use of domain administrator accounts and local administrators
  • Reduce the identity attack surface by highlighting policy violations such as lack of 2FA/MFA, risky high privileges, and unnecessary or unknown access


3. Detection of, and visibility into, identity risks to inform decisions on continuous authentication and privileged identity threat detection

  • Continuously discover local admin accounts, unmanaged accounts, and shadow admins
  • Detect at-risk privileged identities that could be targeted to reach a high-value asset
  • Detect irregular behavior from corporate identities
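To make the checks in the three challenge areas above concrete, here is an added example (not Illusive product code and not a Microsoft API) that runs identity hygiene checks over constructed on-prem AD, Azure AD and endpoint snapshots for a hypothetical tenant. It resolves nested group membership to find shadow admins, flags synced users whose Azure AD role outranks their on-prem privilege, finds admin roles without MFA, lists stale accounts that should be cleaned up before migration, and reports admin credentials cached on non-Tier-0 hosts, the kind of pathway an attacker who lands on an endpoint would look for. All user names, group names, hosts and dates are constructed; in practice the snapshots would come from directory and endpoint exports.

```python
"""Identity attack-surface checks over constructed AD / Azure AD / endpoint snapshots.
Added example, not vendor product code; all identifiers below are hypothetical."""
from datetime import date, timedelta

# Named Tier-0 groups on-prem and admin directory roles in Azure AD.
ONPREM_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}
CLOUD_ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed on-prem snapshot: group -> direct members (users or nested groups).
ONPREM_GROUPS = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Tier0-Ops": {"Helpdesk-L3"},  # nesting hides bob's effective rights
    "Helpdesk-L3": {"bob"},
    "Staff": {"carol", "dave", "svc-backup"},
}
ONPREM_USERS = {  # user -> last interactive logon (constructed)
    "alice": date(2020, 12, 15),
    "bob": date(2020, 12, 10),
    "carol": date(2020, 12, 18),
    "dave": date(2020, 3, 1),
    "svc-backup": date(2019, 11, 2),
}
# Constructed Azure AD snapshot: user -> directory roles and MFA registration.
CLOUD_USERS = {
    "alice": {"roles": {"Global Administrator"}, "mfa": True},
    "bob": {"roles": set(), "mfa": False},
    "carol": {"roles": {"Global Administrator"}, "mfa": False},
    "dave": {"roles": set(), "mfa": True},
    "erin": {"roles": {"Privileged Role Administrator"}, "mfa": True},  # cloud-only
}
# Constructed endpoint snapshot: host -> accounts with credentials cached on it.
CACHED_CREDS = {"DC01": {"alice"}, "WS-042": {"bob", "carol"}, "WS-107": {"dave"}}
TIER0_HOSTS = {"DC01"}


def effective_members(groups, group, seen=None):
    """Users effectively in `group`, resolving nested groups (cycle-safe)."""
    seen = set() if seen is None else seen
    users = set()
    for member in groups.get(group, ()):
        if member in groups:  # nested group: recurse once
            if member not in seen:
                seen.add(member)
                users |= effective_members(groups, member, seen)
        else:
            users.add(member)
    return users


def onprem_admins(groups=ONPREM_GROUPS):
    """Users with effective Tier-0 rights, directly or through nesting."""
    return set().union(*(effective_members(groups, g) for g in ONPREM_ADMIN_GROUPS))


def shadow_admins(groups=ONPREM_GROUPS):
    """Effective admins not listed directly in any named admin group."""
    direct = {m for g in ONPREM_ADMIN_GROUPS for m in groups.get(g, ()) if m not in groups}
    return onprem_admins(groups) - direct


def cloud_admins(cloud=CLOUD_USERS):
    """Identities holding at least one admin directory role in Azure AD."""
    return {u for u, a in cloud.items() if a["roles"] & CLOUD_ADMIN_ROLES}


def privilege_mismatch(groups=ONPREM_GROUPS, onprem=ONPREM_USERS, cloud=CLOUD_USERS):
    """Synced users with low on-prem privilege but an Azure AD admin role."""
    return {u for u in cloud_admins(cloud) if u in onprem} - onprem_admins(groups)


def cloud_only_admins(onprem=ONPREM_USERS, cloud=CLOUD_USERS):
    """Admin roles held by identities with no on-prem counterpart to govern."""
    return cloud_admins(cloud) - set(onprem)


def admins_without_mfa(cloud=CLOUD_USERS):
    """Admin roles that are not protected by MFA registration."""
    return {u for u in cloud_admins(cloud) if not cloud[u]["mfa"]}


def stale_accounts(onprem=ONPREM_USERS, today=date(2020, 12, 21), max_age_days=90):
    """Accounts with no logon in `max_age_days`: clean up before migrating them."""
    cutoff = today - timedelta(days=max_age_days)
    return {u for u, last in onprem.items() if last < cutoff}


def exposed_admin_credentials(cached=CACHED_CREDS, groups=ONPREM_GROUPS, cloud=CLOUD_USERS):
    """(host, account) pairs where an admin credential sits on a non-Tier-0 host."""
    admins = onprem_admins(groups) | cloud_admins(cloud)
    return {(h, a) for h, accts in cached.items() if h not in TIER0_HOSTS for a in accts & admins}


def report():
    """All findings in one place, keyed by check name."""
    return {
        "shadow_admins": shadow_admins(),
        "privilege_mismatch": privilege_mismatch(),
        "cloud_only_admins": cloud_only_admins(),
        "admins_without_mfa": admins_without_mfa(),
        "stale_accounts": stale_accounts(),
        "exposed_admin_credentials": exposed_admin_credentials(),
    }


if __name__ == "__main__":
    for finding, items in report().items():
        print(f"{finding}: {sorted(items)}")
```

The point of resolving nested membership rather than reading the admin group's member list is that a direct listing would show only alice; bob's effective Domain Admins rights via Tier0-Ops and Helpdesk-L3 are exactly what the page calls a shadow admin. Likewise, the credential check joins two inventories (who is privileged, where credentials are cached) because either one alone says nothing about pathways.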

The challenges described above are broad security problems that identity customers are looking to solve, and there are additional complexities in securing identities and privileged access that no single solution is likely to address. From an attacker’s perspective, the credentials and application connections created by the business are necessary, but in nearly every organization the rapid business growth and innovation driving digital transformation result in an ever-changing access footprint that can give attackers new pathways to high-value assets in hybrid cloud environments. It is worth noting how the attack campaigns prevalent in recent media, such as nation-state attacks and human-operated ransomware, take advantage of privileged identities to achieve their objectives. After successfully luring an employee with a phishing email containing malware, a human-operated attack that lands on an endpoint will quickly attempt to exploit Active Directory and identity hygiene issues to compromise privileged credentials and move laterally. Reducing the attack surface by decreasing the number of risky, accessible privileged identities is critical to slowing down or stopping these human-operated campaigns.

The work Illusive is beginning with Microsoft and Azure AD helps solve these problems through Attack Surface Management focused on reducing the risk of privileged identity exposure.

Identity Inventory

  • Identity discovery to find high-risk users and applications to address during migration
  • Discover, visualize, and remediate overprivileged Azure AD user and application identities
  • Application discovery for legacy identity accounts and apps that can’t be migrated
  • Discover applications whose stored credentials carry administrative-level access

Securing Identity Access Gaps and Policies

  • Identify accounts that lack privileged access management (PAM) control, and report which credentials should be migrated to a PAM solution
  • Monitor for identity policy violations and remediate them to stay compliant with MFA and other security policies
  • Detect insiders or adversaries attempting to leverage misconfigurations or policy gaps between on-prem Active Directory and Azure AD

Protecting Privileged Identities

  • Protect identities post-migration by placing deception credentials tailored to an organization’s environment
  • Provide visibility and risk insights into privileged identity attack surface exposure
  • Monitor privileged identities that access critical assets (databases, DevOps, cloud infrastructure, etc.) and ensure administrative credentials are not stored on inappropriate systems
  • Leverage Zero-Trust principles such as those offered by Microsoft

The Illusive product suite safeguards privileged identities in Azure Active Directory by identifying and eliminating pathways and credentials that attackers might leverage to move toward critical data stored there. This attack surface management for Azure AD reduces account takeovers, lowers the mean time to identify and remediate misconfigurations, increases early detection of nation-state adversaries and human-operated ransomware attackers, catches malicious insiders, and closes cloud security and attack surface visibility gaps.

Don’t let security worries slow your organization’s digital transformation; accelerate it with protection that gives you the visibility to stop attacker movement no matter where it is occurring in your Azure environment.

Learn more about how Illusive and Azure Active Directory can meet your security needs: