Illusive Blog May 19, 2022

The Identity Security Paradox: How Do You Protect Identities with IAM and PAM?

By Mark Jaffe

UPDATE 10/24/22: Gartner Report

According to the 20 October 2022 Gartner report Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response by Henrique Teixeira, Peter Firstbrook, Ant Allan and Rebecca Archambault, “Conventional identity and access management and security preventive controls are insufficient to protect identity systems from attack. To enhance cyberattack preparedness, security and risk management leaders must add ITDR capabilities to their security infrastructure.”

Enterprise Strategy Group joined Illusive on May 10 to discuss “The Identity Security Paradox,” which is that organizations can invest so much in identity management solutions, but remain vulnerable to so many identity risks. Highlighting recent reports from both organizations, Jack Poller presented ESG research: “Securing the Identity Perimeter with Defense in Depth,” Wade Lance presented Illusive’s “Analyzing Identity Risks” research, and I moderated the conversation.


Jack set the backdrop for the discussion by revealing a few key statistics from the ESG research. First, the management of identity has been evolving from an HR process of onboarding, to an IT operations process of enabling access to systems, and into an emerging security practice. These days, identity management is still an IT operations process about half the time.

But the fact is that identity is a security program. Ransomware attacks are easily exploiting vulnerable identities, such as cached credentials (more on that later). And as a result, identity is shifting to security. However, even as AD managers are reporting to the CISO, they are still focused on provisioning and enablement because they lack insight into security risks.

For example, Jack pointed out that only 41% of access is reevaluated on a time-based cadence. And even when privileges are evaluated, admins are rarely comfortable revoking them without understanding why it is a security risk.

A PAM without a Plan

ESG’s research also revealed that the shift to identity security is increasing, with 84% of organizations increasing their identity and access management (IAM) budget over the next 12 months relative to other cybersecurity solutions. Of those organizations increasing their IAM budget, 19% indicated privileged access management (PAM) solutions would be their most significant investment. In fact, 90% of organizations said PAM was a top five control, but only 4% said PAM is the most effective IAM solution.

ESG research reveals a gaping void in PAM effectiveness

In fact, according to Illusive’s research, the reality is that 87% of local admins are not enrolled in a PAM solution. Jack and Wade discussed a number of scenarios that result in these unmanaged admins, such as a local admin immediately creating a second local admin account as a back-up (and who among us hasn’t done this?).

The most cited use cases for PAM include monitoring, auditing, and reporting (58%) and automated discovery, orchestration, and management (39%). Yet most PAM solutions lack any sort of sophisticated discovery capabilities, typically limited to a single scan of the directory structure.

Cached Credentials Rule Everything Around Me

Nowhere is this more evident than with cached credentials: the theft of credentials from system memory is the most commonly cited attack. Illusive’s research really drives this point home: we have discovered cached credentials on 13% of endpoints!

The other side of the “Identity Security Paradox” is that organizations are investing so much into solutions for the rarest of attacks (i.e., zero-days). And when it comes to identity security, attackers have great tool sets (e.g., Mimikatz), while defenders have historically struggled to find a solution.

A Lapsus$ attack targeted vulnerable identities every step of the way

For example, after a recent Lapsus$ attack, Sitel claimed that “there are no Indicators of Compromise (IoC) and there is still no evidence of malware, ransomware, or endpoint corruption.” Of course, what that really means is that there were gaps in IAM and PAM solutions (or their deployments) that left Sitel without visibility into the threat. For all the love that so-called “AI” solutions get for their behavioral analysis, it is pretty tricky to detect privileged access identity threats because legitimate users need privileges to do their job.

Stay a Step Ahead of Identity Risks with Illusive

Finally, Jack wrapped up the conversation with the common wisdom, “you can’t protect what you don’t know about.” The fact is that traditional IAM and PAM deployments can still leave organizations in the dark about cached credentials, service accounts, legacy applications, shadow admins, and so forth.

On the bright side, Illusive Spotlight™ is enabling organizations to illuminate these identity risks and to automatically remediate them (i.e., removing cached credentials from endpoints). And for identity risks that can’t be remediated, Illusive Shadow™ provides compensating controls that leave deceptive credentials on privileged hosts, delivering high-fidelity detection.

Watch the “Identity Security Paradox” Webinar On-Demand

Read ESG research: “Securing the Identity Perimeter with Defense in Depth”

Read Illusive research: Analyzing Identity Risks