How CISOs enable an ITDR approach through the principle of least privilege
Somewhere, right now, a CISO is in a boardroom making their best case for stronger identity threat detection and response (ITDR) initiatives to lower the risk of intrusion.
For a good reason, too: Look no further than the Change Healthcare breach, where the BlackCat gang allegedly used stolen credentials to gain access to company systems to deploy ransomware. And Change Healthcare isn’t an isolated incident; it’s part of a growing trend. The 2024 Verizon Data Breach Investigations Report noted that 77% of web application attacks resulted from stolen credentials.
Identity security is a top priority for CISOs across every vertical. To address this challenge, security leaders are investing time and resources into bolstering their ITDR strategies.
At the core of effective ITDR is the principle of least privilege, which scrutinizes who has access to systems and assets and for how long. Let’s take a closer look at what comprises an ITDR approach and the basics of least privilege, then explore how least privilege enables CISOs to implement and manage successful ITDR strategies.
The relationship between ITDR and least privilege
The ITDR approach is holistic in nature, taking a complete view of how attackers compromise accounts and identities. ITDR begins with gathering data from sources like identity and access management (IAM) systems, security information and event management (SIEM) systems, and user access management (UAM) tools to determine a baseline for identity activity.
ITDR also incorporates various techniques for identifying suspicious activity, such as anomaly detection, risk scoring and monitoring of threat intelligence feeds. If a threat is identified, a deeper analysis is conducted to determine its legitimacy or severity.
Next, an effective ITDR approach dictates the appropriate automated or manual response to the threat as quickly as possible.
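The three ITDR stages just described (baseline from identity sources, anomaly detection with risk scoring, then an automated or manual response) can be shown end to end in a small script. The following is an added example written for this article, not code from the original piece or from any ITDR product; the event fields, the work-hours window, the score weights and the response thresholds are all constructed assumptions, and the log records are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of historical identity events, shaped like records pulled
# from IAM or SIEM sources. Users, devices and timestamps are invented.
HISTORY = [
    {"user": "alice", "ts": "2024-05-01T09:12:00", "country": "US", "device": "laptop-a1", "action": "login"},
    {"user": "alice", "ts": "2024-05-02T10:03:00", "country": "US", "device": "laptop-a1", "action": "login"},
    {"user": "alice", "ts": "2024-05-03T08:45:00", "country": "US", "device": "laptop-a1", "action": "read_report"},
    {"user": "bob",   "ts": "2024-05-01T14:20:00", "country": "DE", "device": "laptop-b7", "action": "login"},
    {"user": "bob",   "ts": "2024-05-02T15:40:00", "country": "DE", "device": "laptop-b7", "action": "grant_role"},
]

WORK_HOURS = range(7, 20)  # 07:00-19:59 treated as normal hours (assumption)
PRIVILEGED_ACTIONS = {"grant_role", "reset_password", "disable_mfa"}

# Score weights per deviation from the baseline (constructed for the example).
WEIGHTS = {
    "new country": 40,
    "new device": 25,
    "off-hours": 15,
    "first-time privileged action": 30,
}


def build_baseline(events):
    """Stage 1: per-user profile of countries, devices, hours and actions seen so far."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set(), "actions": set()})
    for e in events:
        profile = baseline[e["user"]]
        profile["countries"].add(e["country"])
        profile["devices"].add(e["device"])
        profile["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        profile["actions"].add(e["action"])
    return baseline


def score_event(event, baseline):
    """Stage 2: additive risk score; returns (score, list of reasons)."""
    profile = baseline.get(event["user"])
    if profile is None:
        # An identity with no history at all is the riskiest case for a baseline model.
        return 100, ["unknown identity"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("new country")
    if event["device"] not in profile["devices"]:
        reasons.append("new device")
    if datetime.fromisoformat(event["ts"]).hour not in WORK_HOURS:
        reasons.append("off-hours")
    if event["action"] in PRIVILEGED_ACTIONS and event["action"] not in profile["actions"]:
        reasons.append("first-time privileged action")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(event, baseline):
    """Stage 3: map the score to an automated or manual response (thresholds assumed)."""
    score, reasons = score_event(event, baseline)
    if score >= 80:
        response = "auto: revoke sessions and require re-authentication"
    elif score >= 40:
        response = "manual: analyst review"
    else:
        response = "allow"
    return {"user": event["user"], "score": score, "reasons": reasons, "response": response}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    suspicious = {"user": "alice", "ts": "2024-05-10T03:15:00", "country": "BR",
                  "device": "phone-x9", "action": "grant_role"}
    print(triage(suspicious, base))
```

The baseline here is a set of observed values per user; a production ITDR pipeline would use a larger history window and weight deviations by frequency, but the decision flow (profile, score, respond) is the same.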
The principle of least privilege makes threat response a much easier proposition for security teams by shrinking the attack surface dramatically. This is because least privilege requires the removal of all unnecessary user access: Access is limited to only what an employee needs to do their job, and only for as long as they need it.
A drastically reduced attack surface and more limited privileges for existing accounts allow security teams to more quickly and accurately assess and respond to threats as they occur. In short, least privilege makes successful ITDR possible.
The basics of least privilege
Organizations have traditionally over-permissioned users, giving them access to many more assets and systems than they typically need. The rationale behind this? The (reasonable) desire to ensure that employees are productive and have access to whatever they might need at any point.
But while handing over all the keys to the castle seems convenient, it is a CISO’s worst nightmare in an environment where attackers ruthlessly seek out identity vulnerabilities.
Least privilege must start by addressing dormant users, including former employee or contractor accounts, abandoned service accounts, seasonal or project-specific accounts, and inactive privileged accounts.
After reducing the number of accounts to the bare minimum, you can get granular and scrutinize the access privileges of the remaining accounts. Determining who gets access to what starts with determining various access controls:
- Context-based access control (CBAC): Considers location, time, device type and user behavior to determine whether to grant access to a resource.
- Attribute-based access control (ABAC): Grants access based on user attributes, such as department or location, and creates relationships between roles and groups.
- Role-based access control (RBAC): Considers a user’s role in determining resource access.
It’s important to note that each of these controls varies in the amount of access provided. As such, ABAC and RBAC should be limited, but systems should be in place to grant these controls on a time-bound basis when necessary. Also, privileged users with elevated access should be closely monitored to ensure that their credentials aren’t exploited.
Another critical aspect of least privilege is how long users are given access. Just-in-time (JIT) access ensures that users receive access only when needed and for the minimum duration necessary. Session management is essential to enforcing JIT access, as it requires session timeouts and automatic logouts for idle users. This minimizes the potential damage if an attacker gains access to an active session.
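The least-privilege steps above (retire dormant accounts first, then gate the remaining accounts with RBAC, ABAC and context checks, with elevated roles granted just-in-time and idle sessions cut off) can be modelled as one small authorization path. The code below is an added example written for this article and is not the article's own code or any vendor's implementation; the 90-day dormancy threshold, the 15-minute idle timeout, the role table, the allowed-country list and the account inventory are all constructed assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1, 12, 0)  # fixed "current time" so the example is deterministic

# Constructed identity inventory shaped like an IAM export; every value is invented.
ACCOUNTS = [
    {"id": "alice",     "type": "user",    "status": "active",     "last_login": "2024-05-30T09:00:00"},
    {"id": "j.doe",     "type": "user",    "status": "terminated", "last_login": "2024-01-10T17:00:00"},
    {"id": "svc-build", "type": "service", "status": "active",     "last_login": "2023-11-02T03:00:00"},
    {"id": "summer23",  "type": "user",    "status": "active",     "last_login": "2023-09-01T10:00:00"},
    {"id": "bob",       "type": "user",    "status": "active",     "last_login": "2024-05-31T14:00:00"},
]

DORMANT_AFTER = timedelta(days=90)        # assumed dormancy threshold
IDLE_TIMEOUT = timedelta(minutes=15)      # assumed session idle limit
ALLOWED_COUNTRIES = {"US", "DE"}          # assumed CBAC location policy

# RBAC: static permissions per role (constructed).
ROLE_PERMISSIONS = {"analyst": {"read_report"}, "admin": {"read_report", "grant_role"}}

# JIT grants: (user, role) -> expiry. The elevated role exists only until expiry.
JIT_GRANTS = {("alice", "admin"): NOW + timedelta(hours=1)}


def find_dormant(accounts, now=NOW):
    """Step 1: accounts to disable first: terminated owners or no sign-in for 90+ days."""
    dormant = []
    for a in accounts:
        idle = now - datetime.fromisoformat(a["last_login"])
        if a["status"] == "terminated" or idle >= DORMANT_AFTER:
            dormant.append(a["id"])
    return dormant


def effective_roles(user, base_roles, now=NOW):
    """Base roles plus any JIT grant that has not yet expired."""
    roles = set(base_roles.get(user, ()))
    for (grantee, role), expiry in JIT_GRANTS.items():
        if grantee == user and now < expiry:
            roles.add(role)
    return roles


def authorize(request, base_roles, now=NOW):
    """Step 2: layered decision. Returns (allowed, reason); the first failing layer wins."""
    roles = effective_roles(request["user"], base_roles, now)
    # RBAC: some held role must permit the action.
    if not any(request["action"] in ROLE_PERMISSIONS.get(r, set()) for r in roles):
        return False, "rbac: no role permits action"
    # ABAC: a department-tagged resource is visible only to that department.
    if request["resource_dept"] != request["user_dept"]:
        return False, "abac: department mismatch"
    # CBAC: device posture and location.
    if not request["managed_device"]:
        return False, "cbac: unmanaged device"
    if request["country"] not in ALLOWED_COUNTRIES:
        return False, "cbac: location not allowed"
    # Session management: an idle session must re-authenticate before acting.
    if now - datetime.fromisoformat(request["last_activity"]) > IDLE_TIMEOUT:
        return False, "session: idle timeout exceeded, re-authenticate"
    return True, "allowed"


if __name__ == "__main__":
    print("disable first:", find_dormant(ACCOUNTS))
    req = {"user": "alice", "action": "grant_role", "user_dept": "finance", "resource_dept": "finance",
           "managed_device": True, "country": "US", "last_activity": "2024-06-01T11:55:00"}
    print(authorize(req, {"alice": ["analyst"]}))                                 # JIT admin still valid
    print(authorize(req, {"alice": ["analyst"]}, now=NOW + timedelta(hours=2)))   # JIT grant expired
```

Ordering the layers cheapest-first (role lookup before context evaluation) is a convenience; what matters for least privilege is that every layer must pass and that the JIT grant and idle timeout are evaluated against the current time on every request, not only at login.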
Why least privilege is essential for ITDR
Stripping down accounts and access sets the foundation for a successful ITDR implementation. As a result, a company’s identity and access security posture is strengthened in several ways:
- Reduced attack surface and blast radius: With fewer access points and limited permissions, companies reduce the risk of both intentional and accidental breaches. Attackers have fewer opportunities to exploit vulnerabilities within a network, and the risk of employees accidentally exposing accessed data drops.
- Enhanced detection: Least privilege simplifies user activity monitoring, a crucial element of ITDR. With clear boundaries around user access, anomalous behavior becomes easier to identify. Imagine fewer doors in a secure building. Any unauthorized entry becomes immediately apparent.
- Mitigated privilege escalation: One of the most common attacks involves exploiting a low-level account and then moving within the network to access more sensitive data. Least privilege significantly reduces the potential damage from such attacks. Even if an attacker compromises a low-level account, their ability to move laterally and access critical systems is restricted.
- Improved compliance: Many regulations mandate strict access controls. Least privilege aligns perfectly with compliance requirements for data privacy and security. Implementing a least privilege approach can demonstrate a proactive stance towards data protection.
CISOs can’t put an end to all data breaches, but those who implement a least privilege approach make attacks a lot more difficult. By shrinking access to its most manageable level, CISOs employing ITDR strategies will ensure their teams are well-positioned to reduce the risk of breaches.