MixModes Approach to Combating The Growing Threat of Identity-Based Attacks on Enterprise Organizations

In today’s interconnected digital landscape, enterprise organizations are increasingly vulnerable to identity-based threats. According to recent studies, over 80% of data breaches are attributed to compromised credentials, highlighting the critical need for robust identity threat detection solutions. Despite the implementation of various security measures, current solutions are failing to adequately address the evolving nature of identity-based attacks, leaving organizations exposed to significant risks. 

Gartner Emerging Tech Wave: Security

In its Emerging Tech Wave: Security report, Gartner highlights the growing importance of identity threat detection and response (ITDR) in the face of evolving cybersecurity threats. As organizations adopt decentralized architectures and rely increasingly on digital identities, ITDR becomes a critical component of their cybersecurity posture.

Gartner defines ITDR as a collection of tools, processes, and technologies that enable organizations to proactively detect, investigate, and respond to threats targeting identities and access privileges. These threats can range from phishing and credential stuffing attacks to account takeovers and privilege escalation.

The report underscores the need for organizations to move beyond traditional identity and access management (IAM) solutions and adopt comprehensive ITDR strategies. Traditional IAM solutions primarily focus on preventing unauthorized access to systems and resources, but they often fall short in detecting and responding to sophisticated attacks that target identities.

Gartner Key Trends

Gartner identifies several key trends driving the adoption of ITDR:

1. Decentralized Architectures: The shift towards cloud computing, microservices, and API-driven architectures has created a more distributed and interconnected IT environment. This makes it difficult to manage and protect identities across disparate systems and networks.

2. Expanded Attack Surfaces: The growing adoption of IoT devices, mobile devices, and social media has expanded the attack surface for identity-based threats. Attackers can exploit vulnerabilities in these devices and platforms to gain unauthorized access to systems and data.

3. Evolving Attack Methods: Attackers are becoming increasingly sophisticated in their methods, using techniques like social engineering, artificial intelligence, and machine learning to bypass traditional security controls.

Current Solutions and Their Failings

Download the EBook

Enterprise organizations typically rely on traditional identity and access management (IAM) solutions to safeguard their digital assets. However, these solutions often fall short in several key areas. One of the primary failings of current IAM systems is their reliance on static credentials such as usernames and passwords. These credentials are susceptible to phishing attacks, brute force attempts, and credential stuffing, leading to unauthorized access and data breaches.

Moreover, traditional IAM solutions struggle to provide comprehensive visibility and control over user access across complex hybrid IT environments. As organizations embrace cloud services, mobile devices, and remote work, the traditional perimeter-based security model becomes increasingly ineffective. This lack of visibility creates blind spots that can be exploited by threat actors seeking to compromise user identities and gain unauthorized access to sensitive resources.

Another critical failing of current identity threat detection solutions is their limited ability to detect insider threats. Malicious insiders or compromised accounts within an organization pose a significant risk, yet traditional IAM systems often lack the behavioral analytics and anomaly detection capabilities necessary to identify and mitigate such threats effectively.

The Need for Enhanced Threat Detection

Research shows that 75% of organizations that forward identity management source logs to their SIEM do not use them for any detection use cases. This is further supported when reviewing Okta’s integrations with Sumo Logic & Splunk, which are based, in large part, on providing basic visibility & record count dashboards. The challenge is that visibility dashboards do not call out any specific actions for the security analysts. 

Going further, where these SIEMs do have any type of “alerting” functionality supported, it is based on rules or threshold logic. The challenge with this methodology is the difficulty writing a rule that can take into account the variety of employee profiles that every organization has? (spoiler alert… you really can’t) 

The user experience, for a security analyst, is the need to decipher graphs and charts to determine what to investigate or wade through a list of “alerts” that are noisy and full of false positives. This is frustrating and susceptible to human error.

MixModes Approach to Identity Threat Detection and Response

MixMode approached this challenge differently. We built our use cases around providing actionable insights based on our patented generative model AI, which does not require any rules or thresholds and will develop an understanding of the organization’s user activities across 3 dimensions: (aggregate user activities, user application access & user login geo location). 

The MixMode platform supports these analytics with the following:

  1. Alerting based on the aforementioned 3 AI Operators.
  2. Dedicated contextual identity management dashboard to provide AI informed insights and details that combine log aggregations with AI risk scoring.
  3. Logging that supports querying for alert context, hunting and labeling. Some additional detail on the 3 AI Operator Use Cases.
  4. UI pivots from MixMode back to Okta’s Admin platform for quick remediation.

Looking at MixMode’s initial analytics set, what follows is a detailed description of AI applications and the associated use cases. Each of these insights is based on MixMode’s patented generative model process. There are no rules or thresholds applied. 

Active Users

This AI analytic looks at all user behaviors to develop an understanding of the normal distribution of user activities within an organization. Thereafter, the analytics will highlight time periods that deviate from that expected behavior with a focus on the specific users from that time period. This use case for this analytic is to provide a macro view of the customer environment and showcase significant deviations that might indicate a compromised credential or malicious insider.

User Login Geolocation

This AI analytic looks at user login from the perspective of location, time and frequency of occurrence (so-called impossible travel). By looking for successful logins from different geo-locations within a short amount of time, this analytic will alert the customer to potentially malicious activity.

User Application Access

This AI analytic looks at user application access activity to develop an understanding of what is normal and expected. While application access is provisioned within Okta, looking at normal access patterns can help provide early indication of malicious activity. The use case for this is that following initial access an attacker will oftentimes explore all of the applications the compromised account has access to. While a user may have access to dozens of published applications, they usually only access a small number of those apps regularly. This AI Operator will develop a generative model understanding of what applications users normally access and surface when there is a significant deviation from these behaviors.

To support these insights, The MixMode Platform provides a tailored user experience with alerts and supportive visualizations (in addition to raw log access). The dedicated Identity Management security dashboard provides one click access analytical insights and contextual information. Organized into AI Overview and Visibility sections, the user interface provides all of the details needed to monitor user behaviors, assess risks and take action. This solves the analyst problem of identifying what is important, what it means, and when to take action.

ITDR is not a one-time project but an ongoing process that requires continuous improvement and adaptation to evolving threats. Organizations should adopt a risk-based approach to ITDR, focusing on protecting their most critical assets and identities. The prevalence of identity-based threats poses a significant challenge to enterprise organizations, necessitating a paradigm shift in the approach to identity threat detection. 

Current solutions are failing to provide the level of protection required to mitigate the risks posed by evolving cyber threats. It is imperative that enterprise organizations prioritize the adoption of advanced identity threat detection solutions to mitigate the growing risks posed by identity-based threats and ensure a secure digital environment for their operations.

Reach out to learn more about how MixMode can help you defend against identity-based threats.

Other MixMode Articles You Might Like

Defense-in-Depth: A Comprehensive Approach to Modern Cybersecurity

MixMode Announces Quarterly Product Release That Enhances SOC Effectiveness and Puts Customers in the Driver’s Seat

Overcoming Cloud Security Challenges: The Power of Cloud-Native AI-Driven Solutions

Under Siege: Ransomware and Your Business

Ethan Caldwell, Chief Development Officer of MixMode, Joins Forbes Technology Council

Proactive Defense: The Importance of Analyzing User Identity Data in a Zero Trust Framework