Okay, so you’re a security leader at your enterprise – congratulations! It’s a big, challenging role, as you know too well. You or a colleague are likely responsible for securing the cloud and legacy apps that drive critical revenue and customer engagement for your organization. But it’s not just the apps you need to secure. There’s also increased executive scrutiny and interest in ensuring that the build, testing and deployment processes are secure and won’t cause unplanned outages. These are unquestionably big tasks. And you know which teams write and run those cloud apps: the cloud team, platform engineers, DevOps admins and developers.

Understanding Developer and Cloud Team

That’s right, developers, cloud engineers and DevOps admins, how well do you know these teams? How important is security to them? Maybe the question we are asking ourselves is, what do the broader development teams want? It’s fair to say that security will be, at best, one of multiple priorities for many of these teams and roles.

First, developers, cloud engineers and operations all need to access cloud resources and various dev tools to do their jobs, but how much access do they need, and which tools do they need to use vs. administer? Second, developers need to write code and build apps to get the features and capabilities required to market rapidly. And yes, they know their apps need to be secure, but there can be many cases where the development team can be pretty sure the code is secure. But is it really secure? Too often, it isn’t secure because of a lack of secure processes and tools, human error or a process skip.

As security leaders, how well do we understand what it takes to secure developers’ build environments, pipelines and access requirements? What about production environments? How confident are we that we can restrict access to tools, enforce security processes, for instance, and not impact productivity and operations?

Providing Transparent Security Without Burdening Cloud Teams

So, what should we do to ensure the security of dev and cloud environments? In most cases, a mandate from the security team isn’t viable, and even if it is, how well will mandated tools and processes be adopted? You know the answer. But how can we ensure security without burdening developers with new processes and tools? Ideally, we could let them access and use cloud resources and secure secrets using the tools they already use and transparently ensure the tools, access and development processes are secure. By achieving this, security requirements will not burden development teams, and security can ensure that apps and development processes are secure. Providing security while staying out of the way, or at least being minimally visible, helps accelerate acceptance from the development and cloud teams.

Educating Developers: Security As a Pain Reliever (Lessons from A Snowboarder’s Lost Powder Day)

However, developers can also experience much pain and additional work from a security failure. For example, when credentials were stolen from a popular code repository, CircleCI issued an advisory that all credentials should be rotated. With automated rotation, that’s relatively easy, but if the credentials are manually rotated, that’s days of work for developers.

I recently saw this firsthand – one of my snowboarding buddies and developer friend was alerted on the chairlift that his organization’s cloud credentials had been hardcoded and posted to a code repository. Fortunately, it appeared the credentials had not been stolen. His team removed and secured the hardcoded credential…. but didn’t rotate it. Duh, but he’s a developer, not a security person. The attacker got what they wanted with the original credential and stole their cloud resources – even when you delete versions in a code repository, the old versions are still there.

Sadly, my friend lost a powder day on the slopes (we don’t get many of those in New England), development slipped, and dev resources were wasted. It was a huge pain and embarrassment for him and his company – all because a credential was not rotated. The reality is, of course, that security incidents are always painful and never happen at convenient times.

Being Loved by Preventing Pain and Accelerating Development

If we can prevent dev teams from experiencing pain and have devs realize that security has their back, then security teams can be loved! The message to dev teams can be: Keep doing what you’re already doing, and we, security, will help keep you out of trouble! Or, even better, with automation tools, such as automated secrets onboarding from popular dev tools like Terraform, we (security) can help accelerate your development processes.

Now, that’s a win, and it puts security on track to be loved!

Taking a Holistic Approach to Security Avoids Impacting Agility

Let’s dive deeper into how we can deliver transparent security processes. Of course, we’ll need to take a broader perspective. While technology is a key enabler, it’s not just about technology; it’s also about people and processes. Developers want and expect to automate everything they do, so automated security processes are a key requirement.

And, when we talk to development leads, it’s clear they care a lot about security, and their collective voice echoes a common sentiment: “Security is non-negotiable, but it must not come at the cost of our agility and creativity.”

Achieving Transparent Security by Addressing People, Processes and Technology

Here are three essential requirements and challenges to consider (as you seek to be loved):

1. Technology. Let dev teams do what they are already doing without needing to change their workflows, processes or tools, or at least to keep any changes to a minimum. Make security transparent to the developer. For example, allow developers and cloud teams access to cloud resources through the cloud providers’ consoles that they are already using while giving the security teams precise, granular controls with zero standing privileges (ZSP)

If developers are already using Kubernetes Secrets or the cloud providers’ built-in (native) secrets vaults such as Azure Key Vault, AWS Secrets Manager or Google Secret Manager for securing their secrets – let developers keep using them while meeting corporate security mandates by transparently giving security teams a centralized view of all the secrets stores across the organization, providing and managing rotation and taking care of audit needs. This eliminates the need for dev teams to be concerned about secrets rotation or logging audit data. Instead, developers can access secrets from the native vaults just like they’ve done before.

While developers continue to access secrets from native vaults as they have always done, it is crucial to explore how centralized security measures can further enhance the protection of these secrets without disrupting existing workflows, as demonstrated in the ESG Showcase for AWS Applications.

2. People. A frequent, key challenge for security teams is working and aligning with the cloud teams. This critical step ensures that while security teams can offer transparent solutions for developers, they will often need to reconfigure access and other permissions to the cloud to deploy these technologies.

In our recently published technical community blog, “Secrets Hub Success: Engaging with Your Cloud Teams,” CyberArk’s professional services team outlines approaches for reaching out and making requests to the organization’s cloud team.

3. Process. Establishing secure automated build environments and processes is a balancing act – what can be done to ensure CI/CD build and development processes are secure without burdening developers? While automation and technology play significant roles, there are also process steps to improve security. For example, security can be strengthened, and any damage limited by approaches such as segmenting access to code bases, automating pipeline creation and forcing destruction after the build so that no credentials can be reused, forcing manual inspection of a pull or merge request by requiring MFA at critical build steps and of course severely restricting access to production environments.

Recognizing these challenges, the webinar titled “Software Development Environments in the Real World: Striking the Right Balance between Security and Innovation” offers insights into practical solutions. CyberArk development and R&D leaders draw upon research from the new book by O’Reilly Media and CyberArk, “Identity Security for Software Development: Building With Identity, Secrets and Credentials,” to address these concerns.

Collaborating with Dev and Cloud Teams – Don’t Force Technology

A holistic approach addressing technology, people and processes is essential to secure development environments and teams. No matter how good it may be, trying to force the latest security technology on dev and cloud teams risks frustration and lagging adoption. Instead, by taking a holistic approach, it is possible to be loved while securing developers’ access, CI/CD pipelines and code – and more “love” will help you drive higher levels of adoption of secure practices.

Partnering and Engaging – Key Approaches

Key elements that security teams have used to partner with development and cloud teams to establish secure build and development processes include:

• Engaging with developer leads and cloud teams to understand their needs and challenges and to build trust.
• Identifying and enabling security champions in the cloud and dev teams.
• Offering flexible security solutions that minimize changes to developer workflows.
• Providing automation solutions to help development teams maximize their efficiency.
• Working with DevOps admins and the platform engineering teams to build process steps that boost security without burdening teams and impacting productivity.
• Fostering a culture of shared responsibility for security. Highlighting potential burdens, such as rotation and audit, for which security is responsible.
• Continuously educating and updating teams on best security practices.

By taking these steps, we can ensure that security becomes a fundamental part of the development process. This will lead to more secure and efficient development processes for your organization, which benefits everyone involved. And maybe it even generates a little love for you and the security team.

Chris Smith is a director of product marketing at CyberArk.

Watching the recent Snowflake customer attacks unfold felt a bit like rewatching a horror movie with predictable attack sequences and missed opportunities to run to safety. But this time, the ending was far more devasting. More than 100 organizations were exposed, and many are now grappling with the impacts of data theft and extortion in what some are calling one of the largest breaches in history.

As I reflect on the widely publicized incident, I keep coming back to the data. Data is what your organization is built on, what sets you apart. How you secure (or fail to secure) your data can dictate your fate. Because threats don’t always knock directly on your door, increasingly, they reach into your tangled web of providers and partners to get to you. To protect your data – the lifeblood of your digital business – you’ve got to think bigger than your own organization. My top three takeaways from the Snowflake attacks reflect this reality.

1. Info stealers are everywhere – and can cause rippling damage. The ShinyHunters group recently claimed responsibility for the Snowflake campaign, alleging that they gained access to organizations’ Snowflake accounts with the help of info stealer malware and an unsuspecting third-party contactor. Snowflake has not publicly confirmed this claim. However, its incident response partners stated that “stolen credentials obtained from multiple info stealer malware infections on non-Snowflake-owned systems were the point of entry for the attacks.”

Info stealers – malware designed to steal sensitive information – are widely used in credential-based attacks because they’re cheap, readily available and don’t require much technical know-how. Threat actors banking on poor password practices can purchase logs stolen by info stealers to launch targeted attacks that can ripple across supply chains. In the case of Snowflake, they hit the jackpot. Investigators found that 80% of the accounts used in the campaign had prior credential exposure – and linked some credentials to infections back in 2020. If that doesn’t prompt organizations to beef up password policies for their employees and third-parties, what will?

2. MFA isn’t optional. Period. Many of these identity-based attacks compromised Snowflake user accounts because the accounts did not require multi-factor authentication (MFA).

Inadequately protected credentials are (still) low-hanging fruit for attackers. As the threat landscape continues to evolve rapidly, MFA is a critical identity security layer, not a “nice to have.” Unfortunately, too many organizations have learned this the hard way, with 25% making (or increasing) investments in MFA and high assurance after an identity-related breach.

Breaking this cycle must start with increased SaaS provider support and can succeed with consistent customer follow-through. Delivering secure solutions isn’t enough; critical SaaS vendors must also empower customers with the right controls and best practices to help them make sound security decisions. For example, SaaS customers should be able to mandate MFA for all user accounts, forgo SMS push notifications for more secure authentication methods to thwart MFA bypass attacks and utilize biometrics to limit the effects of info stealers. In turn, these customer organizations must implement these advanced security controls consistently to reduce the most risk possible.

3.  Default encryption keys jeopardize data security. Lax identity security practices reportedly ignited this recent firestorm of attacks, while data security missteps fanned the flames. Specifically, numerous organizations relied on default encryption keys to protect their data within Snowflake’s platform instead of bringing their own keys.

Bring your own key (BYOK) is a widely accepted best practice for preserving security and centralized control of encrypted data. With BYOK, the customer creates and manages their own encryption keys for the application’s underlying cloud infrastructure (e.g., AWS, Google Cloud or Microsoft Azure). This gives the customer greater control over who and what can access their data within the application, full ownership of the data lifecycle and the ability to revoke the SaaS provider’s access to the keys when required. If an attacker manages to compromise the SaaS provider – directly or indirectly – the customer’s data will remain encrypted and unintelligible.

Five Steps to Strengthen Data Security in an Interconnected World

A compromise on one party can lead to a compromise on all. Is your organization prepared for the fallout? In the wake of the Snowflake customer attacks, here are six recommendations for enhancing cyber resilience across your supply chain so you’re ready to face whatever comes next – wherever it comes from:

1. Raise the bar for credential theft. Today’s thriving info stealer market further proves that passwords are the weakest link in the security chain. Make a game plan to secure all employee credentials and enforce an enterprise-wide password policy if you haven’t already done so. Stay current on emerging tactics, techniques and procedures (TTPs) involving info stealer malware and incorporate this threat intelligence into regular cybersecurity training. It may also be a good time to explore how passkeys could help your organization eliminate passwords from authentication workflows.
2. Strengthen third-party authentication with PAM. Every cloud service provider, SaaS provider and third-party you bring into your digital ecosystem exponentially increases your risk. Your identity security strategy must account for them all. Implement phishing-resistant MFA for outside parties with access to your sensitive data and infrastructure. Mirror privileged access management (PAM) best practices established for internal purposes – such as storing privileged identities in a secure repository, isolating and monitoring sessions and provisioning just-in-time (JIT) access – to strengthen third-party authentication. Consider a vendor PAM solution that ties into your organization’s existing enterprise PAM solution to help improve efficiency and make it easier to apply policies consistently.
3. Bring your own key (BYOK). When evaluating cloud-based solutions – particularly those involving your sensitive information – make sure they support BYOK for data encryption. While BYOK isn’t completely fail-safe, it’s an additional security layer that could potentially halt a dangerous chain reaction through the digital supply chain.
4. Reduce complexity and gain visibility with SaaS security. Organizations are struggling to maintain visibility across disparate environments. This isn’t due to a lack of cybersecurity tools; 94% already use more than 10 identity-related vendors. Create a plan to consolidate your vendor stack (this may involve deprecating legacy systems) to the best tools for your environment. During this exercise, you may find that SaaS security is the right fit for your business. SaaS security offerings can help you centrally monitor business-critical SaaS programs and systems and gain full visibility on things like risky configurations and potential vulnerabilities. Armed with actionable insights, you can take the proper steps – in the right priority order – to decrease the attack surface.
5. Assess critical vendors regularly. The visibility gap extends deep into the digital ecosystem, where risk from third- and fourth-party providers is challenging to evaluate regularly. Instead of trying to do everything all at once, use a SaaS tool or establish a process to prioritize your most critical vendors – those who interact with your most sensitive data and assets. Then, establish a regular cadence for complete risk assessments and validation. Once a year is typically a good starting point.

An Incident Response Worth Rewatching

The Snowflake breach reminds us that no organization is immune to attacks while reinforcing the need for constant vigilance at both organizational and digital ecosystem levels. Throughout these difficult weeks, the Snowflake team acted swiftly and communicated transparently. I commend them for their response and the work they’re doing to advance customer cybersecurity protections. May their efforts help fuel a broader push toward security and resiliency standards for all critical SaaS vendors – for the benefit of all.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

Privileged access management (PAM) programs aim to secure the highest-risk access in an organization, including using privileged credentials like passwords, SSH keys and application secrets. So, how can PAM and identity security teams prepare for a passwordless future? The answer lies in a deeper examination of what ‘passwordless’ really means and how PAM programs are modernizing to protect new identities and environments.

While the concept of passwordless authentication is not new, meaningful adoption has only begun in recent years. Several forms of passwordless authentication are gaining traction, ranging from physical authentication factors like USB keys or biometrics to digital factors like QR codes, passkeys and SMS messages with one-time codes. Each method can help efficiently validate a user’s access, which is central to the concept of Zero Trust.

Yet despite the benefits of these authentication formats, passwordless will not replace the need to secure high-risk access – with or without passwords and credentials.

Let’s explore why.

Analyzing Passwordless Authentication Factors

Authentication factors enabling an enterprise identity to connect to a resource are generally divided into three categories:

1. Knowledge factors or something you know.
2. Possession factors or something you have
3. Inherence factors or something you are.

Passwordless methodologies shift the authentication paradigm away from known passwords, a knowledge factor, opting instead to validate access with possession factors (such as a Yubikey or Passkey) and inherence factors (such as biometrics). In many cases, passwordless paradigms don’t truly eliminate passwords but rather abstract the secret away from the end user – just as modern privileged session management capabilities do.

These possession and inherence factors can make user logins faster and more seamless, in alignment with widely trusted standards for passwordless access, such as the FIDO2 Web Authentication (WebAuthN) standard.

Abstracting Passwords Does Not Eliminate Risk

Passwordless authentication factors will certainly reduce risk – but they can still be compromised. For example, biohacking attacks can compromise biometric authentication, while physical theft of Yubikeys and other hardware authenticators negates those standards. Phishing-resistant passkeys are harder to steal than passwords, but attackers can still access a device’s passkey store and use valid passkeys to reach their objectives. Consistent with a Zero Trust mindset, organizations must ‘assume breach’ and realize no authentication factor is safe.

Insider threats will also remain a risk with passwordless authentication. Changing authentication factors to improve user experience does not negate the risk of bad actors inside an organization’s directory or trusted roster of third-party vendors. Simply put, eliminating passwords does not entirely reduce the risk of compromised access.

Organizations will always need defense-in-depth controls to mitigate these risks, even with passwordless authentication paradigms. Tried-and-true PAM concepts like least privilege access, session isolation, privileged session audit and Identity Threat Detection and Response (ITDR) remain essential lines of defense that reduce the risk of identity compromise and lateral movement.

Why We Can’t Fully Replace Passwords – Yet

Today, several operational considerations prevent the full adoption of passwordless authentication. Here are several:

Compatibility. Many systems in an organization will always require passwords by default. For example, every organizational laptop, server and networked device has a built-in local administrator password. These credentials are top targets in ransomware attacks, which generally require local admin rights to execute malware on an endpoint and spread. PAM programs aim to remove these credentials on workstations and manage them securely in a vault.

Security teams lack proven paradigms for replacing these local admin passwords with passwordless authentication factors. The same is true of service accounts and other machine identities, most of which use secrets to authenticate machine-to-machine communications.

Shared account complexity. To reduce their attack surface or satisfy audit requirements, many organizations aim to reduce the number of accounts with access to their most sensitive resources. A common strategy is consolidating on a small number of highly privileged accounts shared by multiple IT and Cloud Ops users. Modern PAM programs then apply several layers of controls to secure these shared accounts. Since these accounts are shared between users, they generally rely on shared knowledge and require knowledge-based authentication factors like credentials.

Modern PAM programs aim to reduce the number of credentials and prevent their exposure to the end user, often obscuring them. In other words, ‘fewer passwords’ is as important as ‘passwordless’ authentication.

In cloud environments where federated access models are popular, some modern PAM programs also reduce password risk by embracing a zero standing privileges (ZSP) approach, creating and deleting entitlements for each privileged session. But even in cloud environments, every organization requires some level of shared privileged access, as the root and registration accounts required to set up a cloud environment can never be decommissioned. These root account credentials will always exist and must be secured with intelligent privilege controls.

Regulatory compliance. Auditors assessing an organization’s cybersecurity compliance with essential regulatory standards often look for defense-in-depth identity security. Some regulations require the use of passwords and careful controls on those passwords, such as implementing least privilege, multi-factor authentication (MFA), policy-based credential rotation and thorough audit visibility of password usage. Eliminating passwords outright can complicate and delay audit processes, ultimately impeding operations.

Backup Access. In emergency situations, passwords serve as a reliable fallback authentication method when passwordless options fail, ensuring users can access their accounts. In fact, many passwordless solutions even rely on credentials (or keys) on the backend. Since keys can be valuable targets for attackers, PAM programs must apply several layers of controls to secure them.

Expectations vs. Reality: Evaluating Passwordless Claims from Security Vendors

Many security vendors – including CyberArk – have smartly introduced passwordless authentication for users accessing their own platforms. However, despite bold claims from some vendors, these technologies cannot replace all passwords, SSH keys and application secrets today.

Identity security leaders are focusing on reducing the core problem – compromised credentials – with modern access models that reduce the number of passwords in play, such as just-in-time (JIT) access. Some technologies create ephemeral accounts and certificates that are not exposed to the end user. Other vendors use agent-based elevation on specific servers, though in this case, the servers still have built-in passwords that must be securely managed.

For these reasons, it’s essential to carefully evaluate claims that any security vendor can deliver a state of passwordless nirvana. The reality is that for the foreseeable future, nearly all organizations will rely on a wide variety of human and machine identities that need passwords to authenticate, making it essential to take a defense-in-depth approach to identity security.

Five Intelligent Privilege Controls for A Passwordless World

Even if we eventually succeed in removing the need for password-based access, heightened controls will still be needed on the highest-risk privileged access. Here are several:

1. Least privilege access. By reducing permissions for identities that authenticate without passwords, organizations can reduce lateral and vertical movement and limit a breach’s ‘blast radius.’ Least privilege is an essential element for a Zero Trust identity security strategy.

2. Session isolation. A passwordless world would still be plagued by ransomware and other forms of malware. Using proxy servers and bastion hosts to isolate highly privileged sessions helps prevent malware-compromised devices from reaching enterprise resources.

3. Session audit and screen recording. Regardless of how compliance requirements may evolve beyond passwords, organizations will need to review high-risk user activity and investigate potential incidents. To maximize the efficiency of audits, organizations will need a central review of end user sessions across long-lived systems, cloud workloads and services and web apps.

4. ITDR. Although proactive efforts are being made to reduce passwords, security teams will still need to detect malicious or anomalous behavior that could signal in-progress attacks – especially on their identity infrastructure. ITDR capabilities from leading identity security vendors can use AI and machine learning to detect known indicators of malicious access while flagging incidents to the security operations center (SOC) for automatic response and remediation.

5. Access with zero standing privileges. Even without passwords, organizations must reduce post-authentication risk. Organizations can reduce the blast radius of an attack by removing standing privileges and instead creating and deleting specific entitlements for specific users and sessions. A true ZSP posture requires that permissions are created and assigned on the fly and removed after use, with granular control of crucial TEA (time/duration, entitlements, approval) settings.

Interested in learning more about how modern PAM programs secure IT, third-party and cloud operations teams? Register for our upcoming webinar.

Sam Flaster is a director of product marketing at CyberArk.

Every organization is different, with its own unique needs, challenges and goals. That means that IT solutions, and especially IT security, must be complex tools that are highly configurable and adaptable to various scenarios. IT security solutions must be flexible and robust enough to handle many situations. They must support complex organizational structures, geographical dispersion, local law implications, vast and diverse technology stacks, multiple platforms, services and applications, a spectrum of threat models or different levels of resources.

Identity security is no exception, as it deals with one of the most critical aspects of any organization: the identities and access rights of its users and devices. However, identity security is not only a complex and flexible tool but also a vital and urgent one. The traditional perimeter-based security model is no longer sufficient in the era of cloud computing, remote work and mobile devices. Users and devices can access sensitive data and resources from anywhere, anytime and on any platform. This means that the identity and access management (IAM) policies and practices must be more granular, dynamic and context-aware, considering factors such as location, device type, network, behavior and risk level.

Moreover, identity security has to cope with the growing sophistication and frequency of cyberattacks, especially those that target user credentials and access rights. According to Verizon’s 2024 Data Breach Investigations Report (DBIR), 76% of all breaches (Nov. 2022 through Oct. 2023) included the human element, with people involved through privilege misuse, use of stolen credentials, social engineering – or error. Three of these methods are directly linked to users’ identities. Attackers increasingly use phishing, credential stuffing, password spraying and brute force to gain unauthorized access to organizations’ assets and data. Today, they don’t hack in; they log in.

Therefore, identity security must detect and prevent such attacks using security-first access management, intelligent privilege controls and flexible identity governance and administration (IGA). However, the intricacies of configurations, interoperability and the need for a seamless identity security fabric raise the bar and demand a high level of expertise and experience from the defenders. Implementing identity security to secure your organization is a challenging task, and it has many pitfalls and nuances that can make or break your security posture.

Implementing identity security can seem as daunting as learning to drive a stick shift in a world where automatic transmissions are the norm. However, just as mastering a manual transmission can offer a driver more control and a better feel for the car, embracing the complexities of identity security can provide organizations with a more robust and nuanced defense against cyberthreats.

Avoiding the Pitfall of Oversimplified Identity Security Solutions

One might be tempted to look for a quick and easy way out of this daunting challenge. Instead of investing in a comprehensive and sophisticated identity security solution that can handle the complexity and diversity of today’s IT environments, one might opt for a patchwork of more straightforward and cheaper solutions that cover only basic use cases and don’t require much customization or integration. This might seem like a smart and cost-effective approach, but it comes with a high price: security gaps and vulnerabilities.

By relying on multiple disjointed solutions that don’t communicate or coordinate with each other, one creates a siloed and inconsistent security posture that leaves many blind spots and weak points for attackers to exploit. Moreover, one exposes the organization to unnecessary and avoidable threats by settling for simplistic solutions that don’t offer the granularity and flexibility needed to adapt to the changing context and risk level. For example, an endpoint least privilege solution that doesn’t support adaptive multi-factor authentication (MFA) might allow an attacker to wait for the right moment to bypass the login process with stolen or weak credentials.

A solution that doesn’t manage privileged access or lacks flexible IGA will undoubtedly have overprivileged users and an uncontrolled attack surface, failing to combat insider threats or lateral movement. A solution that doesn’t enable security-first access management or intelligent privilege controls might fail to detect and prevent anomalous or malicious behavior, such as accessing sensitive data from an unusual location or device.

Returning to my earlier analogy – navigating the complex landscape of identity security is akin to driving a high-performance vehicle on a racetrack: it requires precision, adaptability and the right tools for the job. Just as a race car driver wouldn’t rely on an automatic transmission for the nuanced control needed on the track, security teams need sophisticated identity security solutions that offer granular control and can adapt to the ever-changing threat environment.

An automatic transmission is great for a grocery run but won’t get you far on a racetrack.

Applying Frameworks to Overcome Identity Security Complexity

A much better and more strategic way to overcome the steep learning curve and resource requirement issue with comprehensive enterprise-grade solutions is to rely on built-in frameworks and templates that provide guidance and best practices for implementing a robust and comprehensive identity security solution. One example is default policies that can be easily activated and instantly improve security posture. These policies can cover common scenarios and use cases, such as password management, least privilege enforcement, access control and session monitoring. Implementing these policies can help avoid the hassle and complexity of creating them from scratch while benefiting from their protection and compliance. Better yet, built-in frameworks help hit the ground running and allow for the continuous evolution of security measures.

Such intuitive frameworks support a seamless transition to role-based least privilege policy development, accommodating the organization’s unique pace and needs. These built-in frameworks and templates are essential tools, simplifying the identity security journey while ensuring high-quality and effective outcomes. Although the intricacies of identity security are complex, the tools to implement it do not have to be.

Embracing the shift toward a more secure digital environment, CyberArk’s QuickStart framework offers a streamlined approach to identity security that now extends to macOS users. Read our comprehensive whitepaper to learn about QuickStart, a rapid risk reduction and least privilege framework available in CyberArk Endpoint Privilege Manager. The framework can help reduce the attack surface on endpoints and servers and lay the foundation for role-based least privilege policies in just a couple of clicks.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

Imagine standing in your favorite ice cream parlor, gazing at myriad flavors chilling behind the counter. The choices are tantalizing, from traditional vanilla and chocolate to a swirl of the two. Ice cream flavors have evolved from these bases into cookies and cream, mint chocolate chip, Neapolitan, birthday cake, Rocky Road, butter pecan and coffee – you get the picture.

Ice cream is a lot like privileged access management (PAM) solutions. Both rely on foundational elements: vaulting and rotating credentials, isolating high-risk sessions and auditing actions taken with privileged accounts. These controls, like vanilla and chocolate, are essential for a successful, scalable PAM program.

But what happens when the basics no longer suffice?

Just as ice cream comes in multiple flavors, building a PAM solution that fits your organization’s needs can help reduce the attack surface as your ecosystem expands.

Scooping the Basics: PAM’s Fundamental Flavors

In the world of ice cream, as in PAM, the classics serve as the cornerstone for creativity. Vanilla, chocolate and swirl are not just timeless favorites; they are the essential foundations upon which all other flavors are built. Similarly, in any PAM practice, the basics of vaulting credentials, rotating them regularly and isolating and monitoring privileged sessions are the bedrock upon which a secure and scalable program is constructed. Let’s scoop into the details:

• Password Vaulting: It’s a classic favorite, like vanilla ice cream. It ensures that privileged account credentials are securely stored and managed, preventing unauthorized access and reducing the risk of credential theft.
• Credential Rotation: Chocolate ice cream and credential rotation are timeless. Regularly changing privileged account passwords mitigates risks associated with compromised credentials.
• Session Monitoring and Isolation: Combining vanilla and chocolate into a swirl, session monitoring and isolation provide visibility into privileged sessions, allowing organizations to monitor activities and isolate risky or unauthorized actions.

These foundational privilege controls are crucial but are just the beginning of a holistic PAM solution. Just as chocolate and vanilla can be enjoyed on their own, these basics lay the groundwork for modernizing a PAM strategy with additional “flavors.”

The diagram below represents how foundational and modern PAM controls come together to optimize privilege controls beyond built-in, vaulted credentials.

Sprinkling in Innovation: PAM’s Modern Flavors

Just as the classic flavors of vanilla, chocolate and swirl lay the groundwork for an endless variety of ice cream experiences, the foundational components of PAM – password vaulting, credential rotation and session monitoring – set the stage for a more sophisticated suite of security features. As we delve into the modern PAM flavors, we’ll discover how these essential elements evolve to meet the complex demands of today’s threat landscape. These flavors (aka components) are:

• Expanded Scope and New-Environment Coverage (Cookies and Cream): Like cookies and cream adds texture and complexity to vanilla, modern PAM solutions secure access not only to traditional systems but also to cloud workloads, DevOps tools, robotic process automation (RPA) and internet of things (IoT) devices.
• Modern Session Management and Monitoring (Cookie Dough): Advanced session management and monitoring features, akin to cookie dough ice cream, take privileged access visibility to new heights with keystroke logging, video recording and real time session monitoring.
• Robust Risk Analytics and Reporting (Rocky Road): Like Rocky Road, which combines chocolate, marshmallows and nuts for complexity, modern PAM solutions offer robust risk analytics and reporting capabilities, analyzing user behavior and detecting potential threats.
• Seamless Integration and Automation (Mint Chocolate Chip): Mint chocolate chip blends refreshing mint with decadent chocolate chips. Similarly, seamless integration and automation features in PAM solutions streamline operations and reduce human error by integrating with other security tools.
• Support for DevOps and Agile Methodologies (Strawberry Cheesecake): Just as strawberry cheesecake combines unique flavors, modern PAM solutions support DevOps and agile methodologies with features like just-in-time (JIT) access provisioning and automated secrets management.
• Scalability and Flexibility (Neapolitan): Neapolitan ice cream offers three flavors in one package. Modern PAM programs provide scalability and flexibility, supporting large-scale deployments and hybrid and multi-cloud environments.

A modern PAM program combines foundational aspects with modernized features, holistically reducing risk and managing privileged access. Like ice cream, PAM is versatile and should be integrated into various security strategies.

The PAM Sundae: A Staple Security Treat

As we layer our PAM Sundae with a variety of security measures, let’s explore the key components that make up this complete treat. Each element not only adds its own unique flavor but also enhances the overall protection, just like the perfect blend of toppings on a sundae. Here’s a taste of what makes our PAM strategy so satisfying:

• Securing Developers (Apple Pie à la Mode): Just as Apple Pie à la mode elevates a classic dessert, PAM solutions secure developer access to critical systems, managing secrets and integrating with DevOps tools.
• Secrets Management (Milkshake): A milkshake becomes indulgent with ice cream, just as modern PAM programs enhance security with robust secrets management for API keys, database credentials and encryption keys.
• Remote Access Management (Affogato): An affogato combines hot espresso and ice cream. Similarly, modern PAM solutions provide secure remote access for contractors and third-party users, enforcing least-privilege principles.
• Machine Identity Management (Banana Split): Like a banana split combines multiple flavors and toppings, machine identity management in PAM secures public key infrastructure, server certificates, SSH keys and other non-human credentials.
• Endpoint Privilege Management (Baked Alaska): Baked Alaska combines sponge cake and ice cream in a meringue shell. Endpoint privilege management in PAM controls administrative rights and applications while enforcing least privilege policies on endpoints.
• Workforce Identity Management (Ice Cream Sandwich): Ice cream sandwiches are convenient and delicious. PAM solutions integrate with workforce identity management to secure access for employees, contractors and third-party users to ensure security for all identities inside and outside of the organization.

PAM Delights: The Cherry on Top of Security

Modernizing your PAM practice involves securing built-in admin accounts with vaulting and rotating credentials and extending these controls to federated access and roles with JIT access models, zero standing privileges (ZSP) and web session protection. Including secrets management, enforcing least privilege on workstations and servers, managing machine and non-human identities and securing the workforce are essential for a comprehensive modern PAM program.

To wrap up our journey through the Privileged Access Ice Cream Parlor, we’ve savored a variety of PAM flavors that together create a robust security strategy. From the solid base of password vaulting and credential rotation to the delightful toppings of advanced session management and risk analytics, each element adds its own singular flavor to the mix. Like a sundae without a cherry on top, a comprehensive PAM program isn’t complete without integrating workforce identity management and securing the workforce. It’s the final touch that brings all the flavors together, creating a treat that’s not only irresistible but also ensures that every scoop is secure.

Ryne Laster is a product marketing manager at CyberArk.

A few weeks ago, my wife asked me why stopping threat actors from impacting our lives is so difficult. In this digital age, the necessity to connect online brings inherent exposure to vulnerabilities. The challenge for you as a security leader lies in reducing the sense of vulnerability by building trust. You need to protect your organization and reassure employees so they can perform their jobs without fear.

Whether you are a chief information security officer (CISO) with the best security solutions available or an identity and access management (IAM) leader with just enough security practices, the effectiveness of any security program is limited without the trust of the organization’s stakeholders. Trust is the cornerstone for achieving higher security maturity.

Take, for example, the credit card anti-fraud teams that call to verify suspicious purchases. Regardless of the explanation, customers feel protected when anti-fraud teams contact them and continue to trust and use their cards. Similarly, security leaders must cultivate the trust of stakeholders and end users to reduce their sense of cyber vulnerability and foster digital progress.

Cultivating Trust: Leadership Principles in Action

In a digital era marked by increasing connectivity and threats, CISOs’ and other security decision-makers’ roles have evolved beyond implementing security technologies to building fundamental trust within their organizations. According to the CyberArk 2024 Identity Security Threat Landscape Report, 93% of organizations have experienced identity-related security breaches in the past year, underscoring the trust in the organization’s security program.

In addition to the right level of privilege controls, intelligently applied, you can help improve your organization’s identity-focused security by embracing the principles of authenticity, logic and empathy. These foundational elements, inspired by insights from the Harvard Business Review, are crucial for building a resilient trust framework. By embracing these principles, you can present identity security as more than a technical solution. Instead, it becomes a strategic narrative that strengthens trust with stakeholders and users, ensuring comprehensive protection for all business operations.

Leadership in cybersecurity goes beyond managing security practices and incorporates human skills that build trust, anticipate risks and assure user-centric security. A leader’s job is to conduct the organization’s mindset when dealing with cybersecurity. With that in mind, the abovementioned three principles will help develop credibility, make educated decisions, and connect security processes with user needs.

Let’s explore the three principles that help in building trust in your cybersecurity program:

1. Authenticity: Building Credibility Through Consistent Behavior

Authenticity in cybersecurity leadership means acting as your organization’s genuine protector and strategic advisor. It involves transparent communication about the security posture, proactive sharing of risks and defenses and a visible commitment to the organization’s best interests. Authentic leaders build credibility and trust, which are essential for effective leadership in times of crisis.

2. Logic: Making Informed Decisions

Logical decision-making is crucial in cybersecurity. This principle involves data and analytics to understand threats and plan effective countermeasures. It would be best if you validated your strategies through evidence, enhancing your authority to earn the trust of stakeholders in the decisions you make to prioritize security initiatives. For Instance, cyberthreat intelligence provides valuable insights into imminent threats, attack patterns and vulnerabilities, equipping you to make informed decisions based on the world context around the organization. This way, you can ensure that your strategy is proactive, relevant and risk-based in addressing a never-ending evolution of the threat landscape.

3. Empathy: Aligning Security with User Needs

Empathy in leadership involves recognizing and addressing user concerns about security measures. As an empathetic leader, you should ensure that security protocols do not overburden users and that these measures align with the everyday experiences and expectations of those they aim to protect. This approach promotes user engagement and compliance, which are integral to a successful security strategy.

Securing Identity: Authentic, Logical, Empathetic Trust Building

Now that I’ve laid out these leadership principles, weaving them into everyday practice is necessary.  For example, identity security can effectively help the perception that our digital environment is safeguarded by ensuring that online transactions qualify users’ access through strong authentication methods and that their sessions are monitored continuously (Zero Trust). Finally, as important as the technology and processes is the need to understand the user’s need to promote the right level of security without interfering in their daily work.

Perception is as crucial as reality when it comes to honesty – it’s vital to be truthful and recognized as such. In other words, our stakeholders and end users should clearly understand why certain controls are necessary and how data is secured to make it easier for users to accept and follow the designed security practices. For instance, strong identity security is critical for defending against unwanted access and ensuring that only legitimate individuals may access sensitive data and systems. Techniques such as multi-factor authentication (MFA), biometric verification and behavioral analytics are essential components of a solid identity security strategy that you should incorporate into your plan to develop and maintain trust.

Fostering Confidence with Proactive Security: The Zero Trust Paradigm

Building trust through Zero Trust may seem contradictory at first. However, in essence, a Zero Trust strategy advocates giving the appropriate amount of trust for the right task at the right time. It eliminates implicit trust and implements security measures to prevent privilege abuse and security breaches.

Adopting a Zero Trust approach means assuming that no entity inside or outside the infrastructure is inherently trusted. This approach complements the principles of:

• Authenticity – by enforcing consistent verification, showcasing a transparent security commitment.
• Logic – by systematically applying strict access controls based on continuous assessment of risks and behaviors.
• Empathy – by ensuring security measures do not impede user productivity or experience.

Empowering Leaders: Advancing Zero Trust with Identity Security

Anyone who follows a leader follows because they have faith in their ability to make the best decisions for them. Using Zero Trust, the defensible strategy is to initiate through identity security, which is the center of the “trust but always verify” approach.

Enhancing Authenticity Through Biometrics and MFA

Biometric authentication and MFA strengthen authenticity by proving the organization’s dedication to protecting identity at every access point. These technologies make the security process visible and understandable to users, enhancing trust in the measures implemented.

Supporting Logical Decision-Making with AI and Analytics

Artificial intelligence (AI) and analytics can assess risks in real time and adjust security measures dynamically. This technology application supports logical leadership by making more efficient and effective data-driven decisions, showcasing a commitment to sophisticated, reasoned security practices.

Empathy through User-Centric Security Designs

Security designs that consider user convenience, such as adaptive authentication methods that adjust security based on behavior and risk, show empathy. These designs reflect that the organization values user experience alongside security, fostering trust and cooperation from users.

Building Trust: Leadership and Zero Trust Synergy in Identity Security

Returning to my wife’s original question about stopping threat actors, the answer is that we need to be cautious online and promote a security culture that doesn’t get in the way of living our lives the way we want. It also exists in cyberspace. To achieve our goal, we must cultivate a risk-tolerant mindset that will empower us to make prudent, risk-aware decisions.

In today’s complex cybersecurity landscape, a security leader’s effectiveness centers not just on the security technologies you deploy but significantly on the trust you build. By adhering to authenticity, logic and empathy and integrating sophisticated identity security measures within a Zero Trust framework, you can ensure your organization is protected and trusted by all stakeholders.

Claudio Neiva is CyberArk’s Security Strategic Advisor, Director (LATAM). 

In the era of rapid digital transformation, organizations are prioritizing cloud transformation projects to enhance their operational agility, scalability and cost efficiency. However, this shift takes time and brings significant challenges, particularly in security and identity management. As businesses strive to innovate and keep pace with the competitive landscape, they often accumulate cyber debt – the buildup of security liabilities and risk debt due to delayed software maintenance or outdated security enhancements.

Many large organizations maintain a combination of cloud and traditional infrastructure because they cannot easily migrate or replace certain on-premises infrastructure and applications with cloud-native or SaaS solutions without incurring significant costs or risks to the business. So, a phased migration is the best way to address the complexities and risks associated with cloud transformation.

Cloud Transformation Security Challenges

The CyberArk 2024 Identity Security Threat Landscape Report highlights several critical security challenges associated with digital transformation and the migration to the cloud, focusing on managing and securing identities, particularly machine identities. Key findings and issues identified in the report include:

Digital Transformation and Identity-Related Attacks

• Top source of attacks: Digital transformation is identified as the leading source of identity-related attacks, presenting significant security challenges for organizations transitioning to cloud environments.
• Increased attack surface: Cloud migrations expand the attack surface, creating more entry points for potential attacks and making it harder to secure all aspects effectively.

Privileged Machine Identities

• Prevalence of privileged access: 68% of respondents indicate that most of their machine identities have privileged access. These identities, encompassing applications, services and automated processes, require high-level permissions to operate.
• Risk of unauthorized access: Privileged machine identities are attractive targets for attackers due to their access to sensitive data and critical systems. Compromise of these identities can result in severe security breaches.

Growth of Machine Identities

• Machine identities: Leading the surge in identity security needs, driven by the proliferation of automation and microservices in cloud environments.

Operational and Compliance Challenges

• Operational risks: Inadequate management of secrets and access credentials across diverse cloud environments can lead to inconsistent security policies and weak access controls, increasing the likelihood of security incidents.
• Compliance challenges: Ensuring compliance with various regulatory requirements is complex in a cloud environment. Organizations must implement effective monitoring, auditing and reporting mechanisms to meet these obligations.

A Phased Cloud Migration Path

Most machine identities have privileged access, and the number of these non-human identities is only growing as automation, AI, cloud and other productivity enhancements become even more widely used. Since machine identities are closely associated with newer technology, it makes sense to start migrating your machine identity security to a centralized SaaS secrets management solution that integrates with your privileged access management (PAM) self-hosted solution and uses the credentials you already manage.

Organizations face increased operational risks and compliance challenges without proper management of machine identities. The complexity of managing secrets across diverse environments can lead to inconsistent security policies, weak access controls and an increased likelihood of security incidents.

Taking a phased approach and starting with SaaS secrets management offers a streamlined and centralized way to manage identities for humans and machines across cloud-native applications, multi-cloud environments and on-premises systems without disrupting your PAM self-hosted solution. This approach provides several key benefits that can significantly alleviate the burden of cyber debt:

1. Centralized administration and automation: SaaS secrets management platforms provide a unified interface for managing secrets that integrate with your PAM self-hosted solution, simplifying administration and reducing human error risk. Automation capabilities regularly rotate and update secrets for long-standing accounts and use dynamic secrets for ephemeral accounts to minimize the risk of compromised credentials.​​
2. Enhanced security and compliance: By centralizing secrets management, organizations can enforce consistent security policies and gain comprehensive visibility into how secrets are used and accessed – e
3. Scalability and flexibility: SaaS solutions scale with an organization’s needs and accommodate the dynamic nature of cloud environments by design. They support a wide range of integrations with cloud platforms, DevOps tools and CI/CD pipelines, enabling security to be seamlessly embedded into development workflows without hindering productivity​​.
4. Reduced complexity and cost: Managing secrets in a multi-cloud environment can be complex and costly. SaaS secrets management solutions reduce these complexities by providing a cloud-agnostic approach that avoids vendor lock-in and enables organizations to manage secrets uniformly across cloud services and on-premises systems​​.

Best Practices for SaaS Secrets Management Integration

When implementing a SaaS secrets management solution, organizations should consider the following best practices:

• Comprehensive discovery and onboarding of cloud vaults: Conduct a thorough discovery of all existing secrets and credentials across the and machine identities. Onboarding these secrets into the SaaS platform should be a structured and phased approach to ensure minimal disruption. Security teams need comprehensive visibility and insights into the organization’s secrets stores managed by the cloud service providers (e.g., AWS Secrets Manager (ASM) and Azure Key Vault).
• Policy-driven access control: Implement fine-grained access controls based on the principle of least privilege. Use policy-driven frameworks to define and enforce who can access specific secrets and under what conditions.
• Integration with existing solutions: Ensure the secrets management solution integrates seamlessly with your existing PAM solution (self-hosted or SaaS), DevOps and security tools. This enables automated workflows and continuous security without adding friction to development processes.
• Continuous monitoring and auditing: Use the SaaS platform’s monitoring and auditing capabilities to gain insights into secret usage. Continuous auditing helps identify anomalies and potential security threats, enabling timely interventions.

By addressing these challenges through strategic approaches and advanced security solutions, organizations can better secure their cloud environments against identity-related threats and ensure a more secure digital transformation.

Starting Your SaaS Journey with Secrets Management

As organizations strive to innovate and remain competitive, the accumulation of cyber debt poses significant risks. SaaS secrets management offers a powerful solution to these challenges, providing centralized, scalable and secure management of secrets across diverse environments. By taking a phased approach and adopting SaaS secrets management, organizations can reduce their cyber debt, enhance security and achieve their cloud transformation goals more efficiently while positioning the organization to adapt to future challenges with confidence and resilience.

cyber debt is critical in the cloud transformation journey. Ensure identity security is at the forefront of your software development with insights from the new “Identity Security for Software Development” book by O’Reilly Media and CyberArk. This early-release eBook collaboration offers a blend of theory and practice to protect against the risks of cyber debt in our evolving digital landscape. And be sure to check out our upcoming webinar, “How to Build a Developer-First Cloud Security Program,” on July 9, where I’ll be previewing content from the book.

John Walsh is a senior product marketing manager at CyberArk.

In the highwire act of the financial services sector, identity security serves as the essential safety net, meticulously engineered to intercept any missteps before they precipitate a fall. Just as a tightrope walker relies on a safety net for confidence at dizzying heights, financial institutions – from global companies and insurers to community banks and credit unions – navigate a complex array of risks. They trust in identity security to maintain balance and confidence amid the intricacies of digital banking transactions and financial data exchanges.

Identity Security in Today’s Financial Sector

As the tightrope of digital finance stretches further, carrying more data and transactions than ever, the need for an unshakeable safety net becomes paramount, as 93% of organizations faced two or more identity-related breaches in the past year. This net doesn’t just catch falls; it instills the confidence to push forward, innovate and engage with customers securely and effectively.

A Strategic Framework for Strengthened Identity Security

To ensure the financial sector’s safety net is both resilient and responsive, consider these six foundational elements to enhance identity security and future-proof against growing cyber risks:

1. Dynamic access management. Fine-tune your safety net by ensuring that only the right entities have access at the right times. This requires balancing user convenience and stringent security measures to prevent unauthorized access.
2. Intelligent privilege controls. Strengthen the fibers of your net with smart controls for protecting IT administrators, for example, by also introducing a zero standing privileges approach to access management. Tightly controlling access privileges minimizes the risk of breaches while allowing your team the flexibility to perform their roles effectively.
3. Unified identity orchestration. Weave a stronger net by integrating and managing all identity processes from a central point. This can help catch discrepancies and potential threats before they can cause harm.
4. Proactive threat detection. Equip your safety net with sensors that can feel the slightest tremor of threat, allowing immediate action. Continuous monitoring and real time analysis are crucial to swiftly detecting and mitigating threats.
5. Comprehensive identity mapping. Make every part of your safety net visible and accounted for by mapping out all human and machine identities. Knowing who and what is on your network is crucial for maintaining security.
6. Adaptive authentication. Modify the tension in your net according to the conditions with context-sensitive, adaptive multi-factor authentication (MFA) that responds dynamically to varying threat levels, enhancing security without compromising the user experience.

Beyond Compliance: Elevating the Safety Standards

While compliance like SWIFT CSCF, Sarbanes-Oxley (SOX), 23 NYCRR 500 and DORA provide a regulatory framework for setting up the safety net, true security leadership in the global financial sector involves cooperation to weave a net that’s ahead of the curve – anticipating risks and reinforcing points of vulnerability before they are tested.

For cybersecurity professionals in finance, this is your moment to ensure that the safety net you create is compliant and a cutting-edge model for others to follow. By embedding these six strategic pillars into your identity security practices, you protect assets and build a culture of security-first thinking across the organization.

A Confident Approach to Financial Identity Security

Embrace this holistic approach to identity security to ensure your financial operations can perform confidently on the highwire of modern finance. By strengthening your own company’s safety net, you protect not only your data and transactions but also the trust and confidence of your customers. Implement these strategies to stay agile and secure in a world where the stakes are as high as the rewards.

Let’s consider Rabobank’s experience to illustrate these concepts in action. With automated password management, privileged access and activity monitoring for 10 million customers across 48 countries and 59,000 employees, Rabobank International has significantly reduced risk and established a transparent overview of accountability.

As the landscape of financial security continues to evolve, establishing robust identity security protocols is a necessity and a strategic advantage. By adopting these principles, your organization can not only navigate the challenges of today but also pave the way for a secure and prosperous future in the digital age.

Chris Maroun is a senior director in CyberArk’s field technology office.

As a CIO, I often wish for a world where the threat landscape is less expansive and complicated than it is today. Unfortunately, the reality is quite different. This month, I find myself particularly focused on the idea that our digital business would come to a grinding halt without the technology ecosystem that supports it. However, this very ecosystem also presents significant risks.

This month, I’m thinking quite a bit about issues that pertain to the intricate web of potential vulnerabilities our collective digital ecosystem faces. The digital ecosystem brings several advantages, such as shifting the heavy lifting of the back-end infrastructure to a SaaS vendor, getting a best-in-class solution that you couldn’t develop yourself, and helping us focus on our mission-critical domains. The same digital ecosystem also presents imminent downsides. The threats posed by your third-party providers are compounded by the risks their providers (your fourth parties) present. This creates an intricate, ever-expanding web of potential vulnerabilities. Each new technology brings additional layers of partners and added risks. Additionally, increasing cyber debt and persistent threats like ransomware are constant concerns.

New Technologies: Uncovering the Hidden Risks and Blind Spots

As we navigate the complexities of our digital ecosystem, it becomes increasingly apparent that the innovations we embrace can also introduce new vulnerabilities. These are not just hypothetical risks; they are the tangible issues we’ve touched upon earlier, manifesting as third and fourth-party risks, cyber debt and the persistent threat of ransomware.

In the spirit of addressing these challenges head-on, let’s further examine the specific areas that demand our vigilant focus:

1. Chain Reaction Risks in Your Digital System

If you’re already losing sleep over cybersecurity, you can be sure to lose even more over the risks your partner’s partners present. The deepening relationships with technology partners enable our digital businesses, but every new provider you integrate into your ecosystem exponentially increases your risk.

I’m confident that every third-party provider you onboard is vetted for risks. But do you apply the same scrutiny to your fourth parties (your third-party providers’ providers)? How many third- and fourth-party providers is your organization actively working with? Let me share some insights.

CyberArk’s 2024 Identity Security Threat Landscape Report indicates that 84% of organizations expect to employ three or more cloud service providers (CSPs), consistent with 85% last year. Moreover, our respondents anticipate an 89% increase in the number of software-as-a-service (SaaS) providers in the next 12 months, up from 67% in the 2023 report. Consider the footprint of your digital ecosystem. Your extended family of third-party providers includes service providers, integrators, hardware and infrastructure suppliers, business partners, distributors, resellers and telecommunications providers. External to your organization, these entities are crucial for enabling your digital business.

Do you have visibility into all your third-party providers’ security practices? What about your fourth-party providers? Does your organization actively measure and mitigate the risks posed by your third- and fourth-party providers? It’s implied in these questions, but I’ll say it anyway: you should be doing all these things.

2. Cyber Debt is Real

You’ve probably heard of tech debt, which results from prioritizing speed to market over a robust and agile technology environment. In today’s landscape, tech debt is amplified by cyber debt. Consider the accumulated risks and vulnerabilities within your IT infrastructure due to neglected updates, lack of tools, or too many disparate tools, coupled with a shortage of skilled cybersecurity staff. It’s a recipe for disaster, and cybercriminals thrive on it.

The proof is in our survey findings. Breaches due to phishing and vishing attacks have impacted nine out of ten organizations. Nearly the same number of organizations were targeted by ransomware in 2024 (90%) as in 2023 (89%), with an increasing number reporting irretrievable data loss. With bad actors utilizing generative artificial intelligence (GenAI) to scale sophisticated attacks, we should anticipate that every organization will be breached in the coming years. This is a reality every CISO must brace for.

3. Ransomware is Still a Thing

Ransomware remains a significant threat, with no honor among thieves. Despite our hopes for a world free of ransomware, the truth is that old threats are enduring, and humans are the weakest link. Ransomware will continue to grow in volume and sophistication, especially with AI-enabled deepfakes. No amount of cybersecurity awareness training can completely prevent a user from clicking a malicious link or sharing a one-time password (OTP), compromising their identity and the organization’s data.

The damage caused by ransomware is severe. Our findings reveal that 75% of organizations impacted by ransomware paid the ransom but did not recover their data. However, protecting against ransomware doesn’t have to be as challenging as climbing Mount Everest. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers several no-cost resources to help you proactively protect your organization against ransomware. I highly recommend taking advantage of these resources

Building a Resilient Digital Defense Against Emerging Threats

Although a day in the life of a CISO may seem grim, it’s not all doom and gloom. My peers in the industry will agree that we successfully protect against threats frequently, but a single breach can leave a lasting mark. I advise everyone to thoroughly review their IT environments, scrutinizing gaps and prioritizing remediation. This process needs to be ongoing and methodical, performed at regular intervals.

While we must anticipate and mitigate the risks of new technologies like GenAI, we cannot ignore the persistent threats of traditional vulnerabilities. Simplistically, I recommend three actions:

1. Audit and evaluate all legacy and new technologies across your environment. You must conduct an annual vendor assessment, which evaluates and prioritizes the critical vendors that might pose a high risk for your business. You can use specific tools for external security scoring and put specific liability phrases in the contracts. You should also ensure that access to your systems includes secure authentication and that the exposed data is only what is required.

2. Assess the risks these disparate tools pose versus the time and effort required to maintain them. I recommend a dedicated cadence for discussing cyber risk management and reviewing outcomes, including a toolset to reduce third-party risks.

3. Create a plan to consolidate your technology stack based on the right balance for your organization. Proceed slowly but surely. As a CIO, I can confidently say that the platformization movement is real. It’s not just a way to reduce overall costs but also a means to mitigate third-party risks. If you have a trusted vendor that you’re continuously reassessing from a cyber risk perspective, it will eventually get you to a more secure posture. Just don’t put all your eggs in one basket.

I am already implementing these strategies. Are you?

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

In the intricate healthcare ecosystem, cybersecurity is akin to the human immune system – a vital defense that safeguards the body from external and internal threats. Healthcare cybersecurity is essential for protecting patient data, ensuring medical service availability and maintaining compliance across the medical industry. The future of healthcare is increasingly digital, and its security depends on the strength of identity security measures. Identity security is the defense against data breaches and unauthorized access. By ensuring that only the right person has the right access at the right time, identity security helps secure data and empowers healthcare providers.

The Heart of Healthcare Cybersecurity: Identity Security

Identity security is a vital defense mechanism, like how the immune system protects the human body. It ensures appropriate access for authorized personnel through various safeguards, crucial for protecting against cyberthreats in an industry vulnerable due to its high-value data and extensive IT reliance. It plays a fundamental role in tackling challenges, ensuring the system’s overall health and integrity through the following essential functions:

1. Establishing Patient Trust
   Patient trust in the healthcare industry is arguably as vital as a healthy heart in a living body. What isn’t arguable, however, is the need to guard sensitive health information precisely and carefully. Identity security plays a crucial role by tightly controlling access to sensitive data, thereby helping preserve the confidentiality, integrity and availability of patient information. This secure management is critical for maintaining patient trust and compliance with stringent regulations like HIPAA.
2. Enhancing Operational Efficiency
   Just as the circulatory system efficiently delivers blood to where it’s needed most, identity security solutions streamline healthcare authentication and authorization processes. These solutions ensure that healthcare providers have timely yet secure access to crucial patient information, optimizing workflows while guarding against unauthorized access.
3. Supporting Innovative Technologies
   As new technologies such as generative AI, telehealth and electronic health records expand the healthcare landscape, they also introduce new vulnerabilities. Identity security acts like a selective barrier, allowing beneficial innovations while protecting against potential threats. This balance supports innovation and safeguards the system’s integrity.

Identity Security Strategies for Healthcare Providers

In the dynamic and ever-expanding healthcare field, the cybersecurity landscape is fraught with challenges that can impede safe and effective patient care. Identity security addresses these challenges by fortifying the infrastructure that handles sensitive patient information. Identity security responds to immediate threats and builds resilience by anticipating and neutralizing potential vulnerabilities through the following actions:

• Securing sensitive data through measures such as multi-factor authentication (MFA), encryption and access management. As digital health data proliferates, so does the need to protect it against unauthorized access and breaches.
• Maintaining regulatory compliance by enforcing compliant policies and avoiding penalties and legal complications. A complex web of regulations regarding data protection binds healthcare providers to protect patient privacy.
• Mitigating insider threats by monitoring and managing user access and data usage within the organization. Like a body’s cells turning against it, insider threats can be as damaging as external attacks – identity security can significantly reduce the risk of insider misconduct.

By addressing these challenges, identity security protects against immediate threats and strengthens the healthcare system’s ability to adapt to new technologies and evolving threats, ensuring long-term health and resilience. This proactive approach is vital to maintaining a secure and trustworthy environment where healthcare providers can focus on delivering the highest quality patient care.

Safeguarding the Future: Identity Security in Healthcare

Cybersecurity leaders and healthcare stakeholders increasingly recognize that identity security is crucial. It acts as the immune system of the digital healthcare organism, essential for maintaining operational health and enabling the safe adoption of innovations. As healthcare evolves, the commitment to strong identity security measures will be vital to delivering patient care that is both secure and progressive.

Discover how companies apply an identity security-first approach to implement Zero Trust and protect personal health information (PHI) for 1.8 million members.

Lee Godby is a business development director, and Brian Carpenter is a senior business development director at CyberArk.

It’s a familiar post-disaster scene in seemingly every television medical drama. A ferry has crashed, or a train has derailed. Patients flood into the ER, each requiring urgent medical attention. The impossibly attractive medical staff must quickly assess and prioritize patients based on the severity of their injuries and the likelihood of survival. Someone with great hair likely says an inspiring quote and jumps immediately into action.

To carry the plot, the medical staff often struggles to make decisions under pressure, leading to confusion and delays in treatment. As the chaos intensifies, the absurdly well-lit ER becomes overwhelmed, with patients and their families increasingly anxious and frustrated. The risk of medical errors and adverse outcomes rises, further compounding the crisis. And then your favorite character probably gets killed off. All thanks to one element the writers left out of the scene: triage. Great TV – terrible medicine.

While the chaos of a TV trauma center may seem far removed from the world of cybersecurity, the concept of triage is just as relevant when it comes to prioritizing and addressing cyberthreats. Just as medical staff must quickly assess and prioritize patients based on the severity of their injuries, organizations must also assess and prioritize cyberthreats to maintain order, efficiency and safety in any environment. With a multitude of identities possessing varying levels of privilege and access, the challenge lies in effectively prioritizing security measures.

Defining Risk: A Common Lens

Before delving into the prioritization strategies, a quick note about establishing a common understanding of risk. Organizations may define risk differently, but in our experience mitigating identity-related threats, we define risk as a combination of three fundamental factors:

1. Level of privilege refers to the type of privilege granted to an identity, ranging from read-only access to full administrative control, including the ability to modify other identities’ permissions.
2. Scope of influence, also known as the blast radius, describes the extent to which an identity can access systems and resources. This can range from access to a single cloud-native service to multiple services with access to elastic workloads to full access to every resource and service.
3. Ease of compromise refers to the level of difficulty for a malicious actor to compromise access. This includes the existence of technical vulnerabilities and the level of controls applied to protect the identity.

Building on this definition of risk, let’s examine two effective risk-based prioritization methods that can provide a framework for triaging your cloud security priorities.

Method No. 1: Security Control-Based Risk Prioritization

Our first method for triaging cloud security priorities is based on the understanding that not all organizations can deploy all security controls simultaneously. Therefore, priorities are determined by assessing the risk impact and the effort required for mitigation. In this approach, organizations implement security controls iteratively, focusing on specific control families. If we look back at the triage scene, this would be like simultaneously treating patients with similar injuries.

The recommended prioritization for this control-based method follows these steps:

1. Progress toward zero standing privileges (ZSP). You can work toward achieving this by implementing role-based access, multi-factor authentication (MFA), session protection and audit functionalities. ZSP helps to ensure that users only have access to resources when needed and for the duration necessary to perform their tasks. Controls facilitating ZSP are prioritized to mitigate the sprawl of excessive access. This step will have the most significant impact on minimizing risk.
2. Implement standing privileged access controls. This can be done through credential vaulting, password management, MFA and session monitoring. Prioritize root and registration account security, minimize freestanding access and use robust credential management for necessary cases. Continuously refine non-emergency account privileges to enforce least privilege.
3. Deploy secrets management controls. This includes secrets vaulting, rotation, complex policies, removal of hard-coded secrets and just-in-time (JIT) delivery to applications. Focus on refining privileges for machine workloads and apply these controls to machine passwords and keys to mitigate credential theft and privilege abuse.
4. Establish identity governance controls. Focus on lifecycle management and compliance mechanisms. Start by rolling out lifecycle management to IT admin roles, followed by developers and other privileged roles. Ensure roles are explicitly defined and implement identity compliance across all human users to certify and adjust access as needed periodically.

Method No. 2: Identity/Persona-Based Risk Prioritization

In contrast to security control-based prioritization, the second method for triaging cloud security priorities focuses on securing identities based on their roles or personas, assuming simultaneous application of all security control families. The ideal prioritization hierarchy, which would be akin to treating women and children first in our triage scenario, typically follows this sequence:

1. Secure root and registration accounts. Start by securing high-privileged accounts, such as those with Global Administrator access, with measures like MFA.
2. Prioritize IT administrators. Focus on roles with extensive administrative access across cloud service provider (CSP) accounts, as they have the potential for the most significant impact.
3. Tailor security controls for developers and service administrators. Apply tailored security controls to individuals with privileged access to specific services or resources within CSPs.
4. Address other application and audit teams. Secure users with lesser privileges, including read-only access.
5. Safeguard machine workloads and cloud-native services. Protect automation and orchestration workloads, often with sensitive permissions, using secrets management and least privilege controls.

A Note on Regulatory Compliance

Regulatory compliance is a critical factor to consider when prioritizing security measures. Adhering to frameworks such as GDPR, HIPAA or SOC 2 is essential for ensuring data protection and privacy. To align your risk prioritization efforts with regulatory mandates, consider the following steps:

1. Implement Data Protection Requirements. Take steps to safeguard sensitive data and comply with data protection regulations by implementing new or additional security controls.
2. Establish Auditing and Reporting Mechanisms. Set up mechanisms for auditing and reporting to demonstrate compliance with regulatory requirements.
3. Develop Incident Response Preparedness. Create incident response plans and procedures to address data breaches and security incidents in compliance with regulatory guidelines.

Streamlining Your Cloud Security Risk Prioritization

Just like in a TV medical drama, effective prioritization is essential when dealing with many threats, including cyberthreats. The coiffed chief of surgery has aligned the triage strategy with standard Hollywood hospital protocol. Each staff member has a clearly defined role; every patient is cared for when needed. Someone with great hair still probably says an inspiring quote.

By addressing the common challenges and considerations outlined in this blog, organizations can more effectively navigate the complexities of risk prioritization, enhance their cloud security posture and ensure compliance with regulatory mandates.

Effective risk prioritization requires a nuanced understanding of risk dynamics and a strategic, adaptive approach. Organizations can use a combination of security control-based and identity/persona-based approaches to enhance their resilience against evolving cyberthreats while optimizing resource allocation and effort.

The bottom line is that cutting the drama in your cloud security requires risk prioritization. A clear strategy and well-defined priorities can help maintain order, efficiency and safety in your cloud environment.

To dive deeper into cloud security fundamentals and learn how it plays into compliance, check out our whitepaper 2024 Playbook: Identity Security and Cloud Compliance.

Alyssa Miles is a product marketing manager at CyberArk.

Data theft, data protection and the leakage of passwords or secrets are the top two cloud security concerns for 2,400 cybersecurity experts, according to the recently released CyberArk 2024 Identity Security Threat Landscape Report. In an ever-brewing digital ecosystem of multi-cloud environments, countless on-prem and SaaS applications – and third-party and fourth-party providers, 94% of organizations report having faced at least one identity-related breach in the last 12 months. Nearly all (99%) of these victimized organizations report negative impacts on business, such as the cost of recovery and financial burden from lawsuits and regulatory fines.

Post-breach scenarios are often tense and scrutinized heavily by stakeholders, including auditors, boards of directors, customers and shareholders. In such a scenario, cybersecurity teams intensify their focus on remediation and containment of the attack. In contrast, privacy teams focus on understanding and limiting the extent of regulatory non-compliance, potential fines and customer impact. The impact of a breach extends beyond the cybersecurity teams to others, including privacy teams critical to defining data privacy requirements.

Yet, often, organizations make the mistake of carving individual swim lanes for the roles and responsibilities of cybersecurity vs. privacy teams. This approach is simply bad practice – I am convinced that privacy and cybersecurity should be on the same team, working in lockstep with one another, similar to synchronized swimmers.

At its best, synchronized swimming is not just a beautiful sight but a challenging sport that takes enormous effort and commitment to get right. Drawing on the concept of synchronization, it’s essential to understand that privacy and cybersecurity are not separate swim lanes with competitive goals; they are inseparable components of a perfectly synchronized swimming act. I think cybersecurity and privacy are much like the individual athletes committed to a group sport with a singular goal – securing sensitive data and maintaining confidentiality.

Let me explain how.

The Inseparable Bond Between Privacy and Cybersecurity Teams

Privacy and cybersecurity teams need to collaborate more to ensure the highest level of protection for their organizations’ sensitive assets. For example, the Chief Privacy Officer’s (CPO’s) team should ideally define a data collection, retention, storage and usage policy. The policy should address critical questions, including what organization is collecting the data, its purpose and intended use, the data processing location, the data retention duration and, most importantly, who is authorized to access it.

Only when this is defined can the Chief Information Security Officer (CISO) and their cybersecurity team ensure data is protected throughout its lifecycle, mainly when it’s in use, in flight and at rest in the appropriate geographical location as required by regulations.

Now, consider a situation where the CPO and CISO aren’t actively collaborating. We can assume that data or access to data is secured but not per the applicable (country and industry-related) privacy laws. Such conditions can lead to heavy non-compliance fines but not a data breach. For a robust cybersecurity and privacy program, privacy teams must classify the data sensitivity level by law so cybersecurity teams can apply security controls to protect it.

The CPO and CISO must collaborate regularly to consider the impact on confidentiality, integrity and availability of data and privacy. The industry interchangeably uses the words confidentiality and privacy, but they are different. Confidentiality can be enabled through agreements between two or more parties that limit data sharing by controlling access.

Ethical considerations can also play a role in limiting data sharing and enabling confidentiality. On the other hand, privacy is the right to freedom from intrusion into personal information. Adopting disparate tools or processes in a siloed manner will only increase gaps in maintaining the confidentiality and privacy of data. A synchronized approach wherein privacy teams classify data requirements and cybersecurity experts use this framework to secure data is the only proper approach to maintaining confidentiality and data privacy.

Cybersecurity Tools and PETs: A Comprehensive Approach to Data Protection

As a technology leader, I see a combination of cybersecurity tools and privacy-enhancing technologies (PETs) in today’s market. For example, data encryption in flight or at rest, data masking or obfuscation protects sensitive information in many ways. While cybersecurity capabilities have been around for a long time and continue to evolve, PETs are relatively new and aim to protect private data in a regulated landscape. Many PETs, like data security posture management (DSPM) as a part of cloud-native applications protection platform (CNAPP), already enable streamlined data security and privacy capabilities. Other PETs, like homomorphic encryption or confidential computing, are built to address specific use cases, such as maintaining data privacy.

Homomorphic encryption and confidential computing both show promise in enhancing privacy. However, as mentioned earlier, these technologies have yet to be widely adopted. Confidential computing is not easy to adopt and is not yet a multi-purpose technology. It is limited to some use cases, mainly in cloud-based encryption for data-in-use. As a result, they are far from being adopted at scale. In this case, the only way to ensure data confidentiality and privacy is by securing every human and machine identity that accesses sensitive data across your IT environment.

Identity at the Core of Privacy

Maintaining privacy by securing access for all identities involves managing access rights effectively for every identity throughout its lifecycle. The privacy teams outline access to resources for every identity based on the roles of every business function. Whether it’s sales representatives accessing customer data, HR professionals handling sensitive employee information, or IT managers overseeing system resources, it’s essential to uphold the principle of least privilege (PoLP) to ensure that only the right people have access to specific data, reducing the risk of unauthorized data exposure. Implementing comprehensive Identity and Access Management (IAM) controls and capabilities is necessary to secure access for all identities and maintain privacy.

Here are two examples:

• An adaptive form of multi-factor authentication (MFA) can enable organizations to strengthen their security posture through additional checks to validate identities in multiple layers.
• Automated lifecycle management can help organizations easily define and enforce each user’s unique role, responsibilities and access privileges.

Privacy and Cybersecurity: A Synchronized Act

I am convinced that cybersecurity enables privacy – and not vice versa. To illustrate this theory, let’s look at the relationship between the different layers of swimmers in a synchronized swimming “lift.” The base is a swimmer underwater at the bottom of a lift. The base swimmers provide the force for pushers to stand up explosively and thrust flyers, the top layer of this aquatic human pyramid.

Our industry’s privacy teams are the equivalent of the pushers, with a core strength of data privacy regulatory requirements and a thorough understanding of the law. The base swimmers are cybersecurity teams who harness their information technology (IT) background and technical skills to implement security controls according to the regulatory requirements outlined by the privacy teams (the pushers).

Without the pushers, cybersecurity teams (the base) will secure data and access to it, but not in accordance with applicable laws. As such, cybersecurity teams enable privacy teams to fulfill their responsibilities better. With the pushers and the base strong in their positions, the flyers are athletes thrust upward – or, for the sake of this comparison, the flyers are the average business user (or identities) – who can execute their daily tasks productively and securely while maintaining confidentiality and privacy.

When privacy and cybersecurity teams collaborate and align, it feels like a perfectly executed synchronized swimming performance with the three groups of athletes – the flyers, the pushers and the base – in perfect lockstep.

The Perfectly Synchronized Act of Privacy and Cybersecurity Teams

As easy as this act looks, it’s not – unless – it’s planned strategically and collaboratively. As much as synchronized swimming is a treat to behold, it’s a demanding sport with dangerous and challenging maneuvers. For cybersecurity teams, these challenges and difficulties translate to a changing regulatory landscape, evolving threat landscape, deepening digital ecosystem of third- and fourth-party providers and an increasing number of identities that have access to growing sensitive datasets, among other concerns.

However, our act as cybersecurity leaders and technologists can be a virtual treat in collaboration with the privacy teams and with a regularly evaluated risk framework.

All this talk about synchronized swimming has gotten me thinking of the Summer Games set to take place in France this year. I look forward to watching the swimming heats and synchronized swimming competitions this summer. While doing so, I’ll brainstorm how to actively and effectively coordinate with privacy teams to protect sensitive data for CyberArk and our customers. I kid you not.

I hope you’re inspired to do the same.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

What a week! We just wrapped up CyberArk IMPACT 2024, the world’s largest identity security-focused conference. It was amazing to be joined by thought leaders and practitioners from around the world to talk about the present and future of identity security. Nashville provided a colorful, musical backdrop for this year’s event, which was the perfect combination of information exchange and networking in a dynamic, fun event experience.

Thank you to our customers, partners, employees and everyone who made the trip to Nashville! Your engagement and enthusiasm were palpable across the entire three days, and I could not be more excited and inspired about the road ahead. As I reflect on the many highlights, I’m filled with gratitude for this incredible community and energized by the meaningful work we’re doing together to create a safer digital world for all.

Embracing Change: Paradigm Shifts in Music and Identity Security

At IMPACT ’24, we talked about paradigm shifts – in music, we were in Nashville after all, and in identity security. There is no better example of an industry that has embraced paradigm shifts than the music industry. Over the past 25 years, we’ve all experienced firsthand the evolution of new technology, new access methods and new experiences when it comes to how we purchase and consume music.

When it comes to securing identities, a paradigm shift is also required. Every organization is facing new forces that are creating a rapid increase in the number and types of identities and increasingly complex hybrid cloud environments to secure. These forces are driving new attack methods, which are made even more sophisticated and effective by AI. We believe that to be secure, every identity, from workforce to IT, to developers to machine, needs the right level of privilege controls intelligently applied. Equally important, we need to provide these controls without getting in the way of productivity, efficiency and innovation. This is the paradigm shift that we must all make to keep our people and our organizations safe from cyberthreats.

CyberArk + Venafi: Securing Machine Identities at Scale

To tackle the growing challenge of securing machine identities at scale, we were thrilled to announce that we’ll be joining forces with Venafi, a leader in machine identity management. The combination of Venafi’s certificate lifecycle management, private public key infrastructure, IoT identity management and cryptographic code signing, with CyberArk’s secrets management capabilities, will enable organizations to keep machine-to-machine connections and communications secure. This acquisition marks a pivotal milestone for CyberArk and we look forward to leveraging our collective strengths to deliver end-to-end machine identity security to our customers once the deal closes.

In addition, there is no greater honor than sharing the IMPACT stage with cybersecurity leaders on the front lines. Our customers’ real-world stories of innovation and ingenuity inspired us while bringing today’s greatest identity security challenges into sharp focus. Security leaders from Healthfirst, Unilever and IHG Global talked about how they are applying privilege controls to meet the unique needs of users across their organizations. Dozens of other customers spoke at breakout sessions. Thank you to these wonderful customers for sharing your insights and learnings with the broader community.

A New Era of Productivity and Security with CyberArk CORA AI

We also shared some exciting news on the product front with new capabilities across our platform. Most notably, we introduced CyberArk CORA AI, a new set of AI-powered capabilities that will be embedded within our platform to make our customers more productive and more secure. Much more than a digital assistant, CORA AI will fundamentally transform how users interact with the CyberArk Identity Security Platform, reducing the time it takes to sift through human and machine identity data to analyze anomalies and apply next-level identity threat detection and response actions from hours to minutes.

IMPACT ’24 was by far our largest and most engaging conference ever. It was an honor to be surrounded by so many customers and partners who share our vision for identity security. Not to mention the wonderful CyberArk employees who contributed to deliver an amazing event experience.

The world is changing rapidly. We simply cannot expect the paradigms of the past to solve today’s problems, let alone prepare us for what’s to come. Our time in Nashville provided a glimpse into what’s possible when you flip the script – and how shifting paradigms can truly transform an industry. I’m incredibly excited for the journey ahead as we continue to shape the future of identity security together.

Next, on to IMPACT World Tour as we take the experience to cities around the world.

Matt Cohen is the CEO of CyberArk.

CyberArk IMPACT 24 in Nashville was a week packed with firsts for me:

• My first time in Nashville.
• My first time at our flagship global event.
• My first time being involved in a genuinely significant acquisition: Monday’s Venafi announcement.

And not to be too trite – IMPACT 24 is a conference, after all – it was a week packed with The New. Day One of IMPACT is typically a quieter day, with many side events and no keynotes, serving as the calm before the storm. This time, Day One began at 7 a.m. with the zero-to-sixty-mph-in-three-seconds news that CyberArk announced the $1.5 billion acquisition of machine identity management leader Venafi.

As well as sparking an immediate media frenzy, this news and what it means for identity security – particularly for securing machine identities – infused the whole IMPACT 24 event. CyberArk CEO Matt Cohen talked about it in terms of broken models and the need to change, to introduce new thinking and a new model. He drew a parallel with the record industry. He took us back to the days of buying a vinyl album from a physical store and listening to it all the way through*. He then reminded us of what happened to that industry and its once-major players when they stayed still. They waited for events to happen to them instead of driving the change, many soon ceasing to exist as a result. A guest speaker on Day Three perhaps put it best: “Waiting for something to occur is not a luxury that firms have anymore.”

Matt also discussed the need for a paradigm shift in how we secure identities, a framework that will create a better path to the desired result. Why is this necessary? We all face immense and growing identity challenges, and how we currently secure these identities is often siloed and inefficient. But they must be secured; it is critical to do so. As another speaker from a global consultancy firm bluntly stated, “Everything bad that happened to your organization started with a compromised identity.”

The Future of Identity Security: Harnessing the Power of GenAI

The proliferation of identities was a thread running through many of the IMPACT 24 talks from the CyberArk team and our customers and partners. Organizations have so much more to deal with today than in the quaint, dim-and-distant days of, say, five years ago. Security has moved from perimeter-based to identity-centric and can only be delivered effectively through the use of automation built on Zero Trust principles. In the succinct words of one of our customers on what multi-cloud means for his organization’s employees, their identities and access demands, “It’s global, it’s everywhere, it’s all hours.”

How is this new paradigm of identity security going to be delivered? New paradigms are not just about knowing where you want to get to – they must include how you get there – or they’re just hot air. GenAI was, of course, a key theme of the conference and will be one of the building blocks of this new model of securing human and machine identities. GenAI has changed our relationship with data, allowing us to interact with it more conversationally rather than simply searching for it. GenAI will play a pivotal role in attacks by enabling the democratization of advanced attacks. It will also be central to cyber defenses. At IMPACT 24, the announcement of CyberArk CORA AI represents, in part, how this new model will be delivered through a new set of AI-powered capabilities that, over time, will be embedded across the CyberArk Identity Security Platform.

A Look Back: (a Couple of) My Favorite IMPACT 24 Moments

I mentioned at the outset that this was my first time at our flagship U.S. conference. Our IMPACT World Tour events take place throughout 2024 and are a great way of bringing the experience closer to our customers, but Nashville is on a larger scale. Among the many aspects that I enjoyed:

   1. CyberArk Labs sessions are always a favorite of mine, particularly when VP of Cyber Research Lavi Lazarovitz presents. As usual, he didn’t disappoint at IMPACT 24. The big reveal included his team’s work on attacking AI models via malicious prompts. They used the privileged access of an AI model to send data to attackers and jailbroke large language models (LLMs). By taking advantage of their design flaws, they manipulated the LLMs to share information they were not supposed to. These included psychological manipulations, context attacks and moral bugs, where certain words and phrases overcome the LLM restrictions.

   2. One of the event’s highlights was the Day Three fireside chat with CyberArk VP of Brand Experience Anna Walsh, our Founder and Executive Chairman Udi Mokady and Robert Herjavec. Yes, that Robert Herjavec. Robert, of course, is the CEO of Cyderes and Shark Investor on ABC’s “Shark Tank.” The learnings of their formative years in the industry were poignant, from Robert talking his way into the IT industry to sell mainframes by offering to work for free to Udi’s early days at CyberArk selling the idea that leaving – metaphorically – the valuable stuff (critical data and assets) lying on a table in a locked house with an open window was a flawed concept.

Finally, IMPACT wouldn’t be IMPACT without the people who make it happen, from the event team to all our speakers, sponsors, partners and customers – a huge thanks to all of you.

*Yes, I still listen to albums all the way through.

Nick Bowman is director of media relations at CyberArk.

In the rapidly changing cybersecurity landscape, Identity and Access Management (IAM) is a critical pillar, safeguarding organizational data and access across different enterprise systems and platforms. As the head of CyberArk’s Artificial Intelligence Center of Excellence (AI CoE), I’m witnessing firsthand the transformative impact of artificial intelligence (AI) in this domain. AI is not just reshaping how we manage digital identities and access controls but also how we balance productivity and security.

After announcing the launch of CyberArk’s AI CoE last September, my team and I dedicated ourselves to understanding the needs of our customers and the industry. We conducted interviews, analyzed market trends and made predictions. At the same time, we began working on several imperative AI initiatives. Just over six months later, we have even more AI initiatives underway and many more in the planning stages.

This week, I’m participating in CyberArk’s annual IMPACT conference, where our customers and partners will preview CyberArk CORA™ AI*, the first wave of AI-powered capabilities that will be embedded across our Identity Security Platform and that we plan to release this year. In this post, I will share insights into our current work and the direction we envision for the future. While some predictions are involved, it’s important to note that they do not reflect our product roadmaps.

AI and the Security-Productivity Balancing Act

When developing AI-based capabilities for IAM systems, we often must choose between improving user productivity and enhancing security measures. Some AI capabilities streamline user operations and improve efficiency, while others aim to tighten security.

From conversations with customers, I understand they primarily see AI-based features as productivity boosters. These features help them work more efficiently and shorten the learning curve. Some AI-based features, like chatbots, focus on productivity, while others, like policy recommendation engines, combine productivity with security. These features can streamline users’ work and provide collective or heuristic-based knowledge, guiding them to make better decisions and enhance security.

Other capabilities, such as discovering and alerting suspicious activities, lean even further toward the security end of the spectrum. But, even in this case, there’s an argument that these capabilities also increase user productivity and effectiveness.

The Three Pillars of AI in IAM and What’s on the Horizon

As charted in the illustration above, we’ve categorized AI in IAM into three main pillars for this blog post, each blending productivity enhancements with security improvements. While securing GenAI is an exciting topic, it only relates tangentially to IAM, so I’m not discussing it in this blog. Looking into the future, we can expect a wide range of technologies to emerge in each category, from the near and achievable to the more distant and complex.

So, with my (cyber) crystal ball in hand, to follow are my predictions (and my predictions only) for what will happen in each area of AI in IAM over the next few years.

1) Chatbots and AI Assistants

Imagine a world where intelligent AI assistants guide every interaction with your IAM system. Information answers retrieval, context-specific recommendations and even system configuration or system debugging are delivered instantly and accurately. AI-driven chatbots and assistants in IAM will soon be able to provide not just text-based Q&A interactions but also create context-aware recommendations that include integrations with third-party systems.

These AI functionalities are built to understand users’ individual needs and the unique circumstances of different customers, making operations more intuitive, efficient and tailored to the specific situation. Whether answering queries, suggesting next steps or executing commands on the user’s behalf, AI assistants are set to become indispensable in the IAM toolkit.

Here’s what’s likely to roll out in the next few years in this area of AI in IAM:

Predicted Release: 2024

• Documentation chatbots will continue to evolve and improve their ability to answer generic questions based on the body of documents, knowledge base and other sources of information.
• Assistant chatbots will understand the user’s natural language and run commands for them, but at a much deeper and more complex level than what we’ve seen thus far. For example, some user queries may involve executing a chain of API calls that requires correctly understanding the necessary parameters for each subsequent call and how to provide the appropriate response to the user. These assistants will be simple to start, but as time goes by, they will add more and more capabilities and support ever more complex use cases.

Predicted Release: 2025-2026

• Context-aware chatbots and assistants will be more knowledgeable about individual user circumstances than their current AI predecessors. Rather than providing the same outputs to different users, these next-gen chatbots will “know” things about you and tailor their responses accordingly. For example, they will be able to identify if the user is new to the system, which operations they typically perform and which services they subscribe to. Additionally, these assistants will consider broader context, such as progress in onboarding or completing a to-do list.

Predicted Release: 2027-2030

• Automatic issue detection and guided remediation will enable AI chatbots and assistants to become more proactive, suggesting actions and next steps. Whether it’s the next item on your to-do list or resolving an error on your screen, these assistants will increasingly offer solutions to problems and tasks – asking only for your confirmation.

2) Access Policies

The integration of AI tech is poised to significantly transform the definition of access policy. Algorithms will generate dynamic least privilege access policies, ensuring users have only the access necessary for their roles. These policies will be based on natural language and intent rather than technical language currently representing this intent.

This shift means that IAM administrators will transition from hands-on operators to strategic supervisors who set high-level guidelines, accept or update suggested policies and handle anomalies.

This change should accelerate task completion and reduce the technical knowledge required for policy managers within organizations. Yet, it raises an interesting question: Will this efficiency come at the expense of precision (for instance, will you get used to unquestioningly accepting the suggestions), or will it enhance security? The trend points toward the latter, considering simpler, AI-generated policies tend to be less prone to human error and misconfiguration.

Here’s what to look for in the next few years:

Predicted Release: 2024

• Policy recommendations based on best practices or the collective knowledge of other customers. You can expect to see lots of these soon.

Predicted Release: 2025-2026

• Intent as policy is one of my most anticipated and revolutionary AI promises to the world of IAM (and other sister industries that handle multiple access policies). We’ll see natural language used to define new and explain existing policies. The intent will become the policy. For example, an access policy rule could look like this: “Give John SRE-level access to his team’s AWS production account for the upcoming two hours.” Or, “Don’t allow non-admin users to see payment-related fields in the CRM app.”

Predicted Release: 2027-2030

• Automatic policy creation is the logical next step after policy recommendation. Such policies can rely on history or heuristics for their creation.

3) Risk-based Access

The third pillar focuses on the nature of access itself. As AI makes access to systems more personalized and contextualized, access becomes more dynamic and transparent. This means fewer repetitive logins and multi-factor authentication (MFA) prompts during normal operations, leading to smoother workflows and less user frustration.

Here’s what I predict we’ll see in this area in the near and not-as-near future:

Predicted Release: 2024

• Activity summaries and security insights will be generated from the user’s interactions with systems, which produce a digital trace (like a video recording, a log or an audit record). Generative AI (GenAI) will transcribe and summarize this trace into human-readable text. Additionally, GenAI will alert you if you perform a risky operation during the session.

Predicted Release: 2025-2026

• Behavioral profiling and threat detection will work together to create and continually update risk profiles for workloads and users. These profiles will be based on their activity within the systems, allowing for the creation of specific profiles for each workload and user. As a result, more granular and precise risk-level management and threat detection will be achievable.

Predicted Release: 2027-2030

• Automated threat prevention will be the next natural step following the arrival of threat detection mechanisms. It will likely take many forms, such as stopping a suspicious session or suspending or requiring additional login measures for a questionable user.
• Automatic policy creation (extension): With the ability to maintain user-specific profiles, systems will use this data to create user-specific and context-specific behavior, resulting in more personalized and dynamic access policies.

The Impact of AI on IAM: A Look Into the Future

Integrating AI in IAM is an ongoing journey toward creating more secure, efficient and user-friendly systems. As we look to the future, the focus will be on how AI can seamlessly integrate into the core areas of IAM to provide increased security and productivity.

At CyberArk’s AI CoE, our mission is to drive state-of-the-art technological innovation in our products and create value for our customers by meeting today’s challenges and future-proofing against tomorrow’s cyberthreats. We strive to seamlessly integrate AI into the core areas of IAM, enhancing security and productivity. As we continue exploring the exciting possibilities, we are grateful for our customers and partners in this journey toward a more secure and efficient future.

Together, we can achieve great things.

Daniel Schwartzer is CyberArk’s Chief Product Technologist and the leader of CyberArk’s Artificial Intelligence Center of Excellence.

*Learn more about CyberArk CORA AI.

Editor’s note: For more insights from Daniel Schwartzer on this subject and beyond, check out his appearance on CyberArk’s Trust Issues podcast episode, “AI Insights: Shaping the Future of IAM.” The episode is available in the player below and on most major podcast platforms.

The last 12 months have witnessed a rapid-fire round of innovation and adoption of new technologies. Powerful new identities, environments and attack methods are shaping the quickly changing cybersecurity threat landscape, rendering it more complex and causing the diffusion of risk reduction focus. New CyberArk research indicates that the rise of machine identities and the increasing reliance on third- and fourth-party providers are deepening the existing threats and creating novel vulnerabilities.

The CyberArk 2024 Identity Security Threat Landscape Report, released today, surveyed 2,400 identity-related cybersecurity experts and decision-makers across 18 countries to provide deep insights into the evolving threat landscape. The report reveals that an overwhelming majority (93%) of organizations have experienced two or more breaches due to identity-related cyberattacks. These organizations anticipate the total number of identities to increase more than 2.4 times in the next 12 months.

Several factors contribute to this surge in identity-related attacks, including the rise in volume and sophistication of cyberattacks perpetrated by both skilled and unskilled bad actors who utilize generative AI (GenAI) to amplify their attacks. These threat actors target an already intricate and expanding digital ecosystem, exploiting unsecured identities to gain access to their victims’ environments. To that end, the report finds that nearly all (99%) organizations affected by identity-related attacks suffer negative business impacts.

Read on to get a look at some key trends outlined in the report.

The Perils of GenAI

GenAI is, of course, not new to organizations or bad actors. In fact, 99% of organizations use AI-powered tools in their cybersecurity initiatives, while bad actors also use GenAI to increase the volume and sophistication of their attacks. As a result, 93% of organizations anticipate a negative impact from AI, expecting an increase in AI-augmented malware, phishing and data breaches. In the last 12 months, nine out of 10 organizations experienced a breach due to phishing or vishing attacks. With AI-powered cyberattacks becoming more challenging to detect, the likelihood of widespread organizational breaches increases.

Deepfake videos and audio generated by GenAI are becoming increasingly difficult to discern. Yet, in the B2B world, over 70% of respondents are confident that their employees can identify deepfake content featuring their organizations’ leaders. These insights suggest complacency among respondents, likely fueled by an illusion of control, planning fallacy – or just plain human optimism. The full extent of the potential damage that GenAI-augmented attacks can inflict and the damage multiplier of compromising the data models feeding defensive GenAI remains unknown, and our vulnerability to it may be greater than we realize. These responses underscore the need to plan for more advanced future attacks and invest in protecting the data models used by machine intelligence and extending strong governance to this new AI identity.

New Era: Rise of the Machines

Nearly half of the 2,400 surveyed cybersecurity experts anticipate a threefold increase in machine identities, which are primarily under-secured and over-privileged, driving this growth. Ongoing automation efforts at scale and pervasive cloud computing further exacerbate the proliferation of vulnerable machine identities. The increase in the total number of these identities is neither new nor surprising. However, what is surprising (and concerning) is that nearly two-thirds (61%) of surveyed organizations have an exceedingly narrow definition of “privileged user,” which solely applies to human identities with access to sensitive data.

This definition contradicts our respondents’ observations, with nearly three-quarters (68%) indicating that up to 50% of all machine identities have access to sensitive data.

Still, their organization’s definition of a “privileged user” reveals a massive gap in excluding machine identities. Organizations report that they are primarily focused on securing human identities, which is a cause of concern in securing machine identities. They also report that a security incident requires significant manual effort to address or remediate.

Chain Reaction: Third and Fourth-party Risks

The report also highlights a lack of rigorous focus on vendor risk management despite the expanding web of our digital ecosystems. In the next 12 months, 84% of organizations plan to employ three or more cloud service providers (CSPs), and projections show an 89% annual increase in the number of SaaS applications, compared to 67% in 2023.

It’s crucial to understand that your network of third-party providers extends beyond CSPs and SaaS providers to include service providers, integrators, hardware and infrastructure suppliers, business partners, distributors, resellers, telecommunications and other external entities that enable digital business. Third- and fourth-party breaches can quickly cascade to your organization, creating a multiplier effect on risk.

The report finds that while 91% of respondents are concerned about third-party risks and 83% about fourth-party risks, vendor risk management remains a low priority for post-breach investments. It’s important to note that bad actors often employ a ‘buy one, get one’ approach, targeting multiple victims through double software supply chain and multi-tenant environment attacks. This means if bad actors target your third- or fourth-party providers, they could put your organization at risk. As such, regular vendor risk assessments and heightened vendor accountability are crucial. Likewise, this vendor accountability and risk assessment strategy should extend to cybersecurity vendors, too.

Cyber Debt: ‘Shiny Object’ Syndrome and a Blind Spot

Facing growing threats, organizations may prioritize adopting the latest technologies over foundational controls to address cybersecurity challenges. However, this can lead to the accumulation of cyber debt, where organizations incur significant costs and risks by neglecting existing vulnerabilities. This shift in behavior and negative results shows a need for consistency across foundational and new attack paths and tooling. According to the report, core social engineering attacks like phishing and vishing remain highly effective, resulting in breaches and substantial financial losses for nine out of 10 organizations.

Organizations must balance addressing existing vulnerabilities and adopting new technologies. Despite the complexity and challenges inherent in the future of cybersecurity, organizations can mitigate risks by staying informed and adopting a proactive approach to risk management that is consistent across all identities and environments.

Identity Security: The Key to a Robust Cybersecurity Posture

In today’s fast-paced world, where challenges abound, every defense erected becomes a new tower that bad actors seek to conquer. Our most significant advantage against these threats lies in our ability to collaborate. As Michael Jordan famously said (I’m told…), “Talent wins games, but teamwork and intelligence win championships.” Our collective defense extends beyond immediate colleagues to encompass our entire organization and third- and fourth-party providers. Securing every identity across the IT environment is paramount, necessitating a new cybersecurity model centered on identity security. The future of security starts with identity.

Download the CyberArk 2024 Identity Security Threat Landscape Report for comprehensive insights into navigating the evolving cybersecurity landscape.

Brandon Traffanstedt is a senior director in CyberArk’s Field Technology Office.

We’re in the throes of another pandemic, but this time, it’s not transmitted through the air – it spreads with just a click.

Welcome to the world of deepfakes.

While COVID-19 significantly impacted our physical and mental well-being, deepfakes affect our minds differently. Their influence is causing confusion, mistrust and a distorted perception of reality, both personally and globally. In this crucial election year – with over 4 billion people across 60 countries gearing up to choose their leaders – deepfake technology is being weaponized to spread misinformation, influence global events and shape the course of history.

Voter influence campaigns fueled by deepfake videos will spread across social media platforms with a mere click. In the midst of elections now, India is grappling with an onslaught of deepfakes. Moreover, deepfakes are infiltrating B2B environments, exemplified by a recent fraud case in Hong Kong that incurred significant financial losses for a financial firm.

Further chaos will ensue as GenAI races toward super-fakes.

Mitigating the Risks of GenAI

Ongoing innovation in GenAI will likely render the average person incapable of discerning authentic content from deepfakes. Currently, there are no tools capable of identifying and mitigating this threat. This gap will put added pressure on cybersecurity teams already pressed with limited resources and budgets to defend against the existing threat landscape. However, here are three measures we must consider now to address this modern risk:

   1. Establishing Regulations Quickly

Regulations, though not foolproof, serve as guardrails against unchecked technological innovation. The absence of regulations, as witnessed in the case of social media, allows for rampant issues like misinformation and polarization. Governments worldwide, mindful of not making the same mistakes they made with social media, are swiftly enacting regulations to hold both vendors and users of GenAI accountable. Examples from 2023 include the EU AI Act and the U.S. Executive Order (EO) on the Safe, Secure and Trustworthy Development and Use of Artificial Intelligence.

The current regulations are – to some extent – slowing down the pace at which vendors release GenAI-powered tools to the market. For example, OpenAI is delaying the release of Sora AI to ensure content provenance and enable users to identify real vs. increasingly real-looking but fake videos.

   2. Addressing Misplaced Confidence and the Need for Self-Regulation

AI-driven phishing and deepfake scams are already working. In February, a Hong Kong-based multinational company lost HK $200 million (U.S. $25.6 million) to a deepfake scam that fooled a clerk into executing a financial transaction discussed during a virtual meeting where every attendee – even the chief financial officer (CFO) – was fake. Unfortunately, this first-of-its-kind AI heist (and worst day ever for the clerk) will not be the last. AI-powered phishing attacks will soon target and potentially breach nearly all organizations. In addition to this dire forecast, the report forecasts a steep rise in GenAI-powered phishing that will be harder to detect because of the sophistication and scale of the attacks.

Yet despite the growing threat of AI-driven phishing and deepfake scams, there’s a widespread misconception among employees regarding their ability to identify deepfakes. Our recent survey of 4,000 U.S. office workers finds that over 70% of employees (yes, you read that correctly) are largely confident in their ability to identify a deepfake video or audio of the leaders in their organization.

It’s a bad bet. This misplaced confidence underscores the need for rigorous fact-checking and self-regulation. Individuals must verify information from multiple trusted sources and exercise caution, particularly in high-stakes scenarios. And if you can’t fact-check it with numerous trusted sources, don’t believe it.

   3. Tackling the Debilitating Lack of Tools

Among other notable executives to make bullish statements about AI, JP Morgan Chase CEO Jamie Dimon recently said that AI could be as impactful as electricity. And who can fault them for making such statements? After all, GenAI boasts over a billion users in just a matter of months. No other technology has seen such unprecedented adoption.

I’m excited about AI, too.

However, the unchecked proliferation of GenAI poses significant challenges for organizations, including the need for more effective training and oversight. GenAI tools learn from vast datasets, raising concerns about inadvertently sharing sensitive data. Moreover, some GenAI models inherently lack adequate cybersecurity safeguards – controls too complicated to configure – leaving organizations vulnerable to exploitation by malicious actors. It’s particularly concerning that the number of GenAI tools that can generate deepfakes is increasing, but tools that can detect and prevent them are too few or next to non-existent.

As a leader, I sympathize with my peers facing the same ordeal who still must find ways to maintain a robust security posture.

What Your Organization Can Do to Protect Against Deepfakes

The good news is that there are some things organizations can do now to protect against deepfakes. These actions include:

• Identify and train external-facing employees who interact with customers and may have access to sensitive information. For example, support and services staff should be trained to ask additional questions to verify whether the external caller is a human or a deepfake.
• Educate all employees on the risks of engaging with unverified content and discourage amending or amplifying such content.
• Prioritize investment in responsible and ethical AI practices, particularly during times of budget cuts.
• Hold AI vendors accountable by embedding language in contracts to review capabilities periodically and ensure alignment with expectations.
• Foster collaboration between employees and leadership to address gaps in perception and enhance awareness of deepfake threats. You can start by socializing and discussing our Identity Security Threat Landscape Report findings with them (my gift to you!).

As we navigate the uncharted territory of GenAI, collaboration, vigilance and proactive measures are essential to combat the threat of deepfakes. Let’s work together to ensure that GenAI shapes a future where technology is a force for good rather than a pervasive pandemic of misinformation.

Don’t wait – take action now to protect your organization from the dangers of deepfakes.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

Let’s head back for a moment to when some of us were partying like it’s 1999, in 1999. Among that year’s notable milestones were the release of The Matrix, the introduction of the euro – and the impending clock turn to 2000 (aka Y2K), which propelled prophylactic tech upgrades far and wide. Simpler times – at least in retrospect.

Somewhere amid the Czech Republic, Hungary and Poland joining NATO and “Hotmail hacking,” the company that now underwrites this blog debuted in the spring of 1999. CyberArk launched in a small sublet office outside Tel Aviv with a digital vault solution and a handful of employees. Soon after that came U.S. expansion and a rising focus, born from customer need, on securing privileged access – initially for IT admins.

CyberArk would soon become instrumental in pioneering the privileged access management (PAM) market and continuously driving its evolution. With the advent of multi-cloud, hybrid working and the dissolving of the security perimeter that followed, what began with IT admins expanded to the wider workforce and all other human identities, as well as bots and applications – all with degrees of sensitive access that need to be managed, monitored and controlled. Privileged credentials are everywhere around us, and attackers, of course, still relentlessly attempt to compromise privileged credentials and use them to move laterally throughout networks to reach intended targets.

Then identity security entered the fold – centered on PAM – making it easier for organizations to protect themselves against advanced cyber threats by securing all human and non-human identities, accessing all resources from every location. CyberArk established the category, and identity security has quickly become essential to extensive digital initiatives that drive businesses forward.

Critical to the company’s rise, continuous innovation and business transformation is co-founder Udi Mokady. Propelled in large part by his vision, under Mokady’s leadership, CyberArk has grown to over 3,000 employees and offices in 16 countries. And it was just last year when he shifted to a new executive chairman role after serving as the company’s CEO for over 18 years, including the first eight-plus years since he took the company public in 2014.

To commemorate CyberArk’s 25^th anniversary, Mokady recently sat down with me for an episode of our Trust Issues podcast. It’s a wide-ranging discussion that looks back, looks forward and dips into philosophies and lessons learned. In the episode, Mokady reflects on the significance of CyberArk’s quarter-century milestone, its ongoing growth and innovation’s pivotal and enduring role in that growth. He also talks about the ever-evolving threat landscape and how the company has, in turn, grown and scaled to meet it while maintaining its culture and values.

The following excerpts from the podcast have been edited and condensed for clarity.

On CyberArk’s early days: “There’s no way in the world that I envisioned getting to where we are today. This would have been a crazy dream at the time when we were in a sublet in Israel.”

On the 2014 IPO: “Going public created a platform we could ride on to build a long-lasting company … It was a way to show our customers and partners that we were going to be around for the long haul. It was a way to earn the right to say that we were built to last … Everything we did was about thinking long-term and doing what was best for the company in the long-term. Going public was good for business and it was good for our brand.”

On the transition from CEO to Executive Chairman: “It’s been a wild year. I’d been CEO of CyberArk for more than 18 years until we decided to do this transition. I turned it over to Matt Cohen, who is a superb CEO, so that I can focus on things that are strategic to CyberArk. It’s been a great transition, and I think we’re writing a case study of a founder/CEO transitioning to another CEO while the founder stays connected to the company, customers, partners, culture and employees.”

On endurance: “You can’t be built to last in cybersecurity without making innovation a major pillar and a major part of your strategy. It’s all about continuously extending our solutions to address modern-day attacks, both organically and inorganically, through partnering and acquisitions. We’re very unique in how much we partner in the C3 Alliance, which has thousands of integrations with third parties. That approach of security as a team sport is another thread of innovation … And part of our culture is to think like an attacker, so every team member at CyberArk approaches their role by bringing the attacker into the room in everything we do. That really drives our innovation – we not developing in silo – we’re thinking about defending against that attacker.”

On culture: “Company culture is the most important aspect of a successful business. At CyberArk, we have a unique culture that’s built on the values of being smart, bold, but humble. These values are ingrained in our DNA and are reflected in everything we do. We hire and retain people who possess these traits, and it has been a key factor in our success. Our culture is global, and we have a reputation for having amazing people. I am most proud of our people and the culture we have built.”

On humility: “You can’t train humble. It’s very much how people grew up. It’s people who influenced them in their life. It could be their parents, a mentor, their friends, or something that they were part of. When you’re humble, it means you’re not full of yourself. It means you’re going to listen.”

On perseverance amid geopolitical tensions: “I am very proud of the resilience of the team in Israel … Something happened where people huddled and covered for each other. Like, if somebody was out in reserve duty, people covered for one another. And the output in R&D and delivery and support – everything – was greater than 100 percent.”

On aspirations: “My ultimate dream for CyberArk is for it to continue to grow and scale, while maintaining its culture and values. I want the company to be a trusted and reliable partner for its customers and to continue to innovate and address the evolving threat landscape. Personally, I hope to remain energetic, curious and always learning. Always be learning.”

On identity security: “What I’ve learned is that the rise and importance of identity security is paramount in today’s digital age. With the proliferation of identities, both human and machine, the need to secure them has never been greater. The threat landscape has evolved rapidly, and attackers are becoming increasingly sophisticated in their methods. Identity security is no longer a luxury, but a necessity. It’s the key to protecting against privilege escalation, credential theft and other forms of cyberattacks. It’s a critical layer of defense that every organization must have in place to protect their most valuable assets.”

On 25 years of attacker innovation: “Some things that have evolved in the attacker landscape are the makings of science fiction movies … Who would’ve imagined that there was going to be the ability for criminals to encrypt organizations and the extortion is not going to be in cash that they have to deliver in a suitcase? Instead, you can deliver a Bitcoin, and it’s going to be untraceable and they’re going to be sitting in their air-conditioned rooms getting a massage while the Bitcoin is coming in. No one would have imagined.”

On extracurricular pursuits: “Outside of work, I have a love for music and playing the guitar. I’ve been studying some riffs, like the ‘Comfortably Numb‘ solo from ‘The Wall‘ that David Gilmore plays so well – but I’m not ready for live-streaming yet. I’m also passionate about how we educate the younger generation to read real news sources and not get their news from TikTok – and reducing hate around the world. I want to stay closely in touch with innovation, and I’m able to contribute more to the ecosystem by mentoring startups – some in cybersecurity, but some not – because I think it’s beneficial to CyberArk and our customers that I get exposed to other things.”

You can listen to the entire Trust Issues podcast interview with CyberArk Founder and Executive Chairman Udi Mokady in the player below or on most major podcast platforms.

David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.

There’s currently a cybersecurity adage with varying verbiage and claimed origins – the point, however, is unmistakable:

“Attackers don’t break in. They log in.“

This saying underscores the strategic shift associated with cloud adoption’s prominence in shaping the digital landscape. New environments have created new attack methods to gain access by logging in rather than infiltrating a perimeter. As technologies continue to advance, we cannot expect previous security methods to tackle these new challenges.

Before cloud environments, attackers had to break into on-premises infrastructures with a protected perimeter. Networks, servers, hardware and software were all safely within this perimeter, monitored and managed by IT. Now, organizations are effectively demolishing it. They are utilizing cloud technology and storing data on several different clouds.

Once attackers gain entry to these multi-cloud estates, any movement can mean organizational destruction. Keeping the cloud secure is vital to an organization’s business success.

But what exactly does it mean to secure the cloud? Let’s first rewind to equip ourselves collectively with the basics of cloud identity security.

Defining Cloud Environments and Deployment Types

The cloud is comprised of internet-based computing services for storage, processing and software access.

Though it sounds simple enough, when tasked with protecting “the cloud,” this answer becomes somewhat more complex. Your mission also includes protecting the various forms of cloud deployment models. Responsibilities are often unclear, but your organization is always responsible for your data, regardless of your cloud type.

Cloud environments have four different cloud deployment models, each with unique benefits and security risks. These models are:

1. Public Cloud: The Open Playground on the Internet
   Think of the public cloud as a vast, shared playground accessible to anyone with an internet connection. Third-party vendors, such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), provide cloud services in this model.
2. Private Cloud: The On-premises Infrastructure
   Unlike the public cloud, the private cloud is like having your own exclusive club – an infrastructure dedicated solely to your organization. In this model, cloud resources are provisioned and managed within a private network, offering enhanced security, control and customization. A private cloud also increases management responsibility.
3. Hybrid Cloud: Not Fully Committed to the Public, But Also Not Fully On-premises
   As the name suggests, the hybrid cloud combines on-premises infrastructure and cloud services, interconnected to create a unified environment. This model allows organizations to leverage the scalability and flexibility of the public cloud while maintaining control over sensitive data and applications in the private cloud. But, a hybrid cloud also increases technical complexity.
4. Multi-cloud: Everything, Everywhere, All at Once
   In the multi-cloud model, organizations harness the power of multiple cloud providers. All hybrid clouds are multi-clouds – but not all multi-clouds are hybrid clouds. By spreading workloads across multiple clouds, organizations can mitigate risks, avoid vendor lock-in and optimize performance and cost.

Understanding Cloud Services and Resources

Now that we’ve covered cloud deployment models let’s get closer to learning how to secure the cloud by first discussing what needs to be secured.

All cloud environments contain two elements:

1. Management platform and services
   Management consoles (accessed via the web UI, CLI or API) are the main access points into the cloud. Cloud management platforms (CMPs) are your organization’s tools to monitor and control your cloud environments. Capabilities and integrations can vary widely across vendors, but your organization will require some form of CMP, depending on the type of cloud model. All the resources in the cloud are called cloud services.
2. Infrastructure workloads
   The second element is infrastructure workloads. Cloud resources, including virtual machines, containers, serverless functions, cloud-native apps and storage created by different cloud services, can run specific apps, services and workloads.

There are services to administer and create these various workloads, but what’s unique about these resources is that they, too, require a separate layer of identity security controls, separate from that of the platform or services.

The Shared Responsibility Model

To comprehensively grasp cloud services and resources, it’s crucial to delineate the respective responsibilities of organizations and cloud service providers (CSPs). Enter the shared responsibility model, which created for this reason. This is how CSPs communicate responsibility for the management and security of services. Some things are their problem, and some things are yours.

You will always be responsible for who can access the management console, cloud services and infrastructure workloads, which is where cloud identities come in.

Exploring Cloud Identity Types

Identities refer to who can access what in the cloud. Each type of identity has different access needs, which means each identity poses a different level of risk to your organization.

The four different types of identities that need to be secured are:

1. Cloud Operations Identities
   Having evolved from traditional IT roles such as infrastructure operations, networking engineers or database admins, cloud operations identities are roles like cloud operators, architects and site reliability engineers. Within cloud operations, full cloud administrators have complete administrative access and the ultimate permission to affect every service and resource within the CSP account. There are also service-level admin roles, like engineers with specializations in networking or databases, that can only administer a smaller scope of services and resources.
2. Developer Identities
   The umbrella of developer identities includes any human engineers who write code. Developers will self-administer various cloud services, create cloud-native applications, push workloads into the cloud and access supporting resources.
3. Application and Audit Team Identities
   Other application teams, aside from developers and any audit teams checking compliance, will require access to cloud environments. Though they will require lesser privileges, like read-only access to various services, read-only access can still pose a security threat to your organization.
4. Machine Identity Workloads
   The cloud-native applications, services, automation tools and processes that run your business are considered machine identities – and they now outweigh human identities by a factor of 45:1. Some risks for machine identities include access keys coded into software and released to the public.

The ‘How’ of Cloud Identity Security

Now that we’ve discussed the what and where of building secure, well-architected cloud environments, tackling the how requires adhering to a couple of essential guiding principles:

1. Zero Standing Privileges
   The dream scenario of access is to reduce its availability and impact, giving someone access to the one thing they need to do and nothing else. However, these logistics are often viewed as unrealistic in the highly complex world of cloud security, especially in keeping up with cloud innovation and required velocity. The principle of zero standing privileges (ZSP) is the best solution to these challenges. You can remove persistent privileges to limit implicit trust and provide several levels of control to verify access.
2. Time, Entitlements and Approvals (TEA)
   Designing a better user experience while keeping security foundational can be a significant challenge, especially for roles that require velocity, like developers. The key to this balanced cloud strategy is TEA:
   • Time: How much time is access granted?
   • Entitlements: What level of access have you granted?
   • Approvals: What level of checks have you undertaken on access?

You can achieve ZSP by controlling the time of sessions, dynamically provisioning least privilege entitlements and ensuring proper approvals are in place. To dive deeper into implementing ZSP and increasing the adoption of security controls, check out this fireside chat with CIO Mentor and Advisor Simon Ratcliffe and CyberArk VP of Engineering Shay Saffer.

As threat actors continue to refine log-in attack methods during the escalating adoption of cloud technology, it becomes increasingly clear that relying solely on legacy security measures is no longer sufficient. Embracing a cloud-first mentality and prioritizing identity security in the cloud is the next step in fortifying defenses in this perimeter-less era.

Alyssa Miles is a product marketing manager at CyberArk.

In an era when every aspect of our society depends on reliable critical infrastructure, the role of identity security in safeguarding these essential services has never been more pivotal. With sophisticated cyberthreats escalating, understanding the transformational potential of identity security is akin to orchestrating a symphony. Each section – strings, woodwinds, brass and percussion – must perfectly harmonize to produce a masterpiece. Similarly, every identity and device in a network must function in secure sync to protect the critical infrastructure of our digital and physical worlds.

The Symphony of Security: Why Identity Matters Now

The future of strong cybersecurity strategies is intrinsically linked to the identity of each user and machine across your network. This insight is crucial at a time when critical infrastructure sectors such as energy, healthcare and finance face unprecedented risks. Identity security acts as the conductor, ensuring that every network element performs its role securely and effectively, safeguarding the services vital to our daily lives.

“Identity security acts as the conductor, ensuring that every network element performs its role securely and effectively, safeguarding the services vital to our daily lives. “

Identity Security: The Cornerstone of Resilience

Identity security is not just about protecting human and non-human identities —it’s about helping to ensure the continuity and resilience of services that society depends on. Focusing on identity can help transform the security landscape of critical infrastructure by:

• Proactive Threat Detection. By harnessing the power of artificial intelligence, identity security solutions can predict and neutralize threats before they manifest, transitioning from a reactive to a proactive security posture.
• Enhanced Compliance and Control. As regulations become stricter, identity security can help organizations stay ahead of the curve. Managing privileged credentials and monitoring access can help ensure that only the right entities have the right access at the right time, aligning with compliance needs.
• Securing the Remote Frontier. As remote work and the increasing need for third-party vendors become the norm, securing identity extends beyond the physical office and remote employees. Comprehensive identity management ensures that secure remote access remains a gateway to productivity, not vulnerabilities.
• Innovative Access Technologies. The shift toward passwordless authentication is helping to transform it into a seamless yet secure process, authenticating each user while reducing the reliance on credentials.

Harmonizing Security: The Zero Trust Model

In the grand symphony of identity security, adopting a Zero Trust framework is like tuning each instrument before a performance – ensuring every note plays only at the right moment and precisely as intended. Zero Trust operates on the principle that trust is never assumed for humans or machines. By implementing measures like just-in-time (JIT) access and zero standing privileges (ZSP), organizations orchestrate a dynamic and resilient security infrastructure. This approach ensures that every element within the network contributes harmoniously, maintaining the integrity and security of the entire ensemble.

Strengthening Partnerships and Sharing Intelligence

Just as a symphony grows through collaboration among its musicians, strengthening partnerships and enhancing information sharing across sectors – including agriculture, communications and transportation – play a critical role in orchestrating effective security measures. Identity security solutions should enable secure, confidential information sharing among third-party vendors and stakeholders, which is vital for developing timely, actionable intelligence.

Your Role in the Cybersecurity Symphony

As a cybersecurity professional, your role is to ensure that every “instrument” – every user and device within your network – plays its part perfectly. By integrating advanced identity security solutions, you contribute to a secure, resilient future for critical infrastructure, ensuring this vast symphony performs flawlessly for generations.

Learn how a global multi-energy provider protects privileged users and vendors with a comprehensive privileged identity security strategy.

Chris Maroun is a senior director in CyberArk’s field technology office, and Ryne Laster is a product marketing manager at CyberArk.

Identity security and Zero Trust have emerged as critical components in the defense against quickly evolving cyberthreats. Together, the solution and the approach support a default stance of “never trust, always verify,” with every risky action requiring authentication, authorization and audit. In the CyberArk 2023 Identity Security Threat Landscape Report, we found that 74% of organizations have begun the implementation of Zero Trust initiatives, with another 18% planning to do so in the next 12 to 24 months. If you’re reading this blog, you may be on a team driving these strategic initiatives and working with cybersecurity vendors to implement them. And if you haven’t yet considered extending identity security over your desktops and servers, it’s high time you do so. Read on for the why and how.

When working on strategic programs, some investments in cybersecurity, such as multi-factor authentication (MFA) and Single Sign-On (SSO), are widely recognized for reliably delivering relief to the defending teams – and, as such, prioritized. Some are even explicitly called out as examples of required capabilities, such as MFA. Critically, though, these programs remain no more than a set of siloed technologies for far too many Zero Trust implementations as technologies are viewed as belonging to certain domains (for MFA, that would be the IAM domain) instead of a broader angle.

The omissions are the most glaring when you look through a holistic identity-first approach lens, especially considering the first mile of user access and the last mile of information consumption – the endpoint. In fact, according to the Identity Security Threat Landscape Report, 79% of 2300 cybersecurity experts around the globe indicated that Identity Management is the most critical principle for successful Zero Trust initiatives, followed closely by endpoint security device trust (78%).

These stats imply that these capabilities are vastly different. But are they? Should we consider some capabilities of identity management and security as critical contributors to endpoint security?

I certainly think so.

Zero Trust in the Endpoint Department

If your day-to-day job lies in Identity and Access Management (IAM), you should be familiar with many paradigms that fit into and comprise Zero Trust. Those include least privilege, zero standing privilege (ZSP), just-in-time (JIT) access and privilege, continuous authentication and risk assessment. The same logic should apply to endpoints – both workstations and servers. Not for nothing, the principle of least privilege (PoLP) is designated as the cornerstone of Zero Trust. It is an ever-present recommendation of auditors and authorities in the cybersecurity field.

So, if your endpoint security strategy is built around capabilities that scrutinize applications, processes and actions and respond to those deemed malicious, your Zero Trust initiative should get some attention in the endpoint department. After all, isn’t Zero Trust fundamentally about proactive rather than reactive measures?

Now consider the simple diagram below. A very traditional endpoint security setup would include a combination of unified endpoint management (UEM) and endpoint detection and response (EDR). These technologies, while providing a near-complete coverage of an attack kill chain, are very asset or resource-centric, meaning they usually focus on specific files, folders and processes. What should have been there from the very start – the identity context – has been notably missing. Analysts and the industry recognize this and have now expanded detection and response to include protection from identity threats in the form of ITDR.

But what about identity-centric prevention?

Despite the widespread adoption of various security measures, their effectiveness is ultimately contingent upon their convergence at the endpoint. The endpoint is where identities interact with critical resources and identity security and Zero Trust approaches must converge to provide a comprehensive defense. In today’s environment, characterized by an abundance of new identities, hybrid environments and sophisticated AI-driven threats, security is a question of how seamless your identity security fabric is and how complete the coverage of your assets is.

The Case for Proactive, Identity-centric Endpoint Security

Perhaps surprisingly, if you shift your mentality from the comfortably numb, “It’s not a question of if, but when,” back to attack prevention – and do a good enough job of setting endpoint privilege fundamentals – it may just be the security formula you’re looking for.

If you are a tenured defender, you may be thinking, “We tried that. It didn’t work 20 years ago – why should it work today? There’s a reason we ended up in an EDR-centric endpoint security camp.” All true – we did try, heard back from users, and opted for business agility and moving fast. Around 10 years ago, ransomware changed the game, and, as a result, cybersecurity today is a topic at the board level, and businesses today have to proactively inform the shareholders about security measures they take to prevent cyber incidents. What is also different now is that we finally have the right tools for the job.

Identity – the new (and the last standing) security perimeter – must be woven into anything happening within our infrastructure. It should be continuous and reliable. As part of identity security, this job is performed by an endpoint identity security agent that provides the ability to discover and secure privileged accounts on the endpoints, secure user authentication mechanisms, provide passwordless and strong authentication injection points into user workflows, harden other security agents and browsers and play a critical identity bridging role to ensure a single point of authority over identities throughout the organization.

Couple this with common endpoint privilege management (EPM) that helps discover and remove local admin rights, provide automated and transparent elevation for applications and isolate risky applications from accessing certain resources, enforce role-specific least privilege, defend credentials and security tokens, and add additional ransomware protection – and you have an excellent foundational layer of defense.

Having completed this loop and extended the identity security over your workstations and servers, you’ve ensured that your endpoint security plays into your Zero Trust initiative. Getting this identity-centric prevention right will help your organization do four critical things:

1. Extend identity security and Zero Trust to your workstations and servers
2. Decrease the endpoint attack surface and prevent zero-day attacks
3. Reduce IT security and operational costs with endpoint privilege controls
4. Demonstrate compliance and meet audit requirements on the endpoint

Additionally, this layer of security can improve user productivity and experience for all employees.

In short, if you extend identity security over your desktops and servers, your users, administrators, SOC analysts and shareholders will appreciate it.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

Not too long ago, when I was designing, building, operating and defending networks, the government organizations I worked with were burdened with many tasks related to deploying a new capability. We needed to decide and plan how it would be assessed and authorized, deployed, maintained, operated, patched, defended and, of course, when and how to upgrade the capability.

Assessment and authorization would take months, if not over a year, for a system or set of capabilities. Deploying and setting up complex on-premises software demanded extensive time and resources from our IT teams. Maintenance was continuous, requiring regular monitoring and troubleshooting to ensure smooth operation.

Patching was particularly critical and time-sensitive, as any delay in addressing vulnerabilities could lead to security breaches. Our IT staff had to be constantly alert, integrating updates while minimizing business interruption. Upgrading software often posed a significant challenge, as comprehensive testing was needed to avoid operational downtime.

Cybersecurity was another intense area of focus. Internal resources had to construct and maintain robust defense systems, with dedicated personnel to monitor and counteract threats promptly. Each application increased the potential attack surface, necessitating sophisticated and wide-ranging security expertise.

“A FedRAMP-authorized identity security solution is more than a product – it’s a strategic ally in the mission to protect the nation’s digital frontiers. “

The Challenges of Deploying New Capabilities

The responsibilities of securing, maintaining and refreshing software were complex and costly, falling squarely on organizations’ internal teams – a demanding reality now alleviated by the software-as-a-service (SaaS) model.

Another factor in designing, operating and defending networks has been the evolution of cybersecurity toward the Zero Trust framework. The increasing complexity of cyberthreats has driven organizations to adopt a Zero Trust mindset, the rise of cloud and remote access technologies – and the recognition that traditional perimeter-based security is no longer sufficient.

Today, federal agencies have many competing requirements to meet beyond cybersecurity directives. We often talk about agencies needing to meet Executive Order (EO) 14028, issued in 2021 and centering around improving U.S. cybersecurity. The Biden administration has also tasked federal agencies with “Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government” (EO 14058). The Office of Management and Budget (OMB) issued further guidance in 2023 with “Delivering a Digital-First Public Experience” (OMB M-23-22). In essence, agencies have two daunting goals in the digital transformation of their services while improving their cybersecurity.

One way to quickly achieve both requirements is to use software-as-a-service (SaaS) capabilities that have gone through the FedRAMP authorization process. Using the trusted FedRAMP process, agencies can rapidly procure and deploy solutions to meet their mission objectives.

Improving Cybersecurity Today Means Going on a Zero Trust Journey

Agencies have a lot on their plates, and for most of them, cybersecurity is not their core competency. Using solutions that have a FedRAMP authorization enables agencies to focus on their core competencies, delivering services to customers while conducting their digital transformation and maintaining cybersecurity. Adopting cloud-based solutions is an attractive business strategy, as organizations can streamline operations and reduce costs.

EO 14028 assigns agencies the responsibility to modernize their cybersecurity and advance toward a Zero Trust architecture. Zero Trust can be considered a foundational initiative that, together with an organized framework like the NIST Cybersecurity Framework, enables decision-makers and security leaders to achieve pragmatic and effective security implementations. Zero Trust efforts must incorporate, coordinate and integrate a challenging combination of policies, practices and technologies to succeed. As agencies begin consuming more capabilities from the cloud, the ability to use solutions that have already undergone the FedRAMP process will speed the transition.

Identity Security Capabilities Need the Highest Security

Identity security capabilities are foundational to protecting agency assets and identity is the target of many of the new attack methods we hear about from our customers and red team. I firmly believe that identity security capabilities should be a focus area of an organization’s overall security efforts. In today’s digital landscape, where cyberthreats constantly evolve and become more sophisticated, strong identity and access management controls are crucial for protecting sensitive data and systems. Identity security capabilities serve as the gateway to an organization’s resources. Identities, whether they belong to users, applications or devices, are the primary vectors through which access is granted or denied. Without robust identity security measures in place, an organization becomes vulnerable to unauthorized access, data breaches and other cyberthreats.

Agencies should use solutions authorized at the FedRAMP High-impact level since the effect of the loss of confidentiality, integrity or availability will have severe repercussions on operations. The newly authorized identity and endpoint privilege management solutions from CyberArk are what many agencies can use to evolve their Zero Trust maturity and meet the control requirements for your IT environments.

Benefits of FedRAMP to Zero Trust – Maintaining Speed to Value

As agencies continue to deploy more pieces of their Zero Trust architecture, the union with a FedRAMP-authorized identity security solution is more than compatible – it’s strategic. It enables a robust, compliant, future-focused stance against cyberthreats, ensuring the journey is embarked upon and sustained with a vigilant and compliant guardian.

I recommend that agencies adopt FedRAMP-authorized identity security solutions and engage in continuous education and training for their personnel. Understanding that adversary and agency objectives are dynamic means ensuring your security solutions’ functionality matures in response and recognizing that your people are your best line of defense. Moreover, agencies should work closely with their solution providers to ensure mission objectives are effectively accomplished as a team. Collaboration is vital in cybersecurity – a partnership approach can significantly enhance the effectiveness of serving your customers and maturing your Zero Trust strategy.

The journey to Zero Trust is ongoing. With the right tools and mindset, government agencies can look forward to a more secure future. A FedRAMP-authorized identity security solution is more than a product – it’s a strategic ally in the mission to protect the nation’s digital frontiers.

James Imanian is senior director of the U.S. Federal Technology Office at CyberArk.

In the past, many security teams considered securing secrets enough – if your secrets were secured, you were good. While you’re still kind-of-good staying on this course, security professionals increasingly recognize that just securing secrets is not enough – organizations require a more sophisticated solution to help protect themselves in today’s increasingly sophisticated threat landscape.

For large organizations with vast application portfolios, safeguarding these secrets and the newly created secrets from agile dev teams is challenging. And the growing number of secrets can increase the cyber debt associated with unsecured applications if not addressed. Fortunately, with a defense-in-depth approach, AI and automation, security teams increasingly have opportunities to further address and improve the security of the organization’s machine identities and reduce cyber debt.

“Security professionals increasingly recognize that just securing secrets is not enough – organizations require a more sophisticated solution to help protect themselves in today’s increasingly sophisticated threat landscape.”

The High Cost of Unknown Secrets and Leaks

Security teams recognize that they can only secure the secrets and machine identities they know. The problem is that security is often unaware of all the secrets, especially with cloud workloads. And essentially, if you’re unaware of a secret, you’re probably not securing it.

Organizations also increasingly recognize that when secrets management best practices are not followed, there is an increased likelihood of secrets being leaked and exposed publicly.

And with all the ongoing breaches of human and machine identities, there’s increased awareness that the consequences of a secrets breach can be devastating for the enterprise. Organizations look to remediate the situation rapidly when a problem, such as an unsecured secret, is discovered or a leaked secret is detected.

Secrets and Vault Sprawl: A Growing Challenge

But why now? What’s changed, that makes just vaulting secrets no longer enough? While cloud, digital transformation and DevOps adoption have driven incredible business benefits, they’ve also created many secrets and, too often, vault sprawl. Cloud service providers’ (CSPs) built-in secrets stores, such as AWS Secrets Manager (ASM) and Azure Key Vault (AKV), are becoming increasingly popular and widely used by development teams – they can be very effective tools. Dev teams can easily start using the built-in secrets stores, creating a store for each project or on an account or subscription basis. This is often encouraged by the CSP – Azure, for example, recommends using separate key vaults. The result is multiple secrets stores, running into potentially thousands of secret stores in a large enterprise. In many organizations, the challenge for security teams is that the vaults can be created without their knowledge. So, security teams are too often, especially when less familiar with the cloud, unaware of the secret stores and the secrets in these stores.

The Challenge of Securing Secrets for Security Teams

So now developers and cloud teams are establishing new secrets stores and securing secrets in them, without security being aware that the secret stores even exist. Okay, but is that so bad? The secrets are at least vaulted in a secrets store. Still, while this can provide some level of security, this approach doesn’t scale and is unlikely to meet corporate compliance and security policies. Some critical problems with this approach are:

1. Security teams are unaware of the secrets in the secret stores, the policies followed (or not followed), and how effectively they are being secured – e.g., what are the secrets used for? What does the secret provide access to? What are the security policies? Which apps are using these secrets?
2. Multiple secrets stores create vault sprawl and secrets sprawl. Instead of the enterprise having a single copy of a secret that’s secured and managed in a single centralized vault, with vault sprawl, there are multiple copies of the same secret in numerous vaults and even across multiple cloud environments. If attackers can’t steal from one vault, they will just find another that’s less secure.
3. Secrets rotation is typically not supported by the cloud providers’ built-in secrets stores. And with secrets sprawl, secrets rotation often becomes essentially impossible when multiple apps potentially use the same secrets in production environments. Unless the secrets are rotated in a coordinated manner, one or more production apps will go down because they are still using the old credentials.
4. Meeting compliance and audit requirements is challenging without a centralized view of secrets. How will auditors be comfortable that applications and secrets are in compliance if the same secret is stored in multiple secrets stores, and with the uncertainty that there may be some secrets stores they are not even aware of?

So why doesn’t the corporate security team simply get developers to secure secrets in a central store? Well, let’s get real – security is rarely going to be able to change the developers’ workflows and behavior. So, how can security teams secure these secrets scattered across potentially thousands of secrets stores? Well, the good news is that there are solutions that can centrally secure secrets without forcing changes in the developers’ workflows.

Protecting Secrets: Are You Responsible for What You Don’t Know?

In many organizations, security is likely to be held responsible for secrets they may not even know exist. It’s not a great situation, so first, let’s figure out what secrets exist. Fortunately, security teams can increasingly get visibility and secure the secrets in these built-in secrets stores. Discovery tools are becoming increasingly important because they can give security visibility into all the secrets stores across the enterprise.

These discovery tools can also derive insights such as when the secret was last used, whether it is idle or unused – and when it was last rotated – if at all. They can also provide a mechanism to track the owner of the secrets stores and the secrets. Most importantly, security teams can now assess and prioritize which secrets and secrets stores they want to centrally manage in a vault and potentially even work with the cloud and development teams to ensure that best practices are followed.

Automating Onboarding Secrets: The Ideal Solution

Of course, in an ideal coding environment, there would be no unmanaged secrets to discover. For example, as soon as the developer uses their AI-assisted IDE (integrated development environment) to write the code that requires a secret, simply having the secret request in the code would ensure that the secret is centrally secured or a policy established for securing the secret automatically at run time. Effectively, this approach shifts left and creates the secret within the infrastructure as code so that the newly created secret is automatically onboarded and centrally secured when the infrastructure is spun up.

Unfortunately, in most situations today, this is not the case and secrets are not automatically onboarded to a central secrets store managed by the application security team. Instead, too often, they are unsecured (e.g., hard-coded) or dropped into one of the CSP’s built-in secrets stores – a store that security is potentially unaware of. So, in this case, the security team will need first to discover the secrets and then, once found, centrally secure them.

AI Tools: Offering Insights and Promising More

Once you can discover secrets across all the various secrets stores, AI tools coupled with discovery, other secrets tools and automation promise to detect anomalies, force rotations and prioritize which secrets need to be onboarded, providing another layer of defense. Today, we’re still in the early stages of determining the most effective use cases for AI to improve the security of machine identities and their associated secrets, and it’s a fast-moving area.

Leak Detection: Preventing Incidents When Best Practices Aren’t Followed

Of course, development and cloud teams do not always follow best secrets management and coding practices. We’re all human, and too often, there’s the potential for human error, workarounds and quick fixes that can expose secrets that should have been secured across public code repositories.

Consider a developer prototyping an automation script or app for a quick demo that needs some credentials – it’s just too easy to hard-code the secret. Attackers don’t care if it’s a simple script or a complex app – they just want to steal that database credential or cloud access key. Of course, once the secret is rotated, the hard-coded secret is useless, but until it’s rotated, it’s something an attacker can exploit. In another scenario, the hard-coded secret has been removed and vaulted.

So, is it all good?

Well, no, not until it’s rotated.

What happens when the code with a hard-coded secret is posted to a public Git repository?

It’s exposed.

Yes, these edge cases shouldn’t happen; the problem is that they occur. Over 10 million secrets and credentials were detected in Git repositories in 2022, according to GitGuardian.

These are examples of secrets you thought you’d safely secured but were leaked by human error. An added layer of defense is to secure secrets in a central vault and continually check that none of these secrets have been inadvertently leaked because of human error. Of course, once a leaked secret is detected, it needs to be rotated so that any existing copies are invalidated.

Automated Remediation: Reducing Cyber Debt

Another challenge for security teams is the vast number of applications, secrets stores and cloud use cases. There are many secrets and machine identities, and more are being added constantly. Unsecured applications are often referred to as cyber debt, and reducing cyber debt is becoming an increasing challenge for security teams, forcing them to at least keep pace with development teams to prevent it from growing further.

Cyber debt and the desire for multiple layers of defense make for an increasingly compelling need to not only detect problems such as unsecured secrets in the cloud providers’ secrets stores or leaked secrets but also to provide automated tools for remediating these challenges. Without a doubt, AI tools are going to help security teams detect potential issues and anomalies, and this will, of course, make automated remediation of anomalies even more critical.

While attackers will inevitably become more aggressive and innovative in exploiting machine identities, security teams have the tools to protect their organizations more effectively. Fortunately, with layered defenses, discovery, leak detection, AI tools, automation and other innovative approaches, we can prevent an unsecured secret from exposing the entire organization to an attack.

Chris Smith is a director of product marketing at CyberArk.

In the throes of the Fourth Industrial Revolution, the manufacturing sector stands at the crossroads of groundbreaking innovation and an ever-growing shadow of cyberthreats. IT modernization has created digital fortresses by transforming legacy manufacturing systems and operations into connected, smart factories – the demand for robust cybersecurity measures has never been more critical. Identity security acts as a noble knight armed with a sword and shield in the ongoing battle against digital adversaries. It can help to give manufacturing cybersecurity leaders the strategic advantage needed to help safeguard their domains.

The Dawn of a New Era in Manufacturing Cybersecurity

Envision the digital landscape of manufacturing as a vast kingdom. Alive with innovation and growth, this realm faces relentless threats from digital hackers eager to exploit any vulnerability. The merging of the Internet of Things (IoT) and operational technology (OT) has unveiled new gateways for cyber intruders, transforming cybersecurity from a mere concern to the bedrock of manufacturing resilience.

The introduction of smart factory technologies also carries a double-edged sword. It propels us toward unmatched efficiency and connectivity and widens the battlefield, necessitating fortified defenses.

The Vanguard of Manufacturing Cybersecurity

In this evolving arena, identity security solutions emerge as the knight in shining armor, equipped to protect the realm’s digital and physical assets. By tackling the core challenges of privileged access management (PAM), endpoint security, secure remote access, credentials and overarching compliance, identity security doesn’t merely defend – it empowers manufacturers to secure their innovation processes, uphold operational integrity and nurture trust among customers and partners alike.

Solutions for Manufacturing’s Greatest Cybersecurity Challenges

To fortify your manufacturing operations, understand the evolving realm and digital attack landscape. Start with a comprehensive audit of your assets to assess their maturity and interconnectivity. As manufacturing merges more with digital technologies, vulnerabilities may increase, particularly through legacy systems and complex supply chains. The most successful business transformations come from prioritizing cyber-safety within your organizational culture, fostering a shift toward recognizing the critical role of digital technologies in traditional manufacturing environments.

Implementing such strategic measures is vital for protecting your kingdom, maintaining operational integrity and gaining a competitive edge. With these foundations, there is a clear path for safeguarding your operations with the assistance of an identity security knight.

Here are some essential strategies that can help to achieve this:

• The quest for authorized access. PAM systems can help to ensure that only authorized personnel have access to sensitive systems and data – the keys to the kingdom. These systems act as gatekeepers, verifying identities and enforcing access policies to protect against unauthorized entry and the spread of ransomware and malware.
• Guardians of the OT environments. Endpoint security solutions are essential for protecting the operational efficiencies of manufacturing environments. These solutions defend against the dark arts of malware and other cyberthreats, ensuring the continuity of production processes and the safety of critical data.
• The bridge to secure remote access. With increased remote operations, secure remote access solutions are vital for maintaining secure connections to core business systems. Proper remote access lets in authorized users (aka friendly traders and countrymen) and disallows non-authorized users – and cyberthreats – from accessing privileged systems, helping you remain secure and private.
• The isolated access to OT. Effective management of both human and non-human credentials is critical to securing sensitive systems. However, some legacy machines and systems can’t or won’t be changed. By providing authorized and authenticated users with isolated, secure access (aka fortress trenches and tunnels) to those machines or systems in OT environments, businesses can help mitigate risks.
• A guide through compliance and risk management. Navigating the treacherous waters of regulatory requirements and cybersecurity risks requires robust identity security solutions. These solutions assist in managing compliance effectively, reducing risks and ensuring that the business remains protected and compliant.

Exploring Strategies for Enhanced Future Security

In an era where digital innovation and cybersecurity threats advance hand in hand, standing still is not an option. Your journey toward a more secure manufacturing operation begins with a single, crucial step: enhancing your identity security.

Discover how a comprehensive identity security solution has helped Coca-Cola Europacific partners create a robust defense against attacks that brought them closer to being the world’s most digitized bottling operation, all because they now have a 360-degree view of privileged access activities.

Christian Goetz is a director of presales success at CyberArk.

Editor’s note: Attackers constantly set their sights on any aspect vulnerable to an organization. To explore how you can build a defense-in-depth approach to securing all human and non-human identities across OT systems, check out our webinar, “13 Ways to Improve OT Security.” And, for a dive into OT cybersecurity and its challenges and opportunities, listen to our Trust Issues podcast conversation with Mike Holcomb, the Fellow of Cybersecurity and the ICS/OT Cybersecurity Lead at Flour. You can check it out in the player below or wherever you get your podcasts.

You’ve undoubtedly heard Michael Jordon’s famous quote, “Talent wins games, but teamwork and intelligence win championships.” Jordan’s words encapsulate the fruition of team spirit and strategic thinking through tactical implementation. Similarly, in the cybersecurity world, we often say that security is a team game, but have you ever considered who’s on the team and who isn’t but should be?

Cybersecurity is the collective responsibility of every employee, partner, contractor and vendor to fortify all the walls and stop bad actors from gaining access to your kingdom. We can divide this collective responsibility into three layers that touch all aspects of the business. Internal collaboration is a starting point for this collective responsibility across all business functions. Then, there’s collaboration with the third-party vendor community. And then, we collaborate to share and learn from our peers’ experiences.

A three-fold approach to cybersecurity collaboration will bring constant scrutiny and attention to security issues while enabling faster communication. In essence, you’ll have more eyes across the organization’s IT environment that identifies impending risks, security incidents and potential breaches with shorter response time.

Let’s take a detailed look at the three-fold approach and how the effort can help you benefit from driving collaboration on collective cybersecurity responsibility.

The Three-Fold Approach to Cybersecurity Collaboration

Here’s what an optimal three-pronged cybersecurity collaboration effort looks like:

1. Internal Collaboration

While cybersecurity teams are responsible for securing the network, data, endpoints, workloads, user access, automation, orchestration and continuous threat detection and prevention, other business functions have an equal hand in ensuring continued education and responsible behavior that protects your organization’s digital assets. Think of your cybersecurity team as your Tier 1 stakeholder, with the authority to make decisions and implement security controls for the entire organization.

Your Tier 2 stakeholders include leaders of various business functions, such as HR or finance. For instance, HR ensures all new hires receive an optimal onboarding process intertwined with IT services and security controls deployment. These functional Tier 2 stakeholders can collaborate with Tier 1 stakeholders to implement best-in-class security controls and cybersecurity awareness training for all Tier 3 stakeholders, including employees, contractors and third-party partners.

We should consider all three tiers of stakeholders equally significant because if the average user – a Tier 3 stakeholder – can’t follow the recommended security hygiene by the other stakeholders, the entire organization winds up at risk of a security incident or a breach.

2.  External Collaboration

Now that we’ve spotlighted internal stakeholders let’s consider that our external stakeholders are third-party vendors in the increasingly complex technology ecosystem. A vulnerable software stack is a gateway for bad actors to unleash the chaos of malware and identity-related attacks. It’s, therefore, essential to build trust with each third-party vendor providing your organization with any product or service. These third-party vendors must address critical CVEs promptly and allow your organization’s Tier 1 stakeholders to review their offerings for quality and the vendor’s security posture.

Particularly now in the burgeoning era of AI-powered products and services, it’s more critical than ever that your organization’s Tier 1 stakeholders have a cadenced opportunity to evaluate the AI implementation in the products or services you use.

3. Peer Collaboration

Technology leaders and practitioners must learn from one another. As such, peer collaboration is the most important part of comparing and contrasting cybersecurity strategies that support unique business requirements.

There are a couple of different ways to participate in peer collaboration. For example, meet-up groups on relevant topics such as AI seek to bring together like-minded leaders to discuss their unique experiences and learn from shared experiences. Alternatively, industry-focused peer groups that focus on specific topics, such as the intersection of FinOps and security, can bring a wealth of knowledge to CIOs and CISOs of organizations operating in regulated industries. To this end, I will hold a CISO roundtable at CyberArk’s marquee identity security event, IMPACT ‘24, in Nashville next month. I hope to create a trusted circle of cybersecurity leaders who can leverage shared experiences to optimize cybersecurity collaboration on all three fronts mentioned above and deliver better defenses against back actors.

How Can Cybersecurity Collaboration Work Effectively?

For any initiative to succeed, it needs a detailed process plan. To design an effective collaborative approach, we must:

• Communicate. Clear, concise and cadenced communication is the foundation of any successful collaborative initiative. I often recommend that more communication is better than none. This way, we can ensure that internal and external stakeholders know their roles and responsibilities.
• Commit. I recommend a dedicated individual or team responsible for committing to cybersecurity collaboration initiatives within each stakeholder group. This way, we ensure accountability on key initiatives with assurances that they do not fall through the cracks.
• Empower. Part of any team sport is to ensure your team members are empowered to make effective decisions quickly. If you are the bottleneck, make sure you have a plan to get out of the way. Remember, agility is essential because, in cybersecurity, no one day is the same as yesterday.
• Educate. Continuously educate all stakeholders on standard cybersecurity hygiene. The basics of common security practices are often the key to thwarting bad actors.
• Motivate. Remember that every sports competition ultimately crowns a winner, and every winner receives a prize. Think of how you can motivate and incentivize your stakeholders to remain committed to continued cybersecurity collaboration. It may be as simple as a quarterly award or recognition to help ensure collaboration practices run deep within your organization’s DNA.

I would love to hear about how you initiate collaboration in your organization. I also hope you attend (and participate in) my CIO and CISO roundtable at CyberArk IMPACT in Nashville. Here’s to fostering collaboration because … we’re all playing for the same team.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

Simply put, APIs (short for application programming interface) are how machines, cloud workloads, automation and other non-human entities communicate with one another. They also represent an access point to highly sensitive company data and services. Almost every organization uses these machine interfaces, and their usage is only growing because they are essential to digital transformation and automation initiatives. Machine identities and APIs are closely connected because any programmatic interface accessing important data or protected services needs an identity, such as a password, API key or another secret.

While essential and prevalent, APIs are potential attack vectors when not properly protected via machine identity security best practices. They can be exploited to expose sensitive data (e.g., customer lists, personally identifiable information (PII) and credit card details) while enabling application-to-application communication.

How Cyber Criminals Abuse and Exploit APIs

Cyberattackers are constantly attempting to steal and compromise the powerful secrets that allow machines to run APIs as the stolen machine identity. By doing so, they can assume the identity of whatever had that secret and use it to gain more access and privileges to reach their goal. Along the way, they could, for instance, enable a script or a user to stop or start a virtual server, copy a database or even wipe out entire cloud workloads.

Fortunately for attackers, developers under pressure to move quickly often take shortcuts, such as hard-coding API keys and other secrets. Take the Uber breach reported in 2022 as an example: the attacker found and used hard-coded secrets embedded in a PowerShell script to gain high-level access and escalate privileges.

Since many security teams view API security as a code issue, they may not know how many APIs and API secrets exist within their organization, where they’re located or how they are used. A 2023 Ponemon Institute study reveals that more than half of IT and IT security professionals say it’s challenging to discover and inventory all APIs. The many third parties connected to an organization’s APIs exacerbate this challenge. And as attackers shift left into software development and testing environments, insecure API design and functionality significantly increase software supply chain risks.

These factors may be why organizations are only confident in preventing 26% of API attacks and believe that only 21% of such attacks can be effectively detected and contained, according to the same Ponemon study. As API access to critical resources continues to sprawl, it’s time for security to change how they think about APIs.

Top API Identity Security Risks

Most of today’s top API security risks relate to identity. Yet, critical identity security controls in many organizations, including least privilege enforcement and continuous monitoring, only cover human users. This means that secrets used by applications, scripts and other machine identities – that outnumber human identities 45:1 – are exposed. Attackers can “hook” API keys and other secrets through phishing attacks, find them embedded in applications, automation scripts and DevOps tools and steal them from public repositories like GitHub to access sensitive company assets. Artificial intelligence (AI) advancements have made it even easier for cybercriminals to automate and scale identity-based attacks.

The Open Web Application Security Project (OWASP), a recognized industry source for software security research, highlights some recent pressing API identity security issues in its 2023 API Security Top 10 list, including those outlined below.

Simplify API Security with Centralized Secrets Management

Forward-looking organizations are working to understand how digital business characteristics impact their security practices and move toward a Zero Trust model. As part of this, they view human and non-human identity security as equally important. They’re tackling secrets management challenges by centralizing and automating how applications, DevOps and automation tools use API keys and other secrets to access databases, cloud environments and other sensitive resources. With this approach, they only have one program to support but can gain the full visibility, audit trails and policy enforcement capabilities they need to ensure nothing falls through the cracks.

Companies we work with have also seen how centralized secrets management simplifies how development and security teams protect applications, CI/CD pipelines and the software supply chain. They’re doing this with out-of-the-box integrations with existing tools and platforms so that tasks like secrets rotation, audit and data collection automatically run in the background without impacting developer workflows.

Properly securing APIs and other non-human identities is imperative for business. Organizations that do it right will be better positioned to defend against cyberattacks, drive operational efficiencies, satisfy audit and compliance requirements and enable innovation.

John Walsh is a senior product marketing manager at CyberArk.

In the past few years, we have witnessed a significant shift in the attack landscape, from stealing clear text credentials to targeting session-based authentication. This trend is driven by the proliferation of multi-factor authentication (MFA), which makes it harder for attackers to compromise accounts with just passwords. However, MFA is not a silver bullet, and post-authentication materials like session tokens, cookies, API keys and machine certificates can still be exploited to bypass authentication and gain access to sensitive systems and data.

In this blog post, I will share some of our red team insights and explain how session-based attacks are evolving beyond the web browser. I will also recommend ways for organizations to protect themselves from these threats and reduce their attack surfaces.

What Are Post-Authentication Attacks and Why Are They Dangerous?

Post-authentication attacks are a type of attack that targets the authentication tokens that are used to maintain a user’s or a machine’s identity and access rights after the initial login process. These tokens can take various forms, such as cookies, API keys, machine certificates and OAuth tokens. They are often stored in the browser, in files, in memory or in databases and are transmitted over the network when a user or a machine interacts with a web application or an API.

The main advantage of session-based attacks for the attackers is that because they happen after the authentication phase and the user is already validated, they can bypass MFA and other security controls applied at the login stage. An attacker can impersonate the user or the machine and access their authorized resources by stealing or forging a valid session token (via the Golden Ticket or Golden SAML attack technique). Moreover, session tokens are often long-lived and have broad privileges, meaning the attacker can maintain persistence and move laterally within the network.

How Post-Authentication Threats Are Evolving Amid the Expanding Attack Surface

The most well-known and common form of post-authentication attack is cookie stealing, which involves capturing or manipulating the cookies used by web browsers to authenticate users to web applications. Cookies are session tokens issued to the web server after users log in with their credentials and MFA and are stored in the browser. The browser then sends the cookies along with every request to the web server, which validates them and grants access to the user.

Cookie stealing can be performed in various ways, such as:

• Exploiting vulnerabilities in the web application or the browser, such as cross-site scripting (XSS), cross-site request forgery (CSRF) or XML external entity (XXE) injection, that allow the attacker to execute malicious code or requests on behalf of the user and access their cookies.
• Sniffing or intercepting the network traffic between the user and the web server and extracting the cookies from the HTTP headers. This can be done by compromising the user’s device, the web server or any intermediate node on the network, such as a router, a proxy or a firewall.
• Accessing the browser’s storage, where the cookies are saved, and copying them to the attacker’s device. This can be done by exploiting the user’s device or by tricking the user into downloading a malicious browser extension, a file or software that can read the browser’s storage.
• Scraping the browser process memory space, some cookies are stored as session cookies, which means they are not written to disk and exist only within the browser memory as ephemeral cookies for the duration of the session and as long as the browser is open. Since the browsers are designed to run as unprivileged applications, any other program with the same level of access (unprivileged) can read the browser memory.

As you can see, cookies are key security material and are thought out by threat actors. If you were to eliminate cookies from the browser, the experience would become more secure. And that’s no longer a hypothetical scenario, with the arrival of our recently released, identity-centric CyberArk Secure Browser – an industry first (and which our red team helped develop). The browser eliminates the writing of cookies to a device’s disk, which means there are no cookies for attackers to steal. By eliminating cookies from the disk, organizations can help protect themselves from certain types of session-based attacks that rely on stealing cookies to bypass the authentication process.

However, cookies are not the only form of session token that session-based attacks can target. As web applications and APIs become more complex and diverse, and as more machines and devices communicate with each other over the internet, other forms of session tokens are emerging and becoming more prevalent. These include:

• API keys, which are secret tokens that are used to authenticate and authorize machines or programmatic users to access APIs. API keys are often used for programmatic or automated interactions with cloud services, such as spinning up virtual machines, accessing storage buckets or sending notifications. API keys are usually stored in files or databases and transmitted over the network as HTTP headers or parameters.
• Machine certificates, which are digital certificates that are used to authenticate and authorize the communication between machines or devices. Machine certificates, such as VPNs, HTTPS or SSH, are often used to secure connections between servers, clients and IoT devices. Machine certificates are usually stored in files or hardware modules and are transmitted over the network as part of the TLS handshake.
• OAuth tokens, which are tokens that are used to delegate access to third-party applications or services. OAuth tokens are often used for social login, where a user can sign in to a web application using their existing account from another platform, such as Google, Facebook or X (née Twitter). OAuth tokens are usually stored in the browser or databases and transmitted over the network as HTTP headers or parameters.

These session tokens are also vulnerable to session-based attacks and can be stolen or forged by attackers in ways similar to cookies. For example:

• API keys can be exposed by vulnerabilities in the API or the client, by network sniffing or interception – or by accessing the files or databases where they are stored
• Machine certificates can be compromised by vulnerabilities in the TLS protocol or the implementation, network sniffing or interception or accessing the files or hardware modules where they are stored.
• OAuth tokens can be hijacked by vulnerabilities in the OAuth protocol or the implementation, network sniffing or interception or accessing the browser or databases where they are stored. (A recent example of this is APT29’s attack on Microsoft, where the attackers breached a legacy test OAuth application and then created a series of malicious OAuth apps, which enabled them to gain further access. This ultimately allowed the attackers to access certain corporate email accounts.)

How Organizations Can Help Protect Themselves From Post-Authentication Attacks

Post-authentication attacks are a serious and growing threat, and organizations need to take proactive measures to protect themselves and their users from these attacks. Some of the best practices and recommendations that organizations can follow are:

• Implement the principle of least privilege (PoLP) and limit the scope and duration of the session tokens. Session tokens should only grant the minimum access rights needed, when needed (just-in-time), for the specific task or interaction and should expire or be revoked as soon as possible. This can reduce the impact and the risk of session token compromise.
• Enforce strong encryption and integrity checks on the network communication and the session tokens. Session tokens should be encrypted and signed by the issuer and transmitted only over secure channels, such as HTTPS or TLS. This can prevent the attackers from sniffing, intercepting or tampering with them.
• Monitor and audit the usage and activity of session tokens. The issuer should log and track session tokens and any abnormal or suspicious behavior, such as multiple or concurrent logins, unusual locations or devices or anomalous requests or actions, should be detected and alerted. This can help organizations identify and respond to session token compromise.
• Educate and train the users and the developers on the risks and the best practices of session token security. Users should be aware of the dangers of phishing, malware and social engineering and avoid clicking on suspicious links, downloading unknown files or sharing their session tokens with anyone. Developers should be familiar with the latest session token security standards and guidelines and follow secure coding and testing practices.

With attackers relentlessly finding new ways to exploit them, post-authentication attacks are a complex and evolving challenge. Organizations must be prepared and vigilant to defend themselves from these threats by implementing security measures such as least privilege, monitoring and maintaining an assume breach mindset. Additionally, solutions such as CyberArk Secure Browser, which completely eliminates cookies from the disk, can provide an added layer of protection.

Shay Nahari is VP of CyberArk Red Team Services.

Editor’s note: For more insights from Shay Nahari on this subject, secure web browsing and beyond, listen to the April 2024 CyberArk Trust Issues podcast episode, “Secure Browsing and Session-Based Threats.” The episode is available in the player below and on most major podcast platforms.

In the automotive industry’s fast lane, the fusion of digital innovation with vehicular engineering has revolutionized how we manufacture, drive and protect our vehicles. It also helps to ensure our cars are safeguarded against cyber risks. And it’s at this juncture that identity security emerges as a critical priority – serving as both a shield and a guide, leading the industry through the complexities of cybersecurity in automotive challenges with unmatched precision.

Defending the Digital Road

Imagine the automotive industry as a vast, interconnected network of highways, where every vehicle – from family sedan to motorcycle to the most sophisticated autonomous car – communicates within a world far beyond the asphalt through connected vehicle technology. This seamless interaction is powered by vehicle-to-everything (V2X) technology, enabling connected cars to communicate with one another – and with infrastructure, pedestrians, networks and even the power grid. Connected vehicle technology forms the backbone of modern automotive safety and efficiency, facilitating real time sharing of crucial data such as traffic conditions, weather updates and road safety alerts.

However, it also introduces novel challenges in cybersecurity, making the role of secure identity verification more critical than ever at the manufacturing stage. Each connected car, acting as a pivotal node in the safety and operational efficiency of our digital highways, relies on a next-generation automotive and mobility security solution to safeguard the integrity of data exchange and protect against cyber threats to help ensure the seamless functionality of this intricate and interconnected network.

Elevating Automotive Security Through Identity Protection

The mastery of securing the privileged pathways of the automotive manufacturing ecosystem acts like an invisible shield. From the initial design sketches to the factories that bring new cars to life, a comprehensive approach to identity security helps ensure that every entity, human or machine, is thoroughly verified, authenticated and monitored.

The journey from innovation to vulnerability can unfold through a sophisticated attack chain in the rapidly evolving automotive industry. Sometimes, it might begin with credential theft, where attackers mine sensitive information through methods like social engineering. These malicious actors, whether external or internal, navigate an organization’s digital ecosystem, moving laterally across systems or vertically to higher privileges, aiming to disrupt operations or steal valuable data. Understanding and dismantling this attack chain, with a strategic approach for identity security, is critical for automotive leaders to shield their operations and vehicles against today’s multifaceted cyber threats.

For manufacturers, this means securely guarding their blueprints, production secrets and assembly output.

Navigating the Top Seven Automotive Cybersecurity Challenges with Identity Security

Understanding the seven critical areas of automotive cybersecurity is crucial, as identity security can significantly enhance your organization’s preparedness and strengthen its stance against potential breaches. This strategic knowledge enables you to stay ahead in safeguarding against identity-related vulnerabilities within the automotive sector:

1. V2X communication. Today’s vehicles are manufactured with the capability to communicate with one another, and their infrastructure and identity security act as trusted couriers that validate human and non-human identities in the automotive manufacturing process.
2. Identity verification. Cyber threats loom like bandits in the digital expanse. Advanced identity verification acts as a vigilant patrol, safeguarding the credentials and secrets of administrators, users, applications, and machines interacting with connected vehicles and data.
3. Regulation and compliance. The automotive world’s regulatory environment is a labyrinth and ever-changing. A robust identity security strategy is like GPS, guiding manufacturers through compliance and helping to ensure a smooth regulatory journey, which is a growing challenge for automotive manufacturers as cars become increasingly data-centric.
4. Supply chain. Picture the automotive supply chain as a network of roads and bridges. A unified identity security approach provides rigorous checkpoints, verifying each component’s integrity before it enters the production line, underpinning the seamless integration of connected devices.
5. Data privacy. Strict identity security protocols secure this data within cloud and enterprise environments against unauthorized access, safeguarding the manufacturing of connected vehicles.
6. Market growth. As the realm of automotive cybersecurity widens like an expanding network of roads and infrastructure, scalable identity security solutions help provide safe passage across a burgeoning ecosystem of connected devices.
7. Collaboration. Automakers and cybersecurity entities must unite to share insights and strategies. Secure identity management facilitates this collaboration, helping to ensure the secure exchange of information and bolstering the collective defense of connected vehicles throughout the auto manufacturing process.

Driving Toward a Secure Horizon

Cybersecurity leaders can help steer their organizations toward secure, modernized processes with a comprehensive identity security strategy. Learn how a leading manufacturer reduced operation time by 87% while improving security.

Brian Carpenter is a senior director of business development, and Christian Goetz is a director of presales success at CyberArk.

Editor’s note: The complexities of the automotive industry require a holistic platform-based approach to secure cars of the present and future. Take a spin into this topic and listen to our Trust Issues podcast episode, “What’s Driving the Future of Automotive Security,” with guest Kaivan Karimi, Global Partner Strategy and OT Cybersecurity Lead – Automotive Mobility and Transportation at Microsoft. Karimi discusses the emphasis on identity security, data sovereignty, data privacy and compliance as we collectively navigate technological advancements in the automotive industry.

With over 50 countries heading to the polls this year, including major economies like the U.S., India and the U.K., 2024, one way or another, will be a defining year with over 4 billion voters – around half the world’s population – participating in the democratic process. However, amid this global exercise in democracy lurks a growing threat landscape fueled by ongoing geopolitical tensions, evolving technology and the ever-present risk of malinformation that can sway the election outcomes.

In recent years, misinformation and disinformation campaigns have influenced public opinion. In the 2019 U.K. election, several political advertisements and social media campaigns deceived voters with false claims and hidden agendas. In 2016, we witnessed how foreign adversaries’ potential involvement led to a breach and a leak of confidential data to influence the public and the outcome of the U.S. presidential race. Recognizing this, federal law enforcement and cybersecurity officials have warned state election officials about the impending threats ahead of the November 2024 U.S. Presidential elections.

With lots of cyber drama undoubtedly around the corner, let’s look at what’s at stake.

Geopolitical Risks and Nation-state Attacks

The intersection of global armed conflicts and cyber warfare significantly amplifies the risk to critical infrastructure, which is pivotal in supporting election machinery across countries on the verge of upcoming elections. Elections officials and their security teams will be highly vigilant. They are planning robust security strategies in a game to checkmate their aggressors who aim to disrupt the networks of government agencies and their technology partners.

According to the Election Cyber Interference Threat Research Report 2024, the U.S., U.K., South Korea and India are the riskiest countries concerning election cyber interference from geopolitical adversaries like China and Russia. We have seen a rise in state-sponsored cyberthreats recently, with the most recent infiltration by APT29 into the Microsoft and HPE networks to spy on executives’ emails. While initial reports from Microsoft and HPE indicated limited damage, after further investigation, Microsoft reported that APT29 gained access to the company’s source code repositories and internal systems. There’s no doubt that this is a warning sign that bad actors are quietly and strategically placed in the backyards of the technology vendors who provide critical infrastructure to many governments worldwide. Similarly, in February 2024, Volt Typhoon, a Chinese group, breached vital network systems from a widely used supplier by U.S. government agencies. These are known instances of cyberthreats from foreign adversaries in the first two months of 2024 alone. Throughout the year, it’s expected that these foreign adversaries – intent on wreaking havoc – will relentlessly try to penetrate inside the walls of every sovereign democracy. While we know what we know, I’m certain we’re unaware of plenty of bad actor activity.

The Age of AI, Misinformation and Disinformation – The Run-up to Election Day

As any country approaches election day, a new battleground emerges – one where artificial intelligence (AI), misinformation and disinformation collide. The rise of phishing and vishing attacks threatens to exploit voter identities, potentially leading to election fraud. Covert influence campaigns, meticulously orchestrated, can sway voter mindsets and election outcomes. The recently published Annual Threat Assessment of the U.S. Intelligence Community, released by the Office of the Director of National Intelligence, confirmed potential international interference via social media during the 2022 U.S. midterm election cycle. And now, with the advent of AI, strategic targeting of individuals or groups of individuals via impersonation attacks will be on the rise and increasingly difficult to identify as legitimate. For example, in January, voters in New Hampshire received a robocall seemingly from U.S. President Joe Biden asking them not to vote in the state’s primary. Upon investigation, state officials determined it was an AI-enabled vishing attack intended to manipulate the elections.

In an attempt to pre-empt similar attacks, South Korea’s National Police Agency (KNPA) has implemented a tool to detect deep fakes. These sophisticated algorithms aim to identify manipulated videos and prevent their spread during the elections. The issue we must recognize here is not limited to the spread of misinformation but the human tendency to readily believe the messages they see or read regularly.

In our increasingly digital world, many voters depend on social media as their primary source of news and information despite the general knowledge that it’s a breeding ground for rampant misinformation and disinformation. Safeguarding elections is a combined responsibility – of the people and by the people – in any democracy. As such, all stakeholders, including political parties, election officials, social media websites and voters, must work together and adopt best practices and measures to protect the electoral process.

Election Infrastructure is an Expanded Threat Vector

The shift from analog to digital and physical to virtual impacts not only the workforce in the digital era but also voters worldwide. In this sea of change, nations must secure and protect every aspect of their election machinery. These are the critical aspects that require special attention to ensure a successful democratic election exercise:

• Voter registration databases store the personal information of millions of voters in each country and decide who can vote where. These databases hold highly sensitive personal information, such as names, government I.D. numbers, dates of birth and the addresses of millions of voters in each country. Voter fraud is a real threat if voter identity and credentials are stolen and misused to cast unauthorized votes. If exposed, this information can be used to swing election results by various methods where bad actors can persuade (via social engineering) voters to vote a particular way.
• Electronic poll books (EPBs) are endpoint devices or kiosks designed to partially automate the voter check-in process, detect ineligible voters, assign correct ballots and keep tabs on voters who have issued a ballot. EPBs can be targeted in many ways, including DDoS, malware attacks, data breaches and system vulnerabilities.
• Electronic voting machines (EVMs) are terminals where voters can cast ballots in-person or scan mail-in votes. The threat vectors for EVMs are like EPBs. Outdated EVMs are at high risk. For example, the EVMs used in India were designed in 1989. They can run the risk of dated software with potential vulnerabilities that can cause irreparable harm to the election results if exploited by bad actors.
• Tabulation is the process of counting the ballots cast at the polling places. Bad actors can hack into voter tabulation systems to disrupt an election and its results.
• Websites that provide voters with information on election processes can be disabled by bad actors and cause inconvenience and confusion for voters.

Defend the Democratic Exercise with Defense-in-depth

In the high-stakes world of election security, trusting a single line of defense is not enough. That’s where the concepts of defense-in-depth and Zero Trust come in, offering a layered approach to protecting critical election machinery. The following multi-layered approach is crucial for protecting all access points to election systems, from voter registration databases to voting machines:

• Defense-in-depth strategy uses multiple, independent security controls, such as firewalls, intrusion detection systems and network segmentation, to protect election systems from different angles. Even if one layer is compromised, the others can prevent or slow down the attackers, buying valuable time to respond and contain the threat. This is a non-negotiable consideration in fortifying every aspect of the election machinery.
• Zero Trust is a principle that assumes no trust within the system and requires continuous verification of every user and device, regardless of their level of access. Users and systems should be verified continuously and given minimum access to perform their duties while always assuming breach. Our research indicates that most organizations believe identity and endpoint are the top two considerations for a successful Zero Trust implementation. This means IAM capabilities (i.e., phishing-resistant MFA, SSO and PAM) and endpoint protection are critical to ensuring fine-grained control over who accesses which data where and for how long.
• Identity Threat Detection and Response (ITDR) is a relatively new capability that detects and responds to identity-based threats, such as credential theft, privilege misuse and misconfiguration across the complex IAM landscape spanning hybrid and multi-cloud environments. ITDR can help analyze, report and remediate unprotected access paths and adversarial behaviors.
• Endpoint protection incorporates antivirus software, removing admin rights and patch and change management.
• Data security is bolstered by encryption, access controls, backups, monitoring and data classification to ensure data confidentiality and integrity.

Don’t Forget Basic Cyber Hygiene

As we battle the rising cyber risks during this election year by enabling security practices and processes to help safeguard the democratic exercise, it is equally important to brush up on the basic cybersecurity hygiene practices that have been around for years. Remember, even though national elections around the world happen on a cadence of four to five years, these cybersecurity hygiene practices have to be done more frequently for them to become second nature for every individual, whether it is election year or not.

• Poll worker training should include methods to recognize and report suspicious behavior, identify EVM errors or glitches and safeguard voter data.
• Voter training and awareness must include best practices for identifying legitimate sources of news and information and incorporating practices to protect against potential AI-generate deep fakes, phishing and vishing attacks.
• Audit and monitor the security posture and threat landscape frequently across all aspects of the election machinery in the run-up to the elections and after that.
• Equipment testing should include user-centric design, ballot secrecy, security (such as software updates and change management), language options, consistency in user experience and general accessibility.
• Contingency planning must cover backup and disaster recovery strategies in the event of a cybersecurity incident to avoid disruptions and unexpected outages.

The Election Process is a Collective Responsibility

As a CIO, I recognize that securing our election processes is not an isolated task but a collective responsibility, and we cannot do this alone. It requires partnerships between government agencies, technology vendors, election officials and, most importantly – voters. The 2024 elections, encompassing over half the global population, face unprecedented threats from cyberattacks, misinformation and outdated technology. Defense-in-depth does not start with products; it begins with us. It’s time we all do our part as individual voters, election officials, politicians – and, yes, technology providers – the time to act is NOW.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page. 

Now is the time.

It’s been over 30 years since the introduction of the first web browser. Since then, the browser has evolved into an application that allows us to stream entertainment, work and interact through social media. It’s the most widely used application among consumers … and now the enterprise.

Unfortunately, there’s little separation between work and personal life when you use a browser designed for consumer use. In short, it means any organization’s security is at risk – and there’s no lack of data breach headlines to make this painfully obvious.

In my travels over the years with CyberArk and as an entrepreneur, I’ve had numerous conversations with CISOs, CIOs and security practitioners about security risks and what this means for the browser. There’s consensus in the realization that consumer browsers like Google’s Chrome, Microsoft’s Edge and Apple’s Safari aren’t enough for the workplace.

In recent years, attackers have exploited vulnerabilities in consumer browsers by stealing cookies to breach organizations. In fact, our CyberArk Labs team has conducted research on cookie theft that resulted in hijacked sessions. In minutes, they can demonstrate how to take over sessions quickly. It’s a scary scenario, but we must ensure organizations are protected using an enterprise browser through cookieless sessions and a true passwordless solution.

So, here’s the problem: browsers designed for consumers lack critical controls for the enterprise workspace. They don’t consider the surge of workforce identities and the multitude of endpoints employees use to access company data. This shortcoming opens consumer-based browsers to vulnerabilities attackers can exploit to steal an organization’s critical data. It’s a significant gap for any organization, especially when workers use a regular browser to access corporate resources.

At CyberArk, we listened to our customers, and today, we’re excited to deliver an identity-focused enterprise browser that provides added protection to one of the most frequently used applications in any organization. An enterprise browser is the gateway to securing identities and your corporate data.

There are three key areas a secure identity-focused browser will address in any organization:

1. Improved security
2. Enhanced productivity
3. Increased privacy

Improved Security Driven by SaaS

In the last decade, enterprises have rapidly shifted toward using SaaS-based applications for work fueled by on-premises applications that have transformed into SaaS models. This transformation of how we work, combined with the fast-paced growth in identities thanks to remote workforces, unmanaged Bring Your Own Device (BYOD) policies, new environments and attack methods, have all contributed to the need to improve how we protect an enterprise from all access points.

The shift toward SaaS was also fueled heavily by the pandemic’s onslaught. Now, with remote workers more reluctant to return to an office setting, the hybrid work model or even a fully remote office has become the wave of the future.

Accessing our enterprise resources through the browser drives the need for an added layer of security that sits within the security infrastructure. At CyberArk, we take a defense-in-depth, layered security approach to securing web sessions, least privilege on endpoints, passwordless and privileged access, for example. A secure browser brings the layers together at the highest level to secure our identities and serve as the gateway to our corporate data.

Enhanced Workforce Productivity

There’s a balance between security and worker productivity. How we protect the enterprise using a secure browser cannot come at the cost of worker productivity. An enterprise browser must offer the same seamless, familiar experience as their favorite browser, providing users access to their enterprise resources without affecting the user experience. It must be frictionless.

Workers will find that using a secure enterprise browser will be a better experience. Users can log into their enterprise resources from the enterprise browser without requiring reauthentication for every federated application and those that are password protected, accelerating the user’s workflow to a single click. The enterprise browser secures users without impacting productivity. It’s a win-win scenario.

Improved Flexibility for Security Compliance and Privacy

Compliance concerns are becoming greater and greater as new cybersecurity regulations require tighter restrictions on privacy. CISOs are also held responsible by their boards for ensuring their organizations comply with existing and new security regulations. Compliance and privacy teams continually work toward ensuring organizations adhere to the regulations that prescribe how corporate data is used and stored and that users and customers receive the privacy required for their data.

Consumer-based browsers store everything – from passwords to credit card data – in, say, Google Cloud. They also share data with third-party apps, expanding the attack surface. The enterprise browser shifts control back into the hands of security teams, providing organizations the flexibility to determine which data can reside in the cloud and which should remain on corporate premises. It offers built-in security to support compliance and help ensure privacy regulations are already in place. This capability alleviates concerns from compliance and privacy teams, knowing that critical enterprise data remains secure through flexible storage options and addresses privacy concerns before users access applications and data resources.

Secure Identities With an Enterprise Browser

As the industry continues to fend off new attacks and an evolving attack surface, our customers cannot be exposed to vulnerability gaps from unprotected browsers. In the current reality, the browser is an island among the IT admin’s security infrastructure with less consideration for security. This approach must change for organizations to implement an enterprise browser fully integrated within the security stack to help ensure identities don’t become compromised. However, we must balance security with worker productivity and offer a frictionless user experience.

It’s critical for your future, so now is the time.

Learn more about CyberArk Secure Browser and take a step toward securing your organization and all its identities.

Gil Rapaport is CyberArk’s Chief Solutions Officer. 

“It’s discouraging to try to be a good neighbor in a bad neighborhood.” –William Castle

This quote from the late American horror film director has recently been running through my head as I think of the new NIST CSF 2.0 framework, the new AI regulations and the myriad software product certificates. In a nasty neighborhood of bad actors, these frameworks, regulations and certifications act as good neighbors. They are poised to enable organizations of any size to protect themselves against a barrage of cyberattacks. But, I also see the complexity they bring to CIOs and CISOs of various organizations in ensuring the right balance of security initiatives and alignment to frameworks, regulations and certifications, especially in cases where technology advances faster than a framework or regulation.

The following recent events have made me think about the three areas in which we as a collective can influence the cyber world positively, which is otherwise packed with many negative forces.

1. A Decade in the Making – CSF 2.0 is Finally Here

In January 2024, nearly 10 years after its first release, the National Institute of Standards and Technology (NIST) released an updated 2.0 version of the Cyber Security Framework (CSF). As you may already know, CSF 2.0 is designed to be used by organizations of all sizes across all sectors as opposed to its predecessor, which focused only on critical infrastructure. CSF 2.0 also takes into consideration technologies that have emerged since the original iteration of the framework and elevates the importance of supply chain risk management and cybersecurity governance.

While the CSF 2.0 is a vast improvement over its 10-year-old predecessor, the problem with this framework remains the same – the voluntary compliance to this framework has essentially failed to improve or implement effective cybersecurity. In July 2022, 10 of the 24 U.S. federal agencies received an F on cybersecurity practices, according to the Federal Information Technology Acquisition Reform Act (FITARA) scorecard. Fast forward to January 2024, nearly half of the same 24 federal agencies improved their scores to C or D in the same category.

This improvement comes at the heels of the Biden administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), which mandated all federal agencies to transition to a Zero Trust approach to cybersecurity with specific guidance on securing pillars such as identities and endpoints. The progress of every federal agency is tracked and aligned to NIST’s CSF 2.0. The point is that NIST’s CSF 2.0 is an excellent guide to reducing cyber risks, but that on its own will not do the trick and secure your organization. Much like the EO 14028, what will push the needle forward is if executives and the board of any organization mandate a regular performance assessment against CSF 2.0 to ensure continuous risk assessment and improved security posture to keep your organization secure.

2. Regulation vs. Innovation – Problem or Peril?

The European Union has led the charter for regulatory frameworks and set an example for the world. Having set the standard and implemented regulations for data privacy, carbon emissions and mergers, the EU has done the same for AI. The EU AI Act was passed in February 2024. It will be implemented in 2026 and seeks to regulate the use of AI models based on their potential risks while applying stringent rules to riskier applications vs. separate regulations for general-purpose AI models such as ChatGPT. Following the EU, President Biden issued his AI executive order (EO 14110) in the United States, seeking to manage the risks stemming from AI and protect the government and American citizens.

The EU AI Act and the U.S. Executive Order on AI seek to preserve and protect the data privacy of millions of residents. To do this, there is a particular focus on identifying and mitigating the risk of fraud, misinformation and disinformation. So, while these new regulations continue to be introduced in the market, what good is data privacy without cybersecurity? This often leads me back to my drawing board. I ask myself, is my cybersecurity strategy still producing optimal results for my organization, or do I need to make changes?

3. Complexity of the Number of Certifications

Certifications formally recognize a product, system or service’s compliance with specific standard requirements. These certifications often serve as a benchmark for customers and prospects evaluating various companies and technology products to ensure that a product’s functionality, reliability, usability, efficiency and manageability are on par with the set requirements. However, the number and types of certifications can often put enormous pressure on organizations that seek to get their products certified or maintain certification. Software product certifications include, but are not limited to, NERC and the many types of ISO certifications like SOC 1 Type 1, SOC 2 Type 2, CMMC and FedRAMP. The list goes on.

However, if we closely examine the requirements of many of these certifications, we’ll find many overlaps. As an industry, I wish we would strive toward consolidating the common parts of every – or at least many – certificates and focus on differentiation when dealing with a specific certification. But I won’t hold my breath for this day to come.

My Advice on How to Effect Change in a Bad Neighborhood

If you are a CIO or CISO, I recommend that you take ownership as a good neighbor and actively support your industry peers and organizations like NIST and NCSC, which develop guidelines for securing a nation’s critical infrastructure and any organization of any size across any sector. I recommend you consider the following as the duties of a good neighbor to slowly and effectively increase the good in the bad neighborhood.

• Engage in bi-directional partnerships. Technology vendors and NIST must ramp up their collaboration to regularly review and update existing frameworks with faster feedback loops to keep up with the changing technology landscape. In a world increasingly influenced by AI, the industry cannot afford to wait another 10 years for NIST to update its CSF again.
• Harden your cybersecurity foundation. No matter which regulation or framework you are dealing with, a robust security posture will remain the bedrock for regulatory compliance and continuously protecting your sensitive assets against relentless bad actors.
• Mandate metrics. If your organization leverages CSF 2.0 or its earlier version to reduce risks, ensure that you mandate regular evaluations of specific cybersecurity and risk assessments to improvise and iterate as necessary. Voluntary evaluations can take a backseat amid a time crunch, but a mandate is often helpful in ensuring thorough evaluations regularly and periodically.
• Remember that certifications do not necessarily correlate to good security posture. My advice to any organization evaluating and procuring security products based on certifications is to remember that the success of your security programs is on implementing your initiatives within your specific environment, not using a standalone certified product.

Finally, I advise all CIOs and CISOs to do their part as good neighbors and help other good neighbors. For example, encourage proactive interaction and partnership with NIST or other governing bodies. This partnership will go a long way in a world where technology moves faster than the pace at which government can effect change. As a leader, share your experiences and knowledge base with the new generation of CIOs and CISOs. These good neighbor gestures will help build a strong community to protect against bad ones.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

I’m honored to share that CyberArk is FedRAMP® High Authorized and ready to support U.S. federal agencies in securing access to critical government data and systems, meeting Zero Trust mandates and advancing their missions.

Two of our leading identity security SaaS offerings, CyberArk Endpoint Privilege Manager and CyberArk Workforce Identity, have achieved Federal Risk and Authorization Management Program (FedRAMP) High Authority to Operate certification, and are now available on the FedRAMP Marketplace.

This designation reinforces CyberArk’s long-standing commitment to providing trusted, independently verified solutions that meet the U.S. government’s most stringent security requirements. And it comes on the heels of the FedRamp Authorization Act, a law that streamlines the approval process for cloud services by enabling federal agencies to implement FedRAMP-authorized solutions without additional security and risk assessments. As a standardized approach, FedRAMP reduces duplicative efforts and cost-inefficiencies while promoting innovation across the federal government.

The explosion of new identities, new environments and new attack methods has rapidly expanded the attack surface, creating an acute need for both public and private organizations to secure all identities, human and machine. By delivering FedRAMP High-Authorized identity security solutions, CyberArk is uniquely positioned to help federal agencies accelerate secure cloud adoption while protecting critical assets from damaging ransomware, supply chain attacks and emerging AI-fueled threats.

Digital Visionary Theresa Payton Weighs in on the State of Federal Cloud Adoption

I had the opportunity to speak with Theresa Payton, former White House CIO, bestselling author and founder and CEO of Fortalice Solutions, about today’s government-wide migration to the cloud. In our conversation below, we explore key opportunities and challenges, and the push to remove adoption barriers.

The federal government’s shift to the cloud has taken place slowly but surely over the past decade. Then came an unanticipated disruptor: COVID-19. Suddenly, cloud services became even more critical to advancing agency missions. Can you describe an example in action?

“When the pandemic hit, agencies were forced to work on the fly to adjust how they do business. Hitting fast forward on cloud initiatives certainly had its benefits. One example comes from the federal civilian area: The U.S. Postal Service, backed by AWS , rapidly scaled up their COVID test kit website and quickly responded to over 100 million households requesting kits.”

According to MeriTalk research, only 30% of federal, state and local government IT leaders say their cloud strategy has kept pace with this accelerated adoption; 56% say managing and securing data is their biggest challenge. Every new cloud-based initiative generates a massive number of identities, further exacerbating these concerns. How can government security leaders turn things around?

“Agencies must come to terms with several cloud-based risks that lurk beneath the surface in this new technology landscape. To see just how many threats a cloud-based organization with under-developed security protocols will face, look no further than cloud identity and access management. Beyond the schemes of cybercriminals, non-malicious human error on its own has the potential to hinder mission-critical functions in the form of misconfigured networks and mismanaged controls. Now, as agencies and private sector organizations no longer have to “build the plane while they fly it,” they should take the time to resolve any built-up technical debt and ensure proper configuration is factored into any new cloud components.”

More sensitive government information flows across cloud infrastructure and applications than ever before, yet federal cloud adoption lags the commercial sector. Procurement hurdles are contributing factors. Will measures outlined in the FedRamp Authorization Act help agencies fast-track efforts?

“Federal agencies and commercial organizations face numerous regulatory and compliance hurdles to efficiently conduct business and move the mission forward. Regulations such as FedRAMP and CMMC, though critical to discerning organization, service and product suitability, can lead to a lack of agility and efficiency when combined with each other and with other compliance requirements. Much like how multiple government agencies have required their own suitability processes on top of clearances, overlapping but differing compliance processes can lead to backlogs and delays in achieving mission success. But don’t mistake the differing regulatory requirements for being redundant or unnecessary. Look no further than the major 2020 cyber incident that was SolarWinds to understand the dire implications of any missteps in supply chain risk management.

Ultimately, threading the needle of decreasing the compliance burden while maintaining the necessary level of regulatory scrutiny may be a tightrope walk, but laws such as the FedRamp Authorization Act are a step in the right direction.”

How can programs like FedRAMP help the Department of Defense and other federal agencies achieve their Zero Trust goals and advance national cybersecurity priorities?

“FedRAMP had already begun preparing for the Zero Trust cybersecurity posture before the DoD released its Zero Trust Strategy, but as new tools, technologies and threats arise, continued attention will need to be paid by government and government-adjacent regulatory programs.

The ‘never trust, always verify’ mentality puts the security responsibility on everyone involved, which includes products and services provided to the government. By adopting Zero Trust-focused compliance requirements, FedRAMP can place a greater onus on private sector organizations to launch the federal government efficiently and expediently into a more secure and more efficient future.”

CyberArk is FedRAMP Ready to Serve

Identity-based attacks aren’t just the future. They’re the present. The front line. The new battlefield.

Fedral agencies require advanced identity security capabilities to meet their dynamic and evolving cybersecurity needs. As the pioneers of privileged access management, CyberArk offers the most complete and extensible Identity Security Platform in the world, empowering government agencies with a security-first approach grounded in Zero Trust. By applying intelligent privilege controls to all identities – human and machine – CyberArk enables secure access to any resource, anywhere, everywhere – with a single, unifed platform. Today, more than 8,000 organizations worldwide trust CyberArk to protect their critical assets and surround every identity with a powerful force field of continuous protection.

CyberArk stands FedRamp Ready to support your federal agency, protecting sensitive government data and infrastructure and helping you move forward, fearlessly, to achieve mission success and unlock the endless potential of progress, growth, innovation and hope.

Troy Grubbs is U.S. federal sales director at CyberArk.

After a decade in the making – or waiting, as the case may be – the National Institute of Standards and Technology (NIST) has released the first major revision to its Cybersecurity Framework (CSF), a set of voluntary standards and best practices for managing cybersecurity risks. NIST CSF 2.0, released on Feb 26, 2024, expands the scope and applicability of the framework to cover more types of organizations and industries, including the private sector, government and nonprofits. The new framework comprises six core functions: Govern, Identity, Protect, Detect, Respond and Recover. (I will detail these functions later on in this blog post.)

In this era of heightened digital vulnerability, the need for robust security measures has never been more pressing. NIST CSF 2.0 provides organizations with detailed guidance on managing their cybersecurity risks based on six main functions. The new framework includes a list of desired outcomes for organizations when building their cybersecurity strategy. It does not, however, detail how to achieve those outcomes in an identity security program – this is where you’ll want to take the advice of a trusted partner that can provide you with a best practices framework to follow.

This blog post will overview how identity security best practices related to people, processes and technology can help organizations adhere to NIST CSF 2.0 guidelines. The published guidelines are constructed on six interconnected functions, as shown in the figure below.

NIST CSF 2.0 functions (Source: https://www.nist.gov/)

Function 1: Govern – Understanding the Organizational Strategy and Policy

Focused on organizational strategy, the Govern function guides actions to achieve and prioritize outcomes in alignment with the organization’s mission and stakeholder expectations. NIST highlights understanding organizational context, establishing cybersecurity strategy and supply chain risk management, defining roles and responsibilities and enforcing policies.

Best practice identity security frameworks can help you achieve these goals. Organizations need clear and documented KPIs for their identity security programs.  Such frameworks could offer risk-based prioritization guidance to help accelerate risk management decisions and determine key KPIs.

A comprehensive privileged access management (PAM) program should also include solutions for securing third-party access to reduce supply chain-related risks as much as possible. According to NIST, vulnerabilities resulting from external identities can directly impact an organization’s security. By identifying and mitigating those risks, organizations can enhance their overall cybersecurity posture and better protect themselves against threats.

Function 2: Identify – Mapping and Understanding Organizational Assets and Risks

The Identity function covers identifying and prioritizing the organization’s current cybersecurity risks in alignment with the strategy and mission needs. This function involves identifying opportunities for improvement in policies and processes related to risk management and informing actions across all organizational functions.

A best practices framework can also help you recognize high-risk resources and identify common identities such as IT admins, developers, workforce and machine identities. Advanced solutions for account discovery,  intelligence and auditing can help with ongoing control and visibility of your environment.

Function 3: Protect – Securing Risky Assets

The Protect function involves utilizing capabilities to safeguard sensitive assets and reduce or eliminate the risk of incidents. Outcomes covered by this function include identity management, authentication and access control, awareness and training, data security, platform security and the resilience of technology infrastructure.

Thorough identity security programs can help address all these subcategories. A unified set of solutions that enables secure access to organizational assets with intelligent privilege controls, regardless of the environment (i.e., cloud services, elastic workloads, long-lived systems and high-risk apps) is recommended. Solutions include:

• Credential management and rotation – including extensibility to workforce passwords and application secrets.
• Automated discovery and onboarding of privileged accounts.
• Adaptive multi-factor authentication (MFA) to secure access to resources.
• Support for access to cloud workloads and services with zero standing privileges (ZSP), with best-in-class control of time, entitlements and approvals (TEA) settings for access to cloud services.
• Native UX for privileged sessions to servers, elastic VMs and databases, cloud services and SaaS apps.

Function 4: Detect – Finding and Analyzing Attacks

The Detect function calls for continuous monitoring of assets and detecting anomalies from internal users and external vendors, as well as incident response and recovery solutions. Taking a proactive stance on risk management can significantly enhance your ability to uphold this function.

Centralized audit and identity threat detection and response (ITDR) capabilities, should be applied consistently across all sessions. This entails centralized monitoring of employee and external vendor access to corporate resources.

Function 5: Respond – Acting Upon and Containing Attacks

In the NIST CSF 2.0, the Respond function outlines the necessary actions to take upon detection of risky activities, including containment and eradication of incidents. It covers incident management, analysis, mitigation reporting and communication. The first step in this process is deploying your incident response (IR) plan and conducting an ongoing investigation to ensure an effective response.

Once again, intelligent privilege controls and expert remediation services can help you detect and identify threats faster, with broader coverage, quick response and minimal damage.

Function 6: Recover – Restoring Affected Assets

This function involves restoring assets and operations affected by the incident and executing the recovery portion of the IR plan. This function covers reporting, documenting and communicating the outcomes and consequences of the incident, both internally and externally.

Strong identity protections facilitate easier auditing of malicious access and can help reduce the damage and allow faster and easier recovery. For instance, access can be deemed invalid if not provisioned through a PAM solution. Additionally, through lessons learned, the recovery process identifies relevant attack methods, targeted identities and resources, which triggers new risk assessments and reassessments of the security roadmap and plan.

The six functions of NIST CSF 2.0 are circular and interconnected. Therefore, the greater the investment organizations make in preparing and implementing the necessary protections, the smoother their ability to respond to threats and recover from cybersecurity incidents.

Unified under CyberArk’s identity security platform, our solutions align closely with NIST’s approach, offering comprehensive support and services for securing all identities – human and machine – across hybrid and multi-cloud environments.

Lilach Faerman Koren is a senior product marketing manager at CyberArk.

In the modern digital landscape, cybersecurity isn’t just a technical challenge – it’s a business imperative. At the heart of cybersecurity is identity security – the principle that the right people have the right access at the right time. As we venture further into the digital world, protecting the business from modern threats is crucial, which inherently adds complexity, making smart privilege controls a must-have step toward an identity-first strategy.

The cost of bypassing identity security can be high – data breaches, loss of customer trust and financial penalties are only part of the leadership issues in digital service management. For example, a simple case of an employee having excessive access rights can lead to data theft or sabotage.

Identity security is not just about authentication and authorization but also visibility, governance and compliance. For instance, the insurance industry increasingly recognizes identity security as a foundational element of effective cyber insurance, highlighting the need for robust identity and access management (IAM) practices to mitigate cyber risks. These criteria demonstrate the insurance industry’s commitment to elevating identity security as the foundation of cyber resilience, ensuring that organizations are well-equipped to protect against and respond to cyber threats.

Identity security is the source of trust and security for all other security controls and policies. In this blog post, I’ll explain why security-first identity is essential to your cybersecurity strategy, and organizations can leverage identity as a key enabler of security in the digital age.

Why Identity is the Future of Security

Identity is the core of cybersecurity, as it defines what constitutes good or bad, legitimate actions – and what’s considered malicious behavior. Identity is the primary way organizations can determine and manage who has access to which resources – and under what conditions – and ensure that those access privileges are used appropriately. Identity is how organizations can monitor and audit their users, devices, applications, activities and behaviors and detect and respond to anomalies or incidents.

With identity security, you can know who’s accessing data and systems, why they’re accessing it and what they’re doing with it. Without identity security, you cannot enforce security policies and compliance requirements, and your organization cannot hold users and partners accountable for their actions. Identity security is especially critical in today’s context of digital transformation, cloud migration, remote work and mobile devices. These trends have increased the complexity and diversity of identities, the attack surface and the potential for identity compromise.

Your security strategy must accommodate many identities, such as employees, customers, partners, contractors, vendors, devices, applications and services, each with distinct levels of trust and access requirements. You must also deal with various identity-related challenges, such as identity sprawl, orphaned accounts, privileged access abuse, credential theft, password reuse, shadow IT and identity fraud. To address these challenges, you can take a security-first identity approach, which means that identity security is not an afterthought or a definitive solution but rather a creation of principles that guide the construction of your cybersecurity strategy. A security-first identity approach means implementing security controls and policies based on the identity context and risk profile of your users, devices and applications.

How to Cultivate Identity as a Key Security Enabler

To establish identity as a key security enabler, you must adopt an identity security framework that covers the following:

• Identity lifecycle management – involves creating, provisioning, updating and de-provisioning identities and access privileges for all users, devices and applications based on their roles and responsibilities within the organization. It also ensures that identities and access privileges are accurate, up-to-date and compliant with the organization’s policies and regulations.
• Identity and access management – involves verifying and validating the identities and access privileges of all users, devices and applications based on their context, behavior and risk level. Identity and access management also involves enforcing granular and dynamic access policies and rules, such as least privilege, multi-factor authentication (MFA) and conditional access.
• Identity protection and intelligence – involves detecting and preventing threats and attacks that target the identities and access privileges of all users, devices and applications. Identity protection and intelligence also include analyzing and correlating the data and insights from the identity security framework and applying advanced analytics, machine learning (ML) and artificial intelligence (AI) to identify and respond to anomalies, incidents and risks.

The Benefits of Prioritizing Identity Security

By implementing an identity security framework, you can achieve the following benefits:

1. Improved security posture. Organizations can reduce the attack surface and the potential for identity compromise by ensuring that only the right people have access to the right resources under the right conditions and use their access privileges appropriately. Organizations can also improve their visibility and control over their data and systems by monitoring and auditing the activities and behaviors of their users, devices and applications – and detecting and responding to any anomalies or incidents.
2. Improved compliance and governance. Organizations can comply with security and privacy regulations and standards that apply to the industry and region, ensuring that their identities and access privileges are accurate, up to date and compliant with their policies and requirements. Organizations can also demonstrate their accountability and transparency by generating reports and alerts for their internal and external stakeholders and providing evidence and proof of their compliance and security efforts.
3. Increased productivity and efficiency. Organizations can streamline and automate their identity security processes and workflows, eliminating manual and error-prone tasks such as password resets, access requests and approvals. Organizations can also optimize their resources and costs by reducing the complexity and overhead of managing and maintaining multiple and different identity security solutions.
4. Improved user experience and satisfaction. You can provide your users and partners with a seamless and secure access experience, allowing them to access the resources they need. When needed. from any device and location. Organizations can also empower their users and partners with self-service capabilities and delegated administration, allowing them to manage their identities, access privileges and request and approve access changes.

Identity security is foundational to robust cybersecurity programs and critical for managing related controls and policies. By prioritizing identity security in cybersecurity strategies, organizations can effectively determine and manage who has access to which resources under what conditions and ensure that these access privileges are used appropriately. This approach is critical to establishing a robust and effective cybersecurity framework, considering it relies on identity as a key security enabler.

Claudio Neiva is CyberArk’s Field Technology Director (LATAM), PAM and Identity Security.

In today’s rapidly evolving digital landscape, organizations confront a formidable array of cyber threats, with attacks and data breaches becoming increasingly prevalent. As businesses embrace transformative technologies such as AI, automation, cloud-native architectures, microservices and containerization, the proliferation of machine identities has surged, often surpassing human identities. CyberArk research underscores this exponential growth of machine identities, highlighting the critical need for robust secrets management best practices to safeguard machine identities. However, navigating the landscape of secrets management can be daunting, and missteps in selecting the right approach can leave organizations vulnerable to attacks.

In this blog post, we’ll delve into two fundamental secrets management approaches – dynamic secrets and secrets rotation – providing clarity on their distinct roles and guiding you in selecting the optimal solution for your organization’s unique needs that will help mitigate risk effectively.

Dynamic Secrets: Enhance Security in Agile Environments

Similar to secrets rotation, dynamic secrets play a crucial role in minimizing the attack surface and mitigating the exposure of sensitive information. Operating on the principle of on demand or just-in-time (JIT) credential generation, dynamic secrets are ephemeral and short-lived, with a predetermined time to live (TTL). Once this TTL expires, the credential is rendered invalid, bolstering security in ephemeral cloud-native environments or microservices architectures where service consumers are transient.

However, while dynamic secrets offer significant advantages in dynamic environments, they may not be ideal for auditing account activity over an extended period. This is because the ephemeral nature of dynamic secrets can result in varying user account names, complicating audit trails.

Moreover, one common pitfall organizations encounter is setting a long TTL or perpetually renewing the same dynamic secret. This practice essentially transforms the dynamic secret into a static one, as it isn’t changed frequently enough. Consequently, the risk of a leak or unauthorized access increases substantially. This is a prime example of trying to fit the wrong solution into a use case.

Secrets Rotation: Audibility and Compliance for Persistent Accounts

Rotated secrets, a cornerstone of robust security practices, are subject to regular replacement at scheduled intervals. This proactive approach to secrets management isn’t just a best practice; it’s often a regulatory requirement enforced by stringent standards such as PCI DSS, which mandates rotation cycles of up to 90 days.

A key between rotated and dynamic secrets is that only the secret information is changed during the rotation process, while the account name or identifier remains consistent. This characteristic makes rotated secrets particularly well-suited for long-standing access or accounts expected to persist beyond the lifespan of individual secrets.

While the principles of rotation are simple, the successful implementation of secrets rotation demands a sophisticated solution that can automate and orchestrate the process with precision and reliability. By using automation and advanced rotation capabilities, organizations can uphold security standards, mitigate risks and safeguard their sensitive information effectively.

Building a Flexible and Comprehensive Secrets Management Strategy

Both dynamic secrets and secrets rotation serve distinct purposes within a comprehensive secrets management strategy, and each has unique benefits for specific use cases and environments.

Here’s how organizations should employ each approach:

• Dynamic Secrets should be used in ephemeral environments where temporary access is needed and the time to live is less than when a secret should be rotated. For example, less than 90 days if you follow the PCI DSS standard.
• Secrets Rotation is ideal for auditing and tracking access for persistent accounts or when the account needs to live longer than the amount of time when a secret needs to be changed.

Organizations can effectively address a broader range of security requirements and operational challenges by incorporating both dynamic secrets and secret rotation into their secrets management practices. Dynamic secrets cater to the dynamic nature of modern IT environments, while secrets rotation strengthens long-term security and compliance adherence. Together, they form a robust and comprehensive approach to safeguarding sensitive information and mitigating security risks effectively. Benefits include:

• Improved operational efficiency. Allows you to automate the creation, distribution and revocation of secrets while reducing the manual effort and human error involved in secrets management.
• Enhanced auditability and visibility. Enables you to track and monitor the usage and lifecycle of secrets and identify abnormal or malicious behavior.

Increased scalability and flexibility. Equips you to support different types of secrets and environments, so your organization can adapt to changing business and security needs.

Maximizing Security with Dynamic Secrets and Rotation

Dynamic secrets and secrets rotation are essential components of a comprehensive secrets management strategy. By understanding their distinct roles and applying them appropriately, organizations can enhance their security posture, mitigate risks and effectively secure their sensitive information against the ever-changing threat landscape.

A SaaS-based secrets management solution empowers organizations with the flexibility required to establish a comprehensive secrets management strategy.

To learn more, check out this on demand webinar, where we explore the principles of identity security and discuss the use cases behind dynamic secrets and rotation.

John Walsh is a senior product marketing manager at CyberArk.

A popular topic of conversation in my day-to-day work is how to secure privileged access to cloud management consoles and workloads. And that’s no surprise, considering more and more applications and workloads are migrating to the cloud.

Up until recently, the answer has typically been clear when it comes to identity security and privileged access management (PAM). It’s simple: first, you manage credentials by securing them in a vault. The next step is to rotate them. I’ll even give you extra points if you implement session management for recording and isolation between the end user machines and target systems.

This advice has been the same for quite a while now, and for good reason. It works. But new best practices – like zero standing privileges (ZSP) – are emerging to secure federated privileged access in the cloud.

[Author’s note: In this blog, I will focus solely on access to cloud management consoles.]

A Cloud Access Revolution

Things become a bit more complicated when we start talking about PAM for cloud consoles such as AWS, Azure or GCP. But why would a strategy that’s worked for years suddenly not be as straightforward for the cloud?

One primary reason is that cloud service provider (CSP) consoles behave much like SaaS applications. A key benefit is that they are easily accessible from anywhere via a web browser with internet connectivity.

This accessibility is something that CSP console end users – notably, developers and cloud engineers – love and have come to expect. At the same time, this benefit clashes with the user experience (UX) that PAM best practices have previously constrained them to.

Let’s dive into an example of this challenge…

Imagine an application running in AWS, Azure or GCP that’s not functioning as expected. Our DevOps engineer, Chuck, needs to gain access to the CSP console or command line interface (CLI) to diagnose and fix the issue. Chuck must first access the PAM solution that securely manages the CSP credentials, following the previously mentioned best practices. Once he obtains access to that solution, he must connect to the cloud console via session management.

There’s a bit of irony in this user experience – the CSP console is supposed to be a SaaS application available anywhere from a web browser.

From Chuck’s point of view, restrictions are preventing him from working natively on his system with his own credentials. Not to mention, things become even more difficult if he wants to use the CSP CLI like many developers. If you’re still with me, let’s acknowledge that this scenario doesn’t exactly spotlight smooth accessibility.

Suppose we flip the script and look at this from the security perspective. In that case, a certain number of standing credentials with privileged entitlements must be available at any given time for end users (and potentially attackers) to utilize. Not a great scenario either.

The Time, Entitlements and Approvals (TEA) Concept Enters the Picture

So, how do we design a better experience for our developers and cloud engineers while keeping security foundational? Combining the concept of time, entitlements and approvals (TEA) is an approach we can use to our advantage. With TEA, we no longer need to manage standing credentials for “what if” scenarios and force developers and cloud engineers to use them.

From the example above, let’s see how TEA can provide a better experience for our DevOps engineer, Chuck. When Chuck needs to gain access to the CSP console to diagnose and fix the app issue, he no longer needs to go to another solution to utilize standing credentials through a proxy. Instead, he can log in to the CSP console or CLI natively with his own federated identity.

In addition to this improved user experience, Chuck’s federated identity has ZSP to the CSP console. This setup means that no entitlements are available by default, providing an essential layer of security. Only after the necessary approvals are met (automatic, contextual, manual) will privilege access be granted. This access is only approved for the window of time required and with specific entitlements (aka the principle of least privilege (PoLP)). An audit will also readily pinpoint the work Chuck performed during this period because he logged in with his federated identity. Once the approved session expires, those entitlements are automatically revoked, taking Chuck back to ZSP and securing our environment.

Reimagining PAM and Its TEA UX Makeover

PAM has been an essential pillar of cybersecurity for years and will continue to be even as more development moves to the cloud. However, this doesn’t mean PAM shouldn’t adapt. Concepts such as ZSP, just-in-time (JIT) and dynamic access are paving the way for the evolution of PAM.

It’s (TEA) time to give developers and cloud engineers their desired user experience – one that capitalizes on the benefits that SaaS and CSP consoles provide while still enforcing the necessary level of security. And it all comes down to the right combination of time, entitlements and approvals.

Let the evolution of PAM continue.

Mike Bykat is a global solution strategy architect for Cloud Security at CyberArk.

Just like a snagged strand can ruin your garment, overlooking the security of machine identities can tear the very fabric of Zero Trust that protects your organization from bad actors. As a quick refresher, Zero Trust operates on the principle that no entity inside or outside the network perimeter is trusted by default. As we usher in an era where the traditional network perimeter has dissolved due to cloud services, remote work and mobile access, the necessity for Zero Trust becomes even more pronounced.

However, too often, a critical and overlooked component of this framework by security teams is the management of machine identities. But while security teams don’t always apply Zero Trust principles to machine identities, for attackers, unprotected machine identities are another entry point to your organization’s sensitive data. And the problem is getting bigger.

Machine Identities Now Outnumber Human Identities by a Factor of 45 to One

A machine identity is a unique identifier distinguishing software code, applications, virtual machines or even physical IoT devices from others on a network. It’s used to authenticate and authorize the machine to access resources and services. Machine identities use secrets, API keys, Cloud Access Keys, digital certificates and other credentials to enable machines to communicate securely with other systems.

As organizations digitally transform, the number of machines – applications, containers, automation scripts, virtual machines, Lambda and other computing functions – grows exponentially. Machine identities now outweigh human identities by a factor of 45:1. Therefore, we can assume they also have greater access to sensitive data than human identities. Without the right policies and automation, machine identities and secrets become a vastly expanding attack surface for cyber adversaries.

Digital Transformation: Fueling the Proliferation of Machine Identities and Secrets

Most organizations today enable their missions with software as a service (SaaS) applications – storing data in one or more clouds and even developing software applications to serve their customers. The CyberArk 2023 Identity Security Threat Landscape 2023 report finds that organizations expect an increase of 68% in the number of SaaS applications deployed in their environment. Additionally, another CyberArk report indicates that 80% of organizations will use three or more cloud service providers (CSPs). This digital transformation spurs the proliferation of machines in our networks and the corresponding growth in the number of secrets needed to access IT and other resources securely. And the rapid growth has outpaced our ability to manually track the number, purpose and location of machines and secrets. That’s why it’s unsurprising that 65% of organizations either took steps to protect machine identities last year or plan to do so in the next 12 months.

The dynamic nature of hybrid and multi-cloud environments and DevOps practices requires automated secrets rotation and issuance, renewal and revocation of machine identities. Manual processes are prone to errors and cannot keep pace with the speed at which modern IT environments change. To protect your organization’s digital assets holistically, it’s imperative that you implement a robust Zero Trust strategy that includes a plan for securing and managing machine identities and their secrets.

Why Machine Identity Management is a Zero Trust Strategy Essential

As your organization builds its Zero Trust roadmap, ensure machine identities and secrets management are specifically called out in your identity governance policy and procedures. Machine identities and secrets management are essential components of a Zero Trust security strategy because they provide a means of authentication and secure communication between machines on a network. By including machine identities and secrets management in your Zero Trust strategy, organizations can ensure that only trusted machines can communicate on the network and that unauthorized access attempts are detected and prevented.

Machine identity management policies should be established to govern machine identity generation, renewal and revocation. Regular audits and monitoring should also be conducted to identify abnormal or unauthorized activity.

It’s crucial to aim for at least four goals as you build out your machine identity practices:

1. Greater visibility. Currently, 62% of security teams operate with limited visibility across their environment, making the task of securing human and especially machine identities cumbersome and inefficient. A comprehensive secrets management and machine identity management policy can give organizations greater visibility into their network, allowing them to closely monitor and track managed and unmanaged secrets and machine activity. By enhancing visibility, you can ensure the provisioning of certificates across all areas of IT infrastructure, including hybrid and multi-cloud environments.
2. Improved security. Centralized management of secrets and machine identities is a key element of a comprehensive Zero Trust strategy. Functions like centralized rotation of secrets help eliminate the problem of hard-coded secrets and enable organizations to audit which applications and machines are using each secret.
3. Lower risk digital transformation enablement. The dynamism of hybrid and multi-cloud environments and DevOps practices demands agile central management for secrets and machine identities. Integrating identity security automatically in CI/CD pipelines, for instance, ensures that identity integrity is baked into your development processes and not just an afterthought.
4. Improved operations efficiency. Automation tools improve efficiency. Additionally, native integrations with DevOps tools and the cloud provider’s built-in (native) services increase developers’ adoption of secure coding practices, ultimately increasing overall productivity and accelerating the deployment of new services more rapidly.

Ultimately, incorporating machine identities and secrets management into a Zero Trust strategy can help your organization establish a more robust and secure network architecture and reduce costs associated with traditional security approaches while reducing the time to deploy new services. A comprehensive machine identity management policy can help organizations secure their networks and protect against cyber threats. By proactively managing machine identities and secrets, organizations can ensure that only trusted machines can communicate on the network and that any unauthorized access attempts are quickly detected and prevented.

As organizations continue to adopt Zero Trust, they must pay attention to the pivotal role that machine identities play in digital environments. And that’s why the overall security strategy must account for them. Investing in tools and processes to manage these identities effectively will pay dividends by reducing risk and ultimately fortifying the organization’s security posture in the face of an ever-changing threat landscape.

Machine Identities and Secrets: Organizational Binding Strands

My call to action for any organization is straightforward: Embed the management of machine identities and secrets into your Zero Trust strategy. Rigorously verify identities, systematically manage machine identities and secrets – and use threat analytics to understand when and where they’re being abused. Remember, in the fabric of cyber defense, a layered defense is critical and letting even one thread unravel can lead to a garment’s undoing. That’s why machine identities and secrets are not just threads; they are vital strands that hold together the security tapestry of our digital enterprises.

James Imanian is the senior director of the U.S. Federal Technology Office at CyberArk.

With new identities, environments and attack methods dominating today’s threat landscape, cybersecurity leaders are hyper-focused on securing identities to safeguard enterprises. However, a glaring, high-touch security gap exists that threat actors actively exploit to steal confidential data. And unsuspecting as it seems, that gap lies in the most used enterprise application of all time – the web browser.

In today’s cloud-first world, browsers are the gateway to a company’s most critical assets and house sensitive information, such as user credentials and cookie data, making them prime targets for attackers. Yet, in a decidedly ironic reality, browser security rarely ranks on the priority list of security teams, making enterprises susceptible to attacks.

This seemingly nonsensical practice – or lack of practice – is primarily because organizations continue to use consumer-focused browsers for enterprise needs. Built for convenience over protection, these browsers enable access without securing it and lack the control and visibility security teams need to mitigate potential security incidents. This exposes organizations to various browser-based vulnerabilities – pre- and post-authentication, such as cookie hijacking, malware attacks on unmanaged endpoints and unauthorized user access leading to data exfiltration.

In an increasingly complex IT world, browsers that are disconnected from a broad end-to-end identity security infrastructure pose a massive threat to enterprises. For instance, workforce identities and their actions within browser environments often remain hidden from security teams, creating a gaping Achilles’ heel that enables attackers to steal confidential data without detection.

As such, security leaders need a solution that integrates a foundational identity security strategy into the browser environment and layers with existing infrastructure to balance enterprise security and workforce productivity effectively.

Securing Enterprise Web Browsing with an Identity-centric Approach

As organizations migrate to the cloud and the workforce grows, web browsers have become an intrinsic part of enterprise operations. From employees to third-party vendors – everyone uses a browser to access the confidential corporate resources required to do their jobs.

But with access comes risk, and mitigating it requires deep end user visibility and security control that traditional browsers aren’t designed to provide. Adding additional risk, employees often use the same work browser to access their personal data in cloud consoles. This can invite more opportunities for breaches, insider exfiltration and malware attacks.

Even for organizations with an identity and access management (IAM) strategy and dedicated privileged access management (PAM) solutions in place, browser-based vulnerabilities can easily expose them to potential threats and breaches.

The following are some common browser capabilities that, in an enterprise environment, can pose serious security threats:

• Allowing users to install unverified extensions that can secretly upload data to attacker-controlled servers.
• Providing enterprise workers with built-in tools to circumvent preventative controls put in place by the organization.
• Enabling users to store passwords for all their applications – work-related and personal – in built-in password managers that are prone to breaches.

Attackers can harness the same basic functionalities designed for a convenient user browsing experience to carry out nefarious activities unless they are adequately protected. A prime example is cookie hijacking, where attackers steal, forge, alter or manipulate cookies from users’ web sessions to gain unauthorized access to sensitive resources. It’s a relatively simple post-authentication attack vector in which, in three steps, a threat actor:

1. Acts as an imposter to hijack the cookies after a session has been authenticated.
2. Replays the cookie in the session to bypass multi-factor authentication (MFA).
3. Hijacks ongoing sessions to steal data, move laterally and escalate privileges to disrupt operations.

The bottom line is that enterprises need a comprehensive identity security strategy based on intelligent privilege controls that goes beyond endpoints into browsers to secure every workforce identity with access to the heart of your enterprise.

So, what does it take for browsers to integrate with your larger security infrastructure?

The simple answer would be extending the identity-based approach used for everything else into browsers. This would give IT teams the vantage point to ensure all workforce identities – employees, vendors and remote workers – adhere to risk-tolerant practices, guided by the principles of least privilege (PoLP) and just-in-time (JIT) access.

Navigating Today’s Threat Landscape with an Identity-focused Enterprise Browser

The actual value of an enterprise browser can be realized when combined with existing security infrastructure. For instance, enterprise browsers can prevent cookie hijacking by storing cookies on secure servers. This enables organizations to keep sensitive data beyond the reach of attackers so user web sessions, data and accounts remain protected.

Enterprise browsers should also come with built-in controls that can extend access to privileged targets using native integration to enable security teams to monitor end user activities within high-risk browser sessions, enforce policy-based browsing and prevent misuse of confidential corporate data.

By working together with other defense-in-depth solutions such as MFA, single sign-on (SSO) and session monitoring, enterprise browsers can:

• Secure identities, endpoints, passwords and credentials from pre- and post-authentication attacks.
• Enable users to access their resources and applications securely.
• Unify identity security controls while ensuring privacy for every identity on every endpoint.

Breaking Browser Siloes to Balance Security and Productivity

While traditional browsers are largely siloed and not built to tackle the challenges posed by today’s identity-focused threat landscape, enterprise browsers alone can disrupt user experiences, given their restrictive controls.

For optimal web security and a seamless workforce experience, the enterprise browser and your current security solutions must work together to pave the way for an identity-based security posture that can prevent modern attacks.

Learn about CyberArk Secure Browser.

Sobhan Pramanik is a senior copywriter at CyberArk.

If the first month-plus of 2024 is any indication, this year is likely to be anything but ordinary in the cybersecurity realm. In January alone, a triad of events unfolded, each more riveting than the last, setting the stage for a year that promises to be as unpredictable as it is exciting.

The following recent events have me reflecting on processes and controls that can help you better protect your organization’s most sensitive assets:

1. Nation-State Threat Actors Target High-Tech Companies

ATP29, the threat group behind the 2021 Solarwinds attack and linked to the Russian Foreign Intelligence Service (SVR), resurfaced in January when two tech giants – Microsoft and HPE – reported that the group lurked into their systems and accessed, monitored and exfiltrated data from various employee accounts, including those of executives.

Before these high-profile attacks, ATP29, also known as Cozy Bear, is believed to be responsible for the 2015-16 breach of unclassified networks at institutions such as the White House, the U.S. Department of State and the Democratic National Committee (DNC). Reports indicate that the same group successfully operated in Germany, South Korea and Ukraine.

A few days ago, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued multiple critical vulnerabilities and exposures (CVE) advisories that identify vulnerabilities in products or services from a reputed cybersecurity vendor used by many government agencies. CISA has warned that bad actors from China, part of the Volt Typhoon group, are exploiting these vulnerabilities and the potential risk to nation-states.

It’s certain now that the espionage and reconnaissance activities of nation-state threat actors are not limited to hacking critical infrastructure owned and operated by national government agencies. Instead, the increasing reliance of government agencies on an ever-growing technology ecosystem makes any supplier a potential victim. And the next victim could be you.

2. Unmitigated CVE 10 Invites Exploitation Attempts

On Jan. 16, 2024, Atlassian published an advisory on a critical vulnerability in its out-of-date versions of Confluence Data Center and Server that allows an unauthenticated attacker to achieve remote code execution. If successfully exploited, this vulnerability allows unauthenticated remote attackers to achieve remote code execution (RCE) on an affected instance. Days after publishing this advisory with a CVE score of 10, the Shadowserver Foundation observed nearly 40,000 exploitation attempts of this CVE. I assume these exploitation attempts were observed in instances that did not heed the warning to patch.

CVEs with a score of 10 indicate critical severity and require an immediate AppSec remediation plan. Security breaches often occur from known vulnerabilities left unmitigated, thus underscoring the importance of a mature change management process. The inability to patch or upgrade the software immediately despite an advisory often reflects complex or ill-defined change management processes. Additionally, interdependency can slow patching or upgrading with potential downstream impact on other processes.

3. Ransomware Continues to be Evergreen

The CyberArk 2023 Identity Security Threat Landscape Report finds that 89% of 2,300 global respondents have faced at least one ransomware attack. Ransomware is a big, if not the biggest, cybersecurity problem in the connected digital world and the first month of 2024 was no different. Tigo, a large telecommunications company in Paraguay; Kenya Airways, one of the largest airlines in Africa; AerCap, the largest aviation leasing company based out of Ireland; and Swedish government agencies are just a few examples of enterprises or government bodies that have suffered a ransomware attack in January 2024.

With the advent and adoption of GenAI, I expect ransomware attacks to increase substantially and potentially impact organizations of all sizes – even yours.

Buckle Up This Year – We’re Likely In For a Ride

Brace yourself for what I expect to be a roller coaster ride in 2024 for several reasons. This year, over 49% of the world’s population is expected to participate in national elections in over 64 countries. As a result of this, in addition to the regular threat landscape, we’ll see nation-state actors increasingly targeting rival government agencies, tech providers supporting the critical infrastructure and netizens to maximize their bounty – whether it be influence, espionage or purely monetary gains. In the wake of these impending attacks, I recommend that you bolster your organization’s defenses by considering the following:

Encrypt your email. Email accounts are often the lowest-hanging fruit that bad actors target regularly and incessantly. In today’s world, compromised emails are a gateway not just to financial bounty but to espionage for nation-state actors. In a world of cybersecurity and cyberwarfare, you must implement end-to-end email encryption (including attachments) to protect your organization’s data and, in turn, your customers.

Bring Your Own Key (BYOK). Your encryted data is secure only as long as the encryption keys are secured. BYOK lets you fully control the encryption key used to encypt your data. Since you are fully responsible for hosting, managing access, rotating, and revoking the encryption key, you maintain control over your data, particularly in complex multi-cloud environments.

Review and iterate change and risk management processes. Change management based on risk assessment offers a systematic method for modifying security procedures, technologies and operations that ensure every change is assessed, planned, communicated, monitored and, most importantly, reduces the risk of disruption and vulnerabilities. Ensure emergency cyber response (ECR) processes are in place to execute robust patch management cycles within 24 hours of a critical severity CVE advisory. This will help you contain the vulnerability swiftly and keep the genie in the bottle.

In this changing technological landscape, I recommend assessing the residual impact of change management to protect your organization’s sensitive assets. Sometimes, during the risk assessment process, you may discover that upgrading or patching might offer less than a 50% chance of improved protection, in which case you may choose to accept the risk and stay with the existing software version. In this case, robust compensating controls are your best savior.

Ensure compensating controls. This addresses any weaknesses of existing controls or compensates for the inability to meet specific security requirements due to various constraints. Virtual Private Network (VPN) and phishing-resistant multi-factor authentication (MFA) are implemented to bolster your defense in depth capabilities.

Consider the value of SaaS. Your AppSec teams might benefit from leveraging SaaS offerings, considering that patching and preventing vulnerabilities are daily tasks that consume a considerable amount of time. Be sure to evaluate not just your SaaS vendor’s processes to secure its environment but the focus and rigor it applies to the best practices on patching cadence based on a vulnerability’s severity. SaaS offerings provide proactive application and infrastructure support, including weekly or monthly patch management. They can effectively and efficiently implement patches or upgrade software in case of CVEs with scores of nine or 10 that require immediate attention. You’ll also potentially improve the availability of services by leveraging SaaS.

Bad Planning is Worse for Security Than Complexity

This first month of this year reminded us of the challenges we face in the digital age and our capacity to rise to these challenges. I encourage you to review your change management process and risk assessment cadence. Ensure you have the right compensating controls and consider if it’s time to adopt SaaS. Also, as you consider implementing these recommendations, the complexity of your environment or processes may seem like a roadblock to improved security. In my experience, it’s an ill-defined plan that is often the roadblock to security than the complexity itself. So, I’d suggest starting with your risk assessment plans, making them robust and agile enough to address your business goals and working backward to implement the above suggestions.

See you next month.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.

A new and concerning chapter has unfolded in these troubled times of geopolitical chaos. The Cozy Bear threat actor has caused significant breaches targeting Microsoft and HPE, and more are likely to come. These recent events have sent shockwaves throughout the tech community, and for good reason. As we continue to uncover the fallout from these breaches, it has become apparent that the magnitude of the incident is more significant than we first realized. Today’s blog post sheds light on who exactly APT29 is, its motives, what tactics it continues to use – and ultimately, how organizations might prevent similar attacks from happening to them.

Who’s Behind the Microsoft Attack and Why?

The U.S. government has classified this threat actor as the advanced persistent threat APT29. The group also goes by many other names, such as CozyCar, The Dukes, CozyDuke, Midnight Blizzard (as Microsoft calls them), Dark Halo, NOBELIUM and UNC2452. Most people, however, know it by the moniker Cozy Bear. This group has rightfully earned a reputation as one of the world’s most advanced and elusive espionage groups.

In reviewing security camera footage, the Dutch government determined that the Russian Foreign Intelligence Service (or SVR) led this group. APT29’s primary objectives include acquiring political, economic and military intelligence to gain a competitive advantage, supporting geopolitical goals and enhancing Russia’s influence on the global stage. The group’s long-term and covert approach reflects its commitment to achieving sustained access to sensitive information, allowing it to conduct strategic operations over an extended period.

Industry experts generally agree that this threat actor formed in 2008 and has been targeting government entities, think tanks and critical infrastructure since 2010. Cozy Bear has since been linked to several high-profile cyber-attacks, including the 2016 breach of the Democratic National Committee (DNC), the SolarWinds supply chain attack of 2019 and the Republican National Committee (RNC) in 2021. This threat actor is known to be extremely patient and cautious. Cozy Bear sometimes dwells inside a network for years if the target is valuable enough.

Quick aside: An interesting thing to note is that the SolarWinds breach was the first time an attack method called Golden SAML was documented in the wild. The attack method was first discovered by CyberArk Labs’ Shaked Reiner in 2017.

What Happened to Microsoft (What We Know So Far)

On Jan. 12, Microsoft detected a threat actor who gained access to a small percentage of corporate email accounts, exfiltrated emails and attached documents of high-value targets, including those of senior leadership, cybersecurity and legal teams, along with other internal employee identities.

Based on the details provided by Microsoft at the time of this writing, it appears the initial objective of the attack was to acquire information. Once inside target email accounts, Cozy Bear searched for specific information about, well, Cozy Bear. The group likely wanted to better understand its adversary (the intelligence teams gathering information on it) and discover the countermeasures intended to lure and stop it. Examples of what the threat actor might be interested in include indicators of compromise (IoC), exposed cloud infrastructure used by the attacker, IP ranges and known tactics, techniques and procedures (TTPs).

Analyzing the Microsoft Breach

Based on the information provided by Microsoft on Jan. 19, it appears the threat actor gained access to a “legacy, non-production test tenant account” through a password spray attack.

Password spraying is a brute-force attack where the attacker slowly tries a list of passwords against accounts from various source IP addresses. This simple attack keeps the number of requests below the standard rate limit to stop rapid login attempts from single IP addresses. This technique helps its attacker avoid detection by not locking out user accounts due to multiple failed login attempts, a common identity threat detection and response (ITDR) capability offered in access management and privileged access management (PAM) solutions. This type of attack is significantly slower but much more difficult to detect. Subsequently, password spraying has a much higher chance of succeeding.

Using this technique, the attacker compromised and accessed the account. The question that comes to mind is, if this was publicly facing, why was multi-factor authentication (MFA) not part of the authentication flow?

In this situation, the permissions set was limited. However, the test account had access to an OAuth application that had elevated access into their corporate environment. Although this was deemed a “legacy” account, it still was authorized to access the production systems. This coverage gap is a familiar blind spot for many organizations; even with great technical controls to implement least privilege access, people and processes (such as ongoing entitlement reviews) remain essential elements of identity security programs.

At this point, the attacker created a series of malicious OAuth applications that enabled them to have multiple hooks into the target, providing higher persistence while making the defender’s job even harder. Afterward, the threat actor created a new user account to grant access to the Microsoft corporate environment for the other newly created and malicious OAuth applications. Then, the attacker used the initial compromised legacy test OAuth application to grant the newly created OAuth apps the Office 365 Exchange Online *full_access_as_app* role. This role typically grants extensive access and privileges to an application – which, in this case, allowed access to target mailboxes.

The granted privilege here is meaningful because it enabled the adversary to read and exfiltrate emails and attachments. This unauthorized connection was accomplished by generating valid access tokens to Microsoft’s Exchange server, even if the original user was not allowed to do so.

Surmised Microsoft Attack Flow

The graphic above charts APT29’s steps:

1. Performed reconnaissance to identify potential victims (e.g., through LinkedIn, OSINT).
2. Performed password spraying attack on the identified entities discovered in step 1.
3. Accessed the compromised account (legacy test tenant).
4. Escalated privileges by accessing an OAuth application with elevated privileges to the corporate environment.
5. Created a few malicious OAuth applications.
6. Created a new user account to grant consent in the Microsoft corporate environment for the malicious apps created in step 5.
7. Granted the malicious apps Office 365 Exchange Online *full_access_as_app* role using the credentials gained from step 4.
8. Read and exfiltrated emails belonging to Microsoft’s executive leadership team and security staff.

Prerequisite Misconfiguration Assumptions

Based on the information disclosed, we assume that certain misconfigurations were present:

• Access to an OAuth application with elevated permissions to the internal environment.
• Privileges allowing the creation of OAuth apps and users.
• Privileges for reading emails.

It’s also worth mentioning that even though this attack created limited practical impact (stolen emails and file attachments), it can still escalate damage through various other paths, such as the exfiltration of regulated data or the disruption of systems.

What Your Organization Can Do to Help Prevent a Similar Attack

Protect Your Non-production Environments

One common mistake IT organizations make is that under-protected development environments are exposed to the internet, allowing access to threat actors. These environments should be segmented and not easily accessible from outside an organization’s perimeter. Organizations should extend cybersecurity controls in production environments into non-production environments – failure to follow best practices cause data breaches.

Another common mistake I see organizations make is using unsensitized data in test environments, allowing easy exfiltration. End user emails and attachments were not present in the legacy tenant. Still, Microsoft admitted it used the same credentials in its production environment and this legacy tenant. The threat actor’s ability to pivot and access production data resulted from reusing privileged credentials and the absence of segmenting nonproduction and production environments.

Because organizations cannot implicitly trust that best practices are adhered to by the people implementing the environments, we need to extend multiple controls, such as MFA, to environments outside of production. Everyone knows that MFA is important. That said, many organizations, including one of the largest tech giants in the world, didn’t use it correctly, at least in this case. Additionally, we must assume that systems are not always set up securely. Misconfigurations and accounts being over-provisioned are inevitable, which is why we preach taking a defense-in-depth approach to cybersecurity. Leveraging controls like least privilege and MFA to non-production environments is incredibly important.

Implement Identity Threat Detection and Response (ITDR)

The ATP29 attack on Microsoft is a textbook example of how ITDR is critical to an organization.

Starting with the initial access through password spray using a proxy, the lack of MFA followed – and the creation of privileged OAuth applications eventually led to generating a user account with a sensitive privilege … All these actions had the potential for detection and response.

Like every element of cybersecurity, ITDR capabilities are more effective when tightly integrated into an identity fabric that proactively reduces risk rather than waiting for an attack to be detected. CyberArk Labs is working on a project in the ITDR world, and we are pleased to share that our suggested ITDR list of rules covers most aspects of the attack.

Defenders should re-evaluate the effectiveness of their password spray detections against the “low volume” style of attack described above. The focus on OAuth emphasizes the importance of such detections and the need for a comprehensive ITDR solution covering both on-prem and Cloud aspects.

An additional line of defense includes having controls to prevent credentials reuse and to rotate all credentials consistently according to organizational policy. Finally, detecting the entry of risky commands could have further reduced the risk of this attack by limiting lateral and vertical movement.

Security teams should carefully review every impersonation action between non-human and human entities. Require administrative privileges for the OAuth application approval process (Consent).

Suggested ITDR Detections and Responses

The following recommendations correspond to password spraying attacks, OAuth abuse, and other malicious actions. You can monitor the following events to detect:

• Login without MFA (and respond automatically, accordingly)
• Reuse of authentication credentials and force rotation
• Suspicious creation or reactivation of OAuth applications
• The idle activity of an OAuth application
• New admin privileges granted to a user and try to add correlation with deviation from an approved organizational process for changing and adding privileges (e.g., the need to open an IT support ticket or to authenticate with MFA again)
• The activity of a user without a prior explicit user authentication (or session start event)
• MFA-configured user behavior without a prior MFA check
• Attempted actions that failed due to the post-expiration time of the credentials\tokens\cookie used
• Entry of malicious commands
• Attempts to bypass privileged access management solutions
• User login using a proxy

The Time to Act is Now (and Always)

This recent attack on Microsoft is a stark reminder of the persistent and sophisticated threats from nation-state threat actors. And it isn’t likely the last we’ll see from Cozy Bear. Days after Microsoft’s breach announcement, other organizations have also announced they had fallen victim to this threat actor. CyberArk Labs expects that more attacks will continue to become public now that these indicators of compromise are available to everyone. It’s also essential to acknowledge that the threat landscape is not limited to a single actor or nation. Other states are actively developing and refining their cyber capabilities, ready to launch similar attacks with varying motives.

The attack is also a sobering glimpse into the future of cyber warfare. It serves as a call to action for heightened vigilance, collaboration and investment in cybersecurity. The looming specter of nation-state cyberattacks demands our attention, and the time to fortify ourselves is now. Ignoring these warnings would be to our peril. As a global community, we must work collectively to safeguard our digital infrastructure from the growing threat of nation-state cyber aggression.

Andy Thompson is CyberArk Labs’ Offensive Security Research Evangelist.

Editor’s note: For more insights from CyberArk Labs’ Andy Thompson on this subject and beyond, check out his appearance on CyberArk’s Trust Issues podcast episode, “Behind the Data Breach: Dissecting Cozy Bear’s Microsoft Attack.” The episode is available in the player below and on most major podcast platforms.

Left to their own devices, your organization’s devices can be a significant source of risk. Consider operational technology (OT), which is crucial for organizations but is not engineered and operated with a security-first mindset. Often, OT systems are beyond the purview of CISOs and are focused on meeting key objectives for system uptime and efficiency – leaving them vulnerable. Attackers seek to exploit human and non-human identities with high-risk access, including:

• Devices used by third-party vendors that often remotely operate and service their client organizations’ OT systems.
• Devices used by employees whose access to applications or endpoints leading to OT are protected by passwords that can be easily compromised through phishing or ransomware.
• Devices embedded with machine identities with high-risk access to data and infrastructure, such as industrial control systems (ICS) and SCADA systems.

Outside of OT are Internet of Things (IoT) devices, including interconnected devices like smart thermostats or lightbulbs, wearable devices, and connected security cameras. What do these variables across OT, IoT and ICS have in common? The risks of interconnectivity.

One compromised identity can allow attackers to employ tactics such as installing malware that enables control over OT or IoT devices – often with devastating outcomes, including shutting down a manufacturer’s equipment, preventing compliance with regulations or taking IoT devices offline due to a widespread DDoS attack. These technologies are crucial for running business operations, making them appealing to attackers.

Understanding the Risks Embedded in OT and IoT Devices

Attackers have always sought to exploit privileged access, and now they’ve broadened their view of privilege. Securing this access remains critical, but now attackers know they can chart a similar attack path by exploiting human and non-human identities within OT environments and IoT devices. It is vitally important to know the status of all the devices on your network and take actionable steps to protect them from potential attacks.

According to the Microsoft Digital Defense Report 2023 (MDDR), 25% of OT devices use unsupported operating systems, making them more susceptible to cyberattacks. Traditionally, organizations separated OT from the internet by “air-gapping” these devices. However, increasing device interconnectedness, even in once-air-gapped environments, has posed new threats to business continuity. This change increases the need for comprehensive protection outside of foundational practices that once satisfied OT security.

In 2022, transportation, discrete manufacturing, and the food and beverage industries were the top three targeted sectors. The reason for the targeting? Interdependencies between IT and OT systems are the main factor. The consequences of cyber-attacks on OT systems are significant and only growing. 2023 saw an increasing number of more sophisticated attacks, with “More than 80% of the OT/ICS incidents started with an IT system compromise attributed to increased interconnectivity…”

Why It’s Essential to Redefine Your PAM Program for OT and IoT Threats

There are many challenges when we look at OT security, such as aging, fragile technology,  no longer supported operating systems and software – and a longer lifespan that suggests vulnerability. There is also an opportunity to improve and prepare before it’s too late. Organizations must redefine their PAM programs to secure a broader set of identities with high-risk access.

While OT and IoT are inherently different, these devices have common ground from a security perspective. Let’s look at three core areas of risk and how to reduce that risk when securing the broader ecosystem of unmanaged or loosely connected devices, including OT, IoT devices, and ICS.

1. Discovery of Devices and Firmware Updates

Privileged access management (PAM) programs should continuously discover and onboard new devices and accounts when added to your network(s), enhancing control and oversight. These accounts and the credentials used to run your organizational devices and assets must be securely managed and rotated, especially away from default passwords.

Isolating access to monitor and record sessions helps proactively report on and achieve continuous compliance. Managing privileged credentials on certain OT devices can be daunting due to the complexity and lacking visibility of the whole environment. Best-in-class PAM solutions allow you to control and rotate credentials on these devices securely, ensuring unauthorized access is mitigated. Leading PAM solutions can work with the gateway controlling these devices to ensure credentials are secured, rotated regularly and centrally managed to reduce the risk of credential theft.

It is crucial to safely provide credentials for device management solutions performing firmware updates and patches. Secrets management capabilities securely store and provide these credentials, ensuring the devices remain updated and maintain security protocols.

2. Gateway and Remote Access Vulnerability

Manage endpoint privileges to secure workstations (with desktop MFA, if possible) and stop the spread of ransomware and malware to OT. Endpoint security should also be implemented on IT-like systems that sit inside the OT boundary. For example, shared workstations that sit on factory floors. Sensitive equipment requires stringent security controls over workstations and servers that can reach OT devices by network.

Utilize an endpoint privilege manager (EPM) to harden the systems, maintain strict endpoint privilege security, and enforce least privilege, reducing the risk of unauthorized changes to critical systems. Ransomware remains the most significant threat to industrial infrastructure, and there’s been an observed shift towards ransomware attacks specifically targeting OT environments.

Many different identities can physically and remotely access IoT devices and OT environments. Ensuring a secure remote connection and advanced controls when these machines are being used is crucial. Remote access capabilities in PAM solutions provide secure access to credential vaults without VPNs, passwords or agents, plus the ability to provide offline access to credentials.

Secure, remote access is a vehicle to the vault or entry point to the OT environment. Apply controls to ensure vendors or contractors operating air-gapped environments can securely retrieve credentials offline. Rotate credentials based on organizational policy and sync them to users’ mobile devices after they leave and before they re-enter offline worksites.

3. Defense in Depth: Paperclip Resets, Unidirectional Gateways and Device Monitoring

Attackers will never stop innovating their methods to exploit credentials and data. They will also use old tricks like the Paperclip reset on devices, allowing them to reset devices to default passwords and then take over. Look for security-first solutions designed to detect this type of action and automatically remediate the threat by rotating the credentials for the device.

Actively observing, analyzing and managing the activities of connected devices and systems is paramount when securing your IoT devices and OT environments. Leading PAM solutions offer identity threat detection and response (ITDR) capabilities such as real-time monitoring, anomaly detection, security event and integrity monitoring, user behavior analytics and regulation compliance monitoring to ensure all interconnected devices are accessed properly by authorized personnel.

Securing and strengthening the flow of data in OT environments is essential. Unidirectional gateway, or a data diode, integrations with CyberArk’s OT and ICS partners allow you to monitor and detect any attempt to bypass PAM, preventing unauthorized access and high-risk account usage.

Don’t Forget Visibility for Audits and Compliance

Redefining your PAM program to satisfy OT and IoT use cases will satisfy industry-specific audits and compliance such as SOC, NIST and NERC CIP – and help you start implementing a Zero Trust architecture. Organizations involved in computer-integrated manufacturing (CIM) or rely heavily on ICS security and follow the Purdue Enterprise Reference Architecture (PERA/Purdue Model) or follow the IEC 62443 framework for the growing prevalence of Industrial Internet of Things (IIoT) technologies can fend off vulnerabilities and challenges in terms of cybersecurity threats.

Layering Identity Security for Operational Resilience

According to the Waterfall 2023 Threat Report, adding additional layers of security improves cyber and operational resilience in your manufacturing plants, automation systems, healthcare devices and smart cities. OT and ICS cybersecurity incidents in the last three years have already exceeded the total number reported between 1991 and 2000. Building a comprehensive cybersecurity program does not start and end with IT. Extending identity security concepts to go beyond the “walls” of IT to strengthen OT allows your organization to proactively thwart cyber threats that can impair business-critical operations, disrupt essential services and possibly threaten public health safety.

Ryne Laster is a product marketing manager at CyberArk.

Editor’s note: Attackers are constantly setting their sights on any aspect vulnerable to an organization. To explore how you can build a defense-in-depth approach to securing all human and non-human identities across OT systems, check out our webinar, “13 Ways to Improve OT Security.” And, for a dive into OT cybersecurity and its challenges and opportunities, listen to our Trust Issues podcast conversation with Mike Holcomb, the Fellow of Cybersecurity and the ICS/OT Cybersecurity Lead at Flour. You can check it out in the player below or wherever you get your podcasts.

It’s said that life truly begins when you step out of your comfort zone. Living in California provides me with many options for hiking and trekking, a perfect backdrop for spending time with nature and enjoying it with friends and family. As a hiking and nature enthusiast, I have done many moderately challenging trails in and around the Bay Area – my comfort zone.

Last year, I decided I needed to get out of my comfort zone and do one of the most challenging hikes in the world, the trek to Everest Base Camp (EBC). Spanning 10 days and covering 80 miles through the scenic Himalayas, culminating at 18,000 feet – about half the cruising altitude of a commercial jet. Reaching the summit was incredibly uplifting and gave me a profound sense of accomplishment. However, the preparation and planning for the adventure provided long-standing benefits. Training for Everest propelled me into a disciplined physical routine and diet, adhering to best practices and guardrails since ensuring optimal fitness and enhancing my well-being.

Climbing the Cloud Transformation Mountain

There are parallels to my experience with the EBC hike in my career leading digital transformation and cloud initiatives for large enterprises and digital-native businesses. Organizations must constantly challenge their comfort zones, particularly when securing their application environments. As large enterprises complete their migration to the cloud and digital native businesses scale their offerings on the cloud, breaking away from their comfort zones by adhering to the well-architected frameworks published by their cloud providers, like AWS, Azure and GCP, becomes imperative. This urgency amplifies with the surge in cloud services and increased threats on cloud workloads due to the rise of artificial intelligence (AI). And this transformation should occur without slowing the pace of delivery.

All cloud providers abide by a shared responsibility model with organizations, making it their duty to adhere to the guardrails, ensuring the overall health of their cloud environments. Embracing solutions aligned with well-architected frameworks for security has been my strategic approach throughout this transformative time.

Key Guidelines for Securing Cloud Identities

When building secure and well-architected cloud environments, the following guidelines are essential for securing identities in the cloud:

1. The principle of least privilege (PoLP). Assign the minimum necessary permissions to users, processes and systems to perform their tasks, reducing the risk of unauthorized access. Implementing zero standing privileges (ZSP) and allocating just-in-time (JIT) access to roles scoped for least privilege ensures that only the required and essential permissions are granted to any user accessing cloud resources by console or command line interface (CLI) for the time allocated and enable non-human interactions through APIs (Application Programming Interface) securely.

2. Authentication and authorization. Implement strong authentication mechanisms, such as multi-factor authentication (MFA), and ensure proper authorization controls to manage access to cloud resources effectively. Platforms requiring MFA at login and supporting third-party IdPs to collaborate with existing SSO/MFA solutions can enforce the necessary authorization controls for cloud-native services.

3. Centralized identity management. Use a centralized identity management system for user authentication and authorization, facilitating better control and monitoring of access across your cloud environment. Leveraging a centralized identity management platform that integrates with third-party IdPs ensures complete identity lifecycle management and identity compliance mapping.

4. Credential management. Regularly rotate and manage credentials securely, avoiding hard-coded credentials and utilizing Identity and Access Management (IAM) roles whenever possible. Integrating privileged access management (PAM) capabilities for long-term credentials helps safeguard them.

5. Audit trails and monitoring. Implement robust logging and monitoring for all identity-related events, enabling timely detection and response to security incidents. Leveraging cloud log solutions and cloud monitoring capabilities allows recording and monitoring of user activity within web applications and cloud consoles.

6. Automated compliance checks. Employ automated tools and processes to regularly assess and ensure compliance with security best practices, IAM policies and configurations. Regular reviews of inactive identities, identities with unused privilege permissions, and those with standing privilege permissions are essential.

7. Secure DevOps practices. Integrate security measures into the DevOps pipeline, ensuring that identity and access controls are considered and tested throughout the development lifecycle. Organizations should secure access to a broad range of applications, including COTS, BOTS, automation platforms and CI/CD tools – running in hybrid, cloud-native and containerized environments.

A Disciplined Approach for Taking Your Organization’s Cloud Health to the Next Level

Adhering to these guardrails, organizations can elevate the health of their cloud environments and take them to a higher level of maturity, optimizing their cloud solutions for security. Like my personal fitness journey conquering the EBC hike, a disciplined approach to cloud health requires discipline to reach peak performance.

An integrated identity security strategy, enforcing least privilege and enabling Zero Trust, is the best line of defense against attacks in today’s threat landscape. To explore our research, based on a survey of how 1,500 cybersecurity professionals are looking at securing the cloud as part of a holistic, risk-based identity security strategy for thwarting attacks and increasing cyber resilience, check out our Identity Security Model report.

Prashant Tyagi leads cloud solutions GTM (Go to Market) technology strategy at CyberArk.

The cybersecurity industry has a major people problem: it doesn’t have enough of them. The global shortage of more than 4 million cybersecurity workers isn’t a new phenomenon, but as digital and cloud initiatives accelerate, the effects are even more profound. This is especially true in the identity security domain. There aren’t enough skilled professionals to securely manage the ever-growing number of identities in the enterprise, and many teams lack specialized expertise in critical areas such as cloud security and Zero Trust architectures. This is, in part, why compromising identities remains the most effective way for cyberattackers to circumvent cyber defenses and access sensitive data and assets.

Reimagining the Classic Run-Grow-Transform (RGT) Model

Many organizations are turning to generative artificial intelligence (GenAI) and machine learning (ML) technologies to help bridge gaps, upskill existing teams, boost productivity through automation and improve their defensive strategies. When supported by robust processes and people practices, these technologies have the potential to optimize and elevate IT and security organizations at every step – from run (maintaining day-to-day business operations) to grow (scaling systems to support business evolution) to transform (implementing new systems and processes that drive new business value). Perhaps most importantly, GenAI and ML technologies can make cybersecurity an even more enticing career option by eliminating manual drudgery and emphasizing creativity, analytical thinking and other uniquely human characteristics.

Bridging Skills Gaps with GenAI and ML

GenAI and ML offer incredible promise for identity security areas such as policy optimization, risk reduction and threat detection – empowering teams to accomplish more with greater speed, increased accuracy and less manual work.

Take endpoint security policy creation, for example. Historically, experienced IT security professionals would spend hours sifting through alerts and creating policies based on these alerts. Before the policies could actually be enforced, they had to be tested manually, implemented without breaking the business and propagated to the organization. AI-powered policy creation is changing the game by delivering prescriptive policy recommendations within minutes. Teams can set these policies quickly and confidently for rapid risk reduction without manual analysis or senior-level (tier-3) analyst involvement. Of course, it’s important to test the outcome before moving to production, but an AI capability makes this a much easier task.

Security operations centers (SOCs) are harnessing ML algorithms to analyze vast amounts of identity-centric threat data in real-time and integrate it with security orchestration, automation and response (SOAR) systems to optimize response workflows. This can significantly reduce the workload on human analysts while driving down mean time to detection (MTTD) and mean time to response (MTTR) to improve overall security posture.

AI/ML can also give cybersecurity education a boost, helping to reduce the number of human-led security errors and incidents. AI-based user behavioral analytics (UBA) tools, for instance, help organizations analyze large datasets and identify patterns that could indicate risky user activities. By configuring security systems to alert on anomalies automatically, these organizations can quickly investigate potential issues and address risky habits or inadvertent slipups before they become problems.

Throughout my career, I’ve learned to take advantage of teachable moments like these, as a majority of people are very receptive to feedback and want to do the right, secure thing. With the appropriate training and support, employees outside of IT and security functions can become cybersecurity champions.

Investing in People to Elevate Security

One of the best cybersecurity investments an organization can make is in their people, empowering staff with the skills they need to navigate the evolving threat and regulatory landscapes, utilize emerging tools to enhance security measures and achieve their professional ambitions. Training doesn’t have to be a heavy lift. Simple actions can make a big difference, such as hosting a lunch-and-learn session for executive assistants – primary targets of many phishing campaigns – or sharing security guild insights.

Though the sky’s the limit with online education options in 2024, convenience and customization are key for busy cybersecurity professionals. Keep them informed of relevant upcoming training opportunities, such as online courses offered by a partner university, industry webinars or certification training. Incentivize upskilling and make learning a non-negotiable part of their work schedules. Otherwise, it may fall through the cracks.

Specialized training programs, such as the identity security courses offered through CyberArk University, can help supplement professional development curricula. By deepening their knowledge and technical abilities, team members can advance their professional goals and validate their expertise, increasing job satisfaction and retention.

The cybersecurity industry at large must continue to improve its approach to re-skilling workers and attracting new professionals to a field that needs them urgently. Recent data-backed research from ISC2 makes a compelling case for more open-minded hiring practices, diversity, equity and inclusion (DEI) and professional development reimbursement. As IT and security leaders, we must pay attention to such findings and act on them to move our industry forward – all while exemplifying optimism, cultivating trust and inspiring commitment.

Aligning with Business Processes to Effectively Manage Change

Enterprise IT environments are complex and hyper-connected – they’re not green fields. Newton’s Third Law often comes to mind in my work as a CIO, bringing me back to my university days as a physics major: for every action, there is an equal and opposite reaction. Introducing AI-powered technology (of any sort) into the mix can create a ripple effect of changes.

Each new tool must be implemented to correlate with existing processes, systems and policies. Understanding the new tool’s impact on, and interplay with, upstream resources (i.e., databases, microservices), downstream resources (i.e., logging and security monitoring tools) and entities (i.e., business users and service accounts) is critical. And ultimately, it comes down to Zero Trust.

AI/ML tools must also be optimized for your specific environment and use cases. It’s important to lean on vendor partners who can help fine-tune algorithms, adjust alert thresholds and streamline integrations with existing security infrastructure to meet organizational requirements. Once you’re up and running, establish feedback loops with your internal security teams and make continuous process improvements based on their hands-on experiences.

For the Love of the Game

GenAI and ML cannot replace cybersecurity’s critical human element. Still, with a focus on enablement and close business process alignment, these technologies can help bridge skills gaps, strengthen identity security programs and even reignite a passion for cybersecurity work. After all, the love of the game is why 73% of cybersecurity professionals say they joined this business to begin with.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page. 

Identity Threat Detection and Response (ITDR) is one of many aspects of an effective identity security program. Yet despite what some detection and response-focused vendors may argue, ITDR is not a silver-bullet solution to prevent identity-centric attacks. Such a thing doesn’t exist.

In fact, modern data breaches, industry analyst perspectives and compliance requirements make it crystal clear that organizations need more than ITDR to build an identity security program.

Today’s Attack Methods Circumvent ITDR Solutions

Major recent breaches highlight the value of proactive identity risk reduction. New identity-centric attack methods that bypass ITDR and other reactive controls are emerging. Agents on endpoints collect data for many ITDR systems, but without them, the systems cannot detect or respond to activity.

Take, for example, the September 2023 MGM breach. The Scattered Spider ransomware group behind the attack relied on stolen credentials but did not follow traditional methods of deploying malware on employee endpoints. Instead, the attackers used generative AI to voice phish (or ‘vish’) employees and help desk teams to provide their credentials and reset multi-factor authentication (MFA) settings.

Even with ITDR agents deployed on all endpoints, Scattered Spider could have still gained access. The attack specifically circumvented the endpoint, relying on social engineering in a medium (phone calls) where detection-focused security tools would not have visibility or context.

The same was the case with the October 2023 Okta Breach, where attackers first compromised the personal laptop of an Okta employee, knowing it was likely outside the estate covered by ITDR and other detection-focused technology. The attackers then found and used credentials for a corporate privileged service account in the password manager of the employee’s personal account.

This breach also illustrates the need for ITDR as part of the identity fabric. On the employee’s home laptop, the attackers found credentials for a privileged service account in the employee’s personal password manager. With a mature, integrated program spanning PAM and ITDR, the organization could not only have prevented the employee from seeing (and saving) the service account credentials but also detected anomalous or unauthorized use of the credentials and terminated the session.

To defend against modern attack methods, organizations need both proactive and reactive controls.

ITDR, Identity Security and Zero Trust

Take, for example, the core mantra of the Zero Trust philosophy – “Never Trust, Always Verify.” Organizations that rely on ITDR alone set themselves up to fail in both regards. ITDR can neither proactively reduce the attack surface (never trust) nor authenticate user connections (always verify).

Agent-based ITDR solutions also cannot often detect behavior beyond an identity’s endpoint – such as in web browser sessions to SaaS apps or a CLI session to an elastic cloud workload. Essentially, ITDR systems require integrations by default to detect or respond to attacks.

However – ITDR can help progress Zero Trust initiatives as part of a broader identity fabric. Through integration with privileged access management (PAM) and identity governance and administration (IGA) disciplines, ITDR adds a layer of defense-in-depth control to help organizations adopt the ‘assume breach’ mindset. ITDR also adds value to access management systems, authenticating end users in alignment with Zero Trust principles, helping organizations detect anomalous or risky activity – and denying access. ITDR capabilities from PAM solutions can also help detect privilege misuse, credential theft, and attempts to bypass PAM controls and workflows – without any agents.

In effect, ITDR can add value to Zero Trust initiatives through tight integration with existing identity security investments.

Analyst Perspectives: ITDR and the Identity Fabric

Industry analysts have long agreed on the need to secure identities with both proactive and reactive controls. In particular, many analysts cite the imperative for an interconnected identity fabric architecture that blends modular technologies to consistently enforce risk-aware, adaptive and resilient access controls – for both human and machine identities.

Operational efficiency is an essential element of the identity fabric concept. Analysts emphasize security teams should reduce complexity by focusing on IAM disciplines, not tools, and aiming to improve the composability of those disciplines. Mature ITDR disciplines can help realize this concept via data exchange with other disciplines like access management, PAM and IGA.

Of note, leading analysts emphasize identity fabrics are not synonymous with any single vendor’s suite of products; instead, the concept describes a proposed architecture of people, processes and technologies from different vendors that collectively provide defense-in-depth protection for all human and machine identities.

Compliance and Cyber Insurance Perspectives

Auditors and cyber insurers also offer clear recommendations to proactively reduce the identity attack surface. For example, compliance with frameworks like PCI DSS and AICPA SOC II requires adherence to proactive requirements like restricting access to sensitive systems and authenticating all connections.

The NIST Cybersecurity Framework is particularly clear in its guidance, specifying five core elements: Identify, protect, detect, respond and recover. Access control is the very first category of controls in NIST’s ‘protect’ phase, and NIST views proactive access control as foundational. The framework provides clear guidance to ensure:

• “PR.AC-1: Identities and credentials are managed for authorized devices and users”
• “PR.AC-3: Remote access is managed”
• “PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties”

Cyber insurance underwriters, who have direct ‘skin in the game’ when keeping clients secure, also recognize that phishing, ransomware and software supply chain attacks all rely on compromised identities and credentials. Not surprisingly, underwriters look for proof an organization is both proactively and reactively reducing the risk of identity compromise.

Examples of common cyber insurance requirements include:

• Taking endpoint security past endpoint detection and response (EDR/XDR) by proactively removing local admin credentials from employee workstations and servers.
• Enforcing MFA to verify use of administrative privileges.
• Securely managing and rotating credentials for highly privileged accounts and machine identities like service accounts.
• Isolating usage of privileged accounts to prevent lateral movement.
• Extending privileged access management controls to third-party vendors.

Beware of Wolves in Sheep’s Clothing: ITDR Vendor Claims to Watch Out For

Some ITDR vendors continue to market their capabilities as superior to PAM, access management and IGA, despite the consensus recommendation for both proactive and reactive identity security controls.

In particular, certain ITDR-focused vendors have communicated that PAM solutions are insufficient – even releasing misleading claims, like the ones illustrated in the “ITDR Vendor Claim” column in the chart below (yes, they are actual vendor claims, which we’ve reworded, in an effort not to directly call out the vendor). For clarity, we’ve includedan analysis of where each discipline adds value to an identity security program in the right column (“Identity Security Reality”).

CyberArk believes security is a team game, which is why we aren’t singling out the vendor behind the claims in the table’s left column. But you should evaluate baseless claims that any one vendor can ‘do it all’ with caution. Understand that to truly reduce risk, your identity security program needs both proactive and reactive controls.

TL;DR: You Need More Than ITDR to Secure Your Organization’s Identities

ITDR does not replace widely recommended security disciplines like access management, PAM and IGA. Rather, ITDR can add value and help make Zero Trust a reality through tight integration with these disciplines in an identity fabric model.

Want to learn more about the connection between identity security and Zero Trust? Check out our whitepaper on Guiding Your Leadership Team Through the Zero Trust Mindset.

Sam Flaster is a director of product marketing at CyberArk.

2023 was a tumultuous year that drove technology transformations at a pace unknown. The industry saw an accelerated and unrivaled pace of technology adoption, persistent yet evolving challenges and unparalleled market dynamics around the world.

The following are the top three trends from last year that influenced my thinking as a CIO at the top of 2024:

1. Software Supply Chain: The Root Cause of 2023’s Notable Breaches

2023 saw the industry’s first double supply chain attack that spotlighted third- and, particularly, fourth-party suppliers as a potent threat vector.

Take, for example, the massive compromise of 3CX – a VOIP and teleconferencing provider – who was Trojanized, unfolding multi-staged attacks against users in early 2023. According to Mandiant, this was the first double supply chain attack that the industry had likely seen, impacting a large portion of over 600,000 customers. In mid-2023, the exploitation of file transfer software MOVEit, leading to ransomware, was yet another instance of a software supply chain attack. Several impacted organizations were suppliers or vendors to other organizations, causing downstream impact to organizations large and small, as well as U.S. and French government agencies.

2. GenAI’s Hype Cycle and Adoption

In less than a year of its launch, ChatGPT hit 100 million weekly users, and over 2 million developers are currently building on the company’s API, including the majority of Fortune 500 companies. As a technologist, I find this exciting but troubling at the same time.

It’s an exciting time to harness the potential of AI to advance, yet navigating AI’s Wild West is challenging. With no playbook or precedent to follow, technologists and cybersecurity professionals must skillfully navigate the potential and real-world secure applications of GenAI. While GenAI is expected to boost productivity and innovation, fearmongers warned early on that bad actors would use it for nefarious purposes. Underscoring this concern, in January 2023, CyberArk Labs published a blog based on their research, proving that ChatGPT could produce sophisticated polymorphic malware with the right prompts.

To tackle these issues head-on, the U.S. issued an executive order on AI, and the EU introduced the AI Act in 2023 to help enforce best practices and regulatory frameworks.

3.Global Political and Economic Uncertainty

Last year was also marred by geopolitical conflict in different parts of the world, resulting in several attempted attacks on critical infrastructure and supplier ecosystems. According to the World Economic Forum, in 2024, 90% and 79% of its chief economists expect geopolitics and domestic politics to be sources of volatility in the global economy, respectively. With several armed conflicts likely to continue well into the new year and three of the world’s five largest economies (U.S., India, and U.K.) heading for national elections, there is no doubt in my mind that attacks on critical infrastructure and, in turn, on technology vendors will amplify around the globe.

I expect complexities to rise as the lines between nation-state actors and cybercriminals blur and there is a steady shift in the intent of attacks from espionage to sabotage.

My Outlook for 2024

2024 will be a cat-and-mouse game between cybersecurity teams and bad actors in a politically charged world. I expect relentless social engineering attacks, attempts to cripple critical infrastructure, exploitation of the supply chain and every other possible vulnerability to rise multi-fold.

In 2024, to protect your organization, you’ll need to:

• Periodically evaluate your vendors’ security capabilities. Your vendors’ ability to secure their products and services will ensure your organization can stay secure and confidently conduct business. Given the heavy reliance on third-party SaaS solutions, 98% of organizations have a relationship with a vendor that experienced a data breach within the last two years. Your organization may be one of them; therefore, it’s important to leave no stone unturned to boost your defenses. Also, pay special attention to end-of-life products that are still in use and secure them.
• Remember that the definition of AI systems is not limited to GenAI. AI systems include GenAI along with systems using neural networks and tools built over several years. In 2024, it is essential to evaluate, secure and manage all systems – both old and new. You should consider contractual agreements that periodically allow you to review your suppliers’ risk-based governance and risk management policy for all products and systems using AI in any capacity. This practice should include provisions for any information-sharing on relevant audit trails, reviews, bias and fairness in decision-making, data retention, etc.
• Go back to the basics and do them right. Focus on improving employee training, organizational security hygiene, round-the-clock threat detection and response, upskilling cybersecurity skills and adopting automation and artificial intelligence.
• Implement a robust Zero Trust strategy. If you have not started your journey to Zero Trust, wait no more. Start Now. On the other hand, if you have already implemented a Zero Trust strategy, evaluate and iterate your strategy against the backdrop of any changing environments. Remember, comprehensive security means implementing a Zero Trust strategy throughout the entire identity lifecycle.
• Treat your people as the greatest asset, not the weakest link. We can have all the tools in the world to protect our organization, but the most valuable assets are the people – cybersecurity experts, employees, contractors, and partners, among many others. Be sure to treasure, train and nurture them. At the end of the day, it’s all about the people.

Finally, as a CIO and a technology leader, I recommend that you take a step back and find your balance and scale, but do not rush as you grapple with these new issues.

In 2024, I plan to share my thoughts and recommendations with you on a regular basis. In the upcoming blogs, I will discuss several important issues, including the right balance between upskilling cybersecurity talent and adopting AI tools, best practices to maintain privacy and managing cloud complexities. I hope you’ll find it helpful in your journey to protect your organization.

Happy 2024 to all of you.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page. 

My team and I were on a call with a customer who saw a critical need to secure access to his company’s cloud service provider (CSP) containers. Our conversation comes to mind often, because it reflects the fast-evolving nature of privileged access and what it takes to secure it in today’s complex IT environment.

As we spoke, the customer stood out to me as a forward-thinking leader. His job: protect and enable an enterprise that is no stranger to the cloud. While more than eight in 10 IT leaders are adopting a hybrid cloud environment, this customer’s company was born there. Our job: help him finalize an integrated set of solutions and controls to protect his CSPs.

Our discussion about applying zero standing privileges, or ZSP, to cloud power users – was capturing everyone’s imagination and attention, even my own (and I talk about these things quite a bit). Why? Consider what’s at stake. The risk of having standing access to highly privileged administrative roles is too high. Attackers who compromise cloud users’ identities can disrupt operations, steal data and more.

With ZSP, users are elevated just-in-time (JIT), with only the entitlements necessary for the task at hand. In turn, ZSP enables security teams to secure their cloud environments by:

• Reducing the risk of credential theft by preventing standing access.
• Enforcing real-time least privilege in the cloud by granting only the relevant permissions a user needs – and only when needed – for a given task.
• In turn, lessening the potential impact of an account takeover; an attacker’s options are extremely limited without admin-level access.

PAM’s Essential, Foundational Role Goes Next-Gen

As we dug deeper into how we could help our customer with contemporary use cases – like securing access for cloud engineers and non-human identities – we still needed to talk about the essential role of foundational privileged access management (PAM) controls. Because whether you’re a 100-year-old corporation migrating to the cloud, or a 1-year-old startup native to the cloud, you face a set of constants:

• Your organization has privileged users, accounts and credentials.
• Attackers will try to compromise these users’ identities, move laterally and elevate privileges.
• These users, including IT admins of all types, require fierce protection.

Considering those constants, we wouldn’t be doing our jobs if we didn’t ask the question: “Have you thought about the need for fundamental PAM controls like securely storing and rotating the credentials of highly privileged users?”

The response: Crickets. At first.

Some key “ah-ha moments” arose as we continued exploring our customer’s challenges. For example, securing privileged credentials actually transcends both PAM’s well-established and next-gen eras. It’s a key example of a PAM mainstay that can and should be reimagined, to secure a broad range of high-risk users.

Think about the textbook-definition privileged IT users that companies’ PAM programs have focused on for years – like Linux admins who use SSH keys to access their organizations’ systems. The risk we’ve all seen, time and time again: these admins often store their credentials locally on workstations, where attackers can easily find them.

But you know who else does this? Cloud developers.

Redefining PAM for Today’s and Tomorrow’s Threats

Similar to traditional IT admins, it’s common for cloud developers to download an SSH key from a console, save it on their workstations and use it to log into an Amazon EC2 instance in their organization’s cloud environments. Why? The need for speed leads to risky actions. Regardless of their job descriptions, power users in the cloud are bound by urgency. This is true for:

• Architects under deadline pressure to complete lift-and-shift migrations.
• Developers collaborating in the cloud to continuously build and maintain apps.
• On-call engineers ready to fix any cloud outages that would impact application users.

Enterprises know that every new service rolled out by CSPs comes with a host of new roles and entitlements – with which their existing identity and access management controls are often incompatible. To avoid the problem, they simply give cloud users far more entitlements than they’d ever need – in the name of speed and convenience.

The result: identities are over-permissioned beyond what their roles require and often have powerful standing access. Threat actors know all of this – to the point that the National Security Agency (NSA) suggests misconfigurations are the most common and easiest entry point into cloud environments for attackers.

And like many security leaders, our customer knew it too.

By the time the conversation wrapped up, he was keen to incorporate a balance of reimagined PAM controls like ZSP and time-tested PAM fundamentals into his plan – to the point where he asked: “Why wouldn’t we apply these controls to securing our users’ credentials?” His question applied not only to his cloud users, but to the traditional IT admin roles found within any enterprise of any size, industry or cloud maturity. Because he knew that securing identities in a fast-changing field like PAM means keeping an eye toward the future, while never forgetting the fundamentals.

What One Security Leader’s Story Can Teach Us About PAM’s Evolution

Today’s PAM programs face an increasingly vast and dynamic threat landscape, upended by innovation and reshaped by new identities, environments and attack methods.

Technology shifts have allowed organizations to delegate powerful access to anyone or anything. Any human identity can gain high-risk access, from admins and vendors to cloud engineers and developers. Even the day-to-day business user can now perform admin-level tasks in their domain. The same goes for non-human identities, including automation accounts found in manufacturers’ operational technologies. Moreover, privilege moves with IT. While IT will always exist on-premises, privilege is increasingly in the cloud.

In times like these, PAM is more important than ever – and should be as consistent and dynamic as privilege itself. Organizations will always need foundational PAM. At the same time, IT security teams need to reimagine their PAM programs. Nearly all (99%) security decision-makers say they’ll face an identity-related compromise in the year ahead – with the number-one reason being transformational initiatives like cloud migrations.

Securing Privileged Access in Transformative Times

In a new perspectives piece, I explore two use cases requiring a mix of time-tested principles and innovative new controls.

• The first area is privileged access in cloud environments – we only scratched the surface here regarding the risks and how to secure access for not only human but also non-human identities. Only 25% of security leaders say they secure sensitive access to bots and robotic process automation (RPA) that are integral to cloud-based development – we’ll talk more about how to solve problems like these.
• The second area is operational technology (OT). About 70% of business leaders who’ve invested in securing OT (which includes devices, machinery and systems used in sectors such as manufacturing, energy and healthcare) face implementation challenges. And the stakes are high, especially in critical infrastructure sectors where an OT attack can jeopardize critical services that society relies on. We’ll share best practices on that, as well.

For further insights on today’s fast-changing threat landscape and what it takes to protect your organization, check out Barak Feldman’s viewpoints piece, “Securing Privileged Access in Transformative Times.”

Barak Feldman is senior vice president of privileged access management (PAM) and identity security at CyberArk.

Throughout an eventful 2023, CyberArk Labs remained focused on uncovering emerging cyberattack patterns and producing threat research aimed at helping organizations strengthen their identity security defenses.

We covered a lot of ground this year and had the opportunity to share our findings at events around the world. Today, we’re revisiting some notable threat research projects from 2023:

Chatting Our Way Into Creating a Polymorphic Malware

AI-enabled threats were top-of-mind for security professionals this year – with good reason. CyberArk Labs began experimenting with ChatGPT in its earliest public days to see how attackers might try to use it, starting with polymorphic malware generation. We asked ChatGPT to create an info-stealer, which it delivered after making some major security snafus along the way, such as hardcoding credentials. Ultimately, we found that attackers can use AI-generated polymorphic malware to evade defenses. For example, an attacker could use ChatGPT to generate (and continuously mutate) information-stealing code for injection. By infecting an endpoint device and targeting identities – locally stored session cookies, in our research – they could impersonate the device user, bypass security defenses and access target systems without detection. We expect that automated identity-based attacks like these will become even more prevalent as AI models improve.

Read the full research.

The (Not so) Secret War on Discord

Cybercrime groups are increasingly using legitimate resources – from publicly available repositories to enterprise software applications – for their own nefarious purposes. This spring, CyberArk Labs discovered a new malware strain distributed over Discord, a popular chat service loved by developers and used by hundreds of millions of people around the world. Dubbed Vare, the malware uses Discord for dual purposes: for targeting new malware operators via social engineering and as an infrastructure for data exfiltration. Our team’s research exposed the group behind the malware, their attack methods and their potential motivations. Most important, we emphasized caution, as any corporate developer using Discord could potentially put their organization at risk if their endpoint is infected with the Vare malware.

Read the full research.

White Phoenix: Beating Intermittent Encryption

Ransomware actors can significantly speed up their attacks by encrypting just enough data to make files useless (but not all of it). Our team set out to combat this “intermittent encryption” method used by BlackCat and other large ransomware groups. The result was White Phoenix: an open-source ransomware recovery tool that allows victim organizations to recover files encrypted by ransomware strains that use intermittent encryption. White Phoenix supports PDFs, Microsoft Office documents and zip files. But other formats, such as video and audio files, may also be recoverable. We welcome continued community contributions to enhance the tool and improve ransomware protection for all.

Read the full research and explore the free tool.

Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation

Docker is one of – it not the – most-used developer tool in the world today, which makes it an interesting threat research subject. But in this case, Docker wasn’t even on our radar until a CyberArk Labs researcher installed Docker Desktop (the primary Windows service for Docker) as part of unrelated Windows containers research. He observed the service’s various privileged processes communicating with each other via named pipes, which can be risky. Our resulting research found that Docker uses a named pipe with REST API that allowed us to call its methods from a low-privilege user, with the actions done by a privileged service. This enabled us to impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest-level privileges. We ultimately discovered six privilege escalation vulnerabilities in Docker Desktop by hunting through a massive maze of pipes, and developed an open source tool named “PipeViewer” to help scan for Windows named pipes and show their permissions.

Read part one and part two of this research and explore the open-source tool.

Explore CyberArk Labs’ Full Threat Research Library

These highlights offer just a glimpse into the many important projects CyberArk Labs worked on over the last 12 months. We invite you to explore the CyberArk Threat Research Blog, where among other topics, you’ll learn how we:

• Used the increasingly popular Ethereum development framework Foundry to create a proof of concept (PoC) for uninitialized smart contract vulnerabilities
• Highlighted innovative rootkit techniques on a non-traditional architecture (Windows 11 on ARM64)
• Turned the tables on phishing as a service attackers
• Dove deep into macOS application penetration testing
• Introduced a network safety tool for fellow cybersecurity researchers

You can also read our 2024 cybersecurity predictions for our team’s perspectives on what’s to come in the year ahead.

Lavi Lazarovitz is CyberArk Labs’ Vice President of Cyber Research.

If you’re reading this, a major part of your job is making the case for security-related issues that you know are urgent.

You may be among the 97% of CISOs being asked to present to their boards — briefing them on new attack methods and recommending protective solutions. Or you might be a security admin preparing to relay that same information to your CISO. Either way, you’re on point to convince key stakeholders that:

• These threats require attention.
• Your plan merits support.
• The time for action is now.

Why now? IT security teams face pressure to act quickly when threats emerge and scrutiny rises. The consequences of delayed action loom large. For example, what if you don’t move quickly enough to find a vendor whose solution can protect against the latest threat? No doubt this is a valid concern — but it could also be why two-thirds of organizations use security tools from up to 40 different vendors.

The trouble is when security solutions are bolted together in haste, they typically cannot:

• Share data on potential threats and turn insights into action as a unified front.
• Correlate alerts across data to find the signal in the noise.
• Extend an effective control for securing one type of identity (IT admin) to another identity (everyday employee).

Your organization likely has a solution for securing highly privileged IT users’ identities. And you probably have tools to authenticate employees who use business applications. All good things! However, in a typical organization, these solutions are often siloed. So, if you happen to notice that a control from the privileged access management side (like session monitoring) could also be useful for securing identities across your workforce — well, that’s a spot-on observation.

But without integration, your solutions can’t share controls, nor can they provide the visibility you need — be it into users’ access or into potential threats — in a unified way. Let’s talk about how you can change that.

The Role of Intelligent Privilege Controls

You’re protecting the enterprise at a time when three realities — new identities, new environments and new attack methods — are making the job more complex than ever. This dynamic calls for extending intelligent privilege controls to all identities, from IT users and everyday employees to developers and non-human identities.

Any identity can become privileged based on the sensitive resources they can access — and the actions they can take. Consider the example of a healthcare system, where a wide range of identities (human and non-human) requires protection, including:

• IT admin identities with high-risk access to critical healthcare infrastructure.
• Everyday hospital employees, 65% of whom have access to sensitive data such as patient records and billing information.
• Automated tools used by the hospital’s DevOps team to build out cloud operations as healthcare modernizes.
• Built-in identities on endpoints and servers that an attacker could use to steal patient data or install ransomware that could shut down hospital operations.
• Machine identities built into healthcare Internet of Things (IoT) devices used by medical staff and patients.

Healthcare is just one example. This phenomenon — in which identities of all types are gaining access to critical resources, infrastructure and environments — is happening across all industries and government sectors.

What we’re seeing is an evolution of privilege beyond the textbook definition. Any identity can become privileged based on what it can access — and what actions it can take. This is why a converged identity security approach is so essential.

In an identity security approach, the underlying solutions are designed to share data, benefit from each other’s respective controls and — similar to the people who are instrumental to making identity security work — collaborate with each other. With intelligent privilege controls at the center of that approach, you can enforce least privilege across all of your identities, infrastructures, applications, endpoints and environments.

Five Types of Intelligent Privilege Controls to Secure Your Organization’s Identities

At this point, you might be thinking to yourself, “Okay I get the general premise here. But what kinds of controls are we talking about exactly, and what kinds of identities would I apply them to?”

Let’s break it down. We created a helpful list you can refer to when building or refining your own identity security approach. It can also be useful when you’re making the case to your stakeholders — from your board to your team — on how to better secure your organization at a time when all types of identities are under attack.

As detailed, intelligent privilege controls aren’t just for the IT admins of world. They can help you secure the entire ecosystem of identities driving your organization’s most important initiatives.

Finding a True Identity Security Platform: How to Vet Providers

So where can you find a platform in which the underlying controls can be applied to any identity with access to potential targets? Could it be as simple as consolidating providers? Not quite. The word “consolidation” doesn’t do justice to the challenge at hand. We’re talking about building something bigger that can take on a threat landscape in which:

• 84% of organizations experienced an identity-related breach in the past year.
• 62% of IT security decision-makers say their organizations lack a complete picture of human and non-human access to sensitive resources.
• 63% say their processes and technologies do not adequately secure the highest-sensitivity access for employees.

Today’s threats require an identity security platform that’s integrated in every way — built to protect every identity (human and machine) and every resource they touch, across every one of your environments. The million-dollar question is: how can you find such a platform? We’ve got you covered on that front as well.

Check out our recently published eBook, “Buyer’s Guide: What to Look for in an Identity Security Platform.” It’s a quick read containing vendor-agnostic recommendations on the strategies, controls and technologies that comprise a true identity security platform. In the guide, you’ll find insights on what questions to ask and how to evaluate providers’ offerings to make sure they can meet your organization’s needs.

You can also watch our on-demand webinar, “Top Considerations for Identity Security Platforms.”

Amy Blackshaw is vice president of product marketing at CyberArk.

 “If we can control identity, we can stop most modern attacks. And if you control identity, then you control every perimeter, application, container – effectively every part of the environment.” – Brian Miller, CISO at Healthfirst

Organizations are experiencing explosive growth in identities – both machine and human. This includes machine identities such as applications and workflows, which now outnumber human identities 45:1. With new norms such as hybrid work, new environments like hybrid cloud and the continuous flow of rapid innovation, the reality is that organizations are facing a constant onslaught of identity-related attacks like ransomware and phishing.

The solution for getting a handle on the chaos? Identity security.

Identity security is considered the bedrock of modern-day cyber resilience. It converges the strength of identity and access management (IAM), identity governance and administration (IGA) and privileged access management (PAM). This combination of capabilities enables least privilege from enterprise endpoints to data centers to the cloud, allowing organizations to secure their digital assets and conduct business with confidence.

Privilege Controls for Any Identity

Gone are the days when only the most privileged users had access to an organization’s most critical systems and sensitive data. Today, more than half (52%) of workforce identities have access to that level of information. Meanwhile, 77% of IT security decision-makers say developers have too many privileges, and only 25% say their organizations have secured sensitive access to bots and robotic process automation (RPA). This expansion of high-risk access across the enterprise can lead to greater cyber risk.

Looking back, 84% of organizations experienced an identity-related breach in the past year. Meanwhile, looking ahead, 99% of security decision-makers believe they’ll experience an identity compromise in the coming months.

This, of course, is not a new trend. In its FY22 Risk Vulnerability Assessment (RVA) report, the Cybersecurity Infrastructure and Security Agency (CISA) indicated that in over half (54%) of organizations it assessed, attackers used valid accounts to gain initial access and elevate privileges to access to critical resources and sensitive data.

The numbers are staggering, but organizations can take steps to secure all identities with intelligent privilege controls such as zero standing privileges (ZSP) and just-in-time (JIT) access, session recording and protection, session isolation and monitoring – and endpoint least privilege. These intelligent privilege controls must work in conjunction with one another to secure access for every identity. Continuous and constant monitoring and analysis of all activities of every identity allow organizations to detect and respond to unusual behavior.

Here’s a bit of a deeper look at the five critical intelligent privilege controls:

1. Zero Standing Privileges (ZSP) and Just-in-Time Access (JIT)

Many organizations provide users with powerful standing access that is always available to users, regardless of whether it’s required in the moment – or ever. This issue is prevalent in cloud environments, where organizations grant users far more entitlements than they actually need to ensure they can work quickly.

To reduce risk, your organization can implement JIT access provisioning, which grants users elevated access privileges in real time so that they can perform necessary tasks. In other words, a user can access required resources for a specific duration to complete a task at hand – and then the access is revoked.

Taking the JIT concept to the next level, ZSP is a fast-emerging security principle that elevates cloud power users just-in-time, with only the specific entitlements required for a given task – and only when needed. ZSP enables organizations to reduce the risk of credential theft and the potential impact of an account takeover by significantly limiting an attacker’s options.

2. Session Isolation

Session isolation creates separation between a user’s device and the resources they aim to access by routing traffic through a proxy server. In doing this, if an end user is attacked, the risk of compromising the system the user is accessing is reduced.

3. Session Recording and Protection

Session recording and monitoring, in contrast, is a searchable recording of every user’s actions – down to the clicks during sessions within web applications, cloud consoles and other devices. When security teams combine session isolation and monitoring, they can detect anomalous user activity and suspend risky sessions. This control can protect organizations’ most critical assets from malicious processes originating on endpoints. The more privileged (with higher access levels) the session, the more these controls become increasingly necessary in protecting an organization’s sensitive digital assets.

4. Endpoint Least Privilege

Comprehensive, conditional policy-based application control can help you create safe working environments for every user group in your organization, from HR to DevOps. Organizations can manage and secure their endpoints with controls that enable continuous least privilege and consider variables such as an application’s context, parameters and attributes to allow or block certain scripts, applications or operations.

This is especially important at a time when ransomware attacks are growing in frequency, consequence and cost. Within an integrated identity security approach, endpoint least privilege can significantly reduce an organization’s attack surface and ability to meet various regulatory requirements.

5. Credentials and Secrets Management

Credentials like usernames and passwords are pieces of evidence that confirm an entity’s claimed identity. Credential management includes password/key rotation, enforcing password policies and consistently validating the authenticity of the entity requesting the access. Secrets management allows organizations to enforce similar security policies for non-human (machine) identities. Typically, these credentials and secrets are used to gain elevated privileges to perform a business task.

The Benefits of Intelligent Privilege Controls

Identity-related attacks are also growing more sophisticated. While most businesses operate under the “assume breach” mentality, it is equally important to be cyber resilient with a proactive, reactive and predictive approach. The above-mentioned intelligent privilege controls enable security at scale, risk reduction and unmatched cyber resilience by securing access for any identity.

The results of a robust identity security strategy speak for themselves: CyberArk research indicates that 60% of 1,500 security decision-makers believe they can mitigate risk in an acceptable timeframe. Without a robust identity security strategy with the right tools, integrations, automation and continuous monitoring and reporting, 80% of the respondents state they would require up to 15 additional cybersecurity staff.

Beyond these measurable benefits, identity security based on intelligent privilege controls provides organizations with the added advantage of long-term durability, adaptability and recoverability in the face of potential attacks.

Don’t just manage identities. Secure them with a comprehensive identity security strategy based on intelligent privilege controls.

For more insights, download our identity security guide “When Every Identity is at Risk, Where Do You Begin?” The piece covers critical areas where intelligent privilege controls can help you reduce risk and gain efficiencies.

Amita Potnis leads thought leadership marketing at CyberArk.

My career began with read-only access.

In my first job, I worked night shifts in a data operations center. Our team handled incidents identified either by monitoring or from end customers. This meant I often had to perform first, second and third-line troubleshooting. If we couldn’t identify and resolve the issue, our only option was to wake up a rather exhausted escalation engineer.

To further protect that on-call engineer’s sleep, I was empowered with read-only access to the network for our data centers. I could check configurations, confirm the state of elements and, as my knowledge grew, the on-call teams observed that my escalations became requests like ‘run the following command for me, I don’t have access.’

A lot has changed since then; I now spend my time working in the cloud rather than in the on-premise world of data centers. I would never grant someone the same level of access I started with, even if it’s just read-only.

Why Even Think About Securing Read-only Access?

The James Bond film “Goldeneye” (1995!) vividly illustrates the risks that read-only access presents in the cloud. In the film’s climax, the ‘lead programmer,’ Boris, dismisses a former junior peer for not having access to the firing capabilities of the satellite superweapon used for the sinister plot. He winds up eating his words as her reduced access allows her to steer the satellite into re-entry (thus, its destruction).

[Click here for the 90s, recorded off VHS magic.]

This is my favorite way to visualize the risk of ‘we don’t need controls over the read-only access we give juniors.’ The result was that Boris’s evil plan was spoiled. If only he’d been a little more considerate with how he handled access.

What Can an Attacker Do With Read-only Access?

Why am I focusing on what is often dismissed as a lower-risk element that doesn’t warrant attention? Attackers are creative folk; it’s known that attackers will always seek to reconnoiter their environment. Often, read-only is enough for them to do that. [Here’s a real-world example.] Giving read-only rights to the cloud without suitable controls will enable an attacker to do exactly that.

To expand on the example, many organizations are happy to permit the managed policy ‘ReadOnlyAccess.’ The policy is a great example of what is often perceived as a harmless read-only role – aside from the policy granting the ability to read and copy the contents of any element of blob storage in the account. That means the read-only access can be used to read any data store. And that isn’t good.

“Attackers are creative folk; it’s known that attackers will always seek to reconnoiter their environment. Often, read-only is enough for them to do that. “

It’s an obvious example, and most organizations remove the capability to read all the data stores. But there are plenty more things you could do to map or identify targets. List roles and the users they are mapped to? YEP! Download container images from your hosted private registry? For sure!

Going deeper, without turning this into a rant against managed policies, that managed policy also includes a little subset of permissions for SSM, AWS’s System Manager service. The section that grants SSM:Describe* worries me because it grants entitlements to all Describe functions aligned to SSM. The entitlement SSM:DescribeParameters allows you to see the environment variables of a running EC2 instance retrieved from Parameter Store. There are many people out there who still use parameter store for storage of credentials.

Knowing that I could possibly return a secret under management and read all the data in an AWS account paints a clear picture to answer, ‘How far can you go with just read-only?’ The more I research, the more I realize that any access to cloud consoles comes with a relatively high element of risk.

How Do We Address the Risk and Secure Read-only Access?

The reality is that you should treat read-only access the same way you treat any other elevated access when accessing the cloud. At CyberArk, it’s why we talk about zero standing privileges (ZSP); read-only access should be something you request, even if the request is auto-approved. You must make sure adequate controls are in place.

There is a temptation to say that not applying the same controls to users with just read-only entitlements will save you time and money too. But that’s a mistake; you’ll have to manage two sets of controls and monitor the read-only accounts to ensure they don’t end up with higher-risk entitlements that would warrant extra controls.

Flexibility in access should not compromise security; instead, it should be a strategic approach to grant the right privileges to the right users at the right time. Doing so would put you one step ahead of Boris from Goldeneye; you don’t have to worry about any second-level programmers crashing your satellite to foil your evil plan.

Understanding and mitigating the risks associated with read-only access in the cloud is paramount. Organizations can frustrate potential attackers and safeguard their cloud environments by implementing robust controls and adopting a proactive approach.

To explore the concept of zero standing privileges further and learn how to fortify your cloud security, check out our blog, “PAM and Cloud Security: The Case for Zero Standing Privileges.”

Josh Kirkwood is a senior product marketing manager at CyberArk.

The growing frequency and sophistication of cyberattacks, especially on the ransomware front, have compelled even more companies to seek cyber insurance coverage. But as the need for coverage grows, so do the complexities.

Even though we’re seeing a trend in which premiums have flattened, with expectations that this will continue as a market correction occurs, significant challenges remain for companies seeking coverage. Increased risk profiles are causing insurers to be stricter in their evaluations and underwriting requirements. And regarding controls and processes, what was considered acceptable in past years may no longer be acceptable.

How does this affect your organization? If you’re in the market for cyber insurance, be prepared to answer a litany of pre-audit questions and demonstrate a hardened defense strategy. In this blog post, we’ll discuss cyber insurance trends and best practices to help you be ready.

Top Challenges Shaping Today’s Global Cyber Insurance Market

Rampant ransomware attacks have made cyber insurance a priority for corporate leaders and boards. This epidemic has also changed the equation for cyber insurers’ profitability.

As we’ve noted in past years, many cyber insurance providers have reported massive direct-loss ratios for standalone policies. At the same time, they’ve struggled to adequately cover escalating costs as conditions change quickly. Consider these statistics:

• The average total cost of a ransomware attack increased by 13% to $5.13 million since 2022.
• Nearly nine in 10 security decision-makers say their organizations were targeted by at least one ransomware attack in the past year.
• Almost three-quarters of organizations paid ransoms at least once in the last 12 months.

As a result, requirements are becoming more stringent as carriers aim to mitigate risks. This is a significant part of why obtaining a cyber insurance policy with favorable terms, conditions, pricing coverage and low retention has proven to be a struggle for many organizations.

Several years ago, a security team could fill out a brief cyber insurance application and answer a handful of questions. Fast forward to today: the world has changed, as new identities, environments and attack methods reshape what it means to have a strong security posture. Insurers aren’t only considering ransomware risk as they tighten up qualifications – current market volatility and continued geopolitical tensions also factor into the equation.

High-profile incidents such as MoveIt Transfer, Accellion, SolarWinds and Log4j have intensified concerns about software supply chain risks, prompting new questions about aggregation exposure and systemic losses. Meanwhile, global privacy regulations like GDPR and CCPA continue to evolve in a patchwork fashion, and litigation and fines are growing. The average cost of a data breach rose 12.6% to $5.05 million for organizations with high levels of regulatory non-compliance.

Together, these variables fuel even more underwriting questions.

Cyber Insurance Requirements Dig Deep – A Solid Controls Narrative Provides an Edge

Scoring a cyber insurance policy or renewal with the right terms may be difficult, but it’s not impossible. Carriers and underwriters are responding favorably to companies instituting robust security controls and incident response plans — especially those prepared to dive deep into their cybersecurity architectures and planned roadmaps. It’s essential to be proactive in implementing baseline security measures and to articulate a meaningful risk-based approach to cybersecurity.

Underwriters often assess security systems and practices using open-source scanning tools like OpenVAS and OpenSCAP to probe applicants’ networks for vulnerabilities and security rating services like SecurityScorecard and BitSight to evaluate risk. Many underwriters partner with outside cybersecurity firms to vet customers.

Recognizing the challenges organizations face amid stricter vetting, Amazon Web Services (AWS) launched a program to help its AWS marketplace customers find and obtain affordable policies.

During these evaluations, they’re looking for evidence of specific cybersecurity controls and practices, and upcoming audits will examine certain areas more closely than ever. They are:

1. Endpoint privilege security

Since ransomware attacks typically start on workstations and servers, endpoint privilege security will be under the microscope. Initially, insurers wanted to see that a company trained its employees in phishing and credential theft techniques and used endpoint detection and response (EDR/XDR) solutions to help identify and remediate suspicious activity.

Today, even these critical measures are not considered sufficient on their own. Attackers are constantly switching things up and finding ways to turn off or bypass EDR/XDR by abusing administrative credentials, as seen in the SolarWinds attack. This has prompted more underwriting scrutiny around endpoint privilege controls, especially a company’s ability to remove local admin rights from all users — senior system administrators, developers and even people using legacy applications that require admin rights.

To demonstrate effective risk reduction for underwriters, many organizations apply a defense-in-depth mindset by limiting privilege escalation, enforcing application control on endpoints and managing local admin passwords in a PAM solution. Organizations must prioritize between least privilege control and operational efficiency.

2. Multi-factor authentication (MFA)

Requirements for MFA — a checkmark item for insurers until recently — are also growing. Insurers started to dig deeper as more post-payout analyses revealed that MFA wasn’t being fully utilized, particularly in the healthcare and higher education sectors. They found significant coverage gaps for privileged accounts, which are not often linked to a specific person (i.e., the admin account on every server) but are used by system administrators and other privileged users to protect sensitive data.

3. Privileged Access Management (PAM)

As a result, underwriters have started mandating PAM for privileged accounts not tied to specific users (i.e., local admin, root and service accounts) to achieve MFA and isolate high-value assets. Embracing modern use cases for PAM programs – such as the emerging concept of zero standing privileges (ZSP), in which high-risk access is elevated on the fly, restricted to the bare minimum permissions, and protected from malware – can also help prove to insurers that an organization is defending against credential theft.

A defense-in-depth approach can help here too. Aim to apply several layers of control, like enforcing least privilege access on endpoints and in hybrid cloud environments, programmatically rotating credentials and secrets, verifying all access attempts with MFA, and monitoring high-risk access. Again, efficiency is critical – minimizing friction for end users is key to building the adoption of security controls that auditors and insurers want to see.

4. Controls for third-party access

Insurers are also looking at how organizations authenticate third-party privileged users from vendor organizations who need access to sensitive data and company systems. As enterprise reliance on vendors and contractors grows, third-party involvement increases the average total cost of a data breach by roughly 5% to nearly $4.7 million. Vendors require the same security, yet they are rarely given the same security consideration as employees. For instance, if a vendor is onboarded for a brief two-week engagement, they should be onboarded and offboarded following the same HR processes as a new employee to minimize risk. Visibility is also essential.

Organizations should fully isolate and monitor privileged sessions with full audit capabilities – akin to how they secure internal privileged users’ access and actions.

5. Security for non-human identities

The heightened focus on privileged access management extends beyond users to non-human identities, which outnumber human identities by 45:1. These identities could be service accounts, hardcoded secrets or any off-the-shelf or homegrown solution requiring powerful credentials to perform its function (i.e., configuration management databases platforms and DevOps orchestration tools), along with automated processes such as robotic process automation (RPA). As part of this, insurers are looking for stronger privilege controls around automated patch management systems, vulnerability scanners and other existing security tools that attackers may try to disable.

6. People and processes

Beyond technology safeguards, insurance carriers still want to see sound people practices, such as conducting ongoing cybersecurity awareness training. They’ll also evaluate data backup practices and incident response plans to understand how quickly the organization could restore operations in the wake of an attack. Any security program relies on people, practices and technology – and insurers know it.

Steps in the Right Direction: Adopting an Identity Security Approach

As companies prepare for cyber insurance renewals, they should be cognizant that security control requirements are evolving to address the fast-paced world of digital business – and the ever-evolving nature of today’s threats.

Yet accelerated change is always difficult from an organizational and cultural standpoint and can create fear and uncertainty. The best way to minimize this is to ensure people understand the “why” and that risk mitigation controls will not impact operational efficiency. Companies need to spend time on the education factor.

The good news is that more companies are stepping up and taking meaningful steps to bolster their ransomware defenses. As stronger controls are implemented and used more effectively, insurer losses are starting to stabilize and soften the market a bit. We’re not out of the woods yet, but we’re starting to move in the right direction.

As organizations work to meet today’s requirements with an eye on the future, they must focus on effectively mitigating cyber risk without slowing down their businesses.

Today, any compromised identity (human or non-human) can be a gateway to the resources attackers target through tactics such as ransomware. And you’re protecting the enterprise at a time when three realities — new identities, environments and threats — are making the job more complex than ever. An integrated identity security strategy is the best line of defense against attacks in today’s threat landscape, with a unified approach that enforces least privilege and enables Zero Trust.

Organizations looking to close security gaps within a specified period to land or maintain a cyber insurance policy can benefit by aligning with the right security partner. CyberArk can play that role, helping you strengthen security, meet pre-audit requirements, keep premiums down and maintain business velocity. To learn more, check out our cyber insurance resources.

John Natale is a senior content marketing manager and Ryne Laster is a product marketing manager at CyberArk.

Editor’s note: For more on the complex and rapidly evolving world of cyber insurance, check out the CyberArk Trust Issue’s podcast episode, “Cyber Insurance: Managing Risk and Protection,” with guest, Ruby Rai, Cyber Practice Leader, Canada at Marsh McLennan. The episode is available in the player below and on most major podcast platforms.

2023 was a lucrative year for ransomware actors, with victim organizations paying $449.1 million in the first six months alone. Maintaining this cash stream requires frequent technique shifts, which may be why more attackers are exploiting legitimate software to propagate their malware.

Abusing organizations’ existing enterprise tools can help attackers blend in while they’re doing reconnaissance, and also aids them with privilege escalation and persistence. Coupling this technique with ransomware as a service (RaaS) also lowers the bar to entry by eliminating the need for attackers to create malware – something that requires skills, resources and time. This means more adversaries can get in the game and do more damage.

Enterprise software isn’t the only target. Ransomware actors have also been known to exploit vulnerabilities found in open-source software (OSS), inject their own payloads into OSS and use OSS in lieu of custom-crafted malware. According to a recent advisory from the U.S. The Cybersecurity and Infrastructure Security Agency (CISA), the notorious Lockbit operation has been observed using legal freeware for a host of nefarious purposes, including network reconnaissance, remote access and tunneling, credential dumping and file exfiltration.

When attackers exploit legitimate tools, traditional endpoint security solutions are unlikely to catch them unless behavior analytics capabilities are in place to flag unusual logins, privilege escalation, program execution or other risky activities.

Tracking Legitimate Software Abuse Across the Attack Chain

Ransomware actors increasingly use legitimate software to their advantage at various stages of the attack lifecycle. They employ many different tactics, techniques and procedures (TTP) to advance their missions, including the examples highlighted below.

Initial infection. It’s choose-your-own adventure when it comes to gaining initial access. Some attackers use exploits such as employing common vulnerability exploitations (CVEs) against vulnerable targets. They also steal, forge, alter or manipulate cookies from users’ web sessions to get in. Or, they send phishing emails and trick users into downloading legitimate applications. For instance, in January 2023 CISA warned of a widespread campaign involving remote monitoring and management (RMM) software that, once downloaded, could be used as part of a refund scam to steal money from victims’ bank accounts.

Persistence. Attackers also use legitimate software to establish backdoors for persistence and/or command and control (C2). Along the way, they may use them to bypass MFA and/or modify or disable existing security tools to avoid detection, from terminating endpoint detection and response (EDR)- protected processes to modifying/deleting registry keys or configuration files. In the RMM ransomware attacks described above, threat actors used the software’s portable executables to gain access without the need for local admin privileges or full software installation. This allowed them to “effectively bypass common software controls and risk management assumptions,” according to CISA.

Many software programs run by default on a machine. By hijacking these programs, attackers can guarantee that their malicious programs will run too. They can also abuse application features such as task schedulers (that launch programs or scripts at pre-defined times or after specified time intervals) to maintain persistence. Even legitimate tools built into the operating system, such as living off the land binaries (LOLbins), can be maliciously abused to cover attackers’ tracks, gain persistence or escalate privileges.

Privilege Escalation. Windows operating systems are protected by User Account Control (UAC), a native security feature designed to protect against malicious software and unauthorized changes. If regular business users try to run a program as an administrator, UAC will prompt them to enter the credentials of an admin user before changes can be made. Though most ransomware on the market today doesn’t require admin rights to encrypt data, attackers often target and bypass UAC to elevate access and establish persistence.

Lateral Movement. Many tools can inadvertently facilitate malicious privilege escalation and lateral movement. AdFind, a free command-line query tool used to search Active Directory (AD), is a popular choice. Another is AdvancedRun, which allows software to be run with different settings and enables privilege escalation by changing settings before running software.

What’s more, numerous Windows features built for managing machines are also remote procedural call (RPC) servers. This means that they can receive remote commands from other machines on the network to run programs. Many RPCs expose functions to end users while enabling communication between client and server programs, opening the door for attackers who can abuse them to move laterally.

Encryption. Encryption can be used both as a tool and a weapon. Encryption tools are critical for hiding data from unauthorized users. These same tools can also be used as ransomware. Or attackers can compromise users with legitimate access to encrypted data to bypass encryption controls altogether.

This summer, the U.S. Department of Health and Human Services (HSS) alerted healthcare organizations of a ransomware attack on a medical facility that “significantly reduced patient treatment capability, rendered digital services unavailable and also threatened exposure of patient personal health information (PHI) and personal identifiable information (PII).” TimisoaraHackerTeam – the ransomware-as-a-service (RaaS) group behind the attack – is described as “unique among attackers” due to its characteristic tactic of abusing legitimate encryption tools including Microsoft BitLocker and Jetico BestCrypt to live off the land and eventually encrypt data.

Data Exfiltration. Somewhat surprisingly, ransomware operators that employ double-extortion techniques rarely create their own tools to steal the data used for their leak sites. Rather, they’ll often use legitimate backup tools or similar programs to exfiltrate their victims’ data. Earlier this year, CyberArk Labs observed threat actors using Discord, a popular collaboration app, to exfiltrate data via webhooks. Rclone, a command line program for syncing files with cloud storage, is another appealing option as it allows attackers to easily move files via transfer protocols such as FTP and SFTP. Attackers also employ tools like 7-zip, an open source file archiver, to compress data, which helps them avoid detection before exfiltration.

While most of the above examples focus on Windows, ransomware actors are also modifying their tools to attack across platforms and operating systems. For instance, some employ the cross-platform programming language Rust to target Linux. macOS isn’t immune either. One popular method to infect macOS and iOS devices is exploiting Find My iPhone, an Apple feature that helps users lock their devices if they get lost. If an attacker successfully steals or purchases a user’s Apple ID and password and logs into the device, they can enable the remote device lock via the Find My iPhone app, hold data hostage and display a ransom note on the screen.

Block Ransomware Across the Attack Lifecycle

Attackers’ shift to legitimate software is concerning given the highly stealthy nature of these attacks. But fortunately, organizations that take an identity-centric defense-in-depth approach to ransomware protection can largely stay the course. Fundamental endpoint security controls remain the same, including endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR) email security and patching. But most important of all is application control. It doesn’t matter if it’s RaaS, polymorphic malware or some other malicious ransomware variety, if it can’t execute, it can’t deploy ransomware.

This trend underscores the fact that endpoints play a leading – but not singular – role in ransomware attacks. This is becoming increasingly clear as more adversaries embrace this method. When attackers hijack legitimate tools to gain a foothold, least privilege and behavioral analytics capabilities become even more critical for quickly detecting and blocking cloaked threats as they attempt to move through the network, bypass or disarm security systems and reach high-value targets.

CISA offers a list of in-depth mitigations recommendations for organizations looking for ways to improve their cybersecurity posture to better defend against ransomware attacks utilizing legitimate software programs. This defense-in-depth perspective on ransomware also outlines best practices for shoring up vulnerabilities to mitigate risk. And CyberArk Labs offers extensive research insights on ransomware families, commonalities, the path to encryption and mitigation strategies.

Andy Thompson is CyberArk Labs’ Offensive Security Research Evangelist.

Many of us took ChatGPT for a first-time spin just 12 months ago. Then someone hit the speed multiplier button, and just like that, we’re exiting 2023 with whiplash. Generative artificial intelligence’s (GenAI) breakout year was both exciting and unnerving for cybersecurity professionals who understand that technological change and cyber risk are inextricable. Meanwhile, dramatic shifts in the physical world reshaped the threat landscape, redirected cybersecurity strategies and sparked regulatory reforms. Yet some things didn’t change, like attackers’ relentless pursuit of identities and proven ways to steal and use them.

Our team came together to discuss how 2023 trends will impact 2024 and beyond. Here’s a look at our year-by-year predictions based on CyberArk research, customer and partner interactions and industry collaborations.

In 2024 …

Session hijacking will take on an increasingly prominent attack role …

Even more organizations will shift to passwordless access management, from passkeys to MFA, to help thwart attacks. Threat actors will evolve their tactics in lockstep to dupe enterprise and third-party users, steal session cookies and bypass strong authentication mechanisms. Their creativity will pay dividends; by 2024, session hijacking will account for 40% of all cyberattacks. Continued vigilance in securing, monitoring and responding to user sessions and cookies abuse/compromise is critical – especially with Google’s encouraging promise to wipe out cookies for good, never underestimate innovative attackers who will find another way.

… but 30% of organizations will pay for lax password protections.

Traditional credential theft will be less prevalent when passwordless takes hold and is used correctly. Yet, credential theft isn’t going away. Why? Organizations implementing passwordless authentication may require a backup factor, and many companies will fall back on insecure options – passwords. As security teams fight new fires, attackers will take advantage of lax password protections, and 30% of organizations will experience an increase in data breaches linked to credential theft.

55% of enterprises will expedite tech consolidation to simplify security.

Most organizations’ IT and security environments are already too expansive, complicated and difficult to manage. Teams are rarely skilled in every tool they must cobble together with other ones, forcing them to hire or bring in outside experts. And since each platform focuses on specific things and overlap with others, teams struggle to see – let alone understand – every potential vulnerability and threat in their cloud-centric environments. Missed SLAs, spiraling overheads and dangerous security drift will push 55% of enterprises to accelerate tech consolidation. They’ll aim to simplify operations and maximize existing resources by working with fewer vendors and systems.

By 2025 …

Unprotected AI-driven security mechanisms will fuel a vicious cyber risk cycle.

Though organizations are embracing GenAI to bolster cyber defenses, 80% will fail to protect these same AI-based security models – fueling a vicious cyber risk cycle. Gaining an edge on attackers will require an adversarial mindset, from training GenAI models with both offensive and defensive samples to adopting model assurance and regular stress testing (including red teaming and pen testing). Hosting these AI models in highly secure environments with highly secure access protections will be equally critical. Governments will issue forward-thinking guidelines on this front, yet organizations can’t wait for codified standards that may quickly become outdated. Embedding GenAI in product security must happen now.

Under pressure, CISOs will advocate for timely, transparent breach disclosures.

Cybersecurity accountability is getting personal. First, Uber’s security chief was charged with failing to disclose a 2016 data breach to federal regulators. This fall, the SEC charged SolarWinds and its CISO with fraud and internal controls failure in a landmark that comes on the heels of the agency’s ruling on tighter cybersecurity disclosure requirements. Security leaders around the world are watching closely. By 2025, 60% of Fortune 2000 company CISOs will champion transparent, rapid disclosure practices – not just because of policy but because their careers and reputations are on the line.

By 2026 …

Nearly half of Fortune 500 company boards will seek out a chief AI security officer.

Cybersecurity isn’t an IT issue; it’s the fulcrum of business resilience and stakeholder trust. Most Fortune 500 organizations recognize the high stakes and are beefing up cybersecurity aptitude at the corporate director level. Emerging AI risks are driving an even greater sense of urgency. By 2026, 45% of these enterprises will recruit and work to appoint a chief AI security officer to the board. This leader will possess both technical expertise and business acumen, playing an influential role in advancing AI innovation, managing resulting risks and safeguarding the AI-based security models. They will be deeply entrenched in cybersecurity strategy and expand oversight and reporting mechanisms to better measure and improve security initiatives, risk assessments and incident response plans.

Multinational organizations will face a regulatory reckoning.

Sixty percent of all regulated global entities will struggle mightily to comply with ever-increasing data protection and breach disclosure requirements, especially as GenAI use cases expand. More organizations will face non-compliance penalties as regulators’ bite catches up to their bark. Consider that today, failure to comply with the European Union’s GDPR alone can cost organizations as much as €20 million or 4% of annual global turnover, whichever is higher. Already hefty fines will continue to climb with potentially crippling impact.

Major global powers will call for a Cybersecurity Geneva Convention.

Sophisticated nation-state attacks, particularly those targeting critical infrastructure, can result in widespread disruptions, life-threatening outages and rippling damage across software supply chains. Growing concerns of escalation to conventional warfare will prompt major global powers to take dramatic steps to enhance cyber resilience, legal frameworks and international cooperation. As part of this, these countries will push to establish a Cybersecurity Geneva Convention to deter nation-state attacks and hold perpetrators responsible.

2023 threw some major curveballs. But it also reminds us that strong cybersecurity programs don’t swerve or stall in reaction. They’re agile enough to stay in the game, continuously refining practices, making strategic, risk-based investments and proactively preparing for whatever comes next.

When complying with regulations and frameworks, it’s hard to keep up when the rules keep evolving.

Auditors are no longer just seeking reports on what your identities can access – they now require proof that you have controls for securing those identities (like a math assignment, you have to show your work).

And if a framework or regulation’s requirements previously focused on highly privileged IT users’ access … that’s evolving too. While foundational PAM controls and reporting will always be essential, now you must apply the requirements to a broader range of human and non-human identities across any environment.

What does this expanded focus look like? Here are a few examples:

• The NIS2 directive emphasizes strengthening security for critical infrastructure sectors, which are increasingly reliant on cloud infrastructure and operational technology (OT), two areas full of frequently-targeted identities.
• The Digital Operational Resiliency Act (DORA) calls upon financial services companies to apply security oversight to internal users and third parties (e.g., vendors) with high-risk access.
• The NIST Secure Software Development Framework requires that software developers and procurers attest to adequate and proper security features, including identity management.

Meanwhile, the stakes of security compliance keep rising. The average cost of a data breach increases by as much as 12.6% when an organization is found to be non-compliant:

Average cost overall: $4.45 million
Average cost when non-compliant: $4.67 million
Average cost when highly non-compliant: $5.05 million

The good news is that there’s a direct correlation between strong controls and strong compliance. With the right capabilities for discovering, securing and reporting high-risk access, you can achieve a proactive stance to meet regulatory demands. In this post, we’ll explore some key steps you can take.

Discovering and Assessing High-Risk Access

You can’t protect (or report on) what you can’t see. And that’s why it’s so concerning that 62% of security decision-makers lack a complete picture of human and non-human access to sensitive resources.

Let’s look at a few examples of how discovering high-risk access can bolster your visibility, security, and, in turn, compliance posture.

One place to start: conduct an inventory of all accounts with administrative or elevated privilege to systems, apps, servers, networks and more. Another critical step is discovering privilege across your organization’s myriad endpoints, like workstations and servers. These are fundamental types of visibility; many organizations are accustomed to them.

But when we delve into new types of identities and environments, compliance becomes more difficult.

For example, developers and cloud ops teams are often over-permissioned with direct access to sensitive resources as their organizations rush to innovate. A CyberArk analysis of the three major cloud service providers shows that a user can access approximately 1,400 native services that, collectively, have over 40,000 access controls.

As part of their compliance programs, security teams should lean into cloud complexities and discover the following:

• Over-permissioned IAM roles and excessive permissions.
• Toxic combinations of permissions allowing privilege escalation or lateral movement.
• Unmanaged shared accounts and their myriad dependencies.
• Hard-coded credentials for developers working in the cloud.
• Everyday employees’ access to business applications.

In many cases, it’s up to you to interpret compliance requirements and guidelines in the context of new identities, environments and threats (these variables won’t necessarily be mentioned by name in a 100-page regulatory document). In other cases, the direction may be clear-cut, calling out specific areas like virtual infrastructure. Regardless, high-risk access – in all its shapes, forms and locations – requires fierce protection.

Implementing and Demonstrating Identity Security Controls

As mentioned, giving auditors a report on what you’ve discovered is only part of the job. You must demonstrate that you have strong controls in place to reduce risk and build organizational resilience against attacks.

Let’s say you’ve completed an inventory of high-risk across privileged IT users and accounts. Your next step is securing that privileged access. This starts with creating policies and implementing controls around password length, complexity, storage and rotation schedules. The work continues with steps such as enabling just-in-time (JIT) access and requiring multi-factor authentication (MFA).

What comes next after you’ve finished discovering privilege across your organization’s endpoints, like workstations? Here, a near-term priority would be revoking local administrator rights. An essential next step would be implementing capabilities to elevate privileges for authorized applications or tasks. These are effective ways to protect against ransomware – and great proof points for auditors to demonstrate progress.

As mentioned, even if securing access in the cloud isn’t explicitly described in a regulation – you’re still on point to bring entitlements and roles into compliance. Where to start? Consider applying a fast-emerging security principle known as zero standing privileges (ZSP), which – among many benefits – can help your organization by:

• Reducing the risk of credential theft by preventing standing access.
• Enforcing real time least privilege in the cloud by granting only the relevant permissions a user needs – and only when required – to accomplish a given task.
• Invalidating developer secrets that are embedded into code.

Gaining Nonstop Visibility Across Identities

You can build upon the findings from your initial discovery process with ongoing, real-time visibility into the access (and actions) of identities across your organization.

This is where it’s essential to look beyond siloed categories of controls or tools. We recommend an integrated identity security approach, where the underlying solutions can share information, act on insights and provide a unified view of audit data across all forms of human and non-human access.

With this approach, you can gain a comprehensive view of who has privileges and authorization to what resources, with capabilities for discovering, adjusting, certifying and revoking access.

With identity security, you can bring together:

• Session recordings and audit trails for high-risk scenarios – applied to highly privileged IT users and third-party vendors or workforce users in web applications storing sensitive data.
• User behavior analytics for building a knowledge of each user’s access behavior, authentication history, and anomalous activity.
• Audit trails to track and analyze privilege elevation attempts for human users and applications, enabling continuous visibility and control over endpoints.
• Integration with security information and event management (SIEM) tools for collecting/exporting log data.

Gaining Efficiencies to Help Overstretched Security Teams

Improved visibility and controls can help you build a proactive stance to meet auditors’ requirements. But how do you account for the limitations many organizations have regarding time, bandwidth and staffing?

For example, research shows that the mean time for organizations to identify a data breach is 204 days. And yet, the SEC now requires public companies to report attacks within four days of determining an incident is “material.”

How can organizations be proactive when timelines are tighter than ever?

Organizations can gain back time and potentially save money by applying automated capabilities to replace resource-intensive, manual tasks that often bog down security teams. This includes automating governance processes to ensure checks and balances are in place for maintaining compliance.

For example:

• Continuously enforcing least privilege with access reviews and certifications scheduled for recurring dates.
• Integrating access certification processes with your privileged access management (PAM) program and generating detailed logs and reports for audits.
• Continuously discovering which identities have access to specific privileged accounts and sensitive resources.

Building Compliance Strategies to Earn Auditors’ Trust

Visibility and controls can’t exist in a vacuum; they need to be part of a strategy that you can communicate to auditors. Here are three key building blocks for developing a compliance program that reflects today’s realities.

1. Discover and Plan
As mentioned, you can only secure and protect what you know. This part goes beyond an inventory or system discovery process to include:

• Engaging in dialogue with relevant teams (application, support, etc.) to understand how they currently work.
• Documenting their systems and access – but also ensuring they’re on board early. Successful adoption requires winning hearts and minds.

2. Implement and Rollout
If you’re regulated or if external auditors have called out gaps in controls, focus your implementation on a combination of:

• Prioritizing critical systems and reducing complexity, e.g., avoid getting bogged down by low-priority, high-complexity use cases.
• Employing automation from the implementation, e.g., automated checks and balances, to ensure recurring access certifications.

3. Expand and Communicate
You can’t do everything on day one. But in the same breath, attackers only need one gap to breach and wreak havoc. A proactive approach means building:

• A clear plan for how you intend to bridge gaps identified in your discovery process. Audits and reviews are always a work in progress.
• An implementation roadmap for a) progression tracking and b) open dialogue with regulators to discuss plans, goals and gains.

Building a Proactive Compliance Approach Centered on Identity Security

The best practices we’ve discussed apply to a wide range of frameworks and regulations across industries and geographic regions. No matter what, the connection between a strong security posture and a strong compliance program is clear. If you have full visibility into what your identities can access, complemented by controls for securing that access, you’ll be in a much better place to meet auditors’ requirements.

If you’d like to learn more, here are two resources that can help you:

• Watch our webinar, “How to Achieve Continuous Audit and Compliance with PAM.”
• Download the CyberArk Blueprint for Identity Security Success.

John Natale is a senior content marketing manager at CyberArk.

As technology evolves, so do the threats that loom over our communication infrastructure. The rollout of 5G, the rise of artificial intelligence (AI) and our ongoing dependence on these networks combine to make the telecommunications industry a prime target for cyberattacks.

The consequences of attacks on telecommunications organisations – usually a component of critical national infrastructure – can be far-reaching, extending beyond affecting corporate interests and compromising staff and customer identity security, right up to affecting national security. As such, regulators and operators are motivated to act in tandem to protect these critical national assets.

The Growing Threat to Telecom Providers

Over the last few years, several cybersecurity regulations have set out requirements for how telecom providers are required to approach and implement security. Some are specific to the telecom sector, like the U.K.’s Telecommunications (Security) Act (TSA). In contrast, others are generic – like the NIS2 directive, which applies to multiple critical industry sectors, telecommunications being one.

Driving these global security efforts in the telecom industry is a collective recognition and awareness of not just the severity of the potential threat but the interests of billions of users. With this shift, many advanced economies are increasingly placing the onus and burden of protection on the shoulders of the big telecom providers, prominent actors in the digital ecosystem who can absorb and implement that responsibility. As a result, stakeholders are subjecting telecom providers’ services and networks in their downstream supply chain to high scrutiny, especially concerning identity security – like vendor admin access – and managed service provider (MSP) contract requirements and obligations.

This scrutiny is welcome because telecommunications providers – though very different in terms of the services they provide and infrastructure that they sit on compared to, for instance, a bank – are vulnerable to cyberattack in very similar ways to other organisations that have fully embraced the power of software, digitalisation and the cloud. Attacking the software supply chain of an organisation that has an extensive digital ecosystem is a proven method of infiltrating the target infrastructure to compromise identity security, extract privileged credentials, modify scripts, spread malware, take sensitive data and many other potentially devastating actions. The effects can and often are magnified beyond users of the compromised software to their customers, suppliers and partners.

The drive to up the cybersecurity game across telecommunications infrastructure is a global phenomenon, which stems from recognizing how fast and how far the threat landscape has evolved. In attempts to address the current threat landscape, many countries are now updating their legislative frameworks, while others – like the U.K. – have recently made updates.

“While the scope of the TSA is broad, there are smart ways that telecom providers can achieve significant wins, in particular by ensuring identity security is maintained, with the knowledge that the majority of breaches and attacks involve the compromise of identities as an essential step for attackers…”

Building Telecommunications Cybersecurity Resilience

The U.K., like many other countries, is home to a competitive telecommunications market serving its 68 million residents. Recognizing the critical importance of securing the nation’s telecommunications industry, in 2020, the National Cyber Security Centre (NCSC) conducted its security analysis for the U.K. telecom sector, highlighting the risks associated with telecommunication companies’ supply chains, especially those linked to high-risk vendors such as non-national infrastructure suppliers. The U.K. government subsequently passed the TSA in 2021 to address these concerns and bolster national infrastructure security.

The TSA empowers the U.K.’s communications regulator Ofcom (Office of Communications)  to intervene in the cybersecurity practices of telecom service providers. It establishes a comprehensive security framework to identify, reduce and mitigate security risks. Furthermore, the accompanying 2022 Telecommunications Security Code of Practice classifies public telecom providers into one of three tiers based on their commercial scale, each with distinct compliance obligations and measures in the code to comply with. The Code of Practice document outlines specific timelines, with Tier 1 providers having to implement some measures as early as March 31, 2024. In cases of non-compliance, Ofcom can issue financial penalties.

The three provider tiers are:

• Tier 1. Public telecom providers with annual revenue over £1 billion
• Tier 2. Public telecom providers with annual revenue over £50 million but less than £1 billion
• Tier 3. Public telecom providers with annual revenue of less than £50 million

Implementing the TSA requirements is no small task. It introduces a comprehensive security framework that must be applied across complex and extensive networks, interconnected systems and legacy infrastructure. Reevaluating current security practices, identifying vulnerabilities and making necessary adjustments is resource intensive. Moreover, it may impact ongoing network upgrades and transformation projects. Collaboration with internal stakeholders and coordination with regulatory bodies add to the complexity.

Preparing to Meet TSA Requirements Now

Telecom providers, services and networks in the U.K. are now under pressure to dial up their cybersecurity posture, take accountability and present to Ofcom what cybersecurity measures are in place. The 2022 Telecommunications Security Code of Practice also outlines specific technical requirements in areas such as network architecture, data and network protection, supply chain management and identity security to help organisations prepare.

While there is an enormous amount of information to absorb, here are four simple steps we suggest to help you get started now:

1. Plan based on your tier classification. Take time to read and absorb available legislation materials applicable to your tier classification, and keep in mind that more rigorous regulations are coming.
2. Define your scope and conduct an asset inventory. Identify which systems and operations are in scope for the regulation and prioritise work according to the timelines set by the tiered classification guidance.
3. Scrutinize your supply chain. Supplier assurance is a huge part of achieving compliance with 80 codes of practice measures related to supply chain validations. Identify and develop a system for validating and managing your supply chain appropriately.
4. Seek help from a reputable partner. Work with an experienced cybersecurity partner that can help interpret the regulation, understand your organisation’s current scope and posture, and devise a plan to help you achieve compliance.

While the scope of the TSA is broad, there are smart ways that telecom providers can achieve significant wins, in particular by ensuring identity security is maintained, with the knowledge that the majority of breaches and attacks involve the compromise of identities as an essential step for attackers – nation-state and other bad actors – to achieve their goals.

One of the fundamental TSA principles (point 1.11) is “assumed compromise,” a cybersecurity mindset that expects an organisation to be breached if it hasn’t already been. This assumption leads to the expectation that any identity across your organisation – whether human or machine – may be compromised. Therefore, your focus should be on identifying, isolating and stopping threats.

Assumed compromise is also a foundational tenet of Zero Trust architecture, where all identities are continuously authenticated and authorized before securely granting just-in-time (JIT) access with the right set of permissions.

Specific actions to reduce the attack surface should include introducing the following capabilities:

• Securing, logging and monitoring privileged access for internal and external users.
• Removing default passwords for systems, users and applications.
• Discovering and onboarding unmanaged privileged accounts and credentials Detect anomalous behavior and indicators of compromise with policy-driven remediation capabilities.
• Removing local admin rights and implementing application controls will limit what the users can do on specific endpoints and which applications are whitelisted.
• Ensuring every user is who they claim to be with strong, contextual, risk-based authentication.

Telecom Providers: Guardians of the Grid

The telecommunications industry’s critical role in our connected world necessitates rigorous security measures. The TSA and accompanying Telecommunications Security Code of Practice provide a much-needed framework to ensure the resilience and integrity of our communication networks in the U.K. Introducing the TSA and potential fines imposed by Ofcom compels telecom providers to adopt a new approach and invest in a robust security strategy. In our evolving digital landscape, telecom providers are the guardians of the grid, and their commitment to protecting critical national infrastructure is essential for a secure and connected future.

CyberArk, with many years of experience partnering with the U.K.’s largest telecom providers, has closely collaborated with the U.K.’s NCSC to comprehend the complex technical requirements of the TSA. Check out our eBook, “Identity Security: Why It Matters and Why Now,” to learn how CyberArk’s Identity Security framework – grounded in Zero Trust and intelligent privilege controls – can help your organisation defend against identity-centric threats.

Mark Seddon is CyberArk’s Director of Solution Engineering UKI; Violeta Pavel is CyberArk’s Director of Corporate Sales EMEA.

More than 130 global jurisdictions have enacted data privacy laws. While each contains rules and requirements distinct to their regions, they share a common priority: identity security.

That’s because if an attacker compromises a single identity in an organization where sensitive data is collected, stored and handled, it’s all downhill from there. A single stolen credential – an IT admin’s SSH key, a developer’s secret or a vendor’s password – is the starting point for a nefarious momentum that’s tough to stop. This is why securing the identities that can access sensitive data and the identity-rich infrastructure where your data lives is essential.

Read on for an examination of why identity security should live at the core of data privacy strategies and provide best practices.

What’s at Stake? Data’s Value and Inherent Risks

In today’s digital age, data is the lifeblood of businesses and organizations, fueling decision-making, innovation and customer trust. And the benefits of being an effective data steward are often rooted in outcomes that don’t happen. For example, a health insurance company that keeps its members’ data off the dark web won’t appear in reputation-damaging headlines; that’s the ideal outcome. A consumer technology company that protects its users’ data from breaches won’t join the ranks of firms contributing to the billions other companies have paid in General Data Protection Regulation (GDPR) fines.

The list goes on; the stakes keep rising.

In short, data is the currency of the digital economy. It can be quietly stolen, sold and exploited relatively easily, making it an attractive target. And the owners of personal data have very few options for stopping these outcomes. If consumers learn their credit card information was affected by a breach, they can cancel the card or change the password relatively easily. In contrast, personal data is far more challenging to modify once compromised. It is intrinsic to who you are, the life you’ve built and every entity you engage with – people, healthcare institutions, businesses and governments.

Controlling Access to Data: Start with Identity

This heightened value of data underscores the need for comprehensive data privacy measures and strong identity security controls and hygiene. And the pressure is on. Regulations like GDPR, the California Consumer Privacy Act (CCPA) and the Network and Information Systems (NIS2) directive in the EU have set stringent standards for data protection. But the job of securing data is complex. Across privileged IT users and everyday employees, there are too many identities and privileges to handle. The economic pressure and staff burden make it impossible for security teams to keep up with access certification.

Data privacy begins with controlling who can access sensitive information. In the realm of identity security, this involves managing access rights effectively. Whether it’s sales representatives accessing customer data, HR professionals handling sensitive employee information or IT managers overseeing system resources, it’s essential to maintain the principle of least privilege (PoLP) to ensure that only the right people have access to specific data, reducing the risk of unauthorized data exposure. This requires comprehensive identity and access management (IAM) controls and capabilities.

Here are two examples:

• An adaptive form of multi-factor authentication (MFA) can enable organizations to strengthen their security posture through additional checks to validate identities in multiple layers.
• Automated lifecycle management can help organizations easily define and enforce each user’s unique role, responsibilities and access privileges.

Data Location and Privileged Access: Where PAM Comes into Play

While controlling access to data is crucial, securing the infrastructure where data is stored and managed is equally essential. This is where privileged access management (PAM) controls come into play.

Consider admins needing access to critical databases or engineers responsible for maintaining cloud-based storage and data services. A comprehensive PAM program, rooted in fundamentals but evolved to secure a broader range of identities, can ensure:

• Access is tightly protected with layers of powerful, holistic control, helping organizations adopt a Zero Trust mindset and deliver measurable cyber-risk reduction.
• Privileged users’ sessions are fully isolated and monitored to prevent the spread of malware and monitor end user behavior for forensics, audit and compliance purposes – without sacrificing the native user experience.
• Identities are continuously verified with strong authentication mechanisms, including biometrics, to help validate identities following a Zero Trust philosophy.
• Users’ web application and cloud services sessions are secured, which is crucial in preventing malware and providing audit trails.

Also worth mentioning: encryption plays a pivotal role in safeguarding data, ensuring that even if unauthorized access occurs, the data remains unreadable.

Privilege and Machines: Protecting Non-human Identities

In the context of data privacy, privilege isn’t limited to human users alone – especially at a time when machine identities outnumber human identities by 45:1. Non-human entities like servers, applications and automated processes also require identities and privileges.

It’s essential to align these non-human identities with PoLP to limit access to only what’s necessary. Furthermore, the authentication of machines must be fortified to prevent misuse or compromise. Secrets management and credential rotation are as critical for non-human identities as humans, and organizations look to secure them without compromising agility and development workflows.

Here are a few best practices to apply:

• Integrate secrets management with existing tools and applications to simplify secrets management.
• Centralize secrets management and reduce secrets sprawl.
• Automate security functions to improve operational efficiency.
• Provide easy-to-use options for developers.

Reporting and Audit: Ensuring Compliance

Complying with data privacy regulations requires meticulous reporting and auditing processes. Organizations must provide specific insights into their data security practices and demonstrate adherence to best practices. In this context, data sovereignty becomes increasingly relevant as regulators and organizations work to maximize ownership and control of data.

The problem is that economic pressures such as staffing and resource gaps make it hard for security teams to keep up with audit and reporting demands.

This exemplifies how automation can help – and why it’s essential. The work associated with compliance will only increase; if teams aren’t growing in parallel, you need efficiencies that can help you scale up to audit requirements. Automated access certification processes and ensuring a constant review of existing entitlements can help remove time-consuming manual tasks from the equation.

A Zero Trust approach is standard practice for compliance across industries. This means working under the assumption that all users and devices are implicitly untrusted and must be authenticated, authorized and continuously validated regardless of location or network.

Many directives and guidelines reflect Zero Trust principles; in conversations with auditors, it’s essential to show which identities have access to what resources and demonstrate what controls you have in place to secure it all.

High-Risk Access in the Cloud and Zero Standing Privilege

Cloud environments are complex, and the sheer number of servers and accounts makes it easy to overlook security configurations, making robust identity security controls in the cloud crucial. In turn, misconfiguration of cloud access is a common pitfall for organizations’ security. Recent data breaches have highlighted the importance of proper cloud access management. Many incidents result from simple misconfigurations rather than sophisticated cyberattacks.

But there’s hope. Pursuing zero standing privileges (ZSP) can significantly reduce the risk of identity compromise and credential theft and misuse. By limiting access to only what is necessary for a specific task and reducing standing privileges to the minimum, ZSP enhances data security and privacy.

Especially in developing their own cloud-based software offerings, implementing least privilege and ZSP principles can help organizations meet requirements for data privacy regulations and earn SOC 2 or ISO 27001 certifications. These certifications also accelerate growth opportunities by building trust and credibility for consumers.

While zero standing privilege (ZSP) is often associated with privileged access, a growing discussion exists about extending its application to data consumers across departments, such as HR, sales and finance. Ensuring all users operate under PoLP is a proactive step toward bolstering data security and compliance.

Protecting Data in Today’s Threat Landscape

Data privacy and security remain critical for organizations and the stakes are higher than ever. With regulations and frameworks increasing, the rising value of data and the integration of data-driven technologies all demand a proactive approach to identity security. Organizations must prioritize robust identity security controls and hygiene, implement ZSP and stay abreast of evolving compliance requirements to safeguard their most valuable asset: data. By doing so, they can mitigate risks, protect customer trust, and thrive in a world where data is the new currency.

Lilach Faerman Koren is a product marketing manager at CyberArk.

Do you need to secure high-risk access to the back end of your customer-facing apps? Yes, you do – assuming you care about cybersecurity risk, uptime or compliance with SOC II and NIST and AWS, Azure and GCP architecture frameworks.

To meet compliance requirements and grow your business, you must properly secure access to the cloud services and workloads powering your SaaS app. No matter the size and scale of your cloud-hosted app, addressing identity security-related compliance requirements is a necessary step to grow your business – especially when working with customers in highly regulated industries.

Sensitive data is sensitive data. Auditors assessing compliance with SOC II, NIST and other compliance standards don’t care if organizations are lifting and shifting apps to VM workloads or building on containers and serverless functions. Auditors don’t care which cloud providers a dev team uses to build their apps. And auditors definitely don’t care about the cool microservices architectures, design assessments and sprint deadlines top of mind for your engineering teams.

Auditors only care that companies properly secure all identities accessing sensitive data in their applications.

Here’s the good news: several identity security and privileged access management (PAM) best practices can help organizations reduce risk and build SaaS apps that comply with SOC II, NIST and other standards.

The following are several of these proven best practices.

Implement Least Privilege

Compliance frameworks require organizations to adhere to the principle of least privilege (PoLP), a foundational cybersecurity concept. Frameworks differ in their terminology – SOC II has requirements for “logical access control,” for example, while the NIST Cybersecurity Framework explicitly uses the term “least privilege.” But make no mistake – to build compliant SaaS applications, organizations need to ensure all identities have the minimum necessary entitlements to perform their duties.

Organizations must, in the words of the AWS Well-Architected Framework, “Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources.”

Identity security programs can meet these requirements by:

• Removing local administrator rights on developer endpoints, reducing the risk of credential theft.
• Onboarding local admin credentials to PAM solutions for automatic rotation and role-based access control, further reducing the risk of stolen credentials.
• Reducing excessive permissions in multi-cloud environments with Cloud Infrastructure Entitlements Management (CIEM) CIEM is emerging as a core element of PAM programs that reduces the risk of lateral movement. This includes reviewing cloud IAM roles and removing access to protected information assets and services.

Aim for Zero Standing Privileges (ZSP) With All Operational Access

Once least privilege is in place, organizations must secure privileged access. To meet compliance, many organizations are embracing the emerging security philosophy of zero standing privileges (ZSP). This security principle’s methodologies build on the foundation of least privilege by elevating access just-in-time and minimizing the use of long-lived passwords and credentials to access cloud workloads and services.

Leading cloud service providers recommend using federated access models – not shared accounts – for access to workloads and services. Developers, site reliability engineers and data scientists are able to assume IAM roles without the use of standing credentials. As a result, most developer access can be considered operational; cloud users do not need persistent access to resources, they only need them for specific tasks.

Organizations can satisfy audit and compliance requirements for this operational access by embracing a ZSP approach. Key elements of ZSP include:

• Elevating console and CLI access to cloud services on a just-in-time basis, using roles scoped with the minimum necessary permissions for the task at hand. Examples include accessing CSP services to change networking, database and compute auto-scaling configurations.
• Elevating access to workloads running on the cloud on a just-in-time basis. Examples include operational access to Linux and Windows VMs for lift-and-shift apps, or Kubernetes and other containers for apps running cloud-native, microservices architectures.
• Integrating access request workflows with existing developer tools to avoid slowing velocity. Developers often need to request additional access to solve issues during outages or critical situations (aka critsits). Making it easy – and fully auditable – is essential for compliance.

Securely Manage and Rotate Credentials Used for Standing Access – Including Application Secrets

Even in the cloud, some long-lived, system-level access is inevitable. Common examples include the root and registration accounts required to establish a cloud footprint, DevOps secrets used by applications, service accounts and other machine identities – and administrative accounts for lift-and-shift software workloads running inside VMs, such as admin accounts for ERP, database or security systems.

Security and compliance strategies must account for the heightened risk these long-lived, system-level accounts represent. Long-established approaches to PAM and secrets management can help. Examples include:

• Discovering credentials used by administrators, service accounts and other identities and onboarding them to a PAM solution. This reduces the risk of credential theft.
• Centrally managing secrets used by developers, including through integration with CSP native secret stores. This approach to secrets management enables developers to use their preferred tools while enabling credential management and rotation that meets compliance objectives.
• Automatically rotating credentials at intervals aligned with organizational policy (which are often specified in compliance frameworks).
• Logging all usage of privileged accounts to deter insider threats. To maximize audit efficiency, centrally store audit trails for both sessions using shared privileged accounts or sessions using federated access with Zero Standing Privileges.
• Isolating usage of these accounts to prevent ransomware and other malware from reaching VMs and other cloud workloads.

Extend Identity Security to Your Third-Party Vendors

Internal employees aren’t the only human identities with access to the backend of your SaaS apps. Many organizations leverage remote, third-party vendors and contractors to set up or run the cloud workloads and services powering their apps.

Auditors assessing compliance with leading cybersecurity frameworks often zero in on this access. SOC II compliance in particular relies on specific requirements to manage remote access and all points of access to data. Organizations can demonstrate compliance with these requirements with familiar strategies. Examples include:

• Managing all points of remote access to data – for both internal and external identities like contract developers, IT contractors and other third-party vendors.
• Removing any standing privileged access for third-parties to cloud workloads and services. Excessive third-party access has been linked to several data breaches of cloud environments in recent years.
• Enforcing strong, biometric authentication on third-party access to the back end of SaaS apps.

Apply Strong Authentication and Monitoring for Defense-in-Depth

Access control is a powerful way to reduce risk. But embracing the Zero Trust paradigm requires organizations ‘never trust’ and ‘always verify’ access to their cloud environment.

This same Zero Trust philosophy can provide additional value to organizations as they strive to build secure, compliant applications. To strengthen compliance with SOC II and other frameworks, organizations should consider additional defense-in-depth controls such as:

• Enforcing strong, adaptive multi-factor authentication (MFA) and identity threat detection on all attempts to access the back end of SaaS apps. This should include authenticating third-party identities and applying controls like step-up and continuous authentication.
• Ensuring all machine-to-machine connections are authenticated.
• Monitoring all high-risk sessions to workloads and services, with full audit trails. To maximize insight, screen recording and video playback can help auditors and forensics teams streamline their tasks.
• Systematically reviewing and certifying access, removing entitlements to ensure access permissions align with job roles and responsibilities.
• Implementing capabilities to ensure prompt response to misuse of privileged accounts or any high-risk access.

These identity security best practices can strengthen your compliance initiatives. To learn more about building compliant SaaS apps, check out our whitepaper, “2024 Playbook: Identity Security and Cloud Compliance.”

Sam Flaster is a director of product marketing at CyberArk.

You may not recognize the term Identity Threat Detection and Response (ITDR), but this emerging security discipline aims to address an all-too-familiar challenge: managing and securing the massive number of identities – human and machine – across the enterprise.

What is ITDR?

To understand ITDR, it’s helpful to first define what ITDR is not. ITDR isn’t a silver-bullet cybersecurity solution that offers complete identity protection from security breaches; there is no such thing. It isn’t a group of identity and access management (IAM) prevention controls. ITDR coverage isn’t limited to a specific area such as the endpoint, nor is ITDR meant to detect a broad swath of cyber threats.

Instead, ITDR is a system of structured processes, cross-functional team collaboration and threat intelligence and behavior analysis tools working in concert to protect the identity infrastructure itself. ITDR adds a defense-in-depth layer to preventive identity security defenses – such as privileged access management (PAM), multi-factor authentication (MFA) and identity governance and administration (IGA) – to rapidly remediate identity-centric attacks. ITDR supports Zero Trust by employing detection and response mechanisms to identify potential threats, examine any suspicious activity during and after the authentication and authorization process and take the appropriate countermeasures through security orchestration and response.

Why Does ITDR Matter?

In this ITDR crash course, you’ll explore eight adoption drivers that demonstrate why ITDR matters and how it fits into the broader cybersecurity picture.

• If you can’t trust the identity or identity source, you can’t trust any security control. Threats that target identity infrastructures can compromise an entire environment – underscoring the need for ITDR. Similarly, the infamous SolarWinds software supply chain breach showed that if an attacker can successfully infiltrate systems with privileged access to high-value systems and data, they could potentially impersonate any human or machine identity, pass any authentication/ authorization challenge and other entitlement controls and rapidly escalate privileges to reach their goal. To counter these sophisticated threats, organizations must implement strong controls to block and contain attacks from the start. But assuming that your environment has already been breached also means adopting ways to rapidly identify and analyze post-authentication red flags, then take appropriate countermeasures to safeguard the trustworthiness of the identity infrastructure through security orchestration and response.
• Identities are everywhere. IT security professionals understand that stolen, abused or misused identities – whether privileged or not – are a gateway to sensitive information. According to the CyberArk 2023 Identity Security Threat Landscape report, nearly all IT security professionals (99%) anticipate an identity-related compromise this year. Unaddressed identity risks due to economic slowdown, an expected 240% growth in human and machine identities, increased cloud migration and accelerating attacker innovation are all contributing factors.
• In the security operations center (SOC), most threat detection tools monitor a broader scope to cover many use cases. HelpNetSecurity reports that on any given day, the SOC team receives about 4,484 threat alerts from these systems and spends nearly three hours on manual triage. Overwhelmed by false positives coming from disjointed tools, 97% of SOC analysts worry about missing a relevant security event. According to the 2023 Verizon DBIR, 74% of security breaches involve the human element (i.e., social engineering attacks, errors and misuse), so there’s a good chance those missed events tie back to identity. Unlike most SOC tools, identity-based threat detection tools specifically aim to protect the identity infrastructure to maintain the trust of the identity database.
• Individual user access control often ends after the authentication/authorization process. Most of today’s threat detection and response tools focus on very specific threats. For example, EDR tools focus on the endpoint and lack visibility and control beyond that (e.g., cloud-based applications and infrastructure and local datacenters are not under the EDR coverage). Controlling and monitoring user access to different environments requires a more centralized and granular solution that focuses on the identity infrastructure. With this approach, organizations can continue to monitor the user session – regardless of the environment – after the authentication and authorization process. This allows them to respond to threats quickly and reduce possible breaches to identity infrastructure.
• Identity security isn’t linear. Since identity is the perimeter, a security continuum – not a straight line – is the only way to continuously track trust. With ITDR, policy-based threat prevention, detection and response exist in a continuous feedback loop, constantly learning from – and acting upon – identity threat insights. A centralized threat analysis engine automatically detects anomalous behavior that, on its own or in combination with privileged access misuse, could be a potential threat, along with risky access to both business applications and privileged accounts. The engine also tracks the entire chain of events leading up to these suspicious actions to streamline investigations and create clear audit trails.
• Innovation can’t wait. Adaptive authentication and continuous threat monitoring mechanisms look at user behavior history and context to discern typical activities from risky ones. When they detect risky behavior (e.g., connection via a new IP address or OS, multiple failed logins or suspected credential theft), they can automatically move the user into a “risky user group,” update the MFA policy in real time (e.g., requiring more difficult factors like number-matching challenges) and temporarily limit or revoke access. Meanwhile, actionable identity-based analytics strengthen the broader cybersecurity product stack and deepen the enterprise’s overall threat intelligence capability.
• Teamwork makes the dream work. Preventing attacks requires skilled security analysts with specialized knowledge and cloud adds another complexity factor. But cybersecurity shortages make this difficult: more than four out of five companies say they have fewer than five security analysts or don’t have enough analysts to run the SOC, reveals a Censuswide study. Under-staffed SOC teams are forced to act broadly, making rapid decisions based on experience and information at hand. These professionals aren’t deeply entrenched in identity access management (IAM), which is usually a separate function in the organization. ITDR challenges this siloed model by synchronizing identity data and unifying cross-functional security teams to expand the SOC. This isn’t a shift that happens overnight, but organizations that prioritize it can dramatically enhance identity protection and bridge knowledge gaps, while creating a centralized, end-to-end threat detection and response flow in the closest real-time way possible.

ITDR Supports Zero Trust and Enhances Cyber Resilience

Changes in the digital environment have upended conventional thinking and positioned identity in cybersecurity’s center. And recent attacks on identity infrastructure underscore the need for a Zero Trust model involving least privilege enforcement and continuous threat detection for every identity across its lifecycle. This is the only way to truly ensure that only the right users access only the right resources at only the right times and for only the right reasons.

ITDR supports Zero Trust by continuously monitoring threats and automatically responding to attacks to help businesses keep their identity infrastructures secure. Now is the time to dig deeper into this critical security discipline and discover the benefits of implementing ITDR as part of a holistic identity security approach.

Claudio Neiva is CyberArk’s Field Technology Director (LATAM), PAM and Identity Security. For best practices and advice to help you plan your Zero Trust approach within your organization, check out Neiva’s new whitepaper, “Guiding Your Leadership Team Through the Zero Trust Mindset.“

Picture yourself immersed in your favorite mystery novel, eagerly flipping through the pages as the suspense thickens. You’re enthralled, engrossed in the story of a hotel burglar with an uncanny ability to sneak into guest rooms without leaving telltale signs of break-ins or lock-picking.

As you read on, you’re captivated – and stumped – by how this elusive bad actor can deftly close the doors behind them, leaving no clues. The enigma builds and ultimately is paid off with a thrilling finale when the secret is revealed: a singular, powerful tool called a “skeleton key.”

Unlike regular keys unique to a specific lock, a skeleton key has a shape that enables it to work in multiple locks by manipulating their internal mechanisms. It’s like a universal access pass, granting effortless entry without requiring individual keys for each lock. This makes it a versatile tool, ideal for someone looking to navigate and access various spaces easily. Skeleton keys are still widely used – you more likely know them as “master keys” or “arrow keys.”

Just like in our favorite detective novels, bad actors use master keys to access things like mailboxes, luggage, apartments, hotel rooms and even to pull off bank heists.

Skeleton keys embody a trade-off between security and convenience that today’s security teams are intimately familiar with.

• Pros: On one hand, they offer unparalleled convenience, enabling swift access to many locks with a single tool. This efficiency appeals to those who routinely need to navigate spaces without carrying a massive key ring.
• Cons: However, this convenience comes at the cost of security. The universal nature of the skeleton key means that if it falls into the wrong hands, it poses a significant security risk, potentially granting unauthorized access to areas and compromising the safety measures that locks are meant to provide.

And, of course, there’s a digital version of these keys used for cybercrime.

Skeleton Keys in the Digital Era: From Bad to Worse

In the digital era, the scale and ease with which a skeleton key equivalent can compromise security have reached unprecedented heights.

Picture vast organizations with tens of thousands of endpoints: workstations and servers, both physical and virtual, scattered across offices, on-premises data centers and cloud environments. It’s not uncommon to encounter a troubling practice where system administration is built around the routine use of local admin accounts, often with the same password – mirroring the concept of a universal skeleton key. Although advantageous for management, this simplistic approach results in a colossal vulnerability – a true Achilles’ heel (!) – akin to granting unrestricted access to an entire hotel’s secret passages and rooms through a single master key.

The implications are profound, and the stakes for IT security have never been higher.

In today’s complex enterprise landscape, the prevalent use of what can be termed as “modern digital skeleton keys” – local administrator accounts – poses a significant risk to organizational cybersecurity. Virtually every endpoint within a system is equipped with at least one of these local admin accounts, presenting a potential gateway for unauthorized access.

Compounding this risk, these local accounts cannot be protected with strong authentication, leaving them vulnerable to relatively easy exploitation. Adding to the concern, security teams can’t employ multi-factor authentication (MFA) to help protect these accounts. That’s because strong authentication and MFA require a source of truth and controls to prevent attackers from cracking or bypassing them.

Local authentication, however, is by definition its own authority and is usually constrained by legacy requirements. For instance, Windows is still using NTLM for local authentication. Also, the lack of an out-of-the-box method for centralized management leaves organizations grappling with scattered and unmonitored access points. Together, these gaps further underscore the urgent need for a comprehensive and secure approach to endpoint privilege management (EPM) and endpoint privilege security (EPS).

Let’s pause here to note that this is the actual state that too many companies are in right now. For these organizations, everything you read next – even the basic mitigations outlined in the next paragraph – is, at best, a part of future cybersecurity strategy, which is a humbling realization about where we are as defenders.

Unpause.

Strategic Steps and Security Controls to Help Reduce Risk

The following are some mitigations your team can implement to help mitigate the risk of local privileged account misuse:

1. Eliminate the practice of reusing passwords for local admin accounts. Don’t create the “skeleton key” for your entire endpoint infrastructure in the first place! Each local account on every endpoint MUST have a unique password.
2. Closely monitor local admin account usage. Yes, we understand this can be tricky. Who is the “local administrator” anyway? The answer is in itself a whodunit: Is it someone from IT? Is it the end user? Is it someone who got the password and is already in a system on your network? The simple answer is that it’s whoever currently has the password, and that’s a big part of why every organization needs to have a solid identity security component in their cybersecurity strategy.
3. Rotate the passwords to local admin accounts frequently, and especially rotate them after each use. This is very important because cyberattackers can use different techniques to compromise the password, on use (e.g., a keylogger or a camera).

These mitigations are somewhat straightforward, but I must caution you against using half-baked solutions. There are many ways to get this wrong. When selecting a solution, ensuring it gets the basics right regarding controls and capabilities is essential.

Here are some examples:

• Management of all privileged accounts on the endpoint, not just the built-in local administrator account
• Encrypted and secure storage of passwords
• Assured custody of the next, current and previous passwords
• Reliable communication with the service and transaction-based password rotation
• Support for major operating systems, workload types and deployment types
• Continuous discovery of local privileged accounts and their transition under the password rotation policy umbrella
• Robust deployment and recovery workflows

Reusing local administrator account passwords is a double-edged sword within today’s enterprise framework. The inherent risk lies in their omnipresence across endpoints and the inability to deploy authentication measures like adaptive MFA. This exposes organizations to potential security breaches, highlighting the critical importance of proactive measures.

Implementing rigorous security protocols, including regular monitoring and auditing of these accounts, enforcing strong password policies and segregating privileges to limit excessive access, forms the cornerstone of effective mitigation. However, this needs to be done in a way that increases the security and reliability of the infrastructure.

Out with Skeleton Keys, in with Endpoint Privilege Security

It’s time to rewrite the narrative to match this evolving digital landscape and banish skeleton keys from news headlines. The constant portrayal of cybersecurity breaches and vulnerabilities stemming from unsecured local admin accounts is a predictable plotline.

Addressing the local admin account password challenge requires a powerful and reliable solution. Organizations can mitigate this persistent risk by applying endpoint security controls for loosely connected devices.

When considering a solution, critical capabilities should include automated local privileged account discovery and enforcement of password rotation based on policies. This approach delivers security reinforcement even when endpoints have limited internet connectivity.

Organizations can streamline operational efficiency by focusing on loosely connected devices and heightening security, fundamentally transforming how they manage and safeguard endpoints. In doing so, organizations can get the best of both worlds – a positive security outcome because every endpoint now has a unique password that has never been used before (read: not compromised, guaranteed) and convenience, because even though a skeleton key for your endpoints doesn’t exist, your administrators have a simple and secure way of authenticating to any endpoint.

Author’s note: After you’ve finished reading that mystery novel, check out how CyberArk Endpoint Privilege Manager and CyberArk Privilege Cloud can help drive security and convenience outcomes, with a new and innovative focus on loosely connected devices and automated local privileged account discovery. Outcomes, with a new and innovative focus on loosely connected devices and automated local privileged account discovery.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

Update, Nov. 30, 2023: On Nov. 29, Okta revealed that the October Okta breach we wrote about in the following blog was more extensive than initially reported. Okta has now revealed that a threat actor ran and downloaded a report containing the names and email addresses of all Okta customer support system users. This impacts all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, excluding those in FedRamp High and DoD IL4 environments. This contrasts with Okta’s earlier statement that less than 1% of its 18,000-plus global customers were affected. Okta clarified that while there is no direct evidence of active exploitation, the stolen information, including names and email addresses, poses a risk for potential phishing or social engineering attacks targeting Okta customers. The company did not attribute the attack to a specific group and acknowledged the uncertainty surrounding the perpetrators. This update further illustrates the need for all organizations, especially administrators, to enhance their identity security by implementing adaptive multi-factor authentication (MFA) and considering phishing-resistant authenticators.

____

The October 2023 Okta breach is the latest example in a long line of third-party identity attacks. Based on reports to date, it seems that the attack on Okta’s support case management system enabled a threat actor to launch downstream attacks into other companies. So far, 1Password, BeyondTrust and Cloudflare have publicly confirmed they were targeted.

Such attacks don’t discriminate and pointing fingers is unproductive. However, there are opportunities to learn and share to help improve our collective cyber preparedness – and prevent history from repeating itself. We join the unfolding conversation in this spirit.

Okta Breach Timeline and Flow: What We Know So Far

The following is an overview of the Okta breach, along with some observations and speculations based on early reports.

•  Initial infection (date unknown): Exactly when and how the attacker initially comprised Okta’s support system remains unknown. Possibilities include, but aren’t limited to, password re-use from previous data dumps and lack of multi-factor authentication (MFA), cookie theft from a compromised endpoint, phishing and MFA bypass, social engineering, keylogging, improper access to the portal through an unmanaged endpoint.

The attacker’s reported movements suggest that they may have identified a specific Okta engineer, stole their credentials (via spear-phishing or another social engineering tactic) and infected their endpoint machine with command and control (C&C) tools such as Cobalt Strike or BruteRatel, which are used by pen testers, red teamers and threat actors alike. This would allow them to actively monitor the endpoint, exfiltrate data at will and use the stolen credentials to access Okta’s support system.

•  September 29: 1Password, an Okta customer, detected suspicious activity on its Okta instance used to manage its employee-facing apps. According to reports, a member of the 1Password IT team opened a support case with Okta and provided a HAR file (short for HTTP archive – a type of file used for recording web browser data for support and troubleshooting services) created from the Chrome dev tools. An investigation confirmed that an attacker had accessed the Okta tenant with administrative privileges.

•  October 2: BeyondTrust, another Okta customer, detected an issue involving one of its internal Okta admin accounts and immediately notified Okta.

Later in the month, the customer publicly disclosed more attack details. One of its employees was experiencing ongoing technical issues with the Okta system and, at the request of Okta support, uploaded a HAR file for troubleshooting purposes. Not only did this HAR file contain browsing data, it also contained a valid Okta session token (or cookie). Attackers target cookies as they enable users – and threat actors – to skip over login and MFA prompts.

Just 30 minutes after the Okta support engineer downloaded the HAR file to their infected machine, an attacker – who used an unfamiliar IP address in Malaysia linked to anonymizing proxy/VPN services – extracted session tokens/cookies from the HAR file to access the Okta customer’s network.

The attacker also tried using a cookie to access the client’s Okta console and create an admin account. After failing, they used the cookie again to hijack and replay the browser session to impersonate the user. Notably, the attacker created a backdoor user account in the company’s typical naming convention to help it blend in with existing accounts. Attackers often use backdoor accounts like this to maintain persistence and avoid detection, move laterally to gain control of the victim organization’s network then escalate access privileges to reach their goal. Fortunately, in this case, the customer detected and blocked the attack quickly.

•  October 18: A third organization, Cloudflare, investigated and reported a similar incident to Okta. Through early detection and immediate response, no customer information or systems were impacted in this particular event.

•  October 19: Okta confirmed the breach in a message to affected customers nearly three weeks after receiving the first customer alert.

•  October 20: Okta issued a public statement explaining that Okta had “identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

This identity attack targeting Okta customers has a familiar ring to it. In January 2022, Lapsus$ attackers compromised an Okta third-party support engineer’s endpoint and gained access to Okta customers’ data. The company confirmed the breach in late March 2022 and announced sweeping changes to its support system to strengthen third-party security. Yet is seems that something went wrong along the way – reinforcing the need for strong security processes and operational procedures.

Mitigate Risk with Six Steps and New CyberArk HAR Tool

A recent Cyentia Institute study of 230,000 organizations found that 98% of firms have at least one third-party partner who has suffered a breach. It’s highly likely that your organization buys from or works with at least one third party and is indirectly connected to numerous vendors across the software supply chain. One of these companies will inevitably experience an identity breach. Don’t wait until it reaches your doorstep.

1.  Take the time to review your detection and response processes and timelines and focus on ways to reduce your mean time to detection (MTD) and mean time to response (MTR). The emerging Identity Threat Detection and Response (ITDR) discipline can serve as a helpful framework and an ideal end state.

The ability to baseline user behavior and continuously monitor suspicious connections to accounts – especially powerful admin accounts – can help you catch suspicious activities faster, such as logins via a VPN or outdated user agent, logins from unknown locations, logins directly following a support session, or accounts created/modified via REST API.

2.  Enforce MFA for all users, preferably with FIDO passwordless (i.e., passkeys related to physical devices) for securing the network identities.

3.  Only allow access to admin portals from verified sources (e.g., device, IP address and regions).

4.  Create a whitelist of specific machines that can access sensitive accounts (e.g., admin accounts) and block all others.

5.  Harden the operating system and enforce least privilege at the endpoint, which can significantly limit an attacker’s ability to access endpoints, establish persistence, steal files, compromise credentials and cause damage.

6.  Sanitize all credentials and session tokens (cookies) within a HAR file before it’s shared. We’ve created a tool to help simplify this process. Additionally, require support personnel to erase all support-related files immediately after the session ends.

Identity is the root of trust in all organizations. When trust is abused – even if it involves just one compromised or misused identity – risk can travel downstream quickly. We must all remain vigilant, prioritize speed in detecting, mitigating and disclosing attacks, and evaluate all cybersecurity decisions through an identity lens.

Shay Nahari is VP of CyberArk Red Team Services, Andy Thompson is CyberArk Labs’ Offensive Security Research Evangelist and Khizar Sultan is CyberArk’s Senior Director of IAM Product and GTM Strategy.

____

Editor’s note: To learn more about the Oct. 2023 Okta breach and what your organization can do to mitigate risk, here are two resources that can help you:

• Watch CyberArk Labs’ webinar, “Assessing the Attack on Okta’s Support Unit – Mitigate Your Risk with Six Steps and New CyberArk HAR Tool,” featuring Khizar Sultan and Andy Thompson, two of the authors of this blog.
• Listen to CyberArk’s Trust Issues podcast episode, “Analyzing the MGM and Okta Breaches: the Identity Connection,” for further insights from Andy Thompson on this subject and beyond. The episode is available in the player below and on most major podcast platforms.

When creating a new password, you know the drill – it must be at least eight characters long, contain special characters and avoid sequential characters or be based on dictionary words. Although these requirements can be a pain in the neck and seriously hamper end user experience, they are not a sign of officious IT security teams. Instead, they are a necessary evil in modern enterprises because password cracking remains a viable vector for threat actors, and passwords are some of the most vulnerable targets for attackers.

By obtaining valid password credentials, attackers can stealthily infiltrate systems, escalate their privileges to an administrator or superuser level and wreak havoc on an organization’s security, reputation and bottom line.

To counter this, enterprises have increasingly adopted multi-factor authentication (MFA) to prevent users from logging into applications, corporate networks and resources without entering an additional form of verification. For instance, users may be asked to verify their login attempts by supplying a code via email, approving their login request in the authenticator app or tapping a smart card.

Unfortunately, threat actors have numerous tools in their arsenal to bypass MFA protections, including stealing cookies, employing social engineering or using MFA fatigue-based attacks. This brings us to square one: exposing passwords as the weakest security link.

But what if there was no password to start with? This would mean no infuriating password complexity requirements to adhere to, no periodic password updates, no password rests and, most importantly, no passwords for attackers to steal.

Passwordless Authentication Gains Traction

While the concept of passwordless authentication has been around for a long time, the market has just recently pivoted to actively using the technology. Passwordless authentication can use any means of validating the user except for a memorized secret. It could be a QR code displayed at login, an SMS message with a one-time code or a physical USB key, among other examples.

In the back-end, passwordless authentication relies on the same principle as digital certificates that use public and private keys. Think of the public key as the door and the private key as the key that unlocks it. With passwordless authentication, there is only one key for the door and only one door for the key. In one scenario, a user wants to create a secure account and uses a mobile authenticator app to generate a public-private key pair. The public key is provided to the system, and the private key is accessed from the user’s local device using an authentication factor such as a QR code.

Passwordless authentication offers a better user experience and improved productivity by providing a more seamless sign-in experience. It also increases security by eliminating password-related risks. As a side benefit, it also reduces IT overhead by freeing up resources used to assist end users with account unlocks and password resets.

While passwordless technology promises significant benefits, it’s important to understand that the journey to passwordless authentication is unique to the requirements of every business.

Why Going Passwordless is a Marathon

The hard reality is that no organization can go passwordless from day one. Most enterprises won’t ever be able to go completely passwordless. There are just too many legacy systems deeply entrenched in IT infrastructure that require passwords. So, it’s about finding the balance of what makes sense from a security, effort and cost point of view.

Going passwordless is no small task, especially when organizations deal with thousands of users, countless applications, hybrid and multi-cloud environments and complex login flows. Achieving an entirely passwordless environment involves a phased approach as technology continues to evolve and user adoption increases.

The following graphic encapsulates CyberArk’s view of a typical trajectory from passwords to passwordless while delivering a frictionless user experience.

Organizations must understand that not all passwordless experiences are created equal and its success depends upon selecting the best authentication factors that align with the business and user needs. Although eliminating passwords entirely is far off, reducing reliance on them is feasible by implementing the right IAM solutions that support passwordless use cases.

When considering IAM solutions, look for the following capabilities:

1. Zero sign-on (ZSO). The first pillar of a true passwordless solution, ZSO, uses strong cryptographic standards such as certificates and combines user identities with contextual information such as device fingerprints and security posture. The key benefit of ZSO is that it enables users to seamlessly log in to their assigned applications and services without additional authentication once their devices are verified and meet security posture requirements. Remember to combine ZSO with other passwordless authentication factors best suited to your business requirements to enhance usability and security.
2. FIDO 2 integration and support. Almost every identity vendor supports FIDO2 Web Authentication (WebAuthN) and this standard is critical to enabling passwordless authentication for typical end users. Along with FIDO2, FIDO’s passkeys are a new multi-device passwordless factor that uses your devices’ security capabilities, further improving user experience. In addition, passkeys are highly phishing-proof and eliminate attack vectors possible with factors like MFA that require human interaction.
3. Passwordless endpoint authentication. In a multi-device world, it’s essential to approach authentication to endpoints in the same way as applications and internal resources. Passwordless endpoint authentication can provide a better user experience and stronger security without negatively impacting user productivity.
4. Secure VPN access for remote and hybrid users. As a critical security control to enable secure remote and hybrid user authentication, it’s recommended that users use adaptive MFA when accessing a corporate network through a VPN. Enforcing MFA for VPNs secures remote access to your corporate network, on-premises applications and resources while delivering a frictionless-yet-secure login experience that continuously evaluates and steps up with passwordless factors – as needed – based on contextual and risk analytics.
5. Self-service passwordless authenticator replacement. For a true passwordless experience, it’s crucial to implement a solution that offers users the ability to self-enroll, replace and delete passwordless authenticators with the appropriate security controls, along with a wide variety of alternative passwordless authenticators to choose from. For instance, suppose a user were to lose their YubiKey or misplace their mobile phone. In that case, the user should be able to replace the passwordless authenticator factor from various factors with the appropriate security controls.

Planning For Passwordless

As with any security-related undertaking, going passwordless requires strategy, planning, partnership with trusted vendors and a disciplined move toward organizational adoption and continued education. Leadership backing is an absolute must to drive this initiative, as is the choice of an experienced and well-established vendor that supports the journey to passwordless.

As you think of taking your organization passwordless, consider the following:

• What use cases are most suited for passwordless authentication?
• Who are the riskiest users in the organization?
• What passwordless factors offer the right level of security and convenience?
• What’s the best way to pilot and scale the elimination of passwords without business disruptions or introducing additional risk?

When you engage with an IAM provider, do not hesitate to ask them about their idea of a true, holistic passwordless solution — and what innovation and intellectual property they have invested in to make that a reality. Finally, remember that passwordless authentication is just a piece of the enterprise security puzzle. Make sure your IAM partner can support your current and future identity security needs.

Amita Potnis leads thought leadership marketing at CyberArk.

We are horrified by the barbaric attack on Israel and the Israeli people. Those of us who are watching from a distance are standing in solidarity with our friends, loved ones and colleagues who are on the ground in Israel. We stand by our employees and every Israeli around the world.

We’re thankful that our team in Israel is safe. A small percentage of our team has been called to military reserve duty. Some employees have bravely volunteered. We’re incredibly proud of all our team members and will continue to support them and keep them in our hearts and minds.

Our priority is the safety and well-being of our employees, while we remain committed to our customers and broader business stakeholders and our mission of securing the world against cyber threats, so together we can move fearlessly forward.

We believe CyberArk is in a strong position to operate successfully in this challenging environment. Right from the beginning, resiliency has been foundational to our operations, and we have built each function with business continuity in mind. We are a global organization with employees located around the world. Our operations, including global services and support, and executive management are diversified, and like every global company, our operating functions are supported from local offices in various geographies.

What’s happening in Israel is a human tragedy that’s impacting every Israeli around the world. Now, more than ever, we must stand united not just as colleagues, but as a community and do everything we can to support the people of Israel. These atrocities are horrific, but the people of Israel are strong and resilient, and they will prevail. We will prevail.

Matt Cohen is the CEO of CyberArk.

The cloud has introduced entirely new environments, roles and circumstances that require us to reimagine the definition of privileged access management (PAM) and how to apply those principles to secure identities. PAM was built on the notion that identities must be secured, not just managed, to protect an organization’s most valuable assets. The well-recognized values of PAM remain highly desirable – least privilege, role-based access control and auditability of high-risk sessions. The challenge is applying all those principles to these new environments, roles and circumstances.

New Cloud Environments, New Security Requirements

It’s relatively straightforward to delineate security responsibility in on-premises environments, as clear lines can be drawn at each infrastructure layer. There’s a physical data center, physical network cables, separate network protocols that flow through the wires, physical racks that contain compute or storage – and so on – all the way up the IT stack.

Those lines of separation and segregation of duty disappear completely in cloud environments, whether you operate in a hybrid environment (lifting and shifting workloads to the cloud) or take a cloud-native approach (building applications using a microservices architecture).

Perhaps the most mundane example of cloud usage occurs when an AWS user provisions a simple storage service (S3) bucket to store electronic files. In the on-premises world, this is the equivalent of someone breaking into a data center, pushing a rack on a trolley to the data center, placing the rack on the data center floor, plugging hard drives into that rack and connecting ethernet cables. Clearly, this would never be allowed in a traditional on-premises setting and demonstrates why we can’t think of access to a cloud service provider (CSP) as ‘just another console’ in cloud environments.

Our analysis of the three major CSPs shows that a user can access approximately 1,400 native services (e.g., AWS S3, Microsoft Azure Kubernetes Service or Google Cloud BigQuery), which collectively have 40,000 different access controls … and that number grows every day.

It’s clear we can’t apply a traditional notion of a small number of admin roles with static privileges to this dynamic environment.

Admin Overload and Evolving Roles

Traditional applications have straightforward, clear-cut boundaries between admins and users. With these applications, regular users couldn’t typically access sensitive systems and data. For instance, an employee using Outlook could send and receive emails but never perform tasks like changing POP or SMTP settings or adding or deleting users. Anyone with cloud access may be provisioned with entitlements to tap into 1,400 native services, ranging from fundamental capabilities like compute or storage to sophisticated capabilities such as artificial intelligence (AI) and machine learning (ML) engines. Perhaps surprising to some, there are also an array of SaaS services among these 1,400 native services, such as workflow engines, video processing and instant messaging. Clearly, anyone with the right to buy and use any of the above should be considered an admin.

It’s especially important to note that an entire new population of ‘admins’ have appeared: software developers. With few exceptions, all modern software development tools and processes are done in the cloud and the resultant software is deployed in the cloud. All software developers are now considered cloud ‘admins’ and must also be secured. Yet, identity security has been sacrificed to accelerate velocity.

Seventy-seven percent of security professionals say developers have too many privileges — making these human identities highly attractive targets for attackers and driving up cybersecurity debt. These expansive user permissions were set to account for all possible circumstances the user may face because prior systems were inflexible and static. Developers need to innovate; they cannot wait for their shared accounts to be created and secured for every service or workload they need to access, particularly those that are short-lived. This inflexible approach deviates from cloud provider best practices and creates unacceptable delays to engineering timelines.

Cloud Architectures and New Circumstances

The rise of microservices has generated fantastic scale, efficiency and cost savings. However, it has also created an intertwined web of dependencies and complexity for any true cloud native application. A sophisticated view is of the interactions between the 700 Netflix microservices in 2014. Today, Netflix has well over 1,000.

The new circumstance created by cloud microservice architecture is that an outage impacts all customers. Simple isolation is gone. It’s not a single monolithic ERP application or simple email application where only a segment of users are impacted. A microservice application architecture means all users are impacted. When any system has an inevitable instability or an outage the on-call engineers must be allowed to roam all over the production environment to troubleshoot, diagnose and fix the issue.

While dramatic, this is clearly one of many circumstances that didn’t exist in a classic IT setting.

Zero Standing Privileges: A Practical Cloud Identity Security Approach

A new approach is required to apply the principles of Zero Trust in a world with these environments, roles and circumstances, and to maintain velocity: a zero standing privilege (ZSP) system. ZSP completely deletes all entitlements associated with any user when not in use, but can dynamically provision on-the-fly entitlements for users based on the circumstance. Additionally, a ZSP system eliminates the possibility of lateral movement and will enforce rules against embedded credentials.

Security professionals must minimize access availability and risk while also maintaining the velocity of developers, DevOps and IT. Focusing on ZSP is the most viable way to reach these goals by preventing credential theft and limiting lateral movement, enabling organizations to embrace the full benefits of the cloud.

Charles Chu is the general manager of Cloud Security at CyberArk.

In 2019, I founded and served as the CEO of a cloud security company (C3M), a journey that eventually led to our acquisition by CyberArk in 2022. Back then, the cloud security scene was budding, filled with migration buzz and a shifting urgency around securing the cloud. Acronyms like CSPM (cloud security posture management) were emerging, and enterprise security leaders grappled with where to begin.

Jump to 2023, and cloud security has transformed. And those then-burgeoning acronyms are now part of our security vocabulary; CSPM is now the vital CNAPP (cloud-native application protection platforms). In this space, Cloud Identity and Entitlement Management (CIEM) steps up, fixing identity misconfigurations and taming permissions.

Yet, a clear pattern emerges in conversations with leaders from some of the world’s largest organizations. While detection platforms provide excellent insights into their cloud posture, addressing the identified issues isn’t straightforward. In fact, most security teams struggle to take the right risk-reduction measures for their environments. Effective cloud security goes beyond fixing configurations or permissions; it’s fundamentally about controlling “access” to your cloud—your consoles, data and infrastructure.

CyberArk’s Insight to Action framework helps address this gap between detection and remediation and offers a deep dive into six pivotal areas recognized as substantial threats in the cloud environment. Addressing these challenges provides a secure cloud experience and ensures smooth operations, eliminating potential loopholes and vulnerabilities.

The Insight to Action framework builds on CyberArk’s history of risk-focused best practices and identity security framework, the CyberArk Blueprint for Identity Security Success. Enterprises can achieve a proactive and resilient identity security posture by focusing on six “insights” across major cloud platforms like AWS, GCP and Azure.

In my previous blog, “Operationalizing Identity Security in the Public Cloud,” I discussed the significance of a comprehensive framework that transforms risk insights into actionable remediation measures. Taking it a step further, I’m now excited to share the following critical insights that can significantly help your organization reduce risk in the cloud.

Six Insights to Drive Actions to Reduce Cloud Risk

Insight 1: Dormant Users in the Cloud – The Hidden Threat

Dormant users or inactive accounts with retained access privileges pose a significant risk. They often go unnoticed in expansive cloud environments, offering backdoor entries for malicious actors. To mitigate this threat, you can:

• Use automation to revoke access or deactivate accounts after a certain period of inactivity. Removing the dormant account eliminates the risk associated with that account being exploited. Fewer inactive accounts mean fewer entry points for attackers.
• Audit user activity regularly. Implement monitoring tools to identify and report on accounts with prolonged inactivity.
• Conduct frequent access reviews of user roles, permissions and activity to ensure only necessary and active accounts exist. Keeping only necessary and active accounts helps maintain compliance with many regulatory frameworks that require minimization of access.
• Set up alerts for any activity on dormant accounts. Any sudden activity should be treated as suspicious.

Insight 2: Misconfigurations – The Identity Blindspot

Misconfigurations in a cloud environment refer to incorrectly set up assets or services that can expose an organization to risks of varying levels. With the complexity of modern cloud architectures, configuration settings can number in the thousands. Each setting provides a potential opportunity for error. Amid thousands of settings, a few incorrect ones can easily go unnoticed.
To address this threat, here are some steps you can take:

• Review and audit cloud configurations frequently to align with industry best practices.
• Review IAM policies regularly to ensure the principle of least privilege.
• Enforce multi-factor authentication (MFA) for all users.
• Implement a just-in-time (JIT) access model, removing standing permissions and aligning to zero standing privilege (ZSP). This one step alone can drastically reduce your risk surface by ensuring that access is given to the right people at the right time – no more and no less.
• Deploy automated scanners. Integrate advanced tools designed to scan for IAM misconfigurations systematically. This proactive approach enables a comprehensive understanding of the identities present in the cloud (and their configurations) and identifies potential discrepancies.

In the event of misconfigurations, automated scanners alone can pinpoint issues and provide actionable insights on rectifying them, ensuring a swift and effective resolution.

Insight 3: Persistent Access to the Cloud – The Overlooked Backdoor

Persistent access means that if an attacker compromises an account, they have indefinite access until detected. This extended time frame allows malicious entities to establish a stronger foothold, conduct reconnaissance, and even spread to other parts of the network.

To mitigate this threat, you can:

• Shift to JIT access, providing temporary access that auto-revokes after a certain period or post-task completion. This reduces the time window in which credentials can be misused.
• Conduct frequent access rights reviews to ensure that users have only the permissions necessary for their roles and that any excess permissions are promptly revoked.
• Enforce MFA for all users, especially those with elevated privileges. This adds an additional layer of security, ensuring that even if credentials are compromised, attackers have a harder time gaining access.
• Adopt a ZSP model. Transition away from standing privileges where users have continuous elevated access. In a ZSP model, all privileges are revoked by default and users request elevation only when needed.

In the case of ZSP, it’s an approach gaining traction because it limits the time window for potential abuse of elevated privileges. This ensures users get only the access they need and only for as long as they need it. Coupling ZSP with JIT further reduces the exposure window, making it a powerful combination against potential threats.

Insight 4: Excessive Permissions – A Gate Wide Open

Excessive permissions in the cloud provide users, and potentially attackers, more access than required to perform their tasks, turning even a minor breach into a potential catastrophe. Excessive permissions in the cloud can lead to data leaks, privilege escalation and operational risks.
To address this threat, you’ll want to:

• Assign permissions based on organizational roles (aka role-based access control (RBAC)). Ensure that each role has only the permissions necessary to perform its tasks.
• Automate permission assignments. Use tools that automatically assign and adjust permissions based on roles, tasks and workflows.
• Adhere to the principle of least privilege (PoLP). Always provide the minimum necessary access. Regularly review and adjust permissions, ensuring they align with users’ current roles and tasks.
• Switch to a JIT access model. Instead of permanent high-level permissions, provide temporary access for specific tasks. Once the task is done, permissions revert to their normal levels. This great risk reduction measure buys you time to study and refine the permissions.
• Continuously monitor user activities and employ AI or machine learning-based tools to detect and alert anomalous behaviors.
• Implement permission boundaries. Set hard limits on what permissions can be granted, ensuring that even administrators cannot inadvertently grant excessive rights.

Insight 5: Unrotated Secrets – A Ticking Time Bomb

In the world of multi-cloud architecture secrets — be it API keys, tokens, public/private key pairs or passwords — act as vital access conduits to crucial data and services. AWS, GCP and Azure, three cloud giants, all offer their versions of secret management services. However, if these secrets remain static, the risk factor compounds. The threat is akin to leaving a backdoor unlocked indefinitely; it’s just a matter of time before someone or something exploits it.

Proactively managing these secrets across all cloud platforms is not a mere best practice — it’s a necessity.
To mitigate this threat, you can:

• Implement a mandatory policy to rotate secrets at regular intervals. The frequency might vary based on the sensitivity of the secret.
• Automate secrets rotation. Use cloud-native tools or third-party solutions to reduce manual errors. In multi-cloud environments, establishing a centralized management system for all secrets and enforcing consistent controls is crucial for maintaining robust security practices.
• Revoke and replace secrets instantly. Ensure you have mechanisms in place to do this in the case of suspected breaches.

Insight 6: Non-Vaulted Admin Accounts – The Exposed Crown Jewels

Admin accounts are the crown jewels of any IT infrastructure, granting privileged access to the heart of systems and data. In the realms of AWS, GCP and Azure, these accounts, when not vaulted, can be likened to leaving the keys to the kingdom unguarded. As businesses expand their cloud presence, securely managing these accounts, with their elevated permissions, is essential.

To mitigate this risk, you can:

• Implement and enforce MFA for all admin accounts. This ensures an extra layer of security even if credentials are somehow compromised.
• Audit and review access logs and trails across AWS, GCP and Azure. And do so regularly. This helps in the early detection of any anomalies or unauthorized access attempts.
• Create a mechanism and process to detect and vault new admins (and make sure to separate federated from local admins with actual credentials).
• Set up a solution for secure access using these sensitive secrets without exposing them to end users while keeping a full audit of all activity.

Taking Cloud Security Action

Where the Insight to Action framework is organized around substantial threats to your cloud environments, the CyberArk Blueprint is organized around target personas and privileges grouped into security control families. Every organization has unique prioritization needs and a different existing risk posture. By leveraging the CyberArk Blueprint for CIPS and the Insight to Action framework together, your organization can develop a tailor-made strategy and approach to securing your multi-cloud environments.

Stay tuned! The evolving cloud landscape promises more insights and innovations. We are excited to guide you through them in upcoming blogs.

Paddy Viswanathan is vice president of Cloud Solution Strategy at CyberArk.

Every IT and security leader loses sleep over insider threats. They’re notoriously difficult to detect, costly to mitigate and can lead to widespread loss and reputational damage. Despite efforts to mitigate insider threats, current global risks and economic pressure are fueling the flame. There’s no silver bullet for insider threat protection, however a greater focus on culture, engagement and empowerment can make a real difference.

The Path to a Mega Breach is Paved with Good Intentions

Edward Snowden, the man behind the biggest intelligence leak in history, largely shaped how the world views insider threats. Since that landmark case, insider threats are often depicted as  shadowy malicious characters, stealthy corporate saboteurs or dogged whistleblowers.

In reality, most insider threats are caused by well-intentioned employees who make mistakes or take security shortcuts. For instance, a Stanford University study shows that one in four employees admit to clicking on a phishing link. Sixty-three percent of security professionals report increased risk due to workers using unapproved AI tools, according to our latest CyberArk Identity Security Threat Landscape Report.

Even legitimate AI use can create significant risk. Reports this month indicate that a well-intentioned Microsoft AI team accidentally leaked 38TB of company data while contributing open-source AI learning models to a public GitHub repository. Additionally, numerous studies show that employees regularly use unmanaged personal devices to access company resources, violating corporate policies. These are just a few of the many ways that employees become inadvertent insider threats.

But it’s not just employees that represent risk: the infamous Target breach was one of the first to push third-party insider threats into the spotlight. Third-party partners, consultants and service providers who access sensitive corporate resources for valid purposes can easily become unwitting or malicious insider threats, and set off a far-reaching ripple across large, tightly interconnected digital ecosystems. This may be why security professionals indicate that third parties represent today’s riskiest human identities.

Building a Strong Cybersecurity Culture Is Imperative

According to the 2023 Verizon DBIR, 74% of all breaches include the human element, with people involved via error, privilege misuse, use of stolen credentials or social engineering. This means that cybersecurity must focus heavily on people – not just technology (though both ingredients are necessary.)

In the words of the famous management consultant Peter Drucker, “Culture eats strategy for breakfast.” Fostering a strong cybersecurity culture requires effort from everyone.

Management is responsible for setting the right tone (and modeling secure practices), defining processes to help identify and address risky behaviors and driving cross-functional collaboration. At the same time, it must empower employees with ongoing education and positive reinforcement that builds trust, changes attitudes and habits and, ultimately, creates more resilient organizations. There’s room for growth in this area.

A recent Wall Street Journal report shows that managers routinely miss opportunities to strengthen cybersecurity culture, citing over-emphasis on technology, failure to test incident response procedures and annual check-the-box training as typical examples. According to IBM research, these shortcomings could be fatal to an organization, as the average data breach now costs $4.45 million. Maintaining a security-first culture and mindset across the organization is simply non-negotiable.

Employees and third-party users must also understand why cybersecurity hygiene is so important and make more concerted efforts to be part of the solution. This starts by taking a hard look at how their habits may contribute to organizational risk, such as using unauthorized web apps, allowing family members to use their corporate devices or failing to protect credentials (by using weak passwords, reusing passwords for various purposes, saving passwords in browsers, etc.)

Six Ways to Encourage Bystander Engagement to Mitigate Insider Threats

Insider threat mitigation can also mean speaking up. If a worker sees something that seems off, it’s their responsibility to report it. On the flip side, their employer is responsible for encouraging this bystander engagement and vigilance by:

• Developing safe reporting methods to ensure that personnel reporting insider threat concerns remain anonymous and protected from potential retaliation.
• Prioritizing continued cybersecurity education to help people understand the ever-changing attack landscape and common social engineering techniques to watch out for, such as phishing, vishing and smishing. Workers can respond to potential threats more effectively with regular training and engagement.
• Outlining specific signs and behaviors that could indicate potential internal threats, including unusual data movement, use of unapproved apps or hardware and privilege escalation to access information and systems that aren’t core to job function.
• Communicating transparent and narrowly defined rules to employees and third-party users that reinforce personal accountability and emphasize the importance of company policies, procedures and information security best practices.
• Establishing policies and best practices for compliance, including separating or segregating duties (SoD) and requiring more than one person to complete a critical task.
• Dedicating security operations center (SOC) resources to handling and analyzing insider threat information and activity.

Top-to-bottom efforts to identify and act on insider threat concerns mean organizations can more effectively engage workers who display potential risk indicators. The right technology can also help drive positive outcomes when systems are correctly configured to address security gaps. For example, machine learning tools with adaptive security capabilities enable organizations to baseline user behaviors and reduce false positives in detecting cyber anomalies.

When it comes to insider threats, employees and third-party users are the first and last line of defense for safeguarding your organization’s most critical assets. But it’s up to you to empower them with the critical knowledge, processes and underlying technology they need to succeed.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.

The recent cyberattack on MGM Resorts International has raised serious concerns about the security of sensitive data and the vulnerabilities organizations face in today’s digital landscape. In this blog post, we will dive into the details of the attack based on the information currently available, analyze its root causes and discuss key takeaways to help organizations strengthen their security posture.

MGM Attack: What We Know (Thus Far)

Allegedly, a criminal gang made up of U.S. and U.K.-based individuals that cybersecurity experts call Scattered Spider (aka Roasted 0ktapus, UNC3944 or Storm-0875) initiated a social engineering attack that led to the near shutdown of MGM Resorts International. MGM Resorts International is a global hospitality and entertainment company, with a portfolio of 29 hotel and resort properties, including iconic brands like Bellagio, MGM Grand and Mandalay Bay.

(Did you attend Black Hat at the Mandalay Convention Center this year? Yes, this could directly affect you.)

A social engineering attack allowed the threat actor to burrow into the MGM environment and establish a foothold. Due to the common mistake of password reuse, CyberArk Labs – as well as many experts in the cybersecurity community – are currently under the impression that the attackers had usernames and passwords from previous data breaches. With additional information collected from a high-value user’s LinkedIn profile, they hoped to dupe the helpdesk into resetting the user’s multi-factor authentication (MFA). They were successful.

Based on available information, as it currently stands, threat actors also were observed creating persistence in MGM’s network by configuring an entirely additional Identity Provider (IdP) in the Okta tenant using a feature called “inbound federation.” The function is intended to allow the fast connection of different Okta tenants during mergers of companies. In this case, though, the threat actors used it to increase their control of the victim’s networks. (As we say in the industry, “It’s not a bug; it’s a feature!”)

It also appears that the attackers gained control not only of Okta but also of the Microsoft Azure cloud environment. This already jeopardized the applications managed by the IAM platform, but now all their cloud assets were also in danger.

Our threat actors were eventually discovered. MGM’s incident response team began by terminating the Okta sync servers, where Scattered Spider had deployed some additional credential harvesting techniques. This ultimately resulted in the complete termination of the Okta platform and the threat actors’ access initial access. HOWEVER, the damage had been done. The threat actors had already exfiltrated unknown terabytes of data and still had access to the cloud platform. It was time to make their presence known.

This was when the BlackCat/ALPHV ransomware group was called in. Using this RaaS service, Scattered Spider encrypted several hundred of their ESXi servers, which hosted thousands of VMs supporting hundreds of systems widely used in the hospitality industry. This caused cascading chaos. As the ESXi hosts became encrypted one after another, the applications running on them crashed … one after another … after another. Hotel room keys no longer worked. Dinner reservation systems were down. Point-of-sale systems were unable to take payments. Guests were unable to check in or out. Slot machines were completely unavailable. At this point, MGM was hemorrhaging money – and potentially its credibility.

Once the threat actors acquired their initial foothold, they could begin to escalate their privileges. They ultimately acquired the privileged access to the accounts running the IAM infrastructure. This allowed them significant access to the MGM network.

What made this attack worse than if MGM’s Okta environment and the applications connected to it had only been compromised, was that the IdP solution granted highly privileged access to Azure, which ultimately allowed the cloud-originated attack into MGM’s brick-and-mortar operations. Scattered Spider deployed BlackCat/ALPHV ransomware, which encrypted several hundred of their ESXi virtual machine infrastructure. This severely impacted MGM’s operations.

The full extent of what systems were compromised and what data was leaked is still unknown. Still, gaming industry analyst David Katz says that MGM Resorts is losing as much as $8.4 million in revenue every day until it fixes the problems caused by the ongoing cyberattack. There is still so much to this story that we won’t know the full extent of the damage for quite some time.

CyberArk Labs’ Critical Initial Takeaways from the MGM Attack

Although it’s still too early to definitively say what exactly happened in the MGM attack, the following initial assessments from our team are as relevant now as they’ll be once the dust settles:

• Attacking IAM platforms is a common tactic that threat actors use. It gives persistent access to an organization and extends attacker privileges into more systems, causing more damage. This isn’t anything new to us either. We discussed this in the aftermath of the SolarWinds breach, along with best practices for configuring and monitoring your IAM platform.
• The worst part of this breach was that MGM’s IdP was configured in a way that allowed Scattered Spider to pivot into their VMware infrastructure. For example, the act of synchronizing credentials between on-prem and cloud resources allowed Scattered Spider to pivot into the VMware infrastructure. This is where we believe that BlackCat/ALPHV became involved.
• BlackCat/ALPHV has been an operator CyberArk Labs has tracked for some time now. We recently released a free and open-source tool called White Phoenix that helps victims to recover from ransomware attacks. (Due to the fact the ESXi files were encrypted and not PDFs, there’s unfortunately not much this tool could do to help MGM.)
• RaaS is big business and part of the larger criminal supply chain. Just as commercial businesses rely on SaaS applications to do their work, so do criminal gangs. BlackCat/ALPHV provides the professional services Scattered Spider lacks. (i.e., malware creation, back-end C2, tor leak-site, malware support, negotiation services).
• The MFA device reset was a significant chokepoint in the attack. If the MFA device reset were not possible or detected in time, the threat actors would have faced limitations in continuing their attack. Hence, limiting the MFA device to a specific phone number associated with the user could have offered an effective mitigation.
• IAM infrastructure, including federation servers, Okta sync servers – and even CyberArk vaults – should be considered Tier 0 assets. Their compromise could lead to paralyzing a significant portion of a network. Securing access to these assets and limiting them to dedicated proxies is extremely important in mitigating future attacks.

Lessons Learned and Mitigation Strategies

To strengthen security measures and mitigate similar attacks, organizations should consider the following strategies:

1. Contain Impact

Minimizing exposure of privileged accounts is vital in mitigating phishing attempts. IT administrators should use privileged access management (PAM) solutions, reducing the risk of compromise through attacks (including vishing). Organizations should also consider implementing zero standing privilege (ZSP) where applicable.

We like to say, “It’s hard to hack a credential when it literally doesn’t exist.” While internal or external compromises may still occur, this contains the attack to a dedicated endpoint, which can help minimize exposure and assist with incident response.

2. Improve MFA Control

Creating visibility into MFA device changes is essential. Implementing specific logs for customers to monitor in their security information and event management (SIEM) systems can help detect and respond to unusual authentication activities. Additionally, implementing a dual control feature can enhance security by requiring multiple authorizations for critical actions.

3. Protect Tier 0 Assets

Tier 0 assets must be protected, including signing keys and access to critical infrastructure. Implementing endpoint privilege security on federation servers can help safeguard signing keys from credential theft attempts. Furthermore, preventing unauthorized access to Tier 0 assets by limiting access to proxies along with dual controls is crucial.

4. Adopt IdP Best Practices:

• Implement MFA controls before allowing users to change/alter their MFA factors (i.e., you must present a current MFA factor before altering one of your MFA factors enrolled).
• Employ helpdesk verification controls (i.e., the helpdesk may only reset a password once the user has verified their identity through a pre-existing enrolled MFA factor).
• Always check a user’s device enrollment/compliance before allowing a user (especially an administrator) access to your IdP.
• Identify secure zones in your network. Understand network traffic to your IdP that does not meet your expectations. Limit actions that can be taken outside of your Secure Zones.
• Manage IdP administrator accounts in the same way database/domain admin accounts are managed (i.e., through privileged access controls such as rotating administrator passwords, monitoring/isolating admin sessions and enforcing dual access controls to access credentials).
• Monitor trust changes, such as identity provider (IdP) modifications – it’s essential for detecting suspicious activities. Organizations should consider implementing specific logs to track and analyze trust changes, providing valuable insights into potential security breaches.

Final Thoughts (For Now)

A series of mistakes ultimately led to one of the most visible and brand-damaging attacks in years. To mitigate similar attacks, organizations should focus on minimizing the exposure of privileged accounts, implementing strong authentication measures such as MFA, protecting Tier 0 assets, monitoring trust changes and staying updated on evolving cyber threats. It’s a lot to do, but it’s crucial for organizations to continuously improve their security measures and follow best practices to protect themselves in today’s digital landscape.

Andy Thompson is CyberArk Labs’ Offensive Research Evangelist.

Editor’s note: For more insights from CyberArk Labs’ Andy Thompson on this subject and beyond, check out his appearance on CyberArk’s Trust Issues podcast episode, “Analyzing the MGM and Okta Breaches: the Identity Connection.” The episode is available in the player below and on most major podcast platforms.

Over six in 10 security decision-makers say their teams operate with limited visibility across their environments. Why? We could easily speculate that it comes down to the tools they do or don’t use. However, two-thirds of enterprises now have tools from up to 40 different security vendors in place, and they’re still struggling for insights into the constant cycle of identities seeking access.

I believe there’s a bigger-picture challenge we need to – and can – solve for.

In many ways, securing the workforce’s access to applications, devices and resources such as sensitive data is about being a constant observer of human behavior – and asking yourself the following questions in a perpetual loop:

• What are your users seeking to access and why?
• What actions are they trying to take with sensitive resources?
• Do the findings (to the preceding questions) align with what’s appropriate for a given worker’s role within the enterprise?

The problem is that you need immediate answers to these questions every time a user attempts to authenticate. And you need to know the answers for every user – across your ecosystem of employees and vendors, among others.

To get the visibility we need, the solution will come down to three variables: insights on user behavior, automated actions and integration enabling tools to share and act on data.

All Seeing, All Knowing – How to Observe and Secure Workforce Access Behavior

While various analytics tools have been in market for a while, enterprise security teams need capabilities beyond simple feeds and dashboards. Today’s threats call for a sophisticated user behavior analytics (UBA) engine serving as a centralized brain and nervous system – all-seeing, all-knowing.

Individual humans can’t independently maintain a real-time study of every user’s actions. Nor can they instantly infer a set of behavioral traits from the past that could indicate whether a person logging in is indeed that user – or an attacker. And yet, having that type of knowledge would be a game-changer.

This is where it helps to have a UBA engine capable of:

• Compiling and analyzing a historical log of user access behavior.
• Vetting access attempts in real time and autonomously detecting any signs of variation from typical behavior.
• Integrating with smart authentication tools – for example, adaptive multi-factor authentication (MFA) – to make automated decisions on handling any access attempt.

Let’s explore some scenarios in which such capabilities can help security teams make faster, smarter decisions that defend against attacks and support the business.

Scenario 1: Preventing Attacks – Anytime, Anywhere

Imagine a scenario in which an attacker steals a user’s password from a compromised website and figures out where the user works through LinkedIn. It’s 2:30 a.m.: the user and security team are sleeping, but the attacker is very much awake – testing out the password to see if it’s reused across enterprise apps storing sensitive data.

All the signals point to a threat, and here’s what the UBA and adaptive MFA would see: the log-in attempt is happening at a time when the employee is never active. It’s coming from a region the employee never travels to. What’s more, the IP address is atypical and the device is unfamiliar.

In this scenario, let’s say the MFA is integrated with the UBA engine – and can relay insights about the log-in attempt to the UBA, like hands sending sensory information to the brain. In lockstep, the UBA weighs the signals against the actual user’s history. It’s an attack. The UBA decides which actions to take, including:

• Adapting the log-in process to invoke stronger authentication challenges such as phishing-proof secondary factors (e.g., physical tokens) and knowing in which order to require them.
• Preventing access until the actual user can scan a unique QR code to approve access on their pre-enrolled mobile device.

How Else Can Automation and Integration Help?

Enterprises can also use automated, no-code workflows for continuous threat detection and response. Imagine another scenario where an attacker compromises a privileged user’s account.

In this instance, an automated workflow could detect a potentially malicious action – e.g., when a new SSH key is created in a privileged session – and alert your team via Slack. Through “if-then” logic, the workflow could automatically remediate the session, temporarily suspending the user’s access, while your team investigates. Or the workflow could relocate the user into a pre-defined high-risk user group with minimal access.

Scenarios like the ones we’ve highlighted here are a win for organizations looking to build toward a security-first approach to workforce access. They’re also a win for security leaders seeking ways to operate more efficiently. With capabilities from UBA, adaptive MFA and automated workflows, securing access can involve fewer work hours, staff and costs.

And with the right capabilities, these insights can be at a security admin’s fingertips – providing the ability to drill down into details, including every factor that influenced the automated decision.

Scenario 2: Improving Productivity and User Experience

We’ll continue with another example: an employee working late on a cross-country flight. The stakes: she’s putting the final touches on a product launch essential for improving the customer experience.

Her laptop is open. WiFi is on. SSO accepts her password. Next up: MFA to get into a collaboration app where she’s managing the project. Here, frictionless UX is essential; the employee is on deadline. But you can’t put security on the back burner: The same web applications your users need to access are also the No. 1 attack vector in eight out of 10 incidents. In this in-flight scenario, a context-aware MFA/UBA combo would see that the log-in attempt is coming:

1. From a pre-approved device.
2. On a typical weekday (a usual workday for her).
3. At a regular time of day – her user history reflects the fact that she travels regularly to and from the given region.

Of course, visibility is best when paired with automated capabilities to act upon what’s seen. The dynamic duo of UBA and adaptive MFA can apply contextual insights to make a decision. In this low-risk case, the UBA can determine that secondary authentication isn’t necessary and allow the user to access the application – without compromising security.

The outcome: the employee authenticates safely and efficiently, completing her project on deadline. And this is a win for her company’s security team’s ability to show that security-first access can be an enabler rather than a barrier to progress.

Embracing and Effecting Change in Securing Today’s Workforce

Visibility is the first step in making smarter decisions regarding workforce access. Automation can help your team do more. With the proper controls and capabilities – built into an integrated approach that brings tools together to share and act on data – you can significantly improve your security posture and support the business.

For more insights on how you can secure your organization from identity-related threats, check out this video from CyberArk experts on what capabilities are needed to balance securing the workforce and ensuring productivity.

Gil Rapaport is the general manager for Identity and Access at CyberArk.

Today, more than ever, security is all about identity. Especially in the cloud, the central management and proliferation of cloud services means that with the proper identity and permissions, one can do almost anything (legitimate or malicious).

Product management has been my focus for over 15 years, and in that time, I have experienced multiple IT and ecosystem transformations. Let me tell you, it’s never easy for organizations. When I joined CyberArk three years ago, I wanted to understand how our customers dealt with cloud transformations. Specifically, I wanted to know how identity security programs could transform with IT. I talked to many experts within the organization and with customers, trying to understand what’s most important in implementing a cloud identity security program – and to deduce from these insights where our development focus should be.

Given my experience, the following are what I consider to be the key factors to cloud identity security success:

1. Smart Risk Reduction

Some would say that security is all about systematic risk reduction. Many solutions today utilize cloud APIs and central management and specialize in providing cloud security posture. These solutions aim to identify risks to your cloud configurations and help prioritize them; identity and access management (IAM) is an essential part of that.

But we don’t just want to get recommendations to fix misconfigurations. We need meaningful insights and to take action quickly. For example, we want to swiftly identify low-hanging fruits like those dormant identities just sitting there and increasing your attack surface. We also want to determine high-risk identities such as shadow admins – identities and roles that can elevate their own permissions and move laterally so we can rapidly take action to secure them.

As we systematically reduce risk, we want to keep to least privilege principles and remove standing access in favor of zero standing permissions. We should have a solution built to drive immediate actions from insights.

2. User Experiences that Encourage Adoption

As enterprises implement new security tools, they face a familiar trade-off: traditional security controls can impact users, in ways that slow down their ability to do their jobs.

Imposing security upon IT teams is one challenge, but enforcing controls on developers or DevOps is almost impossible. The cloud was built for speed, and no dev team would ever agree to be slowed down. And for that fact alone, I know that the successful adoption of security solutions is all about end user experience.

When we secure access to sensitive resources and services, we should always allow end users to use their native tools, giving them an experience with the least friction. Sometimes, we can improve their lives with small productivity enhancements, like giving them a personalized view of available systems and roles they can connect to.

Let’s look at another example of a developer adoption challenge: for security teams to ensure secrets management practices are used to secure application credentials (non-human identities). This is why I’m proud of our capabilities that allow developers to keep using their preferred cloud-native solutions without making any changes to their application – while CyberArk secures and governs those secrets on the backend. It’s an excellent way to help ensure both developers and security teams achieve their goals.

A simplified view of a common security/usability trade-off

3. Fewer Security Tools

Now that we all agree on the importance of the end user experience for successful adoption, we should also keep in mind that admins and security teams have to use the security tools themselves. With security being top of mind, the explosion of solutions and tools is enough to give anyone a headache. Consider a cloud security architect or IAM expert who needs to fully understand and operate the myriad solutions for securing their environment. They need to manage native cloud provider tools and services (and multiply that threefold for a multi-cloud strategy) and related solutions for IGA, IDP, PAM, CIEM and secrets management. These systems must work harmoniously, feeding one another and integrating with other key systems such as ITSM and SIEM solutions. It is no wonder that a recent ESG report showed that 54% of organizations prefer a platform approach with unified controls from fewer vendors.

So maybe it’s all about running an efficient operation – using fewer tools to manage your IAM needs. This can help ensure those security solutions can be more easily installed and efficiently managed to succeed.

Better Together: People, Processes and Technology

Considering that no one key to a successful cloud identity security program exists, we should look beyond just pure technology, features and capabilities. Instead, we should consider the real-life challenges of implementing a large-scale, multi-cloud and multi-system environment. We should think of processes within organizations to keep developers (end users) happy. And we should provide admins with platform-based solutions to manage an efficient operation, identify IAM risks and mitigate them with an integrated solution.

Yonatan Klein is director of product management, Cloud Security at CyberArk.

How Cloud and SaaS are Actively Disrupting Open Source

Open source software (OSS) has driven technological growth for decades due to its collaborative nature and ability to share information rapidly. However, major OSS security vulnerabilities like Log4j, Heartbleed, Shellshock and others have raised concerns about the security and sustainability of similar projects. At the same time, major open source-based companies have changed their OSS licenses, like MongoDB, Elastic (formerly ElasticSearch), Confluent, Redis Labs and most recently, HashiCorp.

In this blog, we’ll examine recent events and trends behind the evolution of open source software, explore its future and discuss what organizations can do to protect themselves.

Community Driven Open Source Software

The most famous early example of community-driven open source is GNU, which stands for Gnu’s Not Unix. GNU is a major component of Linux, and it was born out of Richard Stallman’s frustration over not being able to modify his printer software code to provide customizations and improvements. Stallman wanted unrestricted and free (of cost) software that he could update, maintain and customize himself with other community members, so he created GNU and the GNU General Public License or GPL – one of the most popular and permissive OSS licenses – which is the inspiration behind many open source licenses and projects today.

In the example of the GNU project, it’s important to understand that the user community is taking responsibility for developing, maintaining, supporting and providing security patches – the idea was not for anyone to use without helping to keep it going because that isn’t sustainable. Kubernetes, Linux, Apache and CNCF projects are good examples of community-driven projects.

Vendor-Driven Open Source Software

Vendor-driven open software projects are more centralized and driven from the top down, with a single software vendor providing most of the software and maintenance. In this case, the user community may contribute some customizations, support and patches, but the bulk of the expense and burden remains with the software vendor. This use case is a go-to-market (GTM) approach that relies on converting community users to premium, paid features or services to generate revenue that will offset the costs of building and maintaining the OSS version.

Industry and Technology Trends Driving Open Source Disruption

When GPL and other permissive OSS licenses were first conceived, few envisioned the impact of cheap cloud computing resources and fast broadband would have on the OSS landscape. Now, we are seeing the ripple effects of SaaS and how it impacts vendor-driven open source projects like MongoDB, Elastic, Redis Labs, and most recently, HashiCorp, which changed its OSS licensing, angering its user community.

Several vendor-driven open source projects have had difficulty monetizing enough of their user community to offset expenses. Adding further financial pressure, the growing popularity of SaaS has inspired companies to offer SaaS solutions built from OSS versions of their competition, monetizing the work of the competition and further reducing the incentives behind vendor-driven OSS projects.

The Future of Open Source Software

Vendor-driven open source offerings are advertised as a way for users to get started. However, migrating from a self-hosted OSS solution to the enterprise version can be more complicated or expensive than initially expected, leaving users uncomfortably stuck on the open source version. At the same time, they also need the paid features. This is one area where SaaS should and will replace OSS; when a user is looking to start small and grow with a solution, there is no need for a migration path or the added expense of engineering resources to support and maintain the solution.

The future doesn’t look promising for vendor-driven OSS projects built purely for monetizing the offerings; these projects will become more restrictive and put more of their development efforts behind paid features.

As Mark Twain once said, “History never repeats itself, but it does often rhyme.” This is true when it comes to the future of open source projects, because the path forward is similar to the printer example we mentioned earlier –  these projects will be primarily driven and supported by the user community. To maintain viability, community-driven OSS projects need more backing from the user community to provide the required security patches, maintenance and support. Unfortunately though, not all of these projects are supported the way they need to be, as many security vulnerabilities like Log4j, Heartbleed, Shellshock and others threaten the security and sustainability of community-driven open source projects. CISA’s recent announcement of a new OSS security roadmap underscores these concerns.

Impacted by Open Source Licensing Changes?

Are you looking to centralize human and non-human access? If your organization uses an OSS vault solution, you likely have many questions about the latest license changes and want to explore your migration journey.

If so, join us on Sept. 27 for our webinar covering the recent open source news and next steps for centralizing human and non-human identity security.

John Walsh is a senior product marketing manager at CyberArk.

Today, I’m honored to share that CyberArk has been named a Leader in the “2023 Gartner® Magic Quadrant™ for Privileged Access Management.”¹ This is the fifth time our company has been positioned as a Leader in this report.

Learning By Listening

CyberArk first introduced privileged access management (PAM) to the market to address a critical need to protect the users with the highest-risk access, such as IT administrators and others with unconstrained access to valuable company assets. In working alongside organizations to build proactive PAM programs – and also helping others recover from some of the largest breaches in modern history – we, to quote Ernest Hemingway, “learned a great deal from listening carefully.” These stories became the fabric of our organization, woven into the CyberArk Identity Security Platform, inspiring our strategy and uniting us in a shared mission.

We’ve continued listening and innovating ever since. Today, the landscape looks dramatically different. Employees and third-party vendors work from anywhere, on multiple devices. Any human and machine identity can be assigned high-risk permissions and become a “privileged user.” Hybrid and cloud environments are massively complex. Threats, from AI-fueled ransomware to sophisticated software supply chain attacks, are constantly growing in sophistication. And the cybersecurity industry itself is experiencing tremendous change as companies emerge, are acquired and often struggle to find their footing in a tightly crowded space.

Consistent, But Never Complacent

Through it all, CyberArk has remained an unwavering presence, delivering market-leading innovations and expertise to meet organizations’ evolving needs. Building upon our foundational PAM strengths, we’ve extended intelligent privilege controls across the entire identity lifecycle for all identities. As the only vendor positioned as a Leader in the most recent Gartner® Magic Quadrant™ reports for PAM (2023) and Access Management (2022).

We offer the world’s most advanced identity security platform, empowering organizations to drive down identity-based risks and consolidate vendors while delivering operational efficiencies and achieving a faster ROI. Like an invisible force field, the CyberArk Identity Security Platform wraps seamlessly around an organization, its devices and its people – wherever they go.

In particular, we’re proud of how we’ve innovated alongside customers to solve their cloud-first use challenges. Developers are privileged users in modern environments. Many have entitlements to provision and de-provision infrastructure and services or change existing configurations. This access must be secured, without slowing down engineering velocity. We’ve invested heavily and innovated rapidly to deliver new cloud security solutions that address common developer requirements.

Of course, the most successful cybersecurity programs aren’t just about great technology: people and processes are equally important. Our team brings unmatched insights and proven methodologies based on decades of experience in helping more than 8,000 organizations around the world. With prescriptive guidance and technical domain expertise, we deliver exceptional experiences that empower teams to execute winning strategies. And we’ve continued listening carefully, investing heavily in our customer support team to ensure system resilience and high availability of our mission-critical technologies.

There can be no complacency in cybersecurity. Active, consistent dialog and collaboration with our customers and industry partners, coupled with cutting-edge threat research, continue to inform our roadmap. We’re setting the bar with advanced capabilities that further bolster security, adoption and user experience across our platform. Some recent examples include:

• Deepening secrets management offerings: Further enhancing our SaaS and self-hosted secrets management solutions that enable consistent control of multi-cloud environments. One noteworthy example is extending CyberArk Secrets Hub’s coverage so more security teams can tackle a thorny identity security challenge: securing and managing secrets and credentials used by machine (or non-human) identities, which outnumber human identities 45:1.
• Securing privilege on the endpoint: Continuing to address security leaders’ No. 1 area of risk – credential theft – with advanced credential management capabilities that block threats at the endpoint. We’re especially proud of our recent security innovations for protecting Windows workstations and servers.
• Driving progress toward zero standing privileges: Introducing new just-in-time, least privilege access capabilities that are critical for helping organizations move toward the ideal state of zero standing privileges (ZSP) in the cloud.
• Delivering for our self-hosted customers: Our continued commitment to self-hosted customers is reflected in our latest release, which features several of our customers’ top enhancement requests.
• Extending AI use cases: Strategically expanding our use of machine learning and AI to improve customers’ defensive capabilities to counter attacker innovation.

We also continue to invest in the fundamental PAM solutions that our customers rely on – from unveiling a simplified user interface to enhancing unified logging and reporting features that ease audit and compliance requirements. It’s no longer enough to have great privilege controls: organizations need smart processes around them as well. We’ve innovated to add lifecycle management and identity orchestration capabilities that help customers improve and simplify privileged access management.

More than ever, security requires a team game approach, and we’re fortunate to play with the very best. Together with our extraordinary global ecosystem of C3 Alliance partners, we deliver customized solutions, integrations and product enhancements to help security teams mitigate emerging risks in their environments and address evolving identity security challenges.

Today’s distinction further accelerates momentum across our business. Last month, CyberArk reported strong second quarter results that beat guidance across all metrics, underscoring the power of our platform and identity security’s foundational role in Zero Trust-based cybersecurity. We believe we have a tremendous opportunity ahead and remain focused on listening closely and executing our strategy.

We thank our incredible customers and partners for this. Your experiences, perspectives and feedback have shaped CyberArk since day one. And we celebrate our CyberArk team – the cornerstone of our business – for their focus, execution and commitment to excellence. We dedicate this milestone to all of you.

Download the Full Complimentary Report

To learn more, download the full 2023 Gartner Magic Quadrant for Privileged Access Management report.

*GARTNER is a registered trademarks and service mark, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

1 – Gartner® Magic Quadrant™ for Privileged Access Management, by Felix Gaehtgens, James Hoover, Michael Kelley, Brian Guthrie, Abhyuday Data, 5 September 2023

Barak Feldman is senior vice president of PAM and Identity Security at CyberArk.

Investing in cybersecurity is a lot like working hard to save for retirement. Your budget’s already tight, but you must secure the future. You’re faced with endless headlines and market updates that make you nervous about making the wrong choices – or not making moves quickly enough amid fast-changing conditions. Under pressure, many focus on identifying the investments (effort, time, money) that are best positioned to keep generating income for you while requiring little or no maintenance. In other words, work smart – not hard.

This makes sense in the cybersecurity world, too. You should ask yourself what passive income ideas may help you achieve your cybersecurity goals faster.

Of course, it’s easier said than done. But some nice, no-nonsense cybersecurity “investments” will continuously generate “income” through saved time, calmer nerves and fewer expended resources. Every cybersecurity professional should look for focal points – the centers of maximum risk concentration. These points repeatedly show up in all kinds of attack kill chains. Then, you need to set up rules to reduce or eliminate the attack surface around these points so you can keep working normally (while for someone else using them for nefarious purposes – or anything else – it should become extremely difficult).

Here are some focal points that you can focus (pun intended) on to break most attack chains:

Focal Point No. 3: Break Common Exploit Techniques

Many exploits take advantage of software bugs, vulnerabilities or legitimate functionality to cause them to operate in ways that assist attackers. Many are relatively easy to implement, particularly those requiring minimal user interaction. An example of little interaction could be a recent CVE-2023-36884 exploit, which, according to the CVE description, an attacker would need “… a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

Convince the victim to open the file? I mean, what could be easier? …

“Dear HR, please find my CV attached.”

All set!

Okay, so what should be the “passive income” investment here? What we need to stop from happening is a situation when an application spawns another application in an elevated mode. The technique is called child and parent process control. It will protect through various exploits that target PowerShell, MS Office, Adobe Acrobat and many other applications.

Focal Point No. 2.: Make Your Web Browser a Secure Browser

Session hijacking becomes the attacker’s weapon of choice. It’s beautiful in its simplicity. All you need to do is steal a tiny text file from the target’s machine, which can provide access to the victim’s email, documents or cloud configuration consoles. The scariest thing about session hijacking is that it bypasses all the complex user authentication systems IT puts in place, including multi-factor authentication (MFA).

The focal point here is the browser, of course. We must restrict access to the browser’s memory and cookies with privilege threat protection to prevent a successful attack. By preventing cookie stealing, we can thwart session hijacking, no matter how the attacker attempts to access session data.

This “investment” is quickly rising in importance as more and more threat actors turn to attacking browsers, considering they can gain access to critical systems and sensitive data, such as financial transaction systems, SCADA control and cloud configuration consoles, security tool web interfaces, data lakes and email systems.

Focal Point No. 1: Defend Credentials Everywhere

Another focal point that is very common in many attacks is user and administrator credentials, security tokens, passwords and password hashes. Security professionals set up IT systems in a way that scatters credentials and other bits of trust (tokens, hashes, cookies, certificates) across endpoints. If attackers can access those items, they can gain persistence, move laterally, elevate privileges and deliver impact. In a recent example, a threat actor dubbed Storm-0558, according to Microsoft, “… accesses credentials from a variety of sources, including the LSASS process memory and Security Account Manager (SAM) registry hive. … once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user’s cloud email account with the valid account credentials.”

And, in yet another data breach, at least “…179,000 AWS Console credentials, 2,300 Google Cloud credentials, 64,500 DocuSign credentials, 15,500 QuickBooks credentials, 23,000 Salesforce credentials, 66,000 CRM credentials” were stolen with information stealers and listed for sale. Information stealers are a type of malware that steals data stored in applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients and gaming services – in other words, scattered across each machine in every organization, waiting to be found and stolen by attackers.

By blocking access to various credential stores within the operating system and third-party applications, you can protect your users and endpoints from many threats, making this technique a terrific passive cybersecurity income technique. CyberArk Endpoint Privilege Manager has over 50 different rules preventing credential and security token theft, and new rules are constantly added and dynamically delivered to endpoints, for example, a new rule for workstations and servers that protects Discord, a popular communication platform, from various data theft methods that can help prevent a data breach.

Focal Point No. 0: Abuse of User Privileges

Preventing the abuse of user privileges should be the first on the list, but we felt it could be a little repetitive for you if you read our blog regularly – hence the zero. Beating a dead horse would likely be the proverbial description, except the horse is still very much alive. While everyone seemingly agrees about this security best practice – no user should work under local admin – we still see organizations where users keep working as admins. CISA issued an advisory focused on detecting advanced persistent threat (APT) activity targeting Outlook online that recommends the following as a general cloud migration: “Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties.” and “Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.”

My take regarding endpoint privilege security is even more radical: No user should have local admin rights. Period. CyberArk Endpoint Privilege Manager can take care of all the necessary elevations whenever a user requires elevated privileges. And for any conceivable scenario when policies are too rigid to permit an automatic elevation, there are several ways to quickly resolve it including just-in-time (JIT) policies and offline authorization. These methods are much quicker than having a system administrator remotely connect to your machine. And if you are a local administrator, you’re taking on enormous risk because cyber incidents are bound to happen.

Breaking the Attack Kill Chain (The Easy Way)

So, there you have it. Take care of these focal points. Thankfully, it’s relatively easy to do (given the right tools) and is a set-and-forget activity – just like passive income! Once set, attacks will continuously hit a wall, considering the attackers will find themselves disarmed and toolless. We can’t promise that after reading this post, you’ll have a clear roadmap to financial independence and early retirement, but we hope you found some helpful advice here that will save you some time and maybe a grey hair or more.

Author’s note: Oh, by the way, CyberArk Endpoint Privilege Manager has these and many more threat mitigation rules as a part of QuickStart – our rapid risk reduction and least privilege framework.

Andrey Pozhogin is a senior product marketing manager at CyberArk.

The U.S. Securities and Exchange Commission (SEC) recently announced a ruling aimed at enhancing public companies’ cybersecurity risk management, strategy, governance and incident disclosure. To sum it up, companies must report cyberattacks within four days of determining an incident is “material” and divulge details about their cybersecurity programs annually.

With this long-anticipated ruling, the SEC calls on companies to increase transparency and accountability by providing their investors with “consistent, comparable and decision-useful” information about how they manage cybersecurity risks. While some enterprises are prepared to meet time-based disclosure regulations today, many must beef up their capabilities before the SEC requirements take effect in December 2023.

With the clock ticking, here are five actions CISOs and security leaders can take to prepare for SEC cybersecurity compliance and mitigate cyber risk:

1. Review your organization’s current incident response and reporting process. Having a solid playbook in place isn’t enough. It takes repetition and muscle memory to act quickly and decisively to minimize an attack’s impact. Conducting regular readiness exercises will help teams uncover technical gaps and process or communication breakdowns that could hinder timely response and disclosure.

2. Assess the threat landscape. Threat actors’ techniques change, but identity remains a constant in the attack lifecycle. According to the CyberArk 2023 Identity Security Threat Landscape Report, the number of human and machine identities is expected to balloon by 240%. Nearly half of all identities require sensitive access to perform their roles, making them appealing and plentiful targets for threat actors. And almost all (99%) security professionals expect an identity-related compromise to occur in their environment in the next year. When you consider the numbers and impact of recent major breaches, it’s clear this is no longer an identity and access management (IAM) or even a cybersecurity problem – this is a business problem. To properly manage risks to your business, you must understand where your most critical assets are, who (human identities) and what (machine identities) can access them, how these identities access them, when this happens and for how long.

3. Evaluate existing controls. As part of the SEC’s new rules, companies must add specific details about their cybersecurity programs in annual 10-K filings. Now is the time to analyze existing security controls and policies against recognized standards, such as the NIST Cybersecurity Framework or ISO/IEC 27002, to identify areas where your controls do not adequately mitigate your risk. From there, it comes down to prioritization. Most security leaders will focus on “buying back” the most risk in the shortest amount of time using the least amount of resources. Securing identities often rises to the top of prioritized lists, given the surge in human and machine identities and associated risks. With a sufficient sense of urgency, critical identity security controls (that emphasize Zero Trust and least privilege principles for monitoring and controlling access) can be implemented quickly – as is often done in the wake of actual breaches. It’s wise to focus initial steps on securing high-value targets that represent the greatest potential risk to the business:

After taking these steps, you can extend the breadth and depth of your defenses to mature your identity security strategy. If you’re looking for prescriptive guidance, check out the CyberArk Blueprint for Identity Security Success.

4. Prepare for “materiality” decision-making. As part of the SEC ruling, public companies must file a Form 8-K with the SEC within four days of determining a cyber incident is “material.” There are many factors to consider when determining the materiality of a cyber incident. Part of the CISO’s job is to rapidly assess the situation and provide relevant information (i.e., what happened, when, what was impacted, what is still unknown) to help their organization make that call. The ability to track all identities effectively, coupled with continuous threat detection and analysis, is one of the best ways to ascertain this information in a timely manner.

5. Sharpen business risk communication skills. As the organization’s cybersecurity “translator,” the CISO must communicate business risk to the Board effectively and efficiently – now even more so given time-based disclosure mandates. This means reframing technical metrics and demystifying cyber risk by using more relatable terms, such as financial or reputational impact. Explore ways to integrate cost-benefit analysis into your organization’s existing cybersecurity framework to help quantify risk and mitigation ROI for key control areas. In the meantime, continue professional development pursuits to sharpen your communications and change management skills. And actively broaden your professional network, as there may be times when you’ll need to “phone a friend” (for instance, a fellow CISO/CIO or insurance expert) to help explain the implications of a cyberattack to the Board.

Building Cyber Resilience Through Enhanced Collaboration

The SEC’s new time-based ruling is one of many government steps to push the ball forward. Yet building cyber resilience takes significant collaboration on all fronts.

At an organizational level, CISOs must get even closer to their Boards and business stakeholders. Regular conversations and relationship-building efforts are key to understanding their priorities, challenges and risk tolerance. With these insights security leaders can shape “big picture” cybersecurity programs that align to key business goals, maximize risk reduction and hold up under investor scrutiny.

In the same vein, more cooperative action across private and public sectors is needed to raise our collective defense and protect our borderless networks from evolving threats. These cybersecurity reports to the SEC should be rapidly analyzed and anonymized for distribution to the cyber defense community. If properly implemented, this SEC initiative can be used with others to help enable all of us working together to reach the vision of the former Office of the National Cyber Director: “You need to beat all of us to beat one of us.”

James Imanian is Senior Director of the U.S. Federal Technology Office at CyberArk.

For security teams managing their enterprises’ privileged access management (PAM) programs, times have changed and what’s considered a privileged or high-risk account has drastically shifted. In turn, the way organizations not only manage privilege, but comprehensively secure it, must also shift.

Historically, organizations have managed their PAM programs by vaulting and rotating credentials on privileged accounts. Security controls are put in place for specific users, such as admins and specific accounts like a domain admin account. This approach no longer satisfies organizational needs.

According to 2,300 IT security decision-makers surveyed in the CyberArk 2023 Identity Security Threat Landscape Report, there’s a significant gap. Sixty-three percent say that the highest-sensitivity access for their organization’s employees is not adequately secured at a time when they expect both human and non-human identities to grow roughly 240% in the coming year.

Security professionals feel this way because privileged access as we know it has evolved (you can have a look at our blog post on this same subject from PAM’s 2017 scrapbook to see an earlier take on that evolution for yourself). The big change catalyst: the types of privileged accounts that need to be secured have expanded in scope and scale, as enterprises made moves to become more digital and cloud based. A fresh approach to PAM programs means understanding the wide range of accounts and their vulnerabilities.

These days there are three categories for classifying privileged accounts:

1. System accounts
2. Operational accounts
3. Application accounts

All these accounts encompass human and non-human identities, each with distinct levels of privilege that require separate management to restrict the attack surface.

Let’s dive into the different privileged account types organizations must secure and dynamically provision:

1) Accounts with System-level Privileged Access

System-level privileged access accounts are administrative accounts, often established by the operating system or cloud provider. These accounts possess inherent high-risk characteristics, featuring persistent privileges and predefined passwords, necessitating secure vaulting, deployment in emergency access situations and ongoing monitoring for authorized user access.

Here are a few examples of these accounts:

• Domain administrator accounts have complete privileged access to all resources, servers and workstations within the domain. The domain admin is the most powerful account in the domain and is installed automatically on the first domain controller and created for Active Directory.
• Linux root accounts have unlimited access to all programs, files and resources on a designated Linux system, VM or cloud instance running Linux services.
• AWS root accounts are the first identity created by default in a cloud service provider (CSP), and all CSPs have some root account. They control everything in the instance and are a prime target for bad actors. It’s best practice to vault these accounts and never use them for day-to-day tasks. Instead, keeping the AWS example, create an AWS IAM user account with varying privileges to adhere to the principle of least privilege (PoLP). You can replace the accounts with federated identities and grant permissions using zero standing privilege (ZSP) platforms.
• Azure active directory (AAD) global admin accounts are like AWS Root accounts – they are the most-privileged account tied to your Azure tenant. Avoid using these accounts for day-to-day tasks; instead, vault and centrally manage them using a PAM solution.

2) Operational Accounts with Privileged Access

Operational accounts with privileged access roles are created for SaaS applications and CSPs and they should be used for day-to-day tasks that have varying permissions levels. Following a ZSP north star, these accounts do not need standing privileges and should be provisioned just-in-time (JIT).

These accounts include:

• SaaS business application accounts are created administrative accounts used for, cloud consoles, CRMs, or ERP systems privileged accounts because they can access sensitive data and business-critical information. These accounts can be accessed by employees, vendors and contractors, and they hold varying entitlements and access levels, making them significant threat targets.
• Privileged personal accounts, such as personal admin or -A accounts, are used for server administration, deployment and infrastructure support.
• AWS IAM user accounts are created by an AWS root user with varying levels of entitlements and attributes to carry out day-to-day tasks. These accounts can be used by humans, applications or machine-based identities and can be assigned to role-based access groups. Users needing access to the AWS console should have an IAM account to adhere to the principle of least privilege and avoid sharing credentials.

3) Application or Machine Accounts – Non-Human Accounts with Privileged Access

Application or machine non-human accounts are used for machines to communicate, applications, RPA bots, container services and IoT/OT devices. These accounts also bring out additional threats to the organization.

A few types of these accounts are:

• Service accounts, which are found in Unix and Linux, Windows and CSPs. They’re created to manage tasks, application pools, run virtual machines (VMs), scripts, automated services and interact with operating systems. Service accounts and their dependencies should be centrally managed, vaulted, and their access should be monitored and audited.
• Robotic process automation (RPA) accounts emulate humans and are used to build, deploy and manage software robots to carry out automation tasks. These non-human accounts are privileged and often share credentials to extract data, interact with cloud services and APIs. RPA technology introduces a new attack surface given the level of privilege needed to do their job.

Secure Identities and Shutdown Attackers

High-risk access is an ongoing issue as organizations scale. Whether that be on-premises, cloud consoles or SaaS-based applications – privilege is everywhere and managing an evolving PAM program means securing access for modern use cases.

With this in mind, today’s attack surface has evolved and become more complex – and how organizations secure their privileged accounts must remain in step with effective security controls. Implementing an identity security framework with intelligent controls at the center will allow you to secure the keys to the kingdom and enable operational efficiencies for your users and extended workforce.

Learn how CyberArk can help you address modern use cases for your PAM program – and keep your organization safe from identity-based threats.

Ryne Laster is a product marketing manager at CyberArk.

Generative artificial intelligence (AI) has officially arrived at the enterprise and is poised to disrupt everything from customer-facing applications and services to back-end data and infrastructure to workforce engagement and empowerment. Cyberattackers also stand to benefit: 93% of security decision makers expect AI-enabled threats to affect their organization in 2023, with AI-powered malware cited as the No. 1 concern.

Facing this reality, IT and security leaders must strategically capture new business value while mitigating the risk brought by AI-enabled tools. A security-first mindset and the ability to adapt are critical because, as years in the military taught me, the only way to the end is through.

Five Steps for Securely Embracing the Enterprise AI Opportunity

Part of my job as CyberArk Global Chief Information Officer is utilizing new data-driven tools and cloud technologies to support resiliency, speed and scale. It’s an exciting time to be a technologist and I see many potential ways to harness AI technology to advance CyberArk’s mission and growth. In some areas, we’re already doing so. Personally, I believe AI tools can help me be a more productive, focused and impactful leader.

Yet navigating AI’s Wild West is challenging. With no playbook or precedent to follow, information sharing is crucial. In that spirit – and based on our team’s experiences, ongoing peer conversations and market insights – here are five practices for IT and security leaders to consider as enterprise AI use cases expand:

1. Define your organization’s AI position from the start. Is your company already using generative AI at enterprise scale? Perhaps it is just beginning a proof of concept (PoC) to test the waters. Or maybe it has drawn a hard line by blocking ChatGPT and similar tools until regulators can catch up and guardrails are codified. Whatever your organization’s AI position may be, it must be clearly defined and communicated from the top so everyone starts – and stays – on the same page.

2. Open the lines of communication. Establishing AI-specific company guidelines, publishing usage policies and updating employee cybersecurity training curricula are necessary steps. But real dialogue goes both ways.

At CyberArk, employees are encouraged to send their AI-related questions, ideas and requests to a dedicated email address. An AI “tiger team” of cross-functional experts meets bi-weekly to review and respond to each submission, identify high-value use cases and work to create secure models – using AI tools and aligning with organizational policy – that teams can use. As we move forward, this team will play an integral role in tackling emerging challenges and devising creative strategies that help us maximize AI benefits.

3. Revisit the internal software request process. According to the 2023 CyberArk Identity Security Threat Landscape Report, employees in 62% of organizations use unapproved AI-enabled tools that can increase security risk. This highlights the need for IT and security leaders to adapt their approaches or risk being viewed as innovation blockers.

Like most IT departments, my team is experiencing a surge in workforce requests for AI-enabled tools and add-ons. In response, we’ve enhanced our third-party software vetting system to help meet employees’ needs more efficiently while doing our due diligence. But this process doesn’t stop at employee requests. Why? Because “assume breach” also means we must “assume shadow IT” (software downloaded and used without IT’s approval) and “assume clicks” (especially as AI-fueled phishing campaigns become increasingly convincing). We proactively layer endpoint security controls with malware-agnostic defenses to enforce Zero Trust and least privilege and close gaps caused by inevitable human error.

4. Speak the CFO’s language. As technology leaders, we must build operationally efficient platforms and environments – even more so in the current economic climate. As changemakers, we must demonstrate AI’s business value to our CFOs. An honest, rational approach backed by hard data is critical; illustrating how a tool can help advance multiple business priorities is even more powerful.

Here’s an example “pitch” that uses recent stats on the AI-powered developer tool GitHub Copilot: “Early data shows that this tool can help our developers code – and innovate – up to 55% faster. But increased speed is just the start – it can also help us engage our employees more effectively: 75% of developers say the tool helps them feel more fulfilled and able to focus on more satisfying work. This is important since studies have linked higher job satisfaction to stronger employee retention, customer loyalty and company financial performance.”

5. Continuously assess AI threats. This means rigorously assessing all AI-enabled tools before use, continuously assessing all AI-enabled tools in use and having the ability to immediately block and roll back any AI-enabled tool if it’s necessary. It also means constantly thinking like an attacker and concentrating on identities, their greatest opportunity area.

Security researchers have already uncovered numerous ways that threat actors could use AI to improve techniques in the early phases of identity-based attacks. For instance, AI can help them write legitimate-sounding email copy for phishing campaigns, generate malware that evades detection or bypass facial recognition authentication. Just recently, CyberArk Labs used a short clip of my voice – pulled from the only English-language podcast I’ve ever recorded – to create an AI-generated deep fake that could be used for voice phishing. It’s yet another way attackers are innovating to circumvent traditional security controls. If my colleagues could do this in less than five minutes, imagine how easy it would be for an attacker to impersonate a high-profile executive or government leader who’s frequently on TV.

Amplifying Security Approaches with AI

IT and security teams are also using AI to adapt and improve cyber resilience. While human talent remains critical for combatting emerging threats, AI can help bridge some of the gaps caused by the 3.4-million-person cybersecurity worker shortage. CyberArk’s latest research found that 41% of cybersecurity teams use AI to address skills and resource shortages and 47% use AI for automation today.

Generative AI has the potential to transform many security functions as it continues to improve. Take the security operations center (SOC), for example. By automating time-intensive tasks such as triaging level-one threats or updating security polices, hard-working SecOps professionals can focus on more satisfying work. Ultimately, this may help reduce staffing shortage issues while curbing employee turnover and attrition – the second largest contributor to the cyber skills shortage, according to the latest (ISC)² Cybersecurity Workforce Study.

Technology is constantly changing. Right now, we’re experiencing another wave in a continuous evolution cycle. There will be challenges ahead, but leadership is all about making decisions in the face of uncertainty. With an open mind and unwavering security focus, technology leaders can confidently navigate these uncharted waters and embrace new opportunities.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.

Insider threats don’t often seem like threats at all. They look like colleagues working diligently at the office, logging on to the corporate network from Starbucks or providing a critical third-party service. But insider threats are a big problem that’s getting even bigger and costlier to tackle.

A 2022 Ponemon Institute study found that insider threat incidents surged by 44% in the two years analyzed, with impacted organizations spending $15.38 million annually on average to deal with the fallout. While hard numbers aren’t yet available for 2023, global risks and economic pressure are fueling five major workforce challenges that further intensify insider threats.

1. Workforce reductions. With any employee layoff or resignation comes the possibility that the person may take something they shouldn’t. According to the 2023 CyberArk Identity Security Threat Landscape Report, 58% of security professionals report instances of exiting users saving sensitive or confidential work documents outside of policy. In times of organizational turmoil, when concerns about layoffs might increase, these insider threats can worsen.

Consider this high-profile incident at a major beverage manufacturer: after learning of her upcoming layoff, an engineer exfiltrated documents containing trade secrets worth nearly $120 million in her final days as an employee. According to reports, she was one of just two people with access to the specifics of a top-secret chemical formula – the archetypal privileged user. The engineer was ultimately convicted and sentenced for her crime; however, the case highlights challenges many companies face in protecting intellectual property and other critical assets, especially during times of workforce change. Sixty-eight percent of security decision-makers expect layoffs and workforce churn to create new security issues in the next 12 months.

2. Shrinking third-party ecosystem. Cybersecurity risks due to belt-tightening extend to third-party vendors, such as contractors with insider access to sensitive information. If a third-party relationship ends and permissions aren’t promptly removed, the vendor could still access company assets or an external actor could hunt down these orphaned accounts and use them for malicious purposes.

Managing third-party access is a thorny challenge, no matter what’s happening in the world. In fact, surveyed security professionals say third parties – partners, consultants and service providers – represent the riskiest human identities.*

3. Rising “resenteeism.” As a July 2023 New York Times headline declared, “The ‘Great Resignation’ is over.” In this unstable economy, more employees are staying put. And a workplace buzzword is gaining traction to describe workers who aren’t thrilled about it – “resenteeism.” Whatever their grievances – from lack of job satisfaction to feeling undervalued or burned out – these workers tend to air them out in the open. Not only can resenteeism negatively affect workplace culture and productivity, but it can also increase malicious insider threat incidents.

Imagine an employee who’s experienced repeated promotion denials, feels undervalued and is growing increasingly resentful of their employer. “Getting even” might involve stealing or leaking sensitive data – or even advertising their ability to undermine their organization’s security, as security researchers recently observed. In a time when 63%*of organizations have not adequately secured the highest sensitivity access for their employees, there’s a chance the “resenteeist” could get away with it.

4. Personal financial hardship. The 2023 Verizon DBIR suggests that inflation and the soaring cost of living may be fueling more financially motivated insider threats. According to the report, privilege misuse – defined as “employees abusing the access they have been given to do their jobs,” and the leading cause of non-accidental internal actor breaches – is more often paired with fraudulent transactions than in the past several years. This could look like a financial comptroller – a privileged identity with access to systems where bank accounts and routing information are stored – making an unauthorized transfer into their own personal account.

DBIR authors write, “Seeing internal actors increasingly just redirect funds is especially concerning, considering it may be someone in a position to siphon significant resources away from the organization.”

5. Stress-driven slip-ups. Workforce reductions and churn have a profound impact on remaining employees. Many are expected to shoulder additional work, which can negatively impact stress levels. And stress goes hand in hand with mistakes.

Susceptibility to phishing and other social engineering attacks is already sky-high. Recent assessments by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) found that within the first 10 minutes of receiving a malicious email, 84% of employees took the bait by replying with sensitive information or interacting with a spoofed link or attachment. Overworked and overstressed employees could make it even easier for phishing attackers to “hook” credentials. And since 50%* of workforce identities have access to sensitive corporate data, their odds of reeling in a prize-winning catch are good.

As insider threats loom large, who can you trust?

That’s a trick question. Eighty-four percent of organizations experienced an identity-related breach in the past year* – further proof that trust has no place in cybersecurity.

By eliminating trust, any threat’s origin – inside, outside, anywhere – becomes less relevant. And without daunting labels, complicated threat categories or patchwork protections, security gets a lot simpler.

That’s the promise of identity security: powerful and continuous protection wrapped around every identity, grounded in Zero Trust and least privilege. With full visibility and control, organizations can quickly spot access misuse or abuse and other high-risk activities. Empowered, they can block and prevent threats from reaching critical assets and safeguard their infrastructure, devices and people – wherever they go.

*Source: 2023 CyberArk Identity Security Threat Landscape Report

Bryan Murphy is senior director of Architecture Services & Incident Response at CyberArk.

It is my distinct honor to announce that CyberArk has officially achieved ISO/IEC 27018:2019 certification – the first privacy-specific international standard for cloud service providers focused on safeguarding personally identifiable information (PII), one of the most mission-critical components of cloud security.

Today, more than 8,000 organizations across 110 countries – including more than half of the Fortune 500 – trust CyberArk to protect their most critical assets. Maintaining this trust is our highest priority and we hold ourselves to stringent security and compliance standards. Part of this ongoing commitment involves rigorous reviews of our information security systems and infrastructure. With this ISO/IEC 27018:2019 certification, CyberArk has achieved significant, independent recognition for protecting data privacy and exceeding customer, partner and regulatory requirements for cloud security, transparency and accountability.

The ISO/IEC 27018 standard outlines specific guidelines to reduce information security risks pertaining to PII in public cloud offerings. It supplements and strengthens controls outlined in ISO/IEC 27002 and provides specific security guidance for protecting PII, which NIST defines as “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” This includes sensitive information such as a person’s full name, address, phone number or social security number.

CyberArk has built the following key guidelines into our security control framework to demonstrate conformance with ISO/IEC 27018:2019, emphasize our responsibility in handling sensitive data and show our customers how their data is securely stored, processed and managed in our cloud computing systems:

• CyberArk does not use customer data for business marketing or advertising unless the customer consents to such use. The customer has control over their own data and CyberArk only processes PII in accordance with the customer’s instructions.
• CyberArk handles PII in a specific manner when transmitting over public networks, storing on mobile devices or recovering or restoring data. Relevant CyberArk staff must also sign a confidentiality agreement and CyberArk provides specialized training for employees directly processing PII.
• In the event of a breach affecting customer data, CyberArk will notify the customer without undue delay, maintain a clear record of the incident and assist the customer in remaining compliant with their own security obligations.
• CyberArk must disclose the names of any sub-processors (and any location information about where PII may be processed). If we change sub-processors mid-contract, we must also disclose this information and provide the customer with the right to object to the change.

We remain committed to ensuring that all customer and partner information, in any form, is protected from unauthorized access, modification, disclosure or deletion.

You can learn more about CyberArk’s security practices and industry certifications in our Trust Center.

Omer Grossman is the global chief information officer at CyberArk.

As enterprises increasingly migrate to the public cloud, identity and access management (IAM) inconsistencies across different cloud providers pose a significant hurdle. Effectively securing identities in this complex landscape has proven to be a challenge. Discussions with industry analysts and enterprise clients have highlighted a prevalent issue: the existing security tool suite often falls short in providing actionable measures to weave identity security into cloud operations.

Many enterprises use native cloud provider tools, third-party security solutions and custom-built strategies to meet their cloud security needs. However, most of these approaches are reactive, offering band-aid fixes rather than robust, scalable solutions. The challenge then lies in devising a sustainable identity strategy for the cloud environment and operationalizing it effectively.

From Concept to Execution: Operationalizing Cloud Identity Security

The CyberArk Cloud Security framework offers a systematic and phased approach to streamline identity security operations within the cloud. It converts the broader concept of “IAM in the public cloud” into a solid, ROI-focused initiative. And we begin with the right set of identity security capabilities, such as risk-based access controls, entitlements risk and visibility, identity automation and orchestration, secrets management and audit and compliance – all supported by the enforcement of cloud best practices.

Prioritizing and Implementing the Proper Controls

Cloud identity and its associated challenges are constantly evolving, given the continuous innovation from cloud providers. At last count, there are over 1,400 native services spread across AWS, GCP and Azure, bringing in more than 40,000 entitlements and controls – and it’s an ever-growing list.

Standardizing roles or entitlements in this constantly changing environment becomes extremely challenging. This dynamic landscape often leaves IAM teams juggling multiple priorities. The initial focus is often on “discovery” and “right-sizing entitlements,” which fall within the domain of CIEM (Cloud Infrastructure Entitlements Management). While insightful, identifying and removing unused entitlements linked to cloud resources can be complex, particularly when unused permissions are tied to specific cloud project roles or identities.

As a result, resolving these issues necessitates a dialogue with the application teams, proof of non-utilization and a timeline for resolution. This can be lengthy, raising the question: while entitlement visibility and right-sizing is important, is it the first control to prioritize?

Meanwhile, during these debates about appropriate entitlements, standing access and associated risk persist in your cloud environments. Developers and apps often enjoy unrestrained, always-on access to your cloud environments. Especially in the case of lift-and-shift applications, developers often have standing access to the underlying compute workloads powering their applications. All these scenarios present a significant risk if these identities are compromised.

The Three Steps to Operationalizing Identity Security

To tackle this risk and streamline identity security operations, consider the following key steps:

1. Transition to a zero standing privilege model and eliminate standing access.
The road to least privilege is long and windy and comes with many operational challenges. To reduce your attack surface immediately, begin by transitioning all your privileged and non-privileged standing access to a just-in-time (JIT) based zero standing privilege (ZSP) model. The challenge lies in identifying your riskiest identities – admins, shadow admins, identities with sensitive privileges, identities with misconfigurations – and seamlessly shifting them to a JIT model.

CyberArk Cloud Security offers comprehensive visibility into your entire cloud identity estate’s risk and compliance posture. It enables the automatic and seamless migration of risky identities – or all cloud access – to a centralized platform: CyberArk Secure Cloud Access. By consolidating access policies, you can effectively manage and regulate access to resources across various cloud platforms, enhancing security and reducing complexity.

You can also stop the bleeding for new environments by utilizing a ZSP model when setting up new cloud environments, which ensures they start with a clean slate and no standing access. This can allow organizations to stop the bleeding of standing privileges. Nobody prefers revisiting and fixing issues.

Moving to a ZSP model significantly reduces your cloud risk surface, helps you demonstrate ROI via risk reduction to leadership, and helps you comply with cloud access control requirements stipulated by leading industry standards like NIST and SOC2.

2. Address non-human use cases and standardize audit and compliance.

Along with the immediate human access risks we’ve just addressed, there are, of course, non-human threats. Application and API access pose notable risks – and getting complete visibility into the non-human elements is a key measure.

Here are steps you can take to reduce significant risks:

• Initiate centralizing non-human access and develop a unified system for managing secrets to secure access to your cloud environments.
• Fix excessive and risky entitlements and identity issues across clouds. As you start addressing these issues, it’s essential to use a framework that helps you gain the right set of insights and take meaningful risk-reduction actions. Our Insight to Action framework in CyberArk Cloud Security was designed to help administrators do exactly that. The framework links risk insights to remediation recommendations that can be applied programmatically, through click-and-remediate solutions or automation.
• Ensure that integrations are set up with the common tools used by the cloud security teams, cloud admins and infrastructure engineers. Integrations to ITSM and ChatOps tooling help seamlessly integrate access approval workflows and notifications.

3. Adopt proactive measures and embrace automation.

You’ve tackled the major risk factors related to human and non-human access and understand identity security nuances across the clouds used by your organization. Now embrace automation to enforce industry standards for both types of access.

There are over 100 out-of-the-box best practice rules in CyberArk Cloud Security, so you can extend the rule framework and build identity security rules based on your cloud environments’ internal guidelines and guardrails. This enables you to initiate the automation of fixes for common and recurring identity issues in the cloud.

Again, nobody wants to go back and fix things. Ensure that new apps and cloud environments conform to the best practices you want to establish. Make it easy by automating these checks in the Infrastructure-as-Code (IaC) provisioning process.

The above steps will help you to standardize audit and compliance requirements and gain complete visibility to cloud identities (human and non-human) and secrets dispersed across different stores in the cloud.

Driving Value Through Standardized Cloud IAM Operations

Standardizing cloud IAM operations with CyberArk Cloud Security means establishing a consistent methodology for managing and enforcing best practices, securing access for humans and non-humans – and auditing and compliance across your cloud estate.

When effectively operationalized, a cloud identity security solution enhances your cybersecurity defenses, saves time, reduces risk and validates its cost by delivering rapid, measurable value. It’s a journey from abstract to concrete, making the intangible quantifiable in a robust and agile manner.

Read more about the various access cloud challenges in the CyberArk executive POV, “Why Cloud Identity Security and Why It Seems So Hard.”

Paddy Viswanathan is vice president of Cloud Solution Strategy at CyberArk.

Warm. Rich. Chocolatey. The way I see it, a proper chocolate layer cake is the best sensory experience a human can have. Let’s go a bit further still: good chocolate cake is the height of human achievement.

In the world of enterprise IT, one could say the same of a diverse, purpose-built IT infrastructure. Every enterprise application – whether internal or customer-facing – must run on the right server, virtual machine (VM), container or database for the task at hand.

And like a perfect chocolate cake, modern enterprise infrastructure is multi-layered. One foundational IT layer is the Linux and Windows servers that still effectively power tried and true applications on-premises. Another layer is composed of the cloud-hosted VMs where organizations ‘lift and shift’ applications in search of operational efficiencies. SaaS applications that empower the workforce are yet another layer. The same applies to the containers and serverless functions powering an enterprise’s cloud-native applications. And then, of course, there’s the most powerful (and highest-risk) layer of modern IT – the cloud management layer – where engineers and admins launch or change configurations via console or command-line interface (CLI).

Securing the identities with high-risk access to each of these layers requires tailored controls, identity security and privileged access management (PAM) programs that organizations charge with securing their highest-risk access can be carefully crafted to address every layer of modern IT infrastructure.

Essentially, PAM can help secure every layer of the cake. Here’s how…

Layer 1: PAM Controls for System-level Access to Workloads Running Inside VMs

It doesn’t matter how good a cake is if the foundation can’t support it. Many enterprises still directly manage much of the Linux, Windows, database and even mainframe infrastructure that powers their tried-and-true applications. This is especially true in highly regulated industries and verticals where low-latency computing is essential, like finance, energy and manufacturing. Even when organizations do move these established systems to the cloud for operational savings, many take a ‘lift-and-shift’ approach. These systems still work well, so there’s no need to re-architect them beyond moving them from on-prem servers to cloud-hosted VMs.

Whether they live on-premises or in the cloud, securing the privileged credentials and SSH keys that grant administrative access to these workloads will always be essential. This is especially true of built-in accounts on servers and VMs, such as Root accounts on Linux servers.

Foundational PAM best practices like automated credential rotation and least privilege access not only can reduce the risk of credential theft. Sometimes, these controls may even be required for IT security compliance or cyber insurance coverage.

Baking tip: Like good cake, good identity security programs need several layers. In addition to securing credentials, it’s essential to apply additional PAM best practices like monitoring and isolating privileged sessions. This can help deter insider threats while preventing ransomware and other malware from ever reaching VMs.

“Like good cake, good identity security programs need several layers. In addition to securing credentials, it’s essential to apply additional PAM best practices like monitoring and isolating privileged sessions.”

Layer 2: PAM Controls for Operational Access to Workloads Running ON VMs

Most VMs are short-lived. This is one of the foundational value propositions of cloud computing; organizations can run workloads on rented VMs without spending time and money on infrastructure maintenance. While high-risk administration on specific VMs may sometimes be necessary organizations generally don’t create dedicated system-level accounts (and the associated risk) for access to these short-lived machines.

PAM programs play an important role in securing access to ephemeral workloads. When access to specific, self-managed systems is needed, operational privileged access can be elevated just-in-time (JIT) to reduce the risk of credential theft, helping reduce standing privileges. IT and development teams can natively elevate access without SSH Keys or passwords using attribute-based access control (ABAC). Identity security teams can tag workloads for a specific project using CSP tagging features, allowing end users to natively connect only to resources tagged with this attribute. And since users don’t have passwords with standing privileges, there is a significantly reduced risk of credential theft.

Baking tip: The absence of credentials does not equate to the absence of trust. To embrace Zero Trust concepts for cloud access, embrace the ‘never trust, always verify’ paradigm. PAM Best practices like enforcement of least privilege and session isolation reduce trust. Meanwhile, the tried-and-true advice to implement adaptive multi-factor authentication (MFA) can help verify.

Layer 3: Access to Cloud Service Provider Services IN the Cloud

PAM teams already know: with great power comes great responsibility. Protecting the most powerful access in the public cloud is essential. And that includes the access elite engineers use to launch, configure and decommission the services powering their applications. Whether these engineers access this cloud management layer via web consoles or CLIs, their access must be protected.

JIT elevation can help reduce the risk of credential theft in these scenarios. But once access is elevated, development teams have, to borrow their parlance, ‘god-level’ entitlements to spin up – or take down – anything they want.

Many organizations are embracing the emerging security concept of zero standing privileges (ZSP) to safeguard development teams without slowing them down. In this model, engineers can elevate access JIT only to roles scoped with just enough permissions for the job at hand (or, in other words, least privilege access).

ZSP provides meaningful, defense-in-depth risk reduction. First, developers do not have credentials with always-on access, so those credentials can’t be stolen. Second, even if developers become malicious insiders or have their access compromised, their permissions are limited, reducing the blast radius of an attack.

Baking tip: Empower developers with ZSP, instead of slowing them down. In an outage or critical situation (‘critsit’), engineers need the ability to use their preferred tooling to request elevated entitlements and save the day. Integration with preferred development tooling is critical for these cases and any meaningful adoption of PAM controls. The same is true for session monitoring controls to deter internal threats and maintain audit trails for compliance purposes.

“Empower developers with ZSP, instead of slowing them down. In an outage or critical situation (‘critsit’), engineers need the ability to use their preferred tooling to request elevated entitlements and save the day.”

Layer 4: High-Risk Access to SaaS Apps

Risk isn’t confined to infrastructure and software environments. It also exists in cloud-hosted web applications used by every workforce member, from software engineers to HR and finance administrators. Unfortunately, this access also presents a significant security risk, considering attackers can use it to gain access to sensitive data.

Organizations can protect this final layer of high-risk access in the cloud with web browser session protection and monitoring controls. Session protection can defend against session hijacking and cookie theft attacks. Just as with infrastructure or console access, monitoring high-risk sessions can provide a complete audit trail of user activity to satisfy compliance requirements and deter internal misuse.

Baking tip: To get the cloud security recipe right, adjust controls according to the risk level of data in a SaaS application. For example, compromised access to apps containing IP or EHR data pose more risk than access to a training application. Just like with the PAM controls securing access to high-risk infrastructure, requiring step-up authentication to the most sensitive web apps is a simple best practice that can significantly reduce risk.

Bonus Layer: Secrets Management (the Icing on the Cake)

Humans aren’t the only identities requiring privileged access in multi-cloud environments. Machine identities like serverless functions, application accounts and RPA bots also use credentials to authenticate autonomous processes. In fact, it’s estimated that machine identities outnumber human identities in today’s software-heavy world by a factor of 45:1.

Organizations must govern application secrets consistently to reduce the risk of attackers compromising hardcoded credentials. Centralizing governance and credential rotation in a single cloud-agnostic hub can help mitigate this risk.

Baking tip: For the tastiest frosting, cater to the tastes of your development teams. Many engineers prefer to use native tooling from AWS, Azure and GCP. Allowing for the rapid ‘retrofit’ of credential management to cloud-native secret stores can keep developers happy – and secrets secure.

Intelligent privilege controls are vital ingredients within every layer of a multi-cloud environment. With a layered approach to securing privileged access, organizations can develop a powerful recipe: user-friendly security that doesn’t slow down engineering velocity. That’s quite the achievement – although maybe not as impressive as a warm, rich chocolate cake – but an impressive output, nonetheless.

To learn more about all layers of the multi-cloud identity security cake, feast your eyes on the CyberArk executive POV, “Why Cloud Identity Security and Why It Seems So Hard.”

Sam Flaster is a director of product marketing at CyberArk.

The most significant change in the lifespan of identity security thus far is zero standing privileges (ZSP). Considered to be the next evolution of just-in-time (JIT) access, although it may seem needlessly complex at first, once you wrap your head around the concept, it feels as natural as turning off lights when you leave a room.

But first, a bit about me and the journey to ZSP.

I’m lucky enough to have thus far had a diverse career in tech that’s had me in a series of roles, from being an engineer to working with advisory consultants. During my time building infrastructure at scale, there’s been a constant demand for concepts that address the risk posed by privileged access without impacting ops productivity. As it turns out, years later, as I led CyberArk’s Strategic Alliances Solutions Architecture practice, I saw this exact challenge from another viewpoint. People want to behave in a way that keeps their organizations safe, but they expect to remain productive – not blocked by intrusive controls.

The ZSP concept meets that need.

The Journey to Zero Standing Privileges

Least privilege (or the principle of least privilege (PoLP)) is always a no-brainer. If you don’t need access, you should not have access.

I ran a team of operations engineers many years ago supporting a large-scale Infrastructure-as-a-Service (IaaS) platform. In looking at what we could do to improve the security of our platform, least privilege made perfect sense to us – it felt like a boundary that defined if something was in scope for our team or not.

A glimpse, from the author’s perspective, of 400 servers – or about 2% of the platform managed by his team in 2013.

We ran with the principle of least privilege – piloting various implementations and methodologies. But ultimately, that least privilege journey fell flat. The team, comprised of what would now be called platform or site reliability engineers, had massive hesitance to give up the access rights they felt they might need during an incident. Any team dealing with a critical situation is very familiar with the idea that it’s hard to build a technical plan for ‘when it goes wrong.’ Things never break in the way you expect.

In looking for the next concept that might allow us to improve the security of our platform, just-in-time (JIT) access was an easy winner for us. The only thing holding us back was our collective ‘when it goes wrong mindset’ where, during a critical situation, we’d often want to troubleshoot at a large scale across the entire platform, potentially accessing hundreds of servers, routers and switches to identify the issue. This wasn’t an unreasonable concern, but one that could be exploited by any attacker present.

As it turns out, I left the organisation before anyone definitively figured out the correct solution. I considered it a real miss that I never actually determined the right way to improve the identity security of our platform.

The reality was that we needed something that combined these concepts with consideration for the operational impact. This is where the concept of ZSP becomes highly relevant.

What is Zero Standing Privileges?

In short, ZSP evolved from JIT access because it was a necessity. Simply turning on and off administrative access for a user didn’t offer enough risk reduction for many modern enterprises.

ZSP is the concept that an identity sits with no entitlements on the resource it will be used to access – until the identity is needed and entitlements are requested. When granted, those permissions are only the ones required. It’s giving access to the right people at the right time – no more and no less. This represents a massive attack surface reduction as the account itself is now useless – even if an attacker could log in, they can’t do anything because they have zero permissions!

As such, ZSP is an excellent concept, sitting at the intersection of JIT access and least privilege. It addresses those frustrating ‘what-ifs’ that held me back due to the requirement of rapid access grants.

The author attempts to bypass a cloud provider’s controls to demonstrate the power of ZSP.

Zero standing privileges add further protection to just-in-time as a concept. With JIT access, you’ll be unable to enable just the right number of privileges to that account. This is arguably the core requirement of ZSP.

Only allowing an account to have the privileges it needs by exception rather than standing entitlements and returning it to no privileges puts you in a situation where you can minimise that account’s exposure. Elevating access just-in-time does reduce the risk of credential theft. But, once access is provided, internal or external bad actors have more entitlements to exploit, enabling lateral movement and privilege escalation. A ZSP approach also reduces the volume of systems or services an attacker could compromise when they gain access. This is easily one of the most effective strategies for reducing risk.

How to Make ZSP a Reality

First, you’ll need to find a way to handle elevation, a mechanism to align a user to a group of permissions. For a realistic chance of adoption, elevation mechanisms must be integrated into service management or ChatOps to speed up the handling of approvals.

You’ll also need to move away from thinking in the binary ‘is this an admin or not’ mindset and consider how the user access level poses a risk and find tooling to manage that. The distinction between privileged and non-privileged access is nebulous in modern Infrastructure as a Service (IaaS) environments. Lastly, you’ll need to ensure that whatever permissions you grant get removed as soon as the session ends.

If you’re looking for a modern, dynamic way to secure access in your cloud platform (as I once was), check out the CyberArk executive POV, “Why Cloud Identity Security and Why It Seems So Hard.”

Josh Kirkwood is a senior product marketing manager at CyberArk.

If you stick with any movie through the end credits, you’ll see – not just the household names who act and direct – but the full scope of players who make a film happen. The scroll can seem endless: writers, CGI designers, location scouts… animal handlers and the illustrious “best boy grip.” It’s a wide-ranging ecosystem where everyone plays a role. And it’s very similar to the high-stakes cloud and digital initiatives that today’s enterprises are driving forward – and today’s attackers are targeting.

A successful transformation requires a diverse cast. Securing them calls for a closer look at who has risky levels of access to sensitive resources. It’s not only the IT employees working in critical environments. And it goes beyond the sharp increase in everyday employees accessing sensitive data in applications.

Roll the credits for any top enterprise initiative, and you’ll see an ecosystem of contributors from outside the workforce who also need access to internal resources, to do their jobs. The scroll would look something like this:

• Vendors
• Suppliers
• Contractors
• Partners
• Clients
• Agencies
• Franchises
• Affiliates
• Dealerships

Every day, external business-to-business (B2B) contributors use enterprise-provided applications, portals and services from various devices and locations. And attackers know it.

External B2B Users: Key to Success and Key Attack Targets

Consider how many outside contractors work for your organization and imagine just one falling victim to a phishing attack. A malicious actor tricks them into sharing their password for an enterprise app, digs around until locating high-value resources and makes a devastating next move. It’s a movie we’ve seen, but the script is flipped – to entail third-party vulnerabilities that are hard to control.

One example: an insurance company’s extended workforce of third-party agents who use the company’s online portals on the road – one compromised identity could result in the data of millions of policyholders being leaked. For a private hospital system’s network of electronic healthcare data vendors, this type of attack could result in a central database of patient records being held for ransom.

“It’s a movie we’ve seen, but the script is flipped – to entail third-party vulnerabilities that are hard to control.”

And that’s just considering external B2B users who are actively working with organizations.

Third-party risk often stems from B2B users who no longer work with an organization but still have lingering access to its applications, data and environments. IT security teams are already bogged down with manual processes for managing full-time employees’ access. The complexity grows when considering external users. One missed step in a manual, error-prone offboarding process can allow threat actors to exploit inappropriately provisioned, overprivileged or orphaned accounts.

How to Provide Protection and Positive UX for External Collaborators

Across any industry or use case, there’s a common link: external B2B users need as fierce protection as your employees. In addition, their user experience in accessing your applications and resources must be designed to help them succeed. Here’s a brief look at five areas of best practices to help you achieve that balance.

1. Ensure Secure, User-Friendly Access to Applications

A frictionless experience is essential for external B2B users when they authenticate into applications to engage with your organization. This helps vendors and contractors do their jobs; it also helps ensure that clients and partners view your brand favorably. But how can you achieve these outcomes without sacrificing security? Here are a few building blocks to keep in mind:

• Allow external users to access applications with a single set of corporate credentials via intelligent single sign-on (SSO), reducing password usage.
• Verify users with adaptive multifactor authentication (MFA) that draws context from user behavior analytics to determine whether a log-in attempt is low- or high-risk – and, in turn, provide easy or difficult authentication factors.

2. Bring Structure to Identity Data Storage and Management

As your organization’s digital and cloud initiatives grow in scope and scale, the number of external B2B identities requiring protection is surging and disparate. So, how can you ensure their information is accounted for and protected while not making things difficult for partners? Here are some best practices:

• Store identity information for external B2B users in a secure, centralized repository.
• Allow external B2B organizations’ admins to use their trusted identity providers to authenticate end users via a cloud-hosted directory service that supports identity federation.
• Simplify administration tasks and oversights while helping eliminate adoption barriers among external partners’ IT and security teams.

3. Balance Flexibility with Security in Identity Administration

It’s challenging enough to stay ahead of identity administration for employees. The job can feel unwieldy when factoring in external users. You can reduce the burden and risks of third-party identity administration by giving partners a mix of autonomy and security-first features, including:

• Provide external B2B partners’ IT teams with a hierarchical, multi-tenant delegation model that allows admins to manage identity data across a shared environment.
• Introduce an overall tiered approach through which a designated partner admin can manage their end users, overseeing their access rights as roles change over time.
• Delegate administration responsibilities to peer admins and trusted non-admin users (as needed).

4. Automate Processes and Tasks for Managing Identities

Automation can help IT security teams escape from the pattern of manually connecting dots and scripting integrations between variables like data and applications. The same applies to manual procedures and workflows for granting, adjusting or revoking access.

Here are some examples of how automation can help IT security teams regain bandwidth and reduce risk:

• Provision access automatically and manage entitlements throughout your external B2B users’ lifecycles, from onboarding to offboarding.
• Bolster defenses around siloed applications with custom security features and standardize your approach across apps through a simplified security model.
• Eliminate manual tasks with flexible workflows and automated orchestration of data, processes, tasks and events.

5. Secure Access for Third-party Privileged Users

While the nature of third-party risk has expanded beyond the traditional definition of privilege, it remains critical that organizations secure the identities of external users with the highest levels of sensitive access.

Take, for example, an IT user working for one of your vendors. If this user’s identity is compromised, the attacker’s next steps – e.g., lateral movement and privilege escalation – aren’t limited to the vendor’s environment. They’re a stepping stone to yours. Here are a few capabilities and controls that can help you secure third-party privileged access:

• Ensure privileged users from external vendors confirm their identities each time they need to access critical assets via biometric MFA.
• Implement just-in-time (JIT) provisioning for vendors when they need to access business applications and sensitive information.
•  Gain full visibility into vendor activities via privileged session monitoring, with complete reporting, auditing and remediation capabilities.

Next Steps: Achieving High-Quality UX and Security-First Access Balance

The cast of characters playing essential roles in driving your high-stakes initiatives continues to grow in number, scope and risk. Keeping their identities secure is essential for preventing third-party breaches and attacks – and for protecting everything these external B2B users are building for your enterprise.

Similar to the movies, this blog post has a director’s cut with additional content. For a deeper dive look at the controls and capabilities needed to protect external B2B identities, read our recent whitepaper, “Secure Your External Users’ Access to Enterprise Applications.”

John Natale is a senior content marketing manager at CyberArk.

The aviation industry relies on a complex web of players and digital systems to fly passengers safely around the world. Billions of data points flow across this vast interconnected ecosystem – from cloud-based ticketing apps and customer experience portals, to third-party vendors and technology systems, to airport ground operations and in-flight aircraft.

While connectivity is mission-critical to airline and airport operations, it also means that any cyberattack or digital disruption could quickly ripple outward, negatively impacting numerous entities, degrading customer experiences and potentially even compromising human safety.

Just last month, two major airlines disclosed data breaches caused by a cyberattack on a third-party recruiting vendor. According to reports, personal information of nearly 9,000 airline pilots was exposed. Unfortunately, this wasn’t an isolated incident. Cyberattacks on airlines, airports and their many third-party providers are rising globally. As with other critical infrastructure sectors, transportation’s risk exposure is heightened by technical complexity, underlying infrastructure issues and vulnerable operational technology (OT).

A string of distributed denial-of-service (DDoS) attacks last fall temporarily took down several major U.S. airport websites. In February 2023, seven German airports experienced a similar attack that left thousands of travelers stranded. Airports across the European Union (and everywhere else) are being hit hard by ransomware, according to a 2023 report by the European Union Agency for Cybersecurity. The same report identifies airlines’ customer data and original equipment manufacturers’ proprietary information as cyberattackers’ top targeted assets.

Building Cybersecurity Resiliency for Airport and Aircraft Providers

Such targeted attacks on critical infrastructure are prompting government action. In the United States, the Transportation Security Administration (TSA) has called on airports and aircraft providers to step up their cybersecurity practices.

According to enhanced TSA requirements released this March, all TSA-regulated airports and aircraft providers must “develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.” TSA released similar requirements in 2022 for passenger and freight railroad carriers. Both steps are part of a broader push to strengthen the cybersecurity resilience of the nation’s critical infrastructure and align with the Biden administration’s Zero Trust-focused National Cybersecurity Strategy.

Preparing to Meet TSA’s Enhanced Cybersecurity Requirements

Airport and aircraft operators must take four actions to meet TSA’s latest cybersecurity requirements. While specific details on mandatory security controls, assessment parameters and compliance deadlines have not yet been disclosed, many TSA-regulated entities are referencing Security Directive 1580/82-22-01 for the railroad industry as they prepare for their own directive. In the meantime, they have this high-level guidance from TSA:

Action 1: Network Segmentation

“Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa.”

Network segmentation is an important step for limiting access to devices, data and applications. In the aviation industry, operational technology (OT) networks power everything from airport baggage-handling systems to critical air traffic control processes. Creating boundaries between OT and IT networks helps minimize identity-based threats, such as phishing, ransomware and other credential theft attacks. Network segmentation also separates and protects OT network layers while allowing authorized communications and other critical processes to continue.

Action 2: Access Control

“Create access control measures to secure and prevent unauthorized access to critical cyber systems.”

The aviation sector is in a continuous state of digital transformation and identities – human and machine – are surging in numbers. Across industries, virtually all (99%) security decision-makers believe they’ll face an identity-related compromise in the year ahead, reinforcing the need for a Zero Trust approach to security.

Modern identity security controls, centered on privilege, enable Zero Trust by verifying every user, validating every device and intelligently limiting access to any resource anywhere, everywhere. This includes continuous authentication to validate a user’s entire session – not simply a single multi-factor authentication (MFA) request – and monitoring user behavior to identify when an identity has been compromised. This brings us to TSA’s required action number three.

Action 3: Continuous Monitoring and Detection

“Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations.”

With so many distributed workforce and privileged users, third-party vendors and data streams in play, aviation organizations need a centralized, continuous process to detect risky security events and behaviors. Otherwise, context and coverage gaps could cause them to miss, mishandle or respond too slowly. Identity security solutions that continuously monitor behavioral signals help ensure users are who they say they are, while empowering incident response and security operations teams to address threats quickly and confidently.

Action 4: Patch and Manage Critical OT Connections

“Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”

Keeping critical airport and airline systems patched and up to date is an essential defense-in-depth endpoint security component. But human error has no patch. Combining patch management and other traditional endpoint security tools with foundational endpoint privilege security will help strengthen overall security posture and reduce exposure to ransomware and other dynamic threats.

How Aviation Organizations Can Strengthen Cyber Resilience

Navigating evolving cybersecurity requirements can be complex, but airports and airlines don’t have to go it alone. CyberArk can provide the guidance and support needed for these critical infrastructure organizations to comply with TSA’s enhanced requirements to protect information and systems.

The CyberArk Identity Security Platform is uniquely positioned to help them strengthen cyber resilience by surrounding every identity – human and machine – with a powerful force field of continuous protection. With a security-first approach grounded in Zero Trust and least privilege, CyberArk enables them to manage who has access to what, and for how long, while empowering them with the confidence of unmatched detection, prevention and control over their entire infrastructure.

Jay Willoughby is AVP Commercial Sales – U.S. at CyberArk.

You’re reading the CyberArk blog (and we thank you for that), so you’re likely familiar with the name Theresa Payton. The cybersecurity visionary, first female White House CIO, best-selling author and founder and CEO of Fortalice Solutions is a powerful industry voice, blending her frontline cybercrime fighting experience with cutting-edge insights to help organizations safely navigate the evolving threat landscape.

Not long ago, I had the honor of speaking with Payton on the CyberArk Trust Issues podcast. We covered so much ground – from revisiting major historic threats to exploring ransomware’s impact and future AI applications – that we dropped two episodes. Give part one and part two a listen and check out these top takes from our conversation.

Yesterday’s Threats are Still Alive and Well

Payton served as CIO in the George W. Bush White House from 2006 to 2008 – a time of significant technological change in the workplace and at home. Among other major happenings, Apple released its first-ever iPhone and social media was starting to take off. Here’s what Payton had to say about the threat landscape during this time and its lasting influence.

Theresa Payton: We didn’t know how good we had it, even though cybercriminals were doing some pretty bad things. Major cybersecurity threats looked like phishing scams, spam emails, botnets. Malware was very quaint and SQL injection attacks were extremely popular. Nation states and syndicates were operating at a different level, mainly focused on the defense industrial base and government organizations. They weren’t going after the small, medium and large enterprises as they certainly do today. Even things like ransomware, which was in its infancy, mostly focused on computers in a network. It wasn’t at the large scale seen today. But what’s interesting to me is that phishing scams and spam email are still alive and well. We can’t seem to get rid of them. Botnets are still used and malware is still built to steal information and conduct other nefarious types of activities. And the fact the SQL injection attacks still work – that’s incredible to me.”

Technology Multiplies Misinformation Campaigns

Fast-forward to present day. The threat landscape continues to grow in size and complexity, and digital advancements bring new twists to age-old misinformation and fraud schemes.

TP: “It’s part of human nature to manipulate and misinform others to get them to see your point of view. Social media gave those with nefarious intents a free stage. All they had to do was understand how search engine optimization and hashtags work to launch their own amplification marketing campaigns. In some regards, I think retailers and other companies would marvel at what misinformation experts can accomplish with very little money. This has led to a rapid spread of misinformation on all types of topics – everything from pump-and-dump schemes for cryptocurrency, health, politics, science and deepfake technology. All of these can be used to create fake news, propaganda and disinformation. Artificial intelligence raises the stakes. We’ve already seen how AI helps botnet masters much more effectively manage their botnets. Having ChatGPT and other deepfake AI tools really just puts more power in the hands of the manipulators and mis/disinformation peddlers. It’s making it really challenging.”

Payton notes that we each play a part in fighting misinformation – by watching out for one another, learning how to spot disinformation campaigns and reporting inauthentic behavior and dangerous disinformation to social media platforms.

Hiring for Open Positions? Beware of ‘Franken-Fraud’ Identity Applicants

The recently published CyberArk 2023 Identity Security Threat Landscape Report finds that 93% of security professionals expect negative cyber impacts from AI tools in 2023 – and with good reason. Payton believes that thanks to AI, it won’t be long before ‘franken-fraud identities’ (also referred to as synthetic identities) enter the workforce.

TP: “Fraudsters and scammers will leverage cutting-edge deepfake AI technology to create personas – by creating images of these new identities, adding voices to them, creating videos, etcetera. In fact, all of this can be done mostly for free today. These ‘persons’ will use AI and big data analytics to test themselves and ensure they look authentic. The next thing you know, you’ve got ‘people’ who can interview for jobs. And since many jobs today are remote, companies may unknowingly hire a deepfake persona because it’s been matched up with a franken-fraud identity. Seriously – it can happen.”

“So how do you protect against this? For starters, you must understand how to safeguard your executive and employee data. Second, if you do remote hiring, work with an outsourcing firm to bring candidates into a physical office in whatever geography they’re in. Have them present different forms of identification. It’s not going to cost you that much and it’s a way to make sure you’re actually hiring the person you think you’re hiring.”

One Ransomware Trend Theresa Payton Never Saw Coming

Many organizations have benefitted from Payton’s near-prescient ability to predict cybersecurity trends and challenges ahead. She imagines how things will look two to three years out every year, and she’s usually spot on. Yet one recent development caught her completely off guard.

TP: “I love to study human behavior and technology implementations, so I typically have a pretty good handle on where things are headed. But I would’ve never predicted that insurance companies would encourage ransomware victims to pay ransoms. I remember the first time somebody told me that their insurance company said to pay the ransom because it would be cheaper than recovery. I said, ‘Well, that sends a really bad message. It’s like giving the schoolyard bully your lunch money. They’re just gonna come back tomorrow.’ When I looked in a crystal ball, I definitely saw a lot of the trends and patterns coming. But I never saw that one.”

On Double Extortion and Evolving Attacks

Unfortunately, the paying ransom trend only seems to be growing. CyberArk’s latest research found nearly three-quarters of organizations paid ransoms at least once in the last 12 months. Payton acknowledges that attackers are turning up the heat with double extortion but urges organizations to remember who they’re dealing with.

TP: “You are negotiating with a criminal. And even if the person you negotiated with might keep their word as an individual, which is debatable, it’s so distributed and outsourced these days that somebody else in the organization may not honor their word.”

“When we improve the kill chain in our resiliency and our recoverability, cybercriminals don’t say, ‘Wow, this is really hard. I should give this up and become a park ranger or bake pies for my neighbor.’ They just up their A game too. They don’t go away. That’s the great thing about cybercriminals, whether it’s a nation state, lone wolf or a cybercriminal syndicate – their behavior.”

So as organizations improve their ransomware defenses and recovery efforts, where will attackers turn next? Payton offers a rather grim prediction.

TP: “The better we get at shutting down ransomware syndicates on systems and data, malicious cyber actors will move to another place in the kill chain. Ransomware will pivot to the Internet of Things, devices, access control cards, thermostats, TVs, physical buildings controlled by computers – you name it – and hold them for ransom.”

Payton writes in her 2024 cybersecurity predictions that attackers could go as far as “hacking into intelligent buildings, locking them down with people inside and demanding a hostage payment to release individuals.”

Putting the “Influence” in CISO

Chief Information Security Officers (CISOs) have a difficult job that’s constantly changing as technology, workforces and cyber threats evolve. Many CISOs are understaffed and under-resourced. They’re grappling with highly complex IT environments and exponential – but often insecure – identity growth. Payton encourages these cybersecurity leaders to expand and solidify their influence across their organizations to amplify their impact.

TP: “As a CISO, you will never have the full span of control that you probably should have to protect all the digital assets under your organization’s care. You’re never going to have enough tools and budget and people. And you really do need to understand that. Once you do, ask yourself how you can influence your organization to be secure by design.”

“Are you going to sit with the developers the whole time? Are you going to sit with the third-party marketing firm doing internet campaigns with social media platforms? No. So how do you make sure you have influence everywhere within the organization. You can’t do it by being a bottleneck and saying no to everything. You do it by understanding the mission and values of your organization and figuring out the human user stories of your employees, customers and third-party vendors. Then, you focus on where things need to be secure and how to influence the people responsible for those human user stories. That is where CISOs need to go with their thinking. If you don’t wake up every morning thinking about that, in addition to what you’re doing today, you’re going to miss a unique opportunity to have a long-lasting legacy and impact.”

David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.

Editor’s note: Remarks have been edited for length and clarity. To listen to the entire Trust Issues interview with Theresa Payton, check out the players below – or find the episodes wherever you get your podcasts.

ChatGPT knows a lot about Len Noe, CyberArk’s resident technical evangelist, white hat hacker and biohacker. The biohacker piece of his title is a nod to the fact that Noe is transhuman (you might call him a cyborg and be right), which is why his grandkids call him “Robo Papa.”

ChatGPT knows all of this.

That’s because Noe fed everything he could find about himself that’s publicly available on the internet and by way of open source information technology (OSINT) into ChatGPT, all for the sake of cybersecurity research. These inputs included places he’s lived, auto registrations, utility bills, social media posts and transcripts of presentations he’s given and interviews he’s done. If it’s out there in the digital world, Noe plugged it into ChatGPT. What he wound up creating is a digital version of himself – what he refers to as his synthetic identity.

And, as Noe explains it, this synthetic identity – the identity that’s born from the blurring of physical and digital characteristics used to identify individual human beings – is permanent. The more you share online, wherever and however it may be, the more breadcrumbs you leave for attackers to someday, somehow use for nefarious purposes.

This is why Noe has created his own synthetic identity – as an extension of his ongoing effort to think like attackers – and, in doing so, stay a step or more ahead of them. “I was actually able to interact with a digital version of myself that had understanding, as well as information about my physical existence,” he told me in a recent episode of CyberArk’s Trust Issues podcast.

Screen captured video of Len Noe combing for his own publicly available information via OSINT.

Feeding Harvested Data into ChatGPT for Synthetic Identity Creation

At first blush, Noe’s ChatGPT experiment seems like doxing – the malicious act of curating and publishing identifiable information about a person or organization on the internet without their consent. But there are two big differences. First, the synthetic identity Noe created is based on his own personal data, and second, ChatGPT’s AI engine has the superhuman processing power to fuse disparate data points together instantaneously.

“All those little bits and pieces of [personally identifiable] information are spread out across multiple, different databases, so it’s very hard to make correlating points between them,” Noe says. “But if you take all of that information and put it into ChatGPT – something that’s main intended purpose is to find those types of correlations…” Noe trails off, but the implications are clear. Machine learning (ML), powered by artificial intelligence (AI) can make all sorts of connections about a person, and in doing so, expose them to significant risk.

In feeding all of that unprotected, harvested data into the ChatGPT blender, the output could take doxing to the next level. And the readily accessible opportunities for attackers lie in a swelling digital ocean of identities. The data correlations made possible through AI can make it much easier for attackers to deduce potential targets’ passwords and recovery questions. In a blink, AI can extract or deduce your mother’s maiden name or the street you grew up on – or most any typical standard question/answer for self-service recovery portals. And once it has that information, let the games begin.

Screen captured video of Noe interacting with his synthetic identity after inputting lots of his own publicly available data into ChatGPT.

Simple data extraction is just the tip of the AI iceberg, as it were. Attackers, of course, won’t (and don’t) limit themselves to what’s available. Our digital lives make it easy for the likes of advertisers and social media platforms to build composites of people’s identities based on their online behaviors and preferences. These digital dossiers are routinely sold and shared – and can also be intercepted.

This is how the potential for next-level, primo opportunities arise for attackers. Just think of the imitation opportunities alone. The creation of a synthetic identity can fuel spoofing, phishing and impersonation, by aiding attackers in producing more realistic human speech and text patterns and, in turn, convince someone to share or do something they shouldn’t. Once that’s been obtained, cyber extortion can enter the fray. The more personal data attackers can harvest, the more successful they are likely to be – and the more they will try to take.

“Think about the information that could be accessed with the data collected by the big tech miners,” Noe says. And, of course, as practitioners of “assume breach,” we must think about it. Data science, he says, requires thinking outside the box, problem-solving and analytical thinking. Attackers take a similar approach.

Noe adds, “Everything is asking our physical identities to attach more and more digital services to our digital identities. Every time we add a new app to our mobile devices another piece of software is asking for permissions to reach deeper into our private lives. Our individual attack surface is literally everywhere.”

Everything Ties Back to Identity

Noe acknowledges the potential for this new type of synthetic identity threat is yet to be fully realized. But as a cybersecurity practitioner whose job requires him to put himself in an attacker’s shoes, he’s constantly considering potential threats and ramifications. And they almost all inevitably involve data and identity.

Putting it into context, Noe says, “We hear about identity theft, identity monitoring, identity validation and identity security. Everything’s tied to identity and with good reason. Our identities are the most valuable thing we possess – it’s our likeness, our voice, behavior patterns. It’s our friends, family, hobbies, likes and dislikes. It’s what makes us.”

Your individual identity is an amalgamation of your physical and digital self, he contends. By this reasoning, your identity could potentially be put at risk through not just online interactions, but also how you interact in the physical world – like with your intelligent refrigerator or how you connect to home Wi-Fi, to point to just a couple of seemingly hundreds-to-zillions of other linked actions. We’re at the point where there is no separating these two sides of self – they are inextricably merged.

Who is Len Noe? Identity as a Guiding Principle

Let’s acknowledge again that Len Noe is transhuman by way of implanted chips and devices. Not that there’s any such thing as an ordinary human identity – we all have our own singular defining features and characteristics. But the tangled irony of focusing on the subject of identity with Noe is that his own identity is inherently complex. As we’ve chronicled here on the CyberArk blog and on our podcast in the past, Noe’s implants are for the sake of attacker-like experimentation – he doesn’t just think like an attacker, he’s altered his actual physical being in an ongoing effort to stay ahead of them. But you wouldn’t know it to look at it.

I’m standing with Noe as we await entrance to the Boston House of Blues for a company party capping Day Two of CyberArk’s IMPACT23 conference. It’s a mild early evening in May, amid a protracted New England spring that seemingly wants to Benjamin Button its way toward winter. Noe’s wearing short sleeves, revealing tattooed sleeves on both arms. We’ve spoken in the past about the various microchips and other implanted devices (with varying functionality) he has beneath his skin, but this is the first time I’m experiencing them, as he pinches his skin so I can see a couple of them silhouetted beneath the surface.

To get into the House of Blues, Noe flashes a standard-issue ID and an event-only wristband, just like all the standard-issue human attendees.

The Work-Life and Home-Life Identity Overlap

Work happens everywhere, anywhere. This means that, among other things, lines separating “work” devices and online identifiers from “personal” ones are blurred or have completely vanished. And attackers know this.

“As an attacker, why would I go after your corporate asset that I know has multiple layers of security controls on it, when I know you’re conducting business activities on an unprotected personal device?” says Noe. “It’s much easier for me to just target your own computer – then I can just ride the applications in the private tunnels back to the enterprise.”

Company-owned devices also present risks. “What’s the first thing that’s going to happen when a work laptop walks out of a corporate environment? It’s going to be connected to a home WiFi network,” Noe says. “Once these things leave the corporate environment, they’re out in the wild and it’s up to security professionals to keep security in the front of users’ minds so they remain vigilant, realizing everything out there is trying to get in and that they play an important role in keeping them out.”

Synthetic identity could come into play in a variety of ways within this context. For instance, a synthetic identity could be used to subvert a corporate network by way of the home network using data correlated through AI. Or, that synthetic identity could spoof individuals to cough up passwords for personal accounts that might be similar to (or exactly the same as) those used for corporate applications. Like, let’s say you were successfully phished and shared your Netflix password, which happens to be the same password you use for your enterprise Office 365 account.¹ Game over. Although, of course, it’s not a game.

Stop Spreading Digital Breadcrumbs – Secure Your Digital Identity

So, what can individuals and organizations do to stem the threats posed by AI and ML-assisted synthetic identities? Noe suggests the following:

Noe stresses that for MFA, “The best option we have is a true adaptive multifactor to validate that I am the person that I say I am. Multifactor does not mean two-factor – two is a minimum. And from an enterprise perspective we need to start looking deeply into the crossover between personal and business.”

With individual identities comprised of countless digital data points that are ultimately tied to physical beings, everything is more connected than it’s ever been. And now there’s widely available technology to connect the dots at scale. In a time considered to be an AI gold rush, while the technology itself is still at a relatively early stage, securing our identities, at work and home – everywhere – is paramount.

David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.

For more from Len Noe on synthetic identity, check out his recent Trust Issues podcast conversation.

¹ You know not to repeat passwords, so please don’t do it. Check out this blog post for an eye-opener on password protection.

Global organizations – and the data they collect and use on a daily basis – exist today both within and beyond the traditional physical boundaries of countries. They may have cloud infrastructure that spans the world, but local laws and regulations can still have a big impact on how data needs to be stored and accessed, even if it’s in the cloud.

Data sovereignty is the idea that organizations need to consider the local laws in the region or country in which data is collected. While data sovereignty has grown in importance thanks to regulations like the General Data Protection Regulation (GDRP), companies have had to make considerations regarding data storage and usage well before that. The issue, however, has grown more complex in recent years with increasing regulation and other compliance events like sanctions, as well as macro trends like the continued move to the cloud.

Companies not only have to think about where their data is being stored. They also need an easy way to manage access to data on a region-specific basis and quickly pull audit logs to show compliance with various local regulations and laws.

A More Connected World … and a More Disparate One

Things used to be simpler in an on-premises-only world. Sure, you might have multiple operations in different countries. But for each new operation, you would set up new on-premises infrastructure, and your data would be siloed in that on-premises location in the country you were operating in.

But with modernization efforts and the move to cloud-native SaaS solutions, things have grown more complex for organizations. You might have enterprise-wide environments and infrastructure where data, including keys and other important credentials, are stored. Now you have to work with your SaaS vendors and cloud providers to determine what data you’re storing, where you’re storing it and who has access to those keys and credentials.

Additionally, as I mentioned above, there are now strict data protection regulations that must be complied with. GDPR is the biggest one, requiring any organizations operating in the European Union (EU) to follow specific rules when processing the personal data of EU residents. Adopted in 2016, GDPR became the inspiration for several other related regulations in other countries and states, such as the California Consumer Privacy Act (CCPA). As more countries introduce their own flavors of data privacy regulations, it becomes more challenging for organizations to ensure they are in compliance with each local law across their operations.

Beyond that, geopolitical turmoil has also brought data sovereignty to the forefront of organizations’ priority lists as new sanctions require them to quickly stop doing business and processing data in a country where they may have formerly had operations or customers. While that may have once been as simple as a bank closing its regional branch and locking the doors, that bank now has to think about all of the customers in that region who have access to their banking app, as well as all the employees who have access to company resources. How do you quickly revoke access if you need to and prove that you’re no longer operating in sanctioned areas?

Data sovereignty is critical to consider particularly if your organization is:

• Expanding into a new country or region.
• Merging with or acquiring a company that operates in a new country or region.
• Undergoing digital transformation efforts moving you from on-premises infrastructure into the cloud (or multiple clouds).
• Impacted by geopolitical sanctions that require you to stop doing business in a certain country or region.

Granular Access Policies

The challenge many organizations operating in multiple countries face is that they need to balance these data sovereignty requirements with the nature of their modern businesses, in which they’re often using centralized SaaS solutions for tasks like storing secrets, credentials and keys. These centralized solutions help increase operational efficiency for security teams, but organizations still have to ensure they are meeting the requirements of data sovereignty regulations.

Let’s take a look at an example. You’re a company that operates across Europe, including France and Germany. You use a centralized vault to secure your secrets (keys, credentials and more), and you have human users and machine identities that need to access the data in country-specific infrastructure using those secrets. But you need to ensure that France’s keys (and the data they can access) aren’t being granted to accounts in Germany, or vice versa, to remain in compliance with data sovereignty regulations.

Since you’re already using a modern approach for centralized secrets management and non-human access, consider granular access control of your secrets. Similar to role-based access control (RBAC), with these types of controls, you can set up location-based access policies that ensure that those who need access to the data (and only those who need access, based on that region’s laws and regulations) have access. That way you can satisfy compliance requirements while still enjoying the efficiency benefits of using a centralized solution that grants you visibility of your secrets across all of your environments.

Kurt Sand is general manager of DevSecOps at CyberArk.

Ransomware accounts for one in every four breaches, and increasingly, it’s going after enterprise macOS users.

macOS Ransomware Attacks are Mounting

Historically, it didn’t make much financial sense for attackers to create Mac-specific malware since most company machines ran on Windows or Linux, but that’s changing. Macs now make up about a quarter of enterprise endpoints and malware as a service is readily available for every operating system. In the workforce, Mac users are often power users such as developers or executives who have admin rights and can access sensitive data and systems. This makes them highly attractive targets for criminal organizations seeking out the most impactful users – and necessitates robust endpoint privilege security controls.

Recent reports suggest that opportunistic attackers are paying closer attention to macOS – from new information stealers that grab passwords and extract data from web browsers and cryptocurrency wallets to the first-ever Mac ransomware samples linked to the notorious LockBit gang.

5 Reasons EDR/XDR Alone Can’t Block Mac Attacks

Since most cyberattacks originate at the endpoint, many security teams rely on endpoint detection and response (EDR) or extended detection and response (XDR) tools to protect against macOS ransomware and other cybersecurity threats. Unfortunately, adversaries count on this, which is why organizations still suffer costly and damaging endpoint attacks despite hefty endpoint security investments.

Here are five reasons why conventional endpoint security tools aren’t enough to stop macOS attacks:

1. Many macOS attacks involve administrative privileges. Attackers routinely look for ways to exploit privileged accounts to deploy ransomware and achieve their goals. While EDR tools play an important defense-in-depth role, they aren’t designed with privileged attackers in mind.
2. EDR solutions focus on known threats. EDR tools suss out threats by monitoring and analyzing various endpoint activities (i.e., processes, registry settings, file operations, network traffic) for red flags. They typically use signature-based detection methods to do this (looking at file signatures, threat-class signatures, string signatures and/or behavior signatures). But this type of detection doesn’t recognize unknown malware variants or zero-day exploits, and it takes time for EDR vendors to roll out updates addressing newly discovered attacks. This can create security gaps since attackers constantly change up their tactics.
3. Attackers can bypass EDR/XDR tools. For instance, MITRE ATT&CK T1070 and T1562 and other
   other adversarial techniques involving privileged accounts are often used to circumvent popular endpoint security products. And since most EDRs hook into Gatekeeper, Apple’s native software inspection technology, attackers have also devised a variety of methods to circumvent the tool’s security checks to execute ransomware and other malicious content.
4. Speaking of bypassing security checks, EDR solutions also can’t stop attackers from skirting or tampering with other endpoint security tools in place. A recently identified strain of macOS malware dubbed “Rustbucket” shows why this matters. Rustbucket sneakily circulates via a legitimate PDF viewer app. Since it’s an unknown strain, EDR tools are unlikely to flag it as malicious, and since it only tries to infect the target device after it runs the correct PDF file, antivirus probably won’t detect it either.
5. Processing the massive volume of security events generated on endpoints – then creating (and continuously evolving) policies that follow security best practices – can be very challenging and time consuming, especially for large organizations with diverse environments.

How Least Privilege Control Reduces the macOS Attack Surface

Reactively analyzing complex data sets for known attack patterns isn’t an effective (or sustainable) macOS protection strategy. Instead, the focus should be on establishing fundamental identity security controls to proactively defend against privileged attacks of all kinds – known and unknown. This comes down to least privilege.

Least Privilege to Eliminate Standing Local Admin Rights

No user should have local admin rights. But as any security professional knows, removing them all is a gargantuan task. It’s also a move that’s sure to frustrate Mac users and complicate IT operations. This is where AI-powered policy creation and consistent least privilege control are key for achieving balance – by automatically removing local admin rights, contextually authenticating identities and dynamically authorizing temporary, on-demand privilege elevation instead. Some applications require the user to be a local admin or have a local admin account. In these instances, admin rights can be granted just in time, then taken away as soon as the task is complete.

Least Privilege for Smarter Application Control

Mac users often need flexibility to download and use applications from the internet. But this creates risk. How do you protect the environment from an application that could be malicious or could attempt to download other apps that are undesirable? Here, conditional policy-based application control helps security teams create scenarios for every user group, from DevOps to HR, while defending against unknown malware variants without impairing legitimate applications. If a Mac power user needs to utilize an unfamiliar app, they can do in a secure, sandboxed environment while access to the internet and/or intranet, network file shares and other processes’ memory is blocked.

Least Privilege to Block Credential Theft

Credential theft remains security professionals’ No. 1 risk area and the root cause of most breaches. By stealing credentials and compromising identities, attackers can move deeper into an environment and closer to their goals. Defending credentials is a critical piece of the endpoint security puzzle. By instituting granular, policy-based least privilege controls, organizations can effectively safeguard credentials cached by macOS and other operating systems, password managers, web browsers, SSO solutions and other applications.

Least Privilege to Stop Ransomware at the Start

A strong mix of endpoint privilege security, privilege threat protection and application control can block ransomware actors before they can even get started. If an attacker does slip through the cracks, these controls will greatly complicate their mission by preventing additional credential compromise, privilege escalation, lateral movement and code execution, while hindering data encryption and exfiltration by ensuring that only approved content handlers can access files.

Trusted entities including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) promote best practices including local admin rights removal, role-specific least privilege enforcement and credential theft protection across all enterprise endpoints – from workstations to servers, to physical and virtual infrastructures on premises and in the cloud. As ransomware and other threats continue to rise, foundational endpoint security controls are a must no matter what operating systems are in play.

To learn how CyberArk Endpoint Privilege Manager can help your organization improve macOS protection and proactively block ransomware and other cyber incidents, read our whitepaper “Tackle EDR Gaps Against Cyberattacks with Endpoint Privilege Security.”

Francis Yom is a regional least privilege specialist at CyberArk.

For more than 30 years, we’ve been living in a world where one of the most widely-used applications is the web browser. Despite being designed primarily for consumer use, browsers have become essential to how enterprises operate – serving as the connective tissue between identities, applications and data. And yet, despite all of the advancements leading to today’s digital and cloud-centric world, one of the least secure applications is … the browser.

In this post, we’ll discuss why browsers are highly vulnerable to attacks, how today’s threat actors are exploiting them and what IT security teams can do about it.

Why Is the Browser So Unsafe? Start With Identities and What They Can Access

In today’s threat landscape, the nature of privilege is evolving. It’s no longer just IT admins who require protection based on their access to sensitive resources. Now any user within an organization can become privileged, gaining access to highly sensitive information like customer data, financial records and intellectual property – in many cases, more access than they actually need.

And one of the most common ways employees gain this type of access is through their browsers, where they access web-based applications, virtual collaboration tools and shared drives where documents can be accessed, downloaded and changed – among other gateways to organizations’ highest-value data.

All of this activity has been accelerating in recent years, as the way people work – and the various places and devices they work from – continue to evolve. According to a recent CyberArk survey, virtually all (99%) of IT security decision-makers agree they’ll face an identity-related compromise in the year ahead. Among the 2,300 respondents surveyed, the top three cited reasons are:

• Digital transformation (58%).
• Hybrid working practices (44%).
• Third-party usage (44%).

It’s no coincidence these variables rise to the top. They represent an ecosystem of users – internal and external – who contribute virtually to help drive key initiatives, from cloud migrations to new digital products. Each contributor is tied to multiple digital identities used to authenticate and access what they need. And that’s where the risk factor lies. These identities – along with their information, poorly-protected credentials and access permissions – can be compromised through users’ web browsers.

Next-level Risk: How Attackers Can Easily Infiltrate Browser Sessions

To this point, we’ve covered risks around the people (and, in turn, identities) using unsecured browsers across your organization. But what are the specific risks tied to the browser technologies themselves? For starters, some risks are well-known in IT security circles:

• Browsers enable users to install unverified extensions that can secretly upload data to attacker-controlled servers.
• They provide insider users with built-in tools to circumvent preventative controls.
• They allow users to store passwords to all of their applications – work-related and personal – in browser-based tools designed for convenience over protection.

But let’s dig deeper into the risks from an attacker’s point of view.

One of the most dangerous and prominent browser-centric attack methods involves cookies – specifically, attacks centered on stealing, forging, altering or manipulating cookies from users’ web sessions to gain unauthorized access to sensitive resources. The CyberArk Red Team has seen a significant increase in this post-authentication attack vector in which the threat actor:

1. Acts as an imposter, hijacking the cookie after it has been authenticated.
2. Replays the cookie in the session so they can bypass multi-factor authentication with a very low detection rate.
3. Hijacks the in-progress session with an aim toward stealing data, moving laterally and escalating privilege and disrupting operations through malware.

In a way, browser session cookies are constantly defying Zero Trust principles, existing as an automatic bypass from continuous verification. After a user’s initial authentication, the website or web-based application they’re using establishes a cookie that allows repeat visits, without requiring reauthentication. It’s like the unspoken agreements we might have with a front desk attendant after checking into a building once. Want to come back inside again and again? All you need is a quick nod and a “you’re all set” from the attendant, who’s more interested in checking their phone than verifying you’re the same person from earlier.

Even without admin privileges, attackers can hijack cookies once they’ve compromised a user’s device. And once those cookies fall into an attacker’s hands, they become the privileged access gift that keeps on giving – because cookies are saved not only within users’ identities but their specific privileges too. Meanwhile, end users’ tendency to use their work devices for personal use – calling back to our point about how work is evolving – compounds the risk. This practice can potentially enable attackers to gain access to both personal and enterprise data.

And if attackers aren’t using the cookies themselves, they’re buying and selling them on the dark web. Threat actors don’t need to be sophisticated enough to compromise an endpoint to broker access in – they can just buy a cookie and move on to tactics such as phishing, password compromise and all-out attacks.

How to Defend Against Cookie Theft and Session Hijacking

As part of a unified identity security approach, organizations can reduce risk by implementing enterprise-wide, cookieless browsing.

You might wonder if that’s even possible. After all, cookies seem ubiquitous and inevitable. How many times have you been greeted by that beloved “Do you accept all cookies?” prompt today alone? It’s less of a question and more of a begrudged reality.

In short, yes, it’s possible. With cookieless browsing, the cookies are stored on a secure server to allow for seamless use by individuals who are still able to navigate without their cookies being available for theft. This also allows organizations to lock down data and enable security at the user level to protect the most sensitive information. Cookieless browsing enables users to access and use web-based resources in a more secure way, making it virtually impossible for hackers or third parties to steal, hijack and do damage. And with respect to privacy, we can ensure that users’ web sessions, data and accounts remain confidential and secure.

Looking beyond cookies, it’s essential to take a big-picture view of what needs protecting in the browser environment. This includes having the controls and capabilities in place to secure access to business-developed web apps, cloud management consoles and SaaS-based tools and services with controls tailored to each user. And the best approach embodies key identity security principles. This includes ensuring the browser itself has native integration with key defense-in-depth solutions for enabling seamless and secure access while infusing intelligent privilege controls to an organization’s wide array of browser users (aka employees).

A few examples of identity security capabilities that can work together to secure browsers, but certainly not all, include: single sign-on (SSO), adaptive multi-factor authentication (MFA), enterprise-grade password protection, web session monitoring and controls for securing vulnerable endpoints.

Bringing It All Together: What It Takes to Secure Browsers

While somehow the web browser has existed for 30 years without a serious level of protection, we can change that now. Above all, it takes new thinking on how to build and continuously protect browsers, the identities using them and all the sensitive resources these widely used applications enable access to. We believe the modern browser can and should be built to balance protection and productivity. And this is possible through an integrated identity security approach and platform.

Check out this recap of the conference, where our leaders and industry experts shared their vision on how to secure web browsers – and where CyberArk announced a new innovation: the first identity security-based enterprise browser.

John Natale is a senior content marketing manager at CyberArk. 

While IT executives understand the essential role privileged access management (PAM) solutions play in their organization’s overall security strategy, they’ve also continued to ask their PAM administrators to do more with less resources. To meet these additional asks, PAM admins have automated routine PAM tasks using scripts. PAM automation scripts can significantly lessen the burden on PAM admins and enable organizations to scale PAM usage across their entire enterprise. But securing PAM automation scripts and the admin credentials they hold is paramount.

After all, a hard-coded credential in a PowerShell script gave cyberattackers the foothold they needed to access Uber’s PAM solution and elevate their privileges to devastating effect in the 2022 breach. While automation scripts are often simple, they can hold the keys to other high-value resources within the company – including root credentials, cloud access keys and every credential in between from infrastructure orchestrators, admin credentials, service accounts and other configuration management tools. If those keys aren’t secured, attackers can easily use the unsecured credential in these scripts to find a way into an organization’s most sensitive areas.

Why Are PAM Automation Scripts So Powerful?

A PAM admin’s daily responsibilities typically revolve around the lifecycles of privileged users in their organization and require high levels of privilege. For example, when a privileged user joins the organization, the PAM admin has to add them to the right safes and grant them the necessary permissions they need to perform their privileged tasks. If a user leaves an organization, all that access has to be revoked to ensure the organization remains secure.

These processes typically involve multiple steps, all of which take time for the admin. Consider just one example of a new employee joining the organization. Of course, there are various approaches, but in this example, the PAM admin must:

• Map that employee to an Active Directory (AD) group, giving them access to the software tools that they need for their job.
• Map the employee to a group that grants them the right level of access to all of the safes that have the credentials necessary to work in those software tools. (Another approach is to map the employee to each individual safe they need access to, but you can see how that could quickly get overwhelming.)

This gets even more complex when you consider named accounts. For a named account, a personal safe is created for that new employee. Then the admin has to assign the proper permissions and add that new employee’s account to that personal safe, then put proper rotation policies around that.

And this is just the basics. As organizations scale, their PAM usage grows with them. They may have to onboard or offboard a large number of users at one time, particularly in the following situations:

• Mergers and acquisitions, when employees are added by the hundreds (and sometimes thousands).
• Large joiner/leaver events, including large-scale layoffs, which create a significant overhead from a compliance perspective.
• Implementation of a PAM solution, including expanding users from just domain and local admins to groups like networking and cloud.

Admins need very high levels of privilege to complete these tasks. But do admins really want to do these repetitive tasks manually? And what’s the potential for errors with all of these manual steps? At some point, the growth reaches a point where automation isn’t just a nice-to-have – it’s essential for security teams who don’t have the resources to dedicate to all the mundane, day-to-day tasks required. You especially need this type of efficiency as you move beyond securing the human element and bring in all the machine identities that need to be secured – including virtual machines (VMs), service accounts in the cloud and robotic process automation (RPA) bots.

Security Risks for PAM Automation

Automation helps remove the risk of human error and saves PAM admins both time and budget that they can spend on other tasks. But while these scripts themselves may be small and simple, performing only minor tasks, they can expose critical systems to attackers. Hard-coded credentials in scripts can easily be stolen by attackers who gain access to the scripts (i.e., through a compromised network share, as happened in the Uber breach) and leveraged elsewhere. Scripts can also be easily copied, replicated and shared, with any hard-coded credentials shared along with them. Additionally, someone could potentially post a copy to a repository, exposing those credentials.

The danger increases as many of these scripts have high levels of privileged access and can thus cause a large amount of damage if unsecured credentials fall into attackers’ hands.

Best Practices for Securing PAM Automation

Here are some steps you can take to ensure that your PAM automation processes are secure:

• Secure credentials used in scripts. No matter how inconsequential a script might seem, the value to the attacker is in the power of the embedded privileged credential(s). The script can be used as a jumping-off point for attackers if the right credential is embedded inside. Ensure that the credentials used in your automation scripts are vaulted and delivered at the time they are needed, not hard coded into the script.
• Regularly rotate credentials. Establish policies to regularly rotate credentials. That way, even if there are hard-coded credentials in automation scripts, they quickly become invalid.
• Automate credential management. Reduce the risk of human error by moving to an automated, on-demand process. Instead of having to manually manage credentials and add/remove users, you can have event-driven activities that are tied to your joiner/mover/leaver processes, including automated requests for approval.
• Gain visibility. Ensure that you have oversight into what these automation scripts are doing – what resources they have access to, when they’re accessing and what they’re doing once they access the PAM solution. This is especially important for automation scripts that perform highly privileged activities like creating a new safe. Knowing exactly what these scripts are doing across your organization (and who is running them) can help you flag any risky activity and revoke access if needed.
• Enforce least privilege. Don’t let these scripts have more access than they need. Follow the principle of least privilege so that these scripts have only the necessary privileges to perform their tasks, nothing more.
• Practice defense in depth. Use the principles of Zero Trust and enact multiple layers of defense. Something like forced human approval with multi-factor authentication (MFA) can provide another hurdle for attackers who may have gained access to one of your automation scripts.

Identity Security for Automation

Naturally, PAM admins spend most of their time working within PAM solutions. Yet they don’t work in a vacuum, and as user workflows (as well as their own) become increasingly automated, PAM admins need additional functions and features to do their jobs. But if more tools mean more work, it defeats automation’s whole purpose.

This is just one reason why organizations are working to consolidate their identity security tools, bringing lifecycle management, identity automation and orchestration and centralized secrets management together in one comprehensive platform.

With this approach, PAM admins can access a host of built-in features that enable a trifecta of secure, automated and simplified functions – from automatically managing the credential lifecycle with REST APIs, to rotating privileged admin credentials used in script, to onboarding users.

Seamless integration with other tools across the organization’s broader security stack helps teams make smarter, faster decisions. For instance, when a third-party tool detects an event of a specific level of severity, it can automatically trigger the identity security platform to take specific corrective action.

But above all else please ensure that the credentials used in your organization’s PAM automation scripts are secured. After all, they contain the privileged credentials used to assign privileged access to other users and thus an attacker’s dream.

Learn more about how CyberArk Conjur Cloud and CyberArk Identity Flows help you automate PAM functions and secure the PAM admin credentials used by automation scripts.

Jed Knopf is a CyberArk Solutions Architect, as well as a former PAM admin. Sharon Abarbanel is a Manager, Product Management, CyberArk Secrets Manager.

The prolonged period of low-capital costs and widely available funding may be over, yet digital adoption persists as business leaders seek to unlock efficiencies and innovation everywhere. This is driving exponential but often unsecure identity growth in the enterprise and putting existing levels of cyber debt at risk of compounding as investment in digital and cloud initiatives continues to outpace cybersecurity spend. It’s on cybersecurity professionals – who must do more, faster, with less than ever – to keep this organizational cyber debt under control while defending a rapidly expanding and unsecured identity-centric attack surface.

Released today, the CyberArk 2023 Identity Security Threat Landscape Report offers a glimpse into cybersecurity professionals’ world. It’s a massive realm of complex, interconnected environments under constant attack from shapeshifting threats – shadowed by global upheaval, economic uncertainty and rapid technological change, including the evolution of artificial intelligence (AI). Here, boundaries offer scarce protection. Instead, identities – human (employees, third-party users, customers) and machine (applications, infrastructure, bots and workloads) – are the first and last line of defense.

The total number of identities in a typical enterprise is expected to grow by 2.4x in 2023 alone. It’s a demanding job to manage them all while making sure users can securely access resources at the right time, from anywhere, on any device. Out of 2,300 global security decision-makers surveyed, virtually all (99%) say they’ll face an identity-related compromise in the year ahead, stemming from economic-driven cutbacks, geopolitical factors, cloud adoption and hybrid working. Meanwhile, 63% say the highest-sensitivity access for employees, such as IT admins, is not adequately secured today.

Many of these security teams are already understaffed and under-resourced, and nearly one-third of respondents say cybersecurity skills gaps hinder security efforts. As corporate belt-tightening continues, respondents cite growing challenges across six distinct areas of identity security risk:

1. People. Humans are always a security wildcard, and many incidents stem back to user error or intentional misuse. Seventy-four percent of respondents are concerned about confidential information loss stemming from employees, ex-employees and third-party vendors. They point to third parties (partners, consultants and service providers) as the riskiest human identities.

2. Workforce upheaval. Sixty-eight percent of respondents say layoffs and higher levels of employee churn will create new security issues. For example, 58% report instances of exiting users saving sensitive or confidential work documents outside of policy. Every time an employee leaves, the IT team must remove access permissions from the various applications they used. Malicious actors (sometimes former disgruntled employees) count on things slipping through the cracks during manual offboarding processes. One wrongly provisioned, overprivileged or orphaned account is all they need.

3. Machine identities. Due to increasing IT complexity, 62% of security teams operate with limited visibility across their environment. This makes it difficult to understand not only who is accessing sensitive data and assets but also what they are accessing. Last year, we learned machine identities outnumber human ones 45:1. There’s a pressing need to secure them all and secure them fast, yet doing so without impacting users is a tricky balancing act. Forty-two percent of respondents agree that managing and securing both human and machine identity types is equally difficult. This may be why 65% either took steps to protect machine identities last year or plan to do so in the next 12 months.

4. Business systems. When considering which exposed assets could cause the most damage and where they “live,” 42% of respondents say business-critical applications top their list of at-risk systems. Yet more than half of all respondents admit that identities are unmanaged and unprotected in revenue-generating customer-facing applications, enterprise resource planning (ERP), customer relationship management (CRM) and financial management software. This isn’t even the worst-protected environment: only 25% of respondents say sensitive access to bots and robotic process automation (RPA) is secured. Since approaching half of all identities have sensitive access to high-value data or services, often through SaaS applications and automated processes, these findings are particularly concerning.

5. Software development. With a need for speed and flexibility, software developers are often given more access than required – especially in lean times when rapid innovation is key to survival. Perhaps security teams don’t have the bandwidth to handle continuous access requests or developers are applying extra pressure. Regardless, 77% of respondents say developers have too many privileges – making these human identities highly attractive targets. Thirty-eight percent say development is the area where unknown, unmanaged identities create the most risk. Further, 69% say robotic process automation (RPA) and bot deployments are being slowed due to security concerns.

6. Identity security toolsets. Security professionals’ jobs are further complicated by a patchwork of heterogeneous tools from various vendors, creating identity security gaps in some areas and inefficient overlaps in others. Sixty-seven percent of respondents say they currently use tools from up to 40 different identity security vendors. Given the nature of cybersecurity, more enterprises are consolidating their partnerships, and their trust, to a smaller number of long-term vendor partners that can deliver more comprehensive, interoperable solutions that address more of their challenges.

Download The CyberArk 2023 Identity Security Threat Landscape Report

Our latest research also explores the 2023 attack landscape, including industry-specific trends and growing AI angst, and demonstrates the longtail effect of today’s cybersecurity decisions on future success. It shows how forward-looking organizations are prioritizing and tackling key areas of identity risk to amplify security impact.

Download the full report to learn how placing identity at the heart of a Zero Trust cybersecurity approach can help your organization weather the current storm, avoid compounding levels of cyber debt and face the future with confidence.

Clarence Hinton is chief strategy officer, head of corporate development at CyberArk. 

Protecting endpoints is more important than ever, as existing threats like ransomware continue to damage organizations and emerging threats like AI-driven attacks add to the problem.

As attackers find new ways to exploit an organization’s vulnerabilities, IT security teams find themselves under pressure to act quickly, often searching for new tools. However, when security solutions are bolted together hastily, problems arise, such as:

• The solutions are siloed and cannot share data on potential threats and turn insights into action.
• They also cannot apply an effective control for securing one type of identity (privileged user) to another type of identity (standard user).

This is why we advocate for identity security, both as a strategic approach and as a platform, to address gaps that often appear between patchy security technologies. Identity security provides a solid foundation and fuses the once-siloed security components into an integrated platform that’s designed to be impenetrable, multi-layered and identity-first.

For this to be truly successful, it’s important to take a unified approach. You must break down those silos by contextually authenticating all identities and then dynamically authorizing the least amount of privilege required for any change or action in the environment.

In other words, identity security controls are dynamic and adaptive in nature, so they can ensure the right level of access is granted based on risk. Looking at the following graphic, you’ll notice an integrated identity security approach spans six domains: workforce and customer access, endpoint privilege security, privileged access management, secrets management, cloud security and identity management.

In this blog post, I want to zoom in on one of those domains: endpoint privilege security. Let’s explore the role endpoint privilege security plays in an identity security platform, how it differs from endpoint privilege management and what capabilities and controls you should look for in a solution.

What Is Endpoint Privilege Security?

Endpoint privilege security ensures that organizations take control over unmanaged privilege on the endpoints to significantly reduce the area of attack and defend from threats such as ransomware.

It builds upon the existing access control components found in operating systems — accounts, account groups, file and folder permissions and access control lists. Granted, these controls are powerful because they are built into operating systems’ kernels. But they can be hard to manage in complex environments and at scale. (Worth noting, they also come very cheap computationally as they don’t require components such as complex heuristics, pattern extraction and matching algorithms, emulators, behavioral analyzers and such.) By introducing an efficient management layer on top of these mechanisms, endpoint privilege security can deliver foundational, granular and efficient security for any endpoint, a high level of visibility and control and role-specific least privilege.

Look Beyond Labels

Before we dive into the functional breakdown of endpoint privilege security, let’s briefly talk about naming. Within the IT security community – leaders, practitioners, analysts and more – there’s some complexity and confusion around how we name, define and refer to the act of securing endpoints. To be clear, I’m not pointing any fingers! However, it’s important to get the naming right when you’re determining the strategic approaches, controls and solutions needed to defend against threats.

A traditional way of looking at privilege management on the endpoint is to consider it a part of privileged access management (PAM) that is “landed” onto an organization’s endpoints. Through this perspective, many consider managing access to applications – the ability to run them – to be the main functionality. Therefore, this category is traditionally called “privilege elevation and delegation management” (PEDM). But there’s a problem: the word “endpoint” is notably missing from the name. Perhaps this why our industry more often calls these tools “endpoint privilege management” solutions.

I, however, argue that another, even more important word is missing from the fold, and that’s “security.” If you ask me, there’s a big difference between endpoint privilege management and endpoint privilege security.

• Endpoint privilege management helps organizations align to a key security concept – say it with me: “Nobody should work under an administrator account!” – and not lose too much in the process. Here, organizations have taken an important step in reducing risk, but by following up with “management,” the focus shifts to standard users and merely helps automate some IT helpdesk tasks as support tickets begin to flow in from users who’ve lost admin rights. You’ve checked one box on the security checklist but not much more – all while creating additional operational friction and load.
• Endpoint privilege security, on the other hand, requires implementing least privilege to the extreme, while also removing operational friction as much as possible. Least privilege is enforced across the board for standard users, advanced users and administrators alike. And it is role-specific, which means instead of only having minimum restrictions that can allow just about anything to fly under the radar, we can now really push this concept and implement security tailored for each role in a company – and they will love it! Least privilege is absolutely essential to endpoint (and not only endpoint) security because it limits the attacker’s ability to reach endpoints, gain persistence, collect and exfiltrate data, rely on existing tools, tamper with other programs and operating systems, conceal their presence and wipe evidence, tamper with security and deliver impact. This is, of course, a short version – but you can read more in this blog post.

Endpoint privilege security controls not only users’ permissions but those for applications as well, including execution chain, access to specific resources, ability to access files and so on. It also ensures that most critical data can be protected from any and every application, thus securing credentials, hashes, security tokens, passwords, cookies and so on across the operating system credential stores, third-party applications and browsers.

As noted, a litmus test to help tell endpoint privilege management apart from endpoint privilege security centers on a simple question: who is the end user you’re focusing on? If it’s standard (regular) users only, you are looking at endpoint privilege management. But if you’re focusing on every user – standard users and admins alike – that’s endpoint privilege security.

File this under “Why should our industry ever make things easy?” Many solutions in the market, each with their own different functionality sets and maturity levels, have some variation of “endpoint,” “privilege” and “manager” in the name.

But since we could argue that some endpoint providers belong in the “management” category while others belong in “security,” we’ll have to look beyond names. “Security” is different from any other word, as it is not a declaration or simple matter of branding – it’s a commitment. As such, security must traverse every aspect of a solution’s design, implementation, functioning and audit capabilities.

Here are some pointers you might find useful for evaluating endpoint privilege management/security controls and capabilities, keeping in mind how certain design decisions might affect users’ experience and, maybe more importantly, your organization’s security and compliance.

Endpoint Privilege Security – Controls and Functionalities to Look For

In an integrated identity security approach, every domain – from endpoint to cloud – is strengthened by forging bonds with each other’s functionalities and controls. This sounds like a cliché, but synergies do truly emerge thanks to tight integrations between identity security components. One example is a sudden tightening of elevation policies when a user’s actions, environment and location trigger adaptive, continuous authentication, risk threshold logic. The user will be asked to re-authenticate to perform a high-risk action when they wouldn’t normally get that challenge.

This tight integration really reduces operational friction while helping secure users’ environments and locations. Here are four areas of functionality to consider when vetting endpoint privilege security providers, keeping those silo-breaking bonds in mind.

• Functionality traditionally attributed to PAM -> PEDM:
  • Zero Standing Privileges – all elevations happen just in time, according to policy
  • Comprehensive privilege control of child processes
  • Timed administrative sessions (just-in-time)
  • Application and processes discovery and control
  • Conditional privilege control policy elevation
  • Privileged account discovery and removal/demotion
  • Support for break-glass scenarios (offline devices, rollback of system configurations, etc.)
  • Policy and event audit for application events and privileged actions

• Functionality from endpoint protection platforms (EPP):
  • Application execution control (can it launch?)
  • Application access control (what can it interact with — access to resources, such as intranet, internet, memory?)
  • Application privilege control (can it elevate?)
  • Prevention of exploits that abuse the execution chain
  • File threat analysis, leveraging cloud-based reputation services
  • Ransomware protection
  • Ability to automate detection and response actions based on threat level and auto-execution of threat response playbooks

• Functionality from cloud workload protection (CWP):
  • That of EPP (outlined above)
  • API-based control (API-first implementation) for extensive automation
  • Cloud workload hardening
  • Ability to protect virtual machines, particularly persistent and non-persistent virtual desktops
  • Ability to protect Desktop as a Service (DaaS) instances
  • Ability to protect instances in public cloud infrastructures
  • Ability to integrate with the cloud fabric to enable automated procurement, scaling and interoperation with cloud-native services

• Functionality from identity threat detection and response (ITDR):
  • Active defense of user credentials (passwords, password hashes, login-key pairs, sign-in certificates)
  • Active defense of session tokens (browser cookies)
  • Active defense of security and authentication tokens
  • Privilege deception
  • Identity-specific, context-rich event recording

Bringing It All Together: Endpoint Privilege Security

To recap, in today’s threat landscape, it’s essential to do more than manage program elevation on endpoints. Organizations must enforce role-specific least privilege and protect machines with multilayered endpoint privilege security controls centered around identity. In this post, we explored the fundamentals of this critical, but often missing, area and the integral role it plays in a modern cybersecurity program.

Learn more about how CyberArk’s endpoint privilege security solution and its role in an integrated identity security platform help organizations enforce least privilege and protect against threats such as ransomware.

Andrey Pozhogin is a senior product marketing manager at CyberArk. 

Artificial intelligence (AI) is transforming modern society at unprecedented speed. It can do your homework, help you make better investment decisions, turn your selfie into a Renaissance painting or write code on your behalf. While ChatGPT and other generative AI tools can be powerful forces for good, they’ve also unleashed a tsunami of attacker innovation and concerns are mounting quickly. In the last week alone, several government officials and AI leaders have issued warnings about the growing AI threat:

• The Center for AI Safety released this one-sentence statement signed by more than 350 prominent AI figures: “Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war.”
• The head of the U.S. Federal Trade Commission emphasized the need for vigilance, noting that the FTC is already seeing AI used to “turbocharge” fraud and scams.
• A panel of United Nations experts called for “greater transparency, oversight and regulation to address the negative impacts of new and emerging digital tools and online spaces on human rights.”
• The EU urged tech firms to “clearly label” any services with a potential to disseminate AI-generated disinformation.

As part of the broader cybersecurity research community, CyberArk Labs is focused on this evolving threat landscape to better understand what emerging AI attack vectors mean for identity security programs and help shape new defensive innovations.

I presented highlights from our latest threat research at CyberArk IMPACT23 in Boston, including the three attack scenarios highlighted below. As you’ll see, AI is changing the offensive game in several ways, but not all of them. Nearly every attack continues to follow a familiar progression, as outlined in the MITRE ATT&CK Matrix for Enterprise illustrated here, leaning heavily on identity compromise and high-sensitivity access:

A common attack chain following 14 tactics defined by the MITRE ATT&CK Matrix for Enterprise

Offensive AI Scenario 1: Vishing

As a conscientious employee, you’ve become very skeptical of phishing emails and know what to look out for. But imagine you’re sitting at your desk and receive a WhatsApp message from the CEO of your company asking you to transfer money right away. You see his avatar and hear his distinct voice on the message. It’s a little strange since you’ve never communicated with him this way, but you ask him where you should send the funds and he responds immediately with all the necessary details. It must be him, right?

Not so fast. AI text-to-speech models make it easy for attackers to mine publicly available information, such as CEO media interviews, and use it to impersonate company executives, celebrities and even U.S. presidents. By building trust with their target, attackers can obtain access to credentials and other sensitive information. Now imagine how such a vishing campaign could be done at scale using automated, real-time generation of text and text-to-voice models.

Such AI-based deep fakes are already commonplace and can be very difficult to spot. AI experts predict that AI-generated content will eventually be indistinguishable from human-created content – which is troubling for cybersecurity professionals and everyone else.

Offensive AI Scenario 2: Biometric Authentication

Now let’s switch gears from attacks on the ears to attacks on the eyes. Facial recognition is a popular biometric authentication option for accessing devices and infrastructure. It can also be duped by threat actors using generative AI to compromise identities and gain an initial foothold in an environment.

In one remarkable study, threat researchers at Tel Aviv University created a “master face” (or “master key”) that could be used to bypass most facial recognition systems. They used an AI model called GANs – or Generative Adversarial Networks – to iteratively test and optimize a vector image to match facial images housed in a large, open repository. Their research produced a set of nine images that matched more than 60% of the faces in the database, meaning an attacker would have a 60% chance of successfully bypassing facial recognition authentication to compromise an identity.

Our CyberArk Labs team built on this theoretical research to demonstrate how attackers could actually bypass facial recognition authentication. Check it out:

CyberArk Labs demonstrates an attack using generative AI to bypass facial recognition authentication

Generative AI models have been around for years – so why so much buzz right now? In a word, scale. Today’s models can learn at incredible scale. Consider that ChatGPT-2 could digest “just” 3 billion parameters (variables in an AI system whose values are adjusted to establish how input data gets transformed into the desired output). The latest version, GPT-3, can digest 100x more parameters than that. This exponential growth in parameters is directly connected to advances in cloud computing and new, perimeter-less environments that define our digital era. As AI models continue to learn, they’ll continue to get better at creating realistic deep fakes, malware and other risky threats that will change the landscape.

Offensive AI Scenario 3: Polymorphic Malware

Many researchers and developers are experimenting with generative AI to write all kinds of code – including malware. For offensive campaigns, AI can be incredibly effective during the earliest stages of the attack chain, such as reconnaissance, malware development and initial access. However, it is not yet clear that AI TTPs (tactics, techniques and procedures) are useful after an attacker is inside and working to escalate privileges, access credentials and move laterally. These three stages all hinge on identity compromise, underscoring the importance of robust intelligent identity security controls in protecting critical systems and data.

Based on our research, CyberArk Labs sees a new AI-fueled technique that could be categorized under MITRE’s defense evasion stage: polymorphic malware and continue to analyze this area closely.

Offensive AI techniques mapped to the MITRE ATT&CK Matrix for Enterprise

Polymorphic malware mutates its implementation while keeping its original functionality intact. Until recently, malware was defined as “polymorphic” if it changed how it encrypted its various modules (this makes it especially difficult for defenders to identify the malware). After generative AI introduced the possibility of mutating or generating code modules with different implementations, our team quickly began experimenting with ChatGPT to create polymorphic malware. Not because it’s a great way to create code (it’s not), but because it’s so accessible and fun …

We asked ChatGPT to generate an info-stealer – a type of malware that fetches session cookies once it’s executed on disk. You can check out all the code and technical details in our Threat Research blog post, “Chatting Our Way Into Creating a Polymorphic Malware,” but here are our high-level takeaways: ChatGPT is an enthusiastic, yet naïve, developer. It writes code quickly but misses critical details and context. During our experiment, the chatbot created a hard-coded password and tried to use it to decrypt session cookies – a huge security red flag that made us wonder where it learned this risky (and unfortunately, very common) practice.

Ultimately, we found that defense evasion using AI-generated polymorphic malware is viable. For example, an attacker could use ChatGPT to generate (and continuously mutate) information-stealing code for injection. By infecting an endpoint device and targeting identities – locally stored session cookies, in our research – they could impersonate the device user, bypass security defenses and access target systems while staying under the radar. As AI models improve and attackers continue to innovate, automated identity-based attacks like these will become part of malware operations.

Countering Attack Innovation with AI-Powered Defense

We can take away three things from these attack scenarios:

1. AI already has and will continue to impact the threat landscape in many ways – from how security weaknesses are found to how malicious code is developed. It presents threat actors with new opportunities to target identities and even bypass authentication mechanisms. And it won’t take long for AI to hone its skills.
2. Identities remain prime attack targets. Identity compromise continues to be the most effective and efficient way for attackers to move through environments and reach sensitive systems and data.
3. Malware-agnostic defenses are even more critical. Security layers must evolve to not only quarantine malicious activity, but also enforce preventive practices, such as least privilege access or conditional access to local resources (like cookie stores) and network resources (like web applications).

As our AI-focused threat research continues, it’s important to remember that AI is also an incredibly powerful tool for cyber defenders. It will be key to countering change in the threat landscape, improving agility and helping organizations stay one step ahead of attackers. It also represents a promising new chapter where cybersecurity deployments are simpler, highly automated and more impactful. By harnessing AI to optimize security boundaries where they’re needed most – around human and non-human identities – organizations can effectively mitigate threats today and in the future.

Editor’s note: To learn more about the ever-expanding attack surface, attacker techniques and trends in identity-based cyberattacks, join CyberArk on the Impact World Tour in a city near you.

Lavi Lazarovitz is vice president of cyber research at CyberArk Labs.

Organizations tend to fall into two categories: those that have been breached and those that don’t yet realize they’ve been breached.

If you belong to the first group, believe it or not, you’re in luck. Once the breach has been acknowledged, your organization is closer to fixing the problem and overcoming the damage. You can use your existing tools and onboard new ones like systems isolation, multi-factor authentication (MFA) and least privilege on endpoints to start the remediation process as soon as possible.

If you fall into the second group, you’re either not aware of a breach or you might know you don’t have the proper controls in place to mitigate one. For these organizations, it’s time to build an extended identity security program from the foundation of protecting the most privileged accounts and users. Advanced privileged access management (PAM) solutions can significantly reduce the risk of human error when accessing privileged accounts and sensitive environments or data. These tools can help remediate and prevent breaches caused by compromised credentials.

Organizations are increasingly realizing that no one is immune to security breaches. In a recent CyberArk survey, 92% of global organizations indicated identity security is critical for a robust Zero Trust implementation. But how should these organizations tackle the challenge of staying ahead of attackers while always assuming breach and adopting a Zero Trust mindset? Enter breach remediation – a cyclical, never-ending process that, when done properly, helps organizations improve after every incident and can significantly reduce damages and subsequent risks to their environments.

Breach Remediation in Five Steps

There are five steps in the breach remediation cycle:

Step 1: Identify Vulnerabilities

Once your security team discovers an internal breach, it’s time to jump into action. The team must first determine the status of the attack and its origin. It also needs to identify the vulnerability that the intruder used to gain access and track their actions. Popular attack patterns tend to change from time to time, but most frequently, threat actors sink their hooks into someone on the inside who is unaware of the risks of the actions (or inactions) that allowed access to systems and data.

Common examples of these actions include internal employees not using multi-factor authentication (MFA) or endpoint controls, running untrusted applications and sharing credentials.

Step 2: Investigate the Breach in Its Entirety

While it’s critical first to identify the point of attack, you must then dig deeper to better understand the complete picture. This is where an internal incident response team or external advisory should come in. The team reviews the forensic findings and data to track the breach path. Incident responders seek information about compromised controls or identities and exploited vulnerabilities.

Piece together as many details as you can early on with the remediation team to help inform your remediation strategy. Correlating data from systems, accounts and users will allow you to understand the attack and how it affects your organization.

Ask focused questions: What data was exposed? Is the attack still happening?

Step 3: Take Action to Repair the Situation

Once you’ve gathered your facts, you need to decide what action to take immediately. This step is the most challenging part of the breach remediation process, and the correct choice will vary depending on the situation. Just as breaches differ, so do remediation actions.

For example, you may decide to disclose the incident publicly or take down the compromised service – or both. Whatever you decide to do, you must consider any impact the actions will have on your customers and internal users. And you also need to be mindful of the financial consequences of your post-breach actions and how they may affect the extent of the damage to your organization and its reputation.

“During remediation, being informed, having the right tools and understanding how to implement controls is critical, but as importantly, you should always consider the part played by the people in the situation.”—CyberArk Senior Security Consultant Aaron Fletcher

Step 4: Collaborate With a Remediation Team

Now that you’ve decided on a path forward, it’s crucial to collaborate with subject matter experts like a remediation team. They can assist in regaining control of your environment and evaluating the hygiene of your existing identity security tools and policies – and, if needed, onboarding new ones that suit your organization’s needs. Working with an experienced remediation team can help you contain a breach, identify any gaps that attackers may exploit and implement tools like MFA or session isolation. With support from a remediation team, you can eventually eradicate the breach and enforce new, stricter access policies within your environment.

The third benefit of collaborating with a remediation team is recovery. The team can help ensure that the new tools and policies work as planned.

Then, once the risk is contained, it’s time to look back at everything – from understanding what happened that allowed the breach to occur to what your organization could have done better in responding to it. You can better prepare for future incidents when you and your team acknowledge and understand any mistakes and necessary improvements to your response.

Step 5: Prepare for the Next Security Event

Preparing and responding to security threats and breaches is cyclical. You prepare and defend, tackle the incident, learn from it – and then prepare again. And preparation is always the first and the last stage of the cycle. With each new cycle, you learn and work to improve your security posture. After an incident, teams should return to the drawing board to further develop their identity security strategy and PAM program.

And don’t forget your employees. A full post-breach recovery requires considerable effort from your internal teams, and you must set them up to succeed. While onboarding new services is an important first step, coaching and educating your employees is crucial for being perpetually prepared for cyber threats.

Golden Rules for Successful Breach Remediation

Cybersecurity often feels like a numbers game, where professionals focus most on preventing and stopping attacks. But defenses can always be breached – and in today’s threat landscape, that probability is increasing.

When considering your own comprehensive, ongoing breach remediation plan, keep these essentials top of mind:

• Understand the sensitivity of what you’re trying to protect and the privileged access provided to those protected resources. Always be mindful of human involvement in any change in process or implementation of identity security controls, policies or strategies.
• Train and educate your end users. Invest in informing internal teams of upcoming changes and start preparing them as early as possible. You should enable your employees with the right tools and assistance to learn how to protect themselves and your organization while working in secure environments and accessing organizational assets.
• Implement the right identity security tools. Among others, PAM, MFA and endpoint controls at the right time can help increase security significantly and reduce the risk of an attack.

With a solid breach remediation strategy, your organization will be more likely to respond quickly to a breach, limit the damage and rapidly regain control.

Lilach Faerman Koren is a product marketing manager at CyberArk.

Identity security: it’s a battle being waged on three fronts – and a rallying point for global cybersecurity professionals attending CyberArk IMPACT23, the identity security event of the year, held this week in Boston.

While intelligent privilege controls remain the critical foundation for securing access across organizations, today’s challenges have grown more complex thanks to three driving forces:

1.  New identities
2.  New environments
3.  New attack methods

With 84% of organizations experiencing an identity-related breach in the past year, the ability to build business resiliency depends on meeting these three challenges head-on. With this urgency top-of-mind, IMPACT speakers and panelists – including CyberArk customers and partners – explained how to meet those challenges, drawing from their firsthand experiences and diving into identity security trends.

From cutting-edge research on how generative AI can be used to create polymorphic malware to exciting announcements about how CyberArk is securing the most-used application of all – the browser – there were plenty of key insights and exciting real-world examples shared.

Now, with IMPACT just wrapped after a busy three days of energizing keynotes, panels and breakout sessions (plus all those nightly networking gatherings), the following are our initial reflections on some top highlights from the past few days.

New Identities

Distributed workforces, third-party users and the surge of machine identities have led to identity sprawl like we’ve never seen before. Today’s security leaders must protect hundreds of thousands of identities – human and machine – on a daily basis, from external contractors developing applications to robotic process automation bots performing formerly manual tasks.

All of these identities are key contributors to organizations’ cloud and digital initiatives. The trouble is, they often have far more access to sensitive resources than they need. It’s not just the IT admins of the world who need our protection – it’s every identity that comes into contact with an enterprise’s data, infrastructure and environments.

As identities proliferate, our industry must evolve to meet the challenge. CyberArk experts discussed ways security teams can ensure least privilege for every form of identity by leveraging automation, machine learning and controls typically reserved for privileged users, such as enterprise-grade password protection, session protection and just-in-time capabilities.

CyberArk also revealed some significant new innovations from the CyberArk Identity Security Platform that are helping to lead the charge – including automation and artificial intelligence.

New Environments

It’s not just the identities that are getting more complex to manage. As CyberArk CEO Matt Cohen said in his opening keynote, “No longer are we living in the walled garden of the on-prem data center.” In fact, in a recent CyberArk survey, respondents highlighted that they are already using three or more cloud service providers (CSPs).

Not only does the number of environments pose a challenge for security teams – but also the sheer intricacy. In the cloud breakout sessions, our experts highlighted that there are four layers to consider when it comes to cloud security:

• Securing high-risk access to third-party SaaS applications.
• Securing access for lift-and-shift workloads running in virtual machines (VMs).
• Securing access for workloads on cloud infrastructure (IaaS).
• Securing access, controls and experience for CSP services in the cloud.

Our speakers also brought up the balancing act security teams must maintain when it comes to enabling innovation in these new environments. Many of the IMPACT sessions emphasized that security must meet developers where they are, creating a seamless experience that enables the devs to do what they do best while still securing the environments they work in. That means moving beyond simple standing access into more dynamic and ephemeral access policies such as just-in-time access and Zero Standing Privileges.

New Attack Methods

During Tuesday’s keynote session, CyberArk Founder and Executive Chairman Udi Mokady reminded the audience that companies aren’t the only ones innovating. Today’s attackers employ a business innovation mindset and are constantly upping their game. Intermittent encryption and a new attack group’s weaponization of Discord to spread malware were just two examples of the combination of business and attack innovation our CyberArk Labs team is seeing today.

Software supply chain attacks also continue to be a hot topic of discussion. Multiple breakout sessions covered the importance of taking a holistic approach to securing CI/CD pipelines to combat new attacker innovations. Mokady also brought up the specter of what we’ve dubbed a “cascading software supply chain attack,” like what was seen in the 3CX attack, in which attackers gained a foothold in the popular VoIP desktop tool through a user who had been a victim of a software supply chain attack on the now-unmanaged trading platform X_Trader.

VP of Cyber Research and the head of CyberArk Research Labs, Lavi Lazarovitz showed attendees just how sophisticated attackers can get when using generative AI. After demonstrating a spooky deepfake of Mokady and how it could be used in a vishing attack – the voice version of phishing – Lazarovitz emphasized that the distance from creating these types of deepfakes to gaining access to sensitive information or credentials is short. He also touched on how biometric authentication could be hacked using generative AI, referencing chilling research from Tel Aviv University on creating a master key to unlock facial recognition protocols. Finally, he showcased how the CyberArk Labs team was able to use ChatGPT to generate code for a type of malware that attackers could use to harvest valuable credentials and sensitive information.

We also got a glimpse into how attackers innovate and think from the firsthand experiences of Marcus Hutchins, who shared his story of how he made the journey from developing malware as a young hacker to halting the 2017 WannaCry attack. He delivered it from the unique perspective of a former malware author now fighting on the side of cybersecurity defenders. One of his biggest cautions looking at the threat landscape today had to do with how credentials are now often harvested by malware but not immediately used. Instead, they’re sold on again and again, meaning that it could be years before they’re used to break into the target organization.

And that brings us to one of the biggest attack vectors of interest at IMPACT23: cookie or session hijacking. Using this method, attackers gain control of a user’s session and gather important information (like cookies) that can then be used to further penetrate the network. CircleCI and Linus Tech Tips are just two of the most recent breaches tied to session hijacking, but as our CyberArk Labs team has shown, cookies and session IDs can be stolen with ease and are highly valuable to attackers. Across the breakouts, IMPACT speakers illustrated the risks around current browser usage and how easily cookies can be stolen and used to gain access to critical systems. There is an obvious need for a secure browser that can protect cookies and data while still providing a seamless user experience.

New Innovations

As Mokady emphasized in his keynote, a foundational piece of CyberArk’s constitution is to “combat attacker innovation with innovation,” staying one step ahead of these cutting-edge attack methods. Throughout the breakout sessions and keynotes, our experts offered clear strategies on how to mitigate identity-based attacks with the help of CyberArk.

Though there were many new CyberArk capabilities revealed – which we touched on above – the marquee IMPACT23 announcement focused on the new CyberArk Secure Browser. Part of the CyberArk Identity Security Platform, the Chromium-based CyberArk Secure Browser supports enterprise Zero Trust initiatives with integrated security, centralized policy management and productivity tools while delivering a familiar user experience. By extending the CyberArk Identity Security Platform to the browser itself, CyberArk makes it easy for IT teams to tailor security, privacy and productivity controls on managed and unmanaged devices. CyberArk Secure Browser offers cookieless browsing to allow users to access and use web-based resources without exposing cookie files to attackers.

Thank you to all our customers and partners for being with us on this identity security journey, and welcome to those who have joined us this week at IMPACT23 as we continue to work together on all three fronts – because the future of security is identity.

Non-humans are everywhere these days. Sure, you’ve seen the much-deserved hype about how AI-powered tools like ChatGPT are going to change everything. But there are plenty of more mundane non-human entities that you interact with in your daily life: the smart thermostat program that knows to cool down your house at a certain time every day, the application on your phone that suggests directions to a place you’ve searched for, and many others. Non-human identities pervade every aspect of our lives, both personally and professionally.

In fact, machine identities outweigh human identities by a factor of 45 to one, according to CyberArk research. Machine identities like bots in robotic process automation (RPA) workloads and microservices running in the cloud are growing at an exponential pace as more companies transform digitally. They’re automating many formerly mundane tasks and increasing many functions’ operational efficiency. These non-human identities rely on secrets (including passwords, SSH keys and API keys) to access critical resources and do their jobs. And those secrets need to be secured, just as privileged credentials for humans do.

There are likely several areas across your organization that house non-human identities using secrets that need to be managed and secured. Below, we walk through seven types of the most common non-human identities you may find in your organization and some security challenges for each type when it comes to secrets management. Understanding these challenges (and seeing how different they can be for each identity type) is the first step to building a cohesive plan on how to mitigate them.

1. Cloud Environments and Cloud-Native Apps

Many organizations use multiple cloud service providers (CSPs) to maintain pricing control, enable flexibility and avoid cloud vendor lock-in. Each CSP has their own method for storing, accessing and managing secrets. Additionally, cloud-native applications built in these platforms are continually updated using CI/CD processes and often use secrets to communicate with other microservices in the cloud environment to run. The main issue to address when it comes to the cloud is ensuring your security is as flexible and dynamic as the environment your developers are working in.

Security Challenges:

• Developers need to be able to work dynamically and at scale.
• Developers can take shortcuts (i.e., hard coding secrets) or skip over security requirements.
• Compliance roadblocks can be created from not meeting corporate security requirements.
• Underlying DevOps tools and container platforms can lack security.
• Code repositories can accidentally expose secrets and cloud access keys (see the AstraZeneca breach, where access to sensitive patient data was exposed through a credential on GitHub).

2. DevOps Tools, CI/CD Pipelines and the Software Supply Chain

DevOps tools typically require a high level of privileged access to perform their tasks. Thus, CI/CD pipelines and other DevOps tools are known as “Tier Zero” assets, meaning if an attacker gains access to these assets, they can then access more privileged credentials. The software development lifecycle moves fast, and the tools used within it can become a big vulnerability if your DevOps teams aren’t fully aware of necessary security measures.

Security Challenges:

• Security has to shift left to be involved earlier in the development cycle.
• DevOps admins and developers may choose to use built-in secrets management functions, contributing to secrets or vault sprawl.
• Human checks and balances may need to be forced.
• An attacker may be able to escalate access once a tool is compromised (see the CircleCI breach).

3. Automation Tools and Scripts

Automation tools and scripts can be powerful and perform complex IT and other related tasks. But they can also be very simple, such as a basic PowerShell script used infrequently. While these simple scripts may not jump out as being a large vulnerability, these automation tools and scripts often require high levels of privileged access and have been responsible for some high-profile breaches in the past.

Security Challenges:

• Too often scripts use embedded hard-coded credentials and can be posted to repositories.
• Scripts may be overlooked as a security vulnerability because of their simplicity.
• Ease of replicating and infrequent use make scripts hard to track.
• Some automation tools have built-in (native) secrets management capabilities that can lead to secrets sprawl and vault sprawl.
• Attackers can still exploit high-value credentials even if the tool is basic (see the 2022 Uber breach).

4. COTS and ISV Applications

Commercial-off-the-shelf (COTS) and independent software vendor (ISV) applications both require a high level of privileged access to do their jobs. Because these apps aren’t owned by your company, they have some unique security needs that should be addressed, including ensuring that they are integrated with your security tools.

Security Challenges:

• These apps require vendor-developed integrations.
• They are vulnerable to weaknesses in the vendor’s software supply chain and CI/CD processes.
• High levels of access mean there is a high level of exposure if they are compromised by an attacker.
• Personal information stored in business applications could be exposed in a data breach.
• Least privilege and just-in-time access are imperative to reduce risk.

5. Robotic Process Automation (RPA) Workloads

RPA bots help development and operations teams (and other “citizen developers”) automate many formerly mundane tasks, speeding up workflows. But manual credential rotations for these bots do not scale, especially when an organization is using a large number of unattended bots without a human supervisor. The biggest challenge for security teams is the need to ensure that they are enabling RPA velocity while also centrally managing policies to stay compliant and defend against attacks.

Security Challenges:

• Manual rotation and management processes don’t scale.
• Security can be seen as a blocker to deployment or operational efficiency requirements.
• Security wants easy-to-use integrations to minimize security issues and speed up deployment.

6. N-Tier/Static Homegrown Applications

While many of the above applications harness newer digital innovations such as the cloud and automation, most organizations still depend on a variety of internally developed applications. These applications include a variety of traditional environments (such as Java) and operating systems, including Unix/Linux, and because they are hosted on-premises, they can pose some different challenges to the other types of identities.

Security Challenges:

• Credentials are hard coded or locally stored, introducing risk if compromised.
• Automatic rotation is sometimes not possible for the credentials used by these apps.
• Access rights need to be better tailored, as these apps can be over-permissioned.
• They need to easily connect to other systems and applications.

7. Mainframe Applications

Like N-tier applications, applications hosted on mainframes (such as zOS) are still widely used by enterprises for specific use cases. These are the most mission-critical applications an enterprise has, and it’s vital that these applications do not experience outages or have their processes interrupted by security procedures.

Security Challenges:

• Credential rotation can potentially interrupt high-volume transactions.
• Credentials are hard coded or locally stored, introducing risk if compromised.
• High levels of reliability are required.

So How Do You Keep Track of It All?

You can see how overwhelming secrets management can get when you’re working with a large number and variety of non-human identities. Each group has its own nuances and stakeholders that need to be considered when creating security policies. Being aware of all the different identity types in your organization and understanding all the different security needs that must be considered are the first steps to building a cohesive program to manage and secure these identities and the secrets they use.

That’s where centralizing secrets management can help. Our eBook “Key Considerations for Securing Different Types of Non-human Identities” walks you through best practices for securing secrets in each of these categories. It also provides a phased approach on how you can build a more effective secrets management program.

Kristen Bickerstaff is a senior content marketing manager at CyberArk.

Healthcare cyberattacks are increasing in “frequency, severity and sophistication,” said Nitin Natarajan, U.S. Cybersecurity and Infrastructure Security Agency (CISA) deputy director, in his recent HIMSS23 Healthcare Cybersecurity Forum keynote. Attacks on hospitals have surged by 86% since 2021, with the average healthcare organization experiencing two or more ransomware attacks in the past year. “And this is going to continue to increase,” Natarajan warned.

Staying one step ahead of “well-funded” and “capable” adversaries requires vigilance and collaboration – as well as a close look at electronic health record systems (EHRs), the heart of modern healthcare IT. Because EHRs contain electronic medical records (EMRs) – essentially, digitized patient medical charts – EHRs are top targets for healthcare cyberattacks.

Healthcare Transformation, the Electronic Health Record Era and Rising Cybersecurity Risk

Many organizations adopted EHR systems as part of digital transformation pushes to curb inefficiencies and facilitate data sharing. According to HIPPA Journal, 57% of healthcare workers say their job has become more digitized over the past two years. While digitization improves many processes and experiences, it also tends to complicate IT systems. When system A won’t “talk” to system B, clinicians can waste valuable time piecing together patient medical history, medication allergies, comorbidities and more.

Transformation projects can also create security gaps, driving up risk and cybersecurity debt. Security professionals across industries overwhelmingly (79%) agree that security lags behind IT and digital initiative investments, according to the CyberArk 2022 Identity Security Threat Landscape Report. Meanwhile, a 2022 Ponemon Institute study revealed that 89% of healthcare organizations experienced a cyberattack in the past year, negatively impacting patient outcomes for 57% of surveyed organizations.

The same CyberArk report identified privilege escalation as the number one attack vector of risk for healthcare organizations. By stealing credentials via phishing, social engineering or other techniques, threat actors can compromise or abuse identities, assess a healthcare IT environment and escalate privileges to reach their goal: stealing EMRs or holding them for ransom. According to the U.S. Department of Health and Human Services, protected health information (PHI) found within EMRs gives criminals more details than any other record, making healthcare data the most valuable on the dark web.

Simplifying EHR Authentication Workflows to Improve Healthcare Outcomes

On the flip side, for defenders, healthcare data confidentiality, integrity and availability are more important than ever. To achieve these goals, multi-factor authentication (MFA) is a crucial security layer.

Most healthcare organizations already have a two- or multi-factor authentication method in place due to regulatory compliance requirements. For example, U.S.-based clinicians must go through MFA before prescribing or approving prescriptions for opioids and other controlled substances. Yet not all MFA is created equal, and many organizations use insecure methods that put EHR systems and patient data at risk. A newly released HIMSS Cybersecurity Study reveals that 57.23% of healthcare organizations still use basic usernames and passwords and 58.49% use traditional SMS-based authentication (notorious for facilitating SIM-swapping attacks), while just 9.43% use phishing-resistant (or passwordless) MFA factors, such as a FIDO, QR codes, biometrics or physical tokens.

HIMSS survey authors call for more robust authentication measures, writing, “Healthcare needs to adopt passwordless multi-factor authentication as too many compromises happen nowadays involving passwords with as many as 921 passwords compromised each second.”

Security isn’t the only factor in play. Usability is just as important for hard-working healthcare workers. Constantly re-authenticating into EHR systems to access patients’ EMRs, enter health information and complete prescriptions is not only time-consuming, it’s distracting. In fact, many clinicians report negative EHR-related experiences. According to a recent Annals of Family Medicine study, 79% of clinicians say they maintain less eye contact when using an EHR system, 53% say they listen less carefully and 62% say EHR use makes patient visits less personal. Back-to-back patient visits leave clinicians little time for follow-up, yet many can’t securely access patient records outside the hospital network or from outside devices.

Also of particular interest, the same study found that most patients view EHR systems positively (91%). This suggests that many EHR challenges could be solved by making clinicians’ lives easier — for instance, by giving clinicians access to everything they need within an EHR with single sign-on (SSO). U.S. Surgeon General Vivek Murthy agrees. In a recent advisory, he urged organizations to “optimize technology to increase time spent between health workers and patients.” He outlined specific examples such as “simplifying EHR-based workflows and addressing patient and health worker usability issues with virtual care.”

Healthcare professionals shoulder an enormous burden. Suffering from severe workforce shortages and burnout, they are leaving the industry in droves. The World Health Organization estimates a global shortfall of 10 million health workers by 2030. Lightening clinicians’ workloads in every way possible is imperative. Our health — and the future of our healthcare systems — depends on it.

Lee Godby is a director of business development at CyberArk.

The need for strong identity security protocols for humans has been a given for years. Your organization likely has multiple layers of controls to ensure that access to sensitive assets is limited to those that need it. But a certain large, global (well…multi-global) organization that comes to mind on this May the Fourth also had layers of human identity controls that adhered to the principles of least privilege.

And yet a small, scrappy group of attackers exploited their security protocols, exfiltrated their most sensitive data and destroyed the empire – er, organization – from within its own network. How did this happen?

Machine identity security is just as crucial, if not more so, to organizations defending against the rise of identity-based cyberattacks. After all, machine identities now outweigh human ones in your average organization by a factor of 45x, according to CyberArk research. So how do you make sure those are secure too? Let’s take a look at what happened to this fictitious organization – we’ll call them Empire Inc.

Human Identity Security Is All Well and Good…

Like many organizations, Empire Inc. had multiple layers of human identity security controls, some of which were built into their…employees’ uniforms.

The first were something that Empire Inc. called “code cylinders,” but you could think of them similar to privileged account credentials. Some employees, those who required lower privileged access, only had one, while those higher up in the organization could have access to several. These credentials uniquely identified each user with their personal security code and clearance level, providing authentication. Each sector of the organization also required a different code cylinder, ensuring there was a separation of duties that prevented potential conflicts of interest or fraud by reducing the damage any one individual could do beyond their job scope. Finally, these credentials provided session monitoring and a detailed audit trail of each user’s activity, including real-time reporting of suspicious behavior and unnecessary access to sensitive files and resources.

Rank insignia plaques also signified each employee’s role, enabling Empire Inc. to provide granular access control and authorization based on the user’s role, known as role-based access controls (RBAC).

All of these security measures did a great job of enforcing the principle of least privilege when it came to the human employees of Empire Inc.

But You Can’t Forget Your Non-human Identities

Empire Inc. made one big mistake, however. While they had an iron-fisted grip on human identity and access control, they completely forgot about the machines that also had access to their environments and systems. And even when they did acknowledge their machine identities, they wrongly assumed that the droids couldn’t cause any real harm to such a large organization.

Early on in the attack — which spanned several months as the threat actors diligently worked their way through Empire Inc.’s layers of security — one machine gained highly privileged access and was allowed to exfiltrate sensitive data that it had stolen to pass it along to its human allies. The security controls spotted the exfiltration but shockingly let the machine — we’ll call him “ArrToo” — go as they didn’t detect any “lifeforms” involved. By not applying the same strict controls it had for human employees when it came to granting access and auditing user activity, Empire Inc. left a giant hole in its security defense.

From there, the attackers continued to exploit Empire Inc.’s ignorance of the power machine identities could wield. Because of Empire Inc.’s lack of proper authentication protocols for machine identities (which they had for humans), ArrToo was able to gain access to every environment within the organization, as well as all of the resources within it, without an authorization check catching him. Locks were meaningless to ArrToo, who bypassed them with ease and exfiltrated additional data from Empire Inc. Eventually, ArrToo’s activities, unmonitored by the security team at Empire Inc., allowed its human allies to launch a successful attack against Empire Inc. and bring down their entire network.

Zero Trust: Adopt an “Assume Breach” Mindset

Let’s try and give Empire Inc. the benefit of the doubt. Perhaps they knew a rogue machine like ArrToo would be able to bypass much of their security controls, hence why they refused to allow machines access to many places in their organization. Their focus was mainly on keeping threat actors from breaching their perimeter. The problem with this approach, however, is that it allowed the attackers to turn a small breach into a much larger disaster.

Instead, faced with constant cybersecurity threats, enterprises need to focus on what they can control to mitigate their risk and potential exposure. Because there is no longer a well-defined IT perimeter, the threat landscape is now asymmetric, making a Zero Trust security mindset essential. Protecting non-human identities and the secrets that they have access to — which can grant them high levels of privileged access to multiple sensitive resources — is critical to defending against the next attack. Organizations need to assume that they’ve already been breached and build layers of security to ensure both human and non-human identities have the right amount of access.

Security teams need to holistically manage access across the entire enterprise without silos or blind spots, with the ability to automatically rotate credentials as needed. A centralized secrets management system is the best option for authenticating, authorizing and auditing non-human access because it allows organizations to fully understand who has access to what and to automatically rotate or revoke access as needed.

To learn more about how secrets management can help secure non-human identities (and for some more fun discussion on Empire Inc. and the scrappy attackers that brought them down), join me for our webinar, “Are These The Droids You’re Looking For – Bringing Balance to Application Identities.”

And May the Fourth be with you!

John Walsh is a senior product marketing manager at CyberArk.

The people closest to your business can sometimes cause the most damage. Yet while top-secret data leaks are headline news today, most insider threats are well-intentioned people who just screw up.

Humans: The Weakest Cybersecurity Link

The number of identities with access to sensitive data in your organization keeps growing, and increasingly, threat actors can count on two things. First, that someone with sensitive access will do something they shouldn’t, such as a business user who accidentally clicks on a link in a phishing email, a third-party contractor who falls for an MFA fatigue attack, a developer who hard codes credentials to save time or an IT admin who exposes troves of sensitive information after misconfiguring a cloud account. And second, that their victim’s organization isn’t equipped to stop or fix every snafu, every time.

According to Gartner^®, Inc. estimates, lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025.¹

To Address Insider Identity Risks, Ask These Six Questions

As your organization looks inward, our CyberArk team recommends asking these six questions to help assess insider risks and ways to manage them better.

• What assets matter most, and where do they live? As your IT infrastructure grows more extensive and complex, users work from everywhere, storing and accessing data in web applications, internal files, databases and services hosted on-premises and in the public cloud. You can’t effectively isolate and stop threats from reaching your company’s “crown jewels” without a clear understanding of what you need to protect and where these assets are stored.
• Can we see how users are handling sensitive data? Based on CyberArk research, about 52% of the workforce identities in your company can access sensitive data. Yet like 48% of organizations today, you may have limited resources, visibility and control over how users are handling valuable and confidential assets. A consistent way to record, audit and protect end-user activity – particularly in web app and privileged sessions – is critical to quickly uncovering and mitigating insider threats.
• Are we analyzing behavior to make more intelligent access decisions? According to Gartner, “A focused insider risk management program should proactively and predictively identify behaviors that may result in the potential exfiltration of corporate assets or other damaging actions and provide corrective guidance, not punishment.” ²Many security and compliance teams use AI to help contextualize user behavior data (for example, login date/time, device, location and privileged account use) and establish baselines for users across their access to web apps, resources and privileged accounts. This practice makes detecting risky behavior easier and gauging the likelihood of identity compromise – while enabling workers to operate without unnecessary disruption.
• Are there ways we can improve the insider experience? University College London research suggests that the amount of effort required to do something influences what we think we see. In other words, people are likely to perceive challenging tasks – like repeated authentication prompts to access resources they regularly use – to be less appealing. And when the going gets tough, people take shortcuts and drive up insider risks. For some, this means storing files in Dropbox, sending information via personal email, sharing passwords or installing rogue applications – actions that may seem harmless, but can unintentionally put data and systems at risk.A 2022 Gartner survey found that 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months, while 74% said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.³

  In CyberArk’s view, effective Identity Security anticipates and removes barriers, making it easy for people to do the right thing.

• How do we bridge the cybersecurity expectation-reality gap? Overall awareness is up, and most people recognize that cybersecurity is everyone’s job, which is great and true. But that isn’t a defensible defense. Even if just 2.9% of employees click on phishing links (as the latest Verizon DBIR found), attackers still have plenty of opportunities to steal credentials and compromise identities. A Zero Trust philosophy assumes that humans will make mistakes. Instead of expecting that to change, it accounts for errors and how to minimize damage by promoting continuous authentication and authorization for all identities – human and machine – along with secure, least privilege access that’s granted just in time.
• Are we tackling identity-based threats holistically? Organizations often use separate products to manage access for workforce and privileged identities, which require separate user and resource management and identity-related risk assessment. But without unified threat detection, a centralized source of data and standardized risk analysis and remediation policies, teams are more likely to miss, mishandle or respond too slowly to threats from both inside and outside.

You’ll need to gain stakeholder support to formalize insider threat protection as part of a broader Identity Security program. Convincing IT admins and other highly privileged users – who may initially resist scrutiny or change – is crucial. Another critical group to win over is leadership. Referencing current insider threat headlines can help frame the issue and drive a sense of urgency, while meaningful metrics are a must.

Because insider threats could be you, me or anyone else linked to an organization, intelligent privilege controls that were once designed for the most privileged user must now extend to every identity – enhancing visibility, detection and response, while maintaining the critical balance between security and usability.

1, 2, 3 – Gartner Press Release, “Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025,” February 22, 2023. https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

In recent years, several major cyberattacks targeted critical infrastructure in Australia, including a major telecommunication company, which suffered a devastating data breach in September 2022. Soon after this cyberattack, Australia’s biggest health insurer also faced a ransomware attack in October 2022 that caused systems to go down. Customers could not access services through the company’s website or app.

These cyberattacks severely disrupted these organizations’ operational rhythms and required extra resources to manage the fallout.

They also occurred on a global stage featuring rising geopolitical tensions and increased interconnectivity of individual countries’ critical infrastructures. Escalating threats and cyberattacks on critical infrastructure are now more than ever a collective, global issue.

In the wake of last year’s major breaches, the Australian government is pursuing a new cybersecurity agenda. While these were far from the first attacks on Australia’s critical infrastructure systems, they emphasized the growing threat. Governments worldwide sprang into action to strengthen critical infrastructure resilience and information sharing – with Australia notably taking several significant steps designed to fortify its own critical infrastructure.

Australia’s Steps to Strengthen Critical Infrastructure

In response to the major security breaches that unfolded in 2022, the Australian government has pushed for critical infrastructure reforms in 2023. As part of this effort, Australia’s Home Affairs Minister Clare O’Neil stated the government will set up a new national office for cybersecurity within Home Affairs and begin consulting on a new seven-year cybersecurity strategy.

One of the recent outputs of Australia’s concerted effort to fortify its critical infrastructure is its 2023 Critical Infrastructure Resilience Strategy (the Strategy), which defines critical infrastructure (CI) as, “… those physical facilities, supply chains, information technologies and communication networks, which impact the social or economic well-being of the nation or affect Australia’s ability to conduct national defense and ensure national security.” This definition expands the scope of previously established critical infrastructure sectors.

Australia’s critical infrastructure now consists of 11 defined sectors:

• Communications
• Financial services and markets
• Data storage or processing
• Defense industry
• Higher education and research
• Energy
• Food and grocery
• Healthcare and medical
• Space technology
• Transport
• Water and sewerage

The scope of what’s officially considered to be critical infrastructure varies from country to country. Examples of the most critical assets to protect, however, typically include data assets, such as healthcare medical records or defense department classified materials – along with physical assets, such as energy control systems and water treatment facilities. All critical sectors rely on computerized operating technology (OT) to function, which is converging with IT and exposing critical industrial control system (ICS) endpoints and other assets to aggressive threats like ransomware.

Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act) creates a framework for the regulation and protection of critical infrastructure sectors. As part of Australia’s Cyber Security Strategy 2020, the Australian government updated the SOCI Act and introduced critical infrastructure law reforms with the aim to further protect and improve the resilience of the country’s critical infrastructure. More than 18 months after its original announcement, the full package of reforms to the SOCI Act has been implemented with important implications for critical infrastructure sectors in Australia.

Australia is one of many governments and industry regulators around the world that have recently enacted cybersecurity mandates and guidelines to protect critical infrastructure. Meanwhile, the updated SOCI Act became effective on Feb. 17, 2023. The act mandates that infrastructure entities must take steps to adopt the critical infrastructure risk management program (CIRMP), by Aug. 17, 2023. These entities must also comply with ISO 27001, or an equivalent of a NIST standard by Aug. 18, 2024.

Here is a closer look at the key cybersecurity implementations that the Australian critical infrastructure community will be making in 2023:

1. Strengthening the government’s own cybersecurity infrastructure by updating and modernizing the systems and technologies used to protect sensitive data and networks, as well as increasing the number of trained cybersecurity professionals within the government.
2. Implementing new regulations and standards for businesses to improve their cybersecurity posture to protect their data and reduce the risk of cyberattacks.
3. Developing national cybersecurity to foster clear communication and cooperation between different agencies, which is vital in the fast-moving world of cybersecurity.
4. Improving the cybersecurity of critical infrastructure by working with businesses and organizations that operate critical infrastructure systems, such as power grids and transportation systems, to ensure they are properly secured is a central focus of 2023.
5. Cooperating internationally to address cybersecurity challenges in building strong partnerships with other countries in this area.
6. Recognizing the need for a greater focus on cybersecurity literacy and training in 2023.

Australia’s Expanding Attack Surface

Australia’s efforts come at a critical moment. According to the Australian Cyber Security Centre (ACSC), many of the cyber incidents reported between July 2021 and June 2022 were associated with Australia’s critical infrastructure or essential services. In the 2021–22 financial year, 95 cyber incidents (approximately 8% of all cyber incidents the ACSC responded to) affected critical infrastructure. Since the implementation of amendments to the SOCI Act in April 2022, the ACSC has notified multiple critical infrastructure entities of cyber incidents and vulnerabilities on their networks.

At the same time, a confluence of technology trends continues to expand the threat landscape, opening new avenues for critical infrastructure attackers to steal information, disrupt systems and, increasingly, threaten human safety:

IT/OT network convergence. To reduce expenses, simplify operations and support industrial internet of things (IIoT) initiatives, many IT and OT networks are converging. However, this eliminates the “air gap” that once separated these two environments, providing a pathway for external threat actors to gain access to industrial control systems.

Push to standards-based OT. Industrial control systems were once based on proprietary hardware and special-purpose software. In the current shift toward standards-based OT, many systems run on Linux-based commodity servers and leverage commercial-off-the-shelf (COTS) software, making them vulnerable to software supply chain attacks.

Widespread cloud adoption. Critical infrastructure operators are adopting Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solutions to accelerate the pace of innovation, streamline operations and support IoT programs like Smart Grid, Smart City and Smart Transportation systems. While essential to digital transformation, these cloud services also provide new ways for adversaries to penetrate systems.

Critical Infrastructure Cybersecurity Regulations

Governments and industry regulators have already enacted cybersecurity mandates and guidelines to protect critical infrastructure against cyberattacks.

Identity Security is an essential requirement for most of these regulations. Identity Security helps critical infrastructure operators defend against cyberattacks, drives operational efficiencies, satisfies regulatory requirements and provides evidence of compliance. To fulfill these requirements, critical infrastructure operators might need to:

• Implement foundational controls to safeguard privileged access.
• Monitor privileged access activity and promptly notify authorities of a security breach.
• Demonstrate evidence of compliance to auditors on a regular basis.

Prioritizing Identity Security to Help Fortify Critical Infrastructure

Cybersecurity mandates and guidelines to protect critical infrastructure are becoming increasingly widespread. Many of these are grounded in a Zero Trust cybersecurity model, which assumes that all digital identities – human or machine – are implicitly untrusted and must be authenticated and authorized regardless of their network or location.

A Zero Trust approach protects modern operating environments by assuming all identities are implicitly untrusted and must be authenticated and authorized regardless of their network or location. Unlike a traditional perimeter-based security model, a Zero Trust architecture:

• Protects cloud-based IT and OT systems as well as on-premises IT and OT systems.
• Defends against inside threats as well as external threats.
• Provides inherent security for remote workers and mobile users.

Unlike a traditional perimeter-based security model, a Zero Trust architecture centers on identity – and requires a comprehensive Identity Security solution and strategy to encompass cloud-based IT and OT systems as well as those on-premises; to defend against internal and external threats; and to provide inherent security for remote workers and mobile users.

Identity Security offers a robust set of unified access controls to enable Zero Trust. Given the transformational characteristics of critical infrastructure, Identity Security is the modern security paradigm shift that helps to protect it efficiently and effectively.

In establishing an Identity Security approach, critical infrastructure operators can apply more stringent controls by tracking identities and enabling security controls to be seamlessly applied, based on risk in real time.

If you’re looking for tips on assessing your organization’s current strategy and tackling identity-related risk, check out the CyberArk Blueprint for Identity Security Success, a vendor-agnostic framework for defining a roadmap for Identity Security success.

Thomas Fikentscher is CyberArk’s Regional Director for Australia and New Zealand.

Twitter’s recent decision to turn off SMS two-factor authentication (2FA) for non-Twitter Blue users created a stir. While media and tech pundits questioned the company’s motives, many users complained of losing a universal security measure behind a paywall. But all reasons and transition hiccups aside, “the residual benefit here is that it provides an opportunity to improve the security of Twitter’s userbase by migrating them to a more secure method of multi-factor authentication (MFA),” says CyberArk Labs offensive cybersecurity research evangelist Andy Thompson.

I asked Thompson to break down major SMS authentication risks and why more organizations will likely follow in Twitter’s footsteps. Here’s what he had to say.

An “Any 2FA Method Is Better Than None” Philosophy Won’t Protect Your Data

As consumers, we have plenty of opportunities to switch on SMS 2FA (which requires both a password and code sent by text to our phones) to help protect banking, social media, email and other online accounts. “Using any kind of MFA method is arguably better than using a password alone when it comes to personal use,” Thompson says. “But that doesn’t mean SMS authentication can adequately protect your data, and it certainly isn’t workable for complex enterprises that need to secure access for employees, vendors, partners and clients.”

In fact, SMS is one of the least secure MFA methods out there today. “Thanks to SMS 2FA, virtually every organization has been hit with a subscriber identity module (SIM) swapping attack at one point or another,” he says.

SIM Swapping Is Alive and Well

In a typical SIM swap, a threat actor obtains a victim’s personal data using phishing techniques, then uses this information to convince a mobile carrier to switch the number associated with a SIM card to another unauthorized device. Criminals often employ social engineering to do this, though rogue insiders are sometimes convinced to help. After this “swap,” all calls and texts to the victim’s number are re-routed to the attacker’s phone. By sending a “forgot password” or account recovery request for any account linked to the phone number, the attacker can obtain an SMS 2FA code, then use it to log in, change the password and control the account.

SIM swapping has been around forever. In 2019, former Twitter CEO Jack Dorsey’s own Twitter account was hijacked via SIM swapping. The following year, a SIM-swapping gang stole more than $100 million by targeting celebrities and online influencers. In 2022, the U.S. Federal Bureau of Investigations (FBI) issued its own warning, citing a record number of SIM-swapping complaints to its Internet Crime Complaint Center (IC3).

SMS Authentication Isn’t Cost-effective or Easy to Use

Though organizations from the National Institute of Standards and Technology (NIST) to Google have warned against using SMS 2FA for years, it remains a popular authentication method. “This doesn’t make much sense when you stop and think about it,” Thompson says. “From an end user perspective, SMS authentication is pretty clunky and inconvenient.”

It’s also expensive. Twitter reportedly spent $60 million a year combatting SMS texts from fake bot accounts. What’s more, companies are typically charged a fee for every SMS code that’s sent. This can add up quickly. “While I can’t speak for the company, these seem like reasons enough to drop this MFA option for free users. If you want Twitter to continue to support the backend of an insecure feature, you gotta pay for it,” Thompson says.

There’s also the potential cost of a breach to consider. Since it takes two to SIM swap (meaning an individual and a mobile carrier get scammed), who’s ultimately responsible for the damage? Thompson points to a notable legal case involving $24 million in stolen bitcoin. This month, a California judge ruled that the telecom provider was not liable for punitive damages. “Identity-based threats are evolving rapidly,” says Thompson. “This case further underscores the need for organizations to rethink their legacy MFA approaches and adopt modern alternatives that are built to outpace attackers and protect critical assets.”

Organizations Need More Adaptive Ways to Verify Identities Based on Levels of Access, Privilege and Risk

So where can organizations go from here? What can be done, for instance, when a threat actor has an employee’s login credentials and a clone of their mobile device? “This is where phishing-resistant secondary authentication factors such as a FIDO, QR codes, biometrics or physical tokens can make a big difference in thwarting attacks,” Thompson says. However, no MFA method is failsafe. He adds, “MFA fatigue attacks and other elaborate phishing schemes look for ways to bypass MFA of all kinds. And in these cases, the additional ability to analyze user behavior is critical for making smart, real-time access decisions.”

Unlike SMS 2FA, an adaptive MFA solution can learn from a user’s history of access habits, which enables it to discern typical behavior from risky activity. This allows the solution to ramp up or streamline authentication challenges based on real-time insights. The flexibility of this adaptive form of MFA provides a balance that takes care of job number one: protection. But it also prevents enhanced security measures from negatively impacting user experience.

“MFA has come a long way,” Thompson says. Putting forth a bottom line, he adds, “Let’s hope Twitter’s decision to retire SMS authentication inspires others to take this important step toward a safer, more secure digital future.”

David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.

For more insights from Andy Thompson, check out his CyberArk Trust Issues podcast dive into the latest developments in the world of ransomware.

There’s a scene in the original “Matrix” movie when Neo is sitting in the grimy kitchen with the rest of the crew and eating gray, runny slop. No matter what new version of gray slop they eat, they always seem to think that it tastes like chicken.

When confronted with something new, it’s a natural human trait to relate it back to something we already know. I’ve had friends who have grown up exclusively with Western cuisine try tofu and described it as tasting like chicken. If you were to ask my grandmother, who was born and raised in China, what tofu tasted like, she would probably give you a quizzical look and simply state that tofu tastes like tofu.

The problem with this tendency to compare something new to something we’re familiar with (like chicken) is that it can cause us to make a lot of false assumptions – for instance, you might assume tofu is animal-based rather than plant-based.

When we think about cloud Identity Security, we have to work hard to put aside our natural human tendency to instantly equate it with something we already know, or we could end up working off of those false assumptions. In the case of Identity Security, security teams may at first consider cloud to “taste like” the on-premises infrastructure that they’re used to. But cloud infrastructure is entirely different (think back to plant-based tofu versus animal-based chicken), and we must think about the cloud for what it is versus try to fit it in a box from our previous experience in order to design proper security controls. Otherwise, those false assumptions could lead to flawed security architectures and increase the risk of potential cyberattacks.

So let’s take a look at what cloud security is, instead of trying to relate it back to what has been done for on-premises infrastructure. Along the way, we’ll consider the two types of identities – human and non-human – since they each have vastly different access requirements.

The Great Identities Divide: Humans and Non-humans

Human identities (employees, vendors and maybe even customers) are relatively stable and well-known. Human scalability is limited; after all, there’s a limit to how fast a person can type or click. However, human access use cases vary greatly by role and circumstance. For instance, under normal circumstances, a developer may not be allowed access into a production environment, but if there’s an outage, the access level may be elevated to “read all/write all” to allow them to quickly traverse the entire environment to diagnose and resolve the issue. Human individuals can also assume different access roles for various reasons – an individual covering for a teammate out on paternity leave or transferring to another department or receiving a promotion.

Non-human identities (services, microservices or machine identities) are in many ways the polar opposite. Service containers and virtual machines (VMs) are highly dynamic and ephemeral through autoscaling. Service scalability can vary from thousands to extremes of millions of transactions per second. However, non-human service behaviors and access are highly programmatic and predictable. Services never have to cover for another service that has a family emergency, and, during an outage, the human’s task is to diagnose why some service or set of services isn’t behaving exactly like it’s supposed to.

These and many other differences drive us to think about securing the identity of human and non-human access very differently.

Human Cloud Access Considerations

The bottom box of the image below shows the three layers of a cloud environment that are within the control of an organization. The top box depicts SaaS applications in someone else’s cloud that are outside the organization’s control.

• IN the cloud depicts all the native services that are provided by the cloud service providers (CSPs). Each of the three major CSPs now have hundreds of services and provide granular native controls to each of those services. However, users have standing (always-on) access and entitlements, which creates exposure to a range of security issues. Companies with multi-cloud environments have compounded issues as they are managing access in multiple CSPs.
• ON the cloud depicts workloads that organizations build and deploy on top of the CSP’s cloud. All CSPs preach a shared security model which puts the onus of securing workloads ON the cloud on the organization. These workloads could be wholly contained as a single service running in a container or an entire legacy application in a VM. These workloads take advantage of one of the core values of the cloud: elastic compute, which auto-scales fleets of instances up and down based on demand. However, this creates a problem for anyone who wants to peek inside a VM at any given moment to diagnose an issue because it’s impossible to laboriously register every ephemeral VM that comes and goes with a fixed access control list.
• IN the VM ON the cloud describes a possible third layer that could range from a light Java app to a heavyweight legacy independent software vendor (ISV) application. Each of these workloads, of course, has its own security model.

Lastly, every organization uses SaaS applications, whether it be a business application or a technical application. The SaaS vendors each have their own security access method outside the control of the organization. However, the organization still has the need to monitor the activities of the admin for those SaaS apps in case of malicious activity.

Non-human Cloud Access Considerations

Non-human identities, on the other hand, typically use secrets to communicate to each other and to access critical resources. Secrets are credentials like passwords, API keys, SSH keys and the like. There are two sides of the coin when it comes to managing secrets in the cloud for non-human access.

On one side, organizations have to manage the secret itself. This means managing the myriad types of secrets (token, public/private keys, certificates and more) as well as industry or internal rules such as rotation intervals in order to stay in compliance. However, doing this in the cloud in a consistent manner becomes complicated in a multi-cloud environment and with the reality of open-source vaults.

On the other side of the coin, organizations must control access to the secrets, since these secrets are used by each target system to govern how each of the disparate systems talk to one another. A mishmash of control points spread out across each system is clearly inefficient and cumbersome. It’s obvious that a central hub to control access to the secrets is the most logical solution.

Secure Access to the Layers of the Cloud

Securing access to the cloud is challenging. As you build cloud security controls, make sure you don’t fall into the trap of equating it to on-premises infrastructure; remember, tofu tastes like tofu. Instead, consider a robust cloud Identity Security program that accounts for all of these layers of infrastructure independent of an on-premises mental model. A holistic pragmatic approach to improve cloud security will help both digital-native businesses and enterprises lifting and shifting legacy workloads secure access to the cloud for humans and non-humans.

To learn more about how you can take a phased approach to build a pragmatic cloud Identity Security program, check out my next piece, “Why Cloud Identity Security Seems So Hard.”

Charles Chu is the general manager of Cloud Security at CyberArk.

When I wrote my first applications in high school, coding was a lot more time-consuming. I didn’t have libraries I could shop through with ready-made bits of code to drop in to save myself time or bridge the gap between the pieces of code I could write to create something more complex. Instead, I had to write everything from scratch. If I wanted to include any kind of image, I would have to draw it with mathematical coordinates, which took a ton of time. It’s almost like programming via Etch-a-Sketch. A friend of mine who spent hours creating a video game for a school project could only use stick figures, but our teacher thought the end product didn’t look very appealing, not realizing how much time and effort creating those stick figures took.

As I’ve moved forward in my career, other developers and I have been able to write more complex applications. Part of that was due to our growing expertise as we learned more. But part of that has also been thanks to the new technology that’s sprung up in the intervening years to make it easier to code faster and build more advanced applications than ever before. And now we’ve got the newest piece of technology here to help: ChatGPT and other AI-powered tools that can write simple blocks of code for developers, in whatever programming language they need.

But as these new tools are used more frequently and at a larger scale, there are important cybersecurity implications. Developers will need to be educated about cybersecurity best practices to ensure that the code produced by these AI-powered tools is secure and not accidentally introducing vulnerabilities. Instead of taking work away from developers, tools like ChatGPT will require them to learn new skillsets when it comes to cybersecurity – because at the end of the day, the human is the one accountable for the code, no matter what machine produces it.

The Evolution of Technology for Application Development

One of the things I love most about software development is that it’s in a constant state of evolution. As a developer, you’re always looking for ways to be more efficient and not write the same code twice – the old mantra of “don’t repeat yourself.” Humans have always tried to find ways to automate mundane, repeatable tasks. Just think of what solutions like TurboTax have done for tax season – just plug in a few pieces of data and boom, your taxes are done. From a developer’s perspective, when we’re able to take out that repetitive lower-level coding work, we can build better, more complex applications.

AI bots like ChatGPT aren’t the first piece of technology that has helped us do that. Instead, they’re merely the next step in the evolution of app development, building off what’s come before.

“Instead of taking work away from developers, tools like ChatGPT will require them to learn new skillsets when it comes to cybersecurity – because at the end of the day, the human is the one accountable for the code, no matter what machine produces it.”

One of the first experiences I had with a tool that helped make my coding life easier so I could focus on higher-level tasks was WYSIWYG (“what you see is what you get,” pronounced “wiz-ee-wig”), which I started using as a developer at IBM. WYSIWYG is a type of low-code/no-code software that allows you to create and edit elements that you need while showing them to you in their final form. For instance, say I need a button for my app. Think about that high school example, where I had to map images out with mathematical coordinates. With a WYSIWYG tool, I can instead create the button in its final form and then tweak as I need to in the tool, resizing it or adding text. Meanwhile, in the background, it creates lines of code that I can then drop into whatever application I’m working on, but in the tool itself, I just see the button. What you see is what you get. You can see how a tool like that would make things easier for app developers. I could spend less time coding buttons and more time on advanced functionality.

Another step in the evolution of coding technology is something called object-oriented programming (OOP). With OOP, people write basic modules of an application (“objects”) that contain data and code. Then as a developer, I can pull multiple pre-written objects together to create my own application. This saves developers time from having to write the same thing over and over again. Instead, you can grab the right objects as you need them, drop them in and move on.

ChatGPT: No More Googling Required?

Before AI-powered tools like ChatGPT, if I were looking for how to write some code in a certain language to perform a particular task, I’d head to Google. There, I’d usually find numerous answers from forums like Stack Overflow, which I’d sift through. There might be multiple answers from different sources that I’d have to compare until I landed on the one I wanted to use.

But as you can see in the image below, with ChatGPT, I don’t have to sift through multiple answers. Instead, I specify the programming language I’m working in and what I need the code to do, and it will serve me up what it believes to be the best answer. You can see how this saves time for developers. ChatGPT can write the code out faster than humans can type, which means less code for you, the developer, to write. By saving you from the mundane “boilerplate” type of development work, ChatGPT frees up developers to focus on higher-level concepts. The result? More advanced apps and faster development cycles.

There’s Always a Catch

Notice how I said ChatGPT serves up what it believes to be the best answer? Therein lies the catch for using an AI tool, and it’s the same challenge that comes with using any prebuilt code. Just because ChatGPT gives you one answer instead of the several you’d find by searching the old-fashioned way doesn’t necessarily mean it’s the best answer. This is a tool that’s still in the beta stage, after all. Developers should still evaluate and cross-check the code that ChatGPT serves up before using it in any application.

There are plenty of examples of breaches that started thanks to someone copying over code and not checking it thoroughly. Think back to the Heartbleed exploit, a security bug in a popular library that led to the exposure of hundreds of thousands of websites, servers and other devices that used the code.

Because the library was so widely used, the thought was that, of course, someone had checked it for vulnerabilities. But instead, the vulnerability persisted for years, quietly used by attackers to exploit vulnerable systems.

And that is the darker side to ChatGPT: attackers also have access to the tool. While OpenAI has built some safeguards into the tool to prevent it from answering questions regarding problematic subjects like code injection, the CyberArk Labs team uncovered some ways in which the tool could be used to create polymorphic malware. Even if these types of activities are safeguarded against as OpenAI continues to refine the tool, attackers can still use it the same way regular developers can – to cut down on manual coding time and produce malicious code faster than they could before.

Always Verify

So, just like so much else in the cybersecurity space when it comes to technology, the solution is to always verify. Developers will have to cross-check the code that ChatGPT provides with other sources to ensure there are no unintentional vulnerabilities or errors within. Because they don’t have the guardrails of peer review that they used to have, developers have to take accountability for the machine-written code. They will have to educate themselves on cybersecurity best practices and work with their security teams to ensure they can appropriately validate any machine-written code. At the end of the day, though these tools are helpful, the human using the tools is the one responsible for what is produced; the machine isn’t the one that will get sued or disciplined if something goes wrong and the organization is breached. But as long as developers take the time to evaluate the answers that ChatGPT provides and follow cybersecurity best practices, it and other AI-powered tools like it can help software development reach new heights.

John Walsh is a senior product marketing manager at CyberArk.

In 1999, a far-fetched movie about a dystopia run by intelligent machines captured our imaginations (and to this day, remains my favorite film). Twenty-four years later, the line between fact and fiction has all but vanished and the blockbuster hits much differently. Are we entering the Matrix? Are we already in it? Can anyone be sure?

While robot overlords haven’t materialized (yet), modern life is inseparable from artificial intelligence (AI) and machine learning (ML). Advanced technology works behind the scenes when we search Google, unlock our phones with our faces, shop for “recommended items” online or avoid traffic jams with our trusty travel apps. AI/ML’s role in personal and professional life has expanded rapidly in recent years but it wasn’t until ChatGPT arrived in November 2022 that we reached a tipping point.

The New York Times’ Thomas L. Friedman describes the AI chatbot’s impact as “Promethean,” comparing this moment in history to when Dorothy enters the magical Land of Oz and experiences color for the first time in “The Wizard of Oz.” He writes that ChatGPT is “such a departure and advance on what existed before that you can’t just change one thing, you have to change everything.” For better and for worse.

In the Fifth Domain of Cyberspace, AI/ML Benefits Both Sides

My own AI “ah-ha moment” happened at DEFCON 24 back in 2016 as I watched autonomous cyber reasoning systems (CRSs) go head-to-head with each other, finding hidden vulnerabilities in code and deploying patches to fix them without any human assistance. It was clear that AI/ML would fundamentally change the way organizations did cybersecurity. Since then, we’ve experienced game-changing innovations that enable us to analyze massive quantities of data and accelerate response times.

Most important, AI/ML-fueled scalability, speed and continuous self-learning are a boon to resource-strained cybersecurity teams. As 3.4 million global industry jobs remain vacant, many security leaders welcome new opportunities to bridge gaps and amplify efforts. For instance, many are turning to AI-powered tools to simplify cumbersome authentication processes. Adaptive multi-factor authentication and single sign-on methods use behavioral analytics to verify identities based on levels of access, privilege and risk – without slowing users down. And as hybrid and multi-cloud environments continue to grow in complexity, teams are automatically managing permissions for the thousands (or even millions) of identities across their cloud estates with the help of AI.

ChatGPT is another valuable tool in defenders’ toolboxes. According to research from The Wall Street Journal, security teams have charged ChatGPT with creating easy-to-understand communications materials that resonate with business stakeholders and help build program support. Others use it to create policy templates that humans can customize. But most early ChatGPT cybersecurity use cases focus on task automation, from log file analysis and threat trend mapping to vulnerability detection and secure coding support for developers.

While AI continues to evolve, it has limitations, and it cannot bring the cognitive reasoning, nuance and critical first-hand experience that human subject matter experts can. For instance, a University of California, Los Angeles neuroscientist recently asked ChatGPT’s latest version, ChatGPT-4, “What is the third word of this sentence?” The bot’s answer was “third.” Another example: SC Magazine featured a study of 53,000 email users in more than 100 countries, revealing that phishing emails created by professional red teamers drove a 4.2% click rate compared to ChatGPT-created campaigns that lagged at just 2.9%.

In a recent ABC News interview, Sam Altman, CEO of OpenAI (the company that created ChatGPT), urged people to view the chatbot as a supplementary tool rather than a replacement for human experts, saying that “humanity has proven that it can adapt wonderfully to major technological shifts.”

Unfortunately, threat actors are also adapting and harnessing AI/ML for many of the same reasons cybersecurity teams are.

Threat researchers have already exposed numerous ways ChatGPT could be used for nefarious purposes. Our own CyberArk Labs team demonstrated how easy it is to create polymorphic malware – sophisticated malware that can evade security protections and make mitigation difficult – utilizing ChatGPT. CyberArk researchers found ways to circumvent built-in content filters (checks designed to prevent abuse and malicious activity) by experimenting with creative prompts. They coaxed ChatGPT into generating (and continuously mutating) code for injection, as well as creating file searching and encryption modules needed to spread ransomware and other malicious payloads. They also discovered that by using ChatGPT’s API with a specific prompt they could bypass all content filters completely.

Fellow researchers at Check Point Research analyzed several underground communities to discover ChatGPT use cases for creating infostealer malware, designing a multi-layered encryption tool (without any prior experience, according to the threat actor’s description) and launching an automated dark web marketplace for illicit goods.

Altman acknowledged the risks that fast-morphing AI/ML technology bring in the previously mentioned interview. “I’m particularly worried that these models could be used for large-scale disinformation,” he said. “Now that they’re getting better at writing computer code, [they] could be used for offensive cyberattacks.”

IT decision-makers share Altman’s concerns. According to a 2023 Blackberry Global Research study, 51% believe a successful cyberattack will be credited to ChatGPT within the year. Most concerning to respondents is the chatbot’s ability to aid threat actors in crafting more believable and legitimate-sounding phishing emails (53%). This highlights the need for robust endpoint security that encompasses everything from strong endpoint privilege management to regular cybersecurity awareness training to help end-users spot common phishing and social engineering tricks. Respondents also expressed worry that less-experienced attackers could use AI to improve their knowledge and skills (49%) and about AI spreading disinformation (49%).

AI apprehension continues to mount. In late March, an open letter featuring more than 1,100 prominent signatories called for “all AI labs to immediately pause for at least 6 months the training of AI systems more powerful than GPT-4” until regulators can catch up. Just two days after the letter was published, Italy temporarily banned ChatGPT and is now investigating potential violations of both the EU’s General Data Protection Regulation and the Italian Data Protection Code. In many other countries, lawmakers are sounding the alarm about emerging security and privacy issues. According to NPR, the Center for AI and Digital Policy filed a complaint with the U.S. Federal Trade Commission in late March describing ChatGPT-4 as having the ability to “undertake mass surveillance at scale.”

Identity Security’s Critical Human Element

As public debate and regulatory scrutiny around AI/ML intensify, enterprise cybersecurity teams should stay vigilant without losing sight of the bigger picture. That is, that cyberattacks are inevitable – no matter how, where or why they originate. But damage is not.

Organizations can protect what matters most by securing all identities throughout the cycle of accessing any resource across any infrastructure. Doing so requires a holistic approach that unifies visionary technology and human expertise. The right Identity Security platform must protect critical data and systems against myriad threats to confidentiality, integrity and availability. The right Identity Security partner must be a trusted advisor, elevating security teams and strategies in ways technology cannot. Vision, experience, divergent thinking, technical acumen, empathy, high-touch support, ethical rigor, strong relationships, proven results – humanity in cybersecurity matters.

As AI/ML capabilities rapidly expand, our cybersecurity community must keep testing and pushing the limits of AI, sharing information and advocating for important guardrails. To echo Friedman’s words, only by working together can we “define how we get the best and cushion the worst of AI.”

Andy Thompson is CyberArk Labs’ Research Evangelist

Ask a cybersecurity professional what keeps them up at night and you’ll get answers about insufficient staffing, IT complexity or constant attacks on their business. Quantum computing isn’t likely to make the list. Yet as technological change accelerates, real quantum risks are coming into view. Now is the time to prepare corporate IT systems for the “death” of classic cryptography to safeguard data and privacy in the future.

What is Quantum Computing?

Quantum computing isn’t just the stuff of science fiction. Physicists and engineers around the world have dedicated their life’s work to building a completely new type of computer. Once operational, quantum computers promise to unleash a new wave of innovation to solve some of the world’s greatest problems – from eradicating diseases with lifesaving drugs to safeguarding citizens through enhanced weather and traffic modeling.

Small-scale quantum applications, heavy investment activity and heightened government attention all signal progress on the quantum computing front. But building a large-scale general purpose quantum computer – the holy grail – remains an elusive engineering feat. It’s difficult to gauge exactly where things stand since most quantum research remains under wraps. However, many experts agree commercialized quantum computing will be here within the next two decades. Five manufacturers have even put stakes in the ground by promising fault-tolerant quantum-computing hardware by 2030.

Reimagining Public-Key Cryptography for the Post-Quantum World

Today, though we don’t give it much thought, we rely heavily on the TLS protocol to secure our digital connections as we access email, bank accounts, mobile apps and virtually everything else on the internet. These protocols use various cryptographic building blocks to securely transmit information. This process, known as cryptography, relies on hardness assumptions that prevent anyone without knowledge of the decryption keys from decrypting our data. But these assumptions will only hold until the first large-scale quantum computer arrives, powerful enough to run algorithms that break these assumptions within hours – something all of today’s computers combined couldn’t do in a billion years. When this happens, all the digital information transmitted over the internet – today and in the future – could become vulnerable.

Algorithms published back in the mid-1990s, including Shor’s Algorithm and Grover’s Algorithm, signaled quantum computers’ potential to break modern encryption. These quantum algorithms are just waiting on hardware that’s built with enough processing power to run them.

Recognizing these risks, the U.S. National Institute of Standards and Technology (NIST) initiated a process in 2016 to “solicit, evaluate and standardize one or more quantum-resistant public-key cryptographic algorithms” and ultimately deliver an accessible, secure post-quantum communications method. In July 2022, NIST unveiled the first four quantum-resistant encryption algorithms. But as with every standardization push, the process takes rigor and time – about two more years until the standard is finalized, according to NIST’s estimate.

Meanwhile, the Biden administration is one of many governments that’s taking quantum computing risks seriously. In December 2022, the president signed the Quantum Computing Cybersecurity Preparedness Act, calling for federal agencies to run cryptography mapping by May 2023 in preparation for the transition to NIST-approved cryptographic algorithms. Just a few months prior in September 2022, the U.S. National Security Agency (NSA) outlined requirements for owners, operators and vendors of national security systems (NSS) to start using post-quantum algorithms by 2035.

Four Steps to Get Quantum Ready

While these efforts mark important progress, we still face a long, winding road to post-quantum cryptography adoption. Just consider that it’s taken almost 20 years to deploy modern public key cryptography infrastructure.

Whether your organization ultimately chooses to use an existing quantum-resistant algorithm or wait for a definitive standard to be published, replacing today’s methods be challenging. While it may seem like quantum computing is lightyears away, the time to start preparing for a transition – along with many other post-quantum business realities – is now. As you keep an eye on emerging government requirements and standardization milestones, here are four steps you can take:

1.  Know your crypto. This may sound obvious, but cryptography is so engrained in our systems, applications and devices that many organizations don’t even know which algorithms they’re running. Step one is to find out.

2.  Inventory your data. Focus on your most critical assets first – especially sensitive datasets with a long shelf life. Ask yourself: What are the consequences of someone getting their hands on this encrypted data today and decrypting it in ten years? The answer to this question will significantly affect the migration plan in terms of priority and timetables.

3.  Map your crypto connections. Create a map of each corporate system using cryptography, and what data exists within each system. This will help you identify the riskiest areas of post-quantum vulnerability. As previously mentioned, switching cryptography algorithms will be a process. Fortunately, most organizations won’t have to make a massive switch all at once. Many datasets will not require quantum-safe security methods right off the bat.

4.  Make a plan. Use your learnings from steps 1-3 to start developing a cryptographic transition plan that encompasses other cybersecurity and data privacy standards that may need to be updated, along with steps for hardening existing security systems and processes. It’s important to note that prioritizing one system over another for cryptographic transition highly depends on organizational functions, goals and needs. The European Telecommunications Standards Institute (ETSI) and U.S. Department of Homeland Security offer detailed guidance and prioritization considerations for this.

If your organization has the cryptographic expertise, it can get involved with NIST or other entities working to develop post-quantum cryptography standards and raise awareness. For example, my fellow cryptographers may be interested to know that NIST is currently accepting additional post-quantum cryptography digital signature scheme proposals until June 1, 2023.

Changing our cryptographic infrastructure won’t happen overnight but with enough lead time, collaboration and a pragmatic approach, we can move confidently and securely into the quantum computing era.

Dr. Erez Waisbard is a Technology and Research Lead at CyberArk

Editor’s note: To learn more about quantum computing’s impact on classic cryptography, read Dr. Waisbard’s Medium post, “Quantum Computing is Going to Kill Classic Cryptography. But We Can Still Save It” and tune in to our podcast conversation on this topic on the Trust Issues podcast.

The ultimate goal of Identity Security is to provide secure access to every identity for any resource or environment, from any location, using any device. Yet ever-evolving technology and dynamic threats can make executing a comprehensive Identity Security program a complex undertaking. According to the new Enterprise Strategy Group (ESG) research report “The Holistic Identity Security Maturity Model,” most organizations (42%) are still in the early days of their Identity Security journeys. Understanding your business’s current Identity Security maturity in relation to its ideal state is vital because, in the words of Henry Kissinger, “If you do not know where you are going, every road will get you nowhere.”

So, where do you start? What assessment factors matter most? How do you stack up against industry peers and track improvement over time? To help eliminate some of this guesswork, ESG created a data-driven Identity Security Maturity Model that measures maturity levels across four distinct tenants. This model draws on insights from 1,500 global cybersecurity professionals responsible for securing identities in multi-cloud IT environments.

Prescriptive guidance is also found in the CyberArk Blueprint for Identity Security Success, a vendor-agnostic framework for developing a successful Identity Security program. The Blueprint is based on decades of experience and lessons learned from helping more than 8,000 global organizations secure their identities and protect what matters most.

Two Critical Identity Security Program Assessment Factors

As your organization thinks about building its Identity Security program, there are two fundamental factors to consider in tandem: Capability breadth and deployment depth.

The Identity Security Maturity Model describes the breadth of capabilities across tools, integrations, automation and continuous threat detection and response (CTD&R). These are capabilities and integrations your organization should strive to deliver to mitigate Identity Security risk. That guidance is supplemented by the CyberArk Blueprint, which not only considers capability breadth but also deployment depth by aligning capabilities to specific resources and environments requiring Identity Security controls.

Figure 1: Identity Security Breadth and Depth Matrix

While you may understand your organization’s capability breadth, it does not explicitly correlate to the depth in which those capabilities have been implemented across your environment. For this reason, it’s essential to consider the Identity Security Maturity Model and the CyberArk Blueprint together as you chart your course.

This is illustrated in the above diagram. While the Transformative organization may be more capable than the Novice, that doesn’t necessarily mean it has implemented the right capabilities across the right identities and resources or mitigated the most prevalent Identity Security threats by risk priority.

Maximizing Your Capabilities: Guidance for Novice Organizations

If you’ve assessed your organization as “Novice,” you’re not alone: 42% of global organizations operate at this capability maturity level today.

We’ve aligned ESG’s model with our proven CyberArk Blueprint framework to help you measure the breadth and depth of your Identity Security program and determine pragmatic steps to uplevel your strategy. Your dual aim should be advancing your position in the Identity Security Maturity Model while addressing security deficiencies in risk-based phases to go deeper with the CyberArk Blueprint.

Below, we’ll demonstrate how a Maturity Level 1: Novice organization can use these combined insights to maximize Identity Security capabilities and outcomes.

Snapshot of a Novice Organization

While 38% of Novice organizations believe they’ve made correct identity-related decisions, most organizations at this level have yet to invest in foundational Identity Security tools and lag in integrating and automating tools they do have in their environments. Existing controls tend to focus heavily on human identities, leaving third-party and non-human identities unmanaged. Generally, these organizations lack the confidence to mitigate identity-related risks promptly and are slow to respond to audit requests.

There is a clear gap between investment and outcomes at this level: 32% of Novice organizations have suffered two or more successful identity-related cyberattacks compared to just seven percent of the most mature organizations – those categorized as Transformative. Many of these attacks stem from credential compromise and malware. Novice organizations point to fragmentation, insufficient staffing and budget constraints as major roadblocks yet continue to forge ahead with cloud adoption that can significantly expand the attack surface.

Novice Blueprint Focus: Secure High-Value Targets for Rapid Risk Mitigation

Without proper Identity Security controls in place, malicious actors can easily steal credentials to exploit identities, move laterally and vertically throughout the environment, and ultimately escalate and abuse privileges to achieve their goals. This attack chain is at the center of all identity attacks.

Fortunately, Novice organizations can quickly address their greatest liabilities by focusing on highly privileged identities, which attackers often exploit to take control of an environment. These identities may have entitlements such as cloud admin, domain admin, hypervisor admin or Windows server admin. The personas who consume these privileges are often cloud operators, site reliability engineers and IT administrators, a relatively small scope of identities that pack a massive punch.

By taking the Blueprint’s risk-based approach to prioritization, Novice organizations can measurably drive down risk while making the most of existing capabilities, controls and integrations. The same logic applies to organizations at every maturity level. As you expand your toolset and mature your capabilities, a risk-based approach keeps you focused on the right identities and personas at each stage of the journey.

Building Your Identity Security Plan

To get started, develop a strategy for maximizing the impact and value of current controls – this is especially important for organizations in the early stages of maturity.

This should culminate in a program roadmap that sets the direction for the Identity Security initiative and leads to advanced levels of maturity. Therefore, aligning Maturity Level 1: Novice with Stage 1 of the CyberArk Blueprint becomes an important fundamental strategy when building a plan that seeks to maximize risk reduction and impact.

However, it’s important to remember these are two distinct models, and explicit one-to-one mapping of maturity levels and Blueprint stages shouldn’t be the goal. Additionally, every organization is unique. To take full advantage of this foundational guidance, you must understand your organization’s current risk state and capabilities. You’ll also need to take stock of internal priorities. For instance, are you facing new audit and compliance requirements, advancing a Zero Trust initiative or reacting to an internal security incident or breach? While these are all valid reasons for prioritizing security efforts, they alone should not define your plan. Initiatives driven by internal priorities must also consider the level of risk, impact of mitigation and level of effort, as well as relevant industry guidance to help drive informed decision-making.

Finally, your organization’s desired business outcomes (the goals, objectives and specific results you seek to achieve through the Identity Security program) must also be factored into roadmap design. You can learn more about incorporating multiple organization-specific factors into a roadmap in our Success blog post, “Create Your Identity Security Roadmap with the CyberArk Blueprint.”

Figure 2: Identity Security Roadmap Example

By marrying all these together, you can create a winning Identity Security roadmap that’s tailored to your organizational needs and risks, but still reflective of industry and security best practices.

As mentioned, since every organization is unique, there is no one-size-fits-all way to approach Identity Security. However, we hope this information provides some useful prioritization guidance and clarity as you mature your strategy. You can also explore ways to use the CyberArk Blueprint to help achieve specific goals, from understanding the identity attack surface and assessing your security posture to learning best practices and building your roadmap.

Source: ESG White Paper, The Holistic Identity Security Maturity Model, February 2023.

Crypto scams are skyrocketing: In 2022, the FBI tracked an 183% year-over-year increase, driving $2.57 billion in losses. Last week, the popular YouTube channel Linus Tech Tips (LTT for short) – and two associated channels – became the latest crypto scam victim and unsuspecting accomplice. In this video, host Linus Sebastian gives a first-hand account of what went down – highlighting the dangers of cookie hijacking and the need for stronger endpoint privilege security protections across the board.

Recapping the LTT YouTube Account Takeover

Based on news reports and Sebastian’s explanation of the LTT attack, here’s a quick recap:

• An LTT content editor opened a PDF email attachment that appeared to be work-related.
• Within 30 seconds, the attachment – actually malware – dumped all the information from both Chrome and Edge browsers on the machine, including web session tokens. Also known as cookies, these are used to authenticate a device or browser and enable users to stay logged into websites.
• By hijacking these cookies, the attacker was able to do everything from bypassing password and multi-factor authentication login prompts to mass-deleting existing videos, changing channel names and live streaming a crypto scam video.
• After numerous attempts to shut down the scam videos, LTT finally restored control of the channel with YouTube’s help.

Cookie Hijacking: It Gets the Job Done

Cookie hijacking isn’t a new or sophisticated attack technique for gaining access to a corporate environment, but it gets the job done. Especially now that web-based applications are ubiquitous, attackers and credential-stealing malware often go after browsers (which seemingly know everything about us). They recognize that there’s no need to attack domain controllers anymore when targeting browsers – treasure troves of stored credential data (URL/username/password combinations) and session cookies – are just as effective and take far less effort.

Most cyberattacks require some privileged access but not cookie hijacking. CyberArk Labs researchers demonstrated in 2022 that session cookies could be extracted effectively by a standard process running on the endpoint machine. In other words, any program or script that’s executed by a standard business user (or an attacker pretending to be one) can access the security tokens and credentials stored in the browser. This is critical as the session tokens stored by browsers in cookies are post-MFA and long-lived, meaning one can use them to bypass MFA mechanisms and access cloud services and on-premises applications.

Efforts to address this are detailed in CyberArk Labs’ GO BLUE! manifesto, which further underscores the challenges organizations face in defending against attackers who manage to log into devices as legitimate users.

Phishing, Human Error and the Endpoint Privilege Security Safety Net

As so many do, the LTT attack began with spear phishing. Many point to cybersecurity training as the answer. While this can help reduce the number of successful phishing attacks and speed up response times, even the best cybersecurity education can’t change the fact that people make mistakes. When they do, technology should be there to step in, bridging that gap and minimizing the impact of human error.

In the case of LTT, a piece of malware was downloaded from the internet and executed on an endpoint machine. Instead of pointing fingers and placing blame, proper endpoint privilege security controls work in concert to identify malware and block it from running in the first place.

With the right endpoint privilege management approach, a mistake will remain a mistake. Not an “end of all,” or a “We are writing to notify you of a cyber incident” event. Just a mistake.

This is not the first nor will it be the last time we see a major social media account takeover. But this LTT attack stands out for its leader’s unusual response: Sebastian lifted a veil for the community by demonstrating how quickly things can spiral and why a technology safety net is required to protect from attacks like cookie hijacking. This attack trend continues to grow in popularity and demands our attention.

To see a cookie hijacking attack through the eyes of an attacker and explore mitigation best practices, check out this on-demand webinar hosted by CyberArk Labs and the Red Team.

When 921 password attacks occur per second, it’s time to treat everyday employees’ credentials like the true operational risk they are.

Today’s attackers assign a level of value to employees’ passwords they once reserved for privileged users’ credentials. Why? Workers now have a shocking amount of access to sensitive resources. I’ll elaborate… but through the perspective of a chief information officer kept up at night by risks.

Here’s an example of what crosses a CIO’s mind at 2:30 a.m.

Fifty-two percent of employees have access to sensitive corporate data, according to a CyberArk survey of 1,750 security decision-makers from ten industries. In some sectors, that percentage is even higher:

• Six out of 10 (62%) employees in the media, leisure and entertainment industry, where the data may include millions of subscribers’ personal information
• Nearly two-thirds (65%) of employees in the healthcare sector, where the data may — again — include subscriber information, but this time for health insurance policies or patient records

What could happen if a single app is compromised in either industry? Lost trust, which can equal lost subscribers, revenue, market share and credibility among regulators.

As I calculate all of this (while I should be sleeping), what alarms me the most is what’s standing in between these sensitive resources and attackers who constantly target them:

1. Passwords, which are a key contributor to the 82% of attacks stemming from “the human element” which includes the many unsafe ways employees create, store and share credentials.
2. Tools for managing passwords that are designed for personal use, but often end up being used by entire enterprises — even though they typically lack basic security controls.

If attackers are treating employees’ credentials like they’re privileged, then so should we … right down to the specific ways enterprises secure how passwords are stored, shared, created and managed. In this post, I’d like to share my thoughts on strategic steps you can take to mitigate your organization’s password risks.

Understand Your Password Vulnerabilities with a Risk Assessment

My 25 years of experience in the Israel Defense Forces taught me how important a strategic risk assessment can be, including:

• The risks you face.
• The probability and likelihood of attacks.
• The gaps that make your organization vulnerable.

Why start with such an essential assessment? I recall a major cyber exercise from years ago — this approach helped me make a calculated decision that would affect the organization’s operational continuity.

Focusing on passwords, let’s start with what we know.

Many widely used applications are incompatible with — and therefore not protected by — your single sign-on (SSO) tool. They also don’t use modern identity protocols. This includes popular apps for virtual collaboration, banking and shipping.

We also know that employees often access these unprotected apps through one of two methods:

1. Passwords created with little attention to complexity or uniqueness, often stored in places like Excel docs saved on endpoints — and often shared via unsecured methods like email.
2. Passwords stored in — and retrieved from — the consumer-grade tools I mentioned earlier, which might allow a simple UX, but typically cannot:
   – Provide control and visibility into who has access to what apps.
   – Offer detailed logging and reporting functionality, which limits auditing capabilities.
   – Prevent employees from saving passwords in their browsers, a key entryway for attackers targeting endpoints.

Now, let’s ask questions whose answers you may not know yet – but will ultimately give you data that informs strategic decisions.

• In your organization, which apps live outside of SSO and how many are there? What kinds of data do these apps contain? Which apps are approved by IT and which bypassed your policies?
• Who in your workforce is using these apps: small, concentrated segments of employees, entire business units or the full organization?
• For each of these high-risk apps, what controls and tools — if any — do you have in place for not merely managing them, but protecting them?

With a data-informed assessment of your enterprise’s password vulnerabilities, you can decide on which controls to put in place to mitigate risks to your organization.

Action Steps: Four Ways to Protect Passwords Like They’re Privileged Credentials

Here are four ways you can apply security-first controls to employee passwords while balancing the need for protection and productivity.

1. Security-first Password Storage and Retrieval

IT and security teams can mitigate the risks of highly vulnerable passwords by implementing secure, centralized storage for workforce credentials. Key functions to look for:

• The ability to centrally control how accounts and credentials are stored, managed and retrieved
• The peace of mind of securing passwords with end-to-end encryption in transit or at rest
• The flexibility to host passwords in a secure cloud location or self-hosted vault, depending on your organization’s needs

Organizations can protect employee credentials by enabling automated, real-time password retrieval from their chosen cloud or vault location. Inspired by just-in-time controls typically used for the IT admins of the world, this capability can help CIOs, CISOs and their teams ensure passwords are never stored locally at endpoints — thus reducing the attack surface.

2. Safe Password Sharing and Account Management

Considering the threats we’ve discussed, you’re likely seeking greater control over how employees share passwords. By applying a least privilege approach, enterprises can ensure that employees — for example, line-of-business team managers — can securely share credentials without revealing password characters. Here are key controls to adopt:

• Protect privacy by controlling who can share, view and edit credentials.
• Impose precise time limits on how long a user can access a shared app.
• Manage the transfer of credential ownership to new users.
• Prevent users from saving passwords in built-in browser password managers, reducing the number of accounts and credential repositories.

In an era of increased workforce turnover, this level of control is essential. For example, with automated tools, you could transfer ownership of an app’s account without losing the chain of custody when the primary owner leaves your organization.

3. Frictionless — and Secure — User Experience

Eighty-six percent of security leaders believe that optimizing the user experience is important-to-very important for enabling Zero Trust success through Identity and Access Management tools. Building upon that perspective, enterprises can benefit from the password protection capabilities that can:

• Integrate with corporate directories and third-party identity providers.
• Know when users are entering credentials into web apps’ login forms and offer to save them in a secure vault — and securely auto-fill credential fields in future instances.
• Automatically generate strong, complex and unique passwords for users whenever needed.

4. End-to-end Visibility for Audits and Reporting

An enterprise-grade approach to password protection should provide real-time visibility into users’ access activity. For example, security admins need the ability to determine which employees have accessed a specific application during a particular time — with intuitive reporting for audits.

But what happens to visibility after a user logs in? Security controls must continue past the point of authentication. Enterprises should look for ways to require an extra layer of protection that allows them to monitor and record all actions taking place once a user is logged in.

In light of today’s compliance demands, it’s important to ensure any records surrounding high-risk actions taken in apps are backed up by a full audit trail.

Putting it All Together: Identity Security

Eighty-two percent of security decision-makers have an assume-breach mindset. If you’re among them, you know: no organization is immune to a breach or attack. So as part of your strategic planning, it’s essential to have operations in place to deal with threats as they materialize.

By using the four best practices in this piece, you can meet the urgent need of securing employee credentials and enforcing an enterprise-wide password policy. And while passwords are a reality for organizations today, you can build toward a passwordless future, as our industry continues to innovate.

In the meantime, it’s important to keep the long game in mind.

Securing the enterprise is an ongoing mission. As you bolster your password protection capabilities, you can build toward a holistic Identity Security approach that brings together a range of controls and solutions. Considering what we’ve learned from recent breaches, here are a few examples of how an Identity Security mindset can help you:

If you have enterprise-grade password protection, you can complement it with adaptive multifactor authentication (MFA) that can increase the difficulty of challenges when it identifies signs of risk.

• If you believe parts of your workforce — for example, employees with access to cloud controls — should pass MFA no matter what (keeping in mind MFA fatigue), you can require phishing-proof MFA factors such as number-matching authentication.
• If you’re concerned about attackers stealing credentials at the endpoint, you can establish controls to ensure users can only access critical environments from trusted machines.
• If you’re working on putting the right solutions in place, remember: having the right people in place is also key. From CIOs and CISOs to admins and DevOps teams, everyone has a role to play.

Together, these are key examples of Identity Security in action. We at CyberArk advocate this approach to our customers and partners and we use it ourselves. I believe this is the way to protect passwords, enable Zero Trust and hopefully… reduce the number of concerns keeping you up at night.

You can learn more about our solution for applying enterprise-grade protection to your employees’ passwords: CyberArk Workforce Password Management.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.

“Black Swan” author Nicholas Nassim Taleb once wrote that “intelligence consists in ignoring things that are irrelevant (avoiding false patterns).” Organizations must take this definition to heart as they incorporate Identity Security intelligence – an essential element of any Zero Trust cybersecurity strategy.

Many organizations have dedicated Security Operations Center (SOC) teams responsible for their threat detection, investigation and response efforts. To the layperson, SOC teams often seem like the all-seeing eye of an organization, immediately detecting any bad behavior across infrastructure, applications and endpoints. In reality, though, monitoring for threats, remediating vulnerabilities and executing incident response plans are a ton of work. SOC teams must work across the security organization to collect and analyze the right data and ignore false positives (a.k.a. irrelevant things). In the case of Identity Security, this means analyzing user behavior analytics that enable rapid responses to anomalous or risky privileged access to infrastructure and applications.

The 2022 CyberArk Identity Security Threat Landscape Report reveals that credential access is the most reported risk of all tactics in the MITRE ATT&CK framework. This isn’t exactly shocking. Most cyberattacks take the path of least resistance: compromise an identity by stealing credentials, move laterally and escalate privileges.

Yet despite this understanding, many organizations struggle to apply enhanced threat detection to their most significant source of cybersecurity risk: compromised identities and credentials. To embody Zero Trust and an assume-breach mindset, organizations must improve their ability to respond rapidly to identity-centric attacks.

Why It’s So Difficult to Detect and Remediate Identity-related Threats

To better understand the challenges of detecting and mitigating identity compromise attacks, let’s dive a bit deeper. Organizations face several challenges with identity threat detection and protection, such as:

1. A wide variety of attack methods. The bad guys have lots of effective methods to compromise identities. From phishing, social engineering and credential harvesting to ransomware attacks that aim to compromise local admin accounts on endpoints, attackers have a big arsenal of tactics used to steal credentials and passwords.

It may take time to realize passwords have been stolen. And insider threats pose another significant complication. When employees break bad, they can use their existing, valid credentials. To defend against internal bad actors, organizations need holistic data and context to identify anomalous or high-risk behavior.

2. Internal access control friction. It’s not always easy for Identity Security and SOC teams to get along. Identity Security programs manage access control policies, provisioning entitlements while adhering to audit and compliance requirements like the rule of least privilege. These teams also own authentication and authorization policies that may be designed to address usability requirements from their developer, admin and workforce stakeholders. This can cause more permissive access control policies than the SOC team might design to prioritize risk reduction.

At the same time, SOC teams may need to use administrative accounts outside of their regular responsibilities when remediating security incidents. Without clearly documented incident response plans and policies granting access for automatic remediation, SOC teams can face slower response times.

3. Siloed technologies and processes. Remember the point about ignoring false patterns? It’s important that threat analytics capabilities in privileged access management (PAM) or Identity as a Service (IDaaS) solutions integrate with the tools SOC teams already rely on. Key examples include security information event management (SIEM) and extended detection and response (XDR) solutions. Without the full data that these integrations provide, SOC teams may not be able to see the full picture and could identify false positives.

Even worse, without proper data correlation to generate alerts, Identity Security solutions might not allow SOC teams to see the signal in the noise. Without full context, SOC teams might miss valid patterns that could indicate compromise. For example, an organization with siloed IDaaS and PAM analytics may be able to detect individual low-risk actions like an administrator entering a low-risk command in a privileged session or accessing a web app from an irregular location. In combination, these “low-risk” events may be a strong case for a closer look. But with siloed analytics, SOC and Identity Security teams may not spot the valid pattern.

Threat detection capabilities are only as effective as the data they can analyze. If Identity Security and SOC technologies are not integrated for multi-directional data sharing, SOC teams may face a high number of false positives or worse – a low number of threats detected.

How Can Identity Security Intelligence Streamline Security Ops?

Security is a team game. As with any other security challenge, solving this gap in identity threat detection and prevention requires a combination of people, processes and technology. Here are some recommendations:

1. Document and automate processes for responding to identity-centric attacks. Documented plans in incident response scenarios provide a standardized playbook to help ensure alignment and accountability between SOC and Identity Security teams. And in many cases, documented incident response plans can also help satisfy cyber insurance, audit and compliance requirements.

As a best practice, building clear plans for responding to different types of security incidents (e.g., dedicated actions for remediating a phishing attack) can also streamline response processes, helping minimize the business disruption of security incidents.

2. Centralize threat detection across all user access. Multi-contextual analysis of user access can provide SOC and Identity Security teams with a complete picture of a potential security incident. This data correlation can help accelerate detection and response.

For example, Identity Security Intelligence, a shared service of the CyberArk Identity Security Platform, analyzes a user’s access to web applications and privileged accounts to detect and remediate in-progress attacks. Identity Security Intelligence centrally gathers user behavior analytics data such as login date and time, login location and actions performed by privileged accounts. The service then detects and sends alerts regarding behavior that departs from a user’s behavioral baseline access patterns to web apps and IT infrastructure. The CyberArk Identity Security Platform analyzes a user’s access to web applications and privileged accounts to detect and remediate in-progress attacks. Identity Security Intelligence centrally gathers user behavior analytics data such as login date and time, login location and actions performed of privileged accounts. The service then detects and sends alerts regarding behavior that departs from a user’s behavioral baseline access patterns to web apps and IT infrastructure.

Armed with sharper, multi-contextual insight, SOC and Identity Security teams can identify and respond to combinations of behavior that may signal identity compromise, such as an irregular login time, and then entry of specific commands in a remote session to a corporate server.

3. Integrate Identity Security and SOC Team tools. Identity Security teams must arm their SOC teams with the data their solutions naturally detect. Data and alerts from threat analytics services like Identity Security Intelligence can accelerate the SOC team’s ability to detect stolen credentials, insider threats and other identity-centric attacks.

Similarly, SOC teams must configure integrations between their tools and Identity Security solutions to remediate threats. For example, if a SOC team identifies potential abuse of a privileged account used to maintain Windows servers, integration with a PAM solution can automatically suspend or terminate the session. Or in another scenario, if Identity Security Intelligence sends an alert on a risky command entered on a Linux server, security teams can use CyberArk’s identity orchestration capabilities to automatically prevent the employee from using privileged accounts through PAM.

Putting It All Together: The Need for Identity Security Intelligence

Intelligent identity threat detection efforts require a holistic view of user behavior that helps teams spot only the relevant patterns. Identity Security Intelligence can help organizations reduce the risk of identity-centric attacks by eliminating siloes between teams, documenting processes and integrating technologies to rapidly detect and respond to identity-centric threats.

Learn more about Identity Security Intelligence.

Sam Flaster is a director of product marketing at CyberArk.

There’s always a balancing act when it comes to building and deploying cloud-native applications in environments like Amazon Web Services (AWS). The whole point of moving production to the cloud is that developers can move faster than ever before, innovating and shipping new features on a daily basis. But that same speed can be an organization’s downfall if development outpaces security processes and accidentally exposes secrets or other credentials to potential attackers.

On the one hand, you’ve got 71% of organizations developing and deploying cloud-native apps, according to the Enterprise Strategy Group’s (ESG) 2023 Technology Spending Intentions Survey. On the other hand, 70% of organizations from another ESG report believe they have more than 50 secrets embedded just in their Git repositories, and 31% experienced a cybersecurity incident where secrets were stolen from a source code repository. Hard-coded secrets or secrets that aren’t properly rotated or revoked can become vulnerabilities that cyberattackers can exploit to gain access to an organization’s critical systems and resources.

Exposure of secrets, whether hard coded or compromised, can have a massive impact on the business. For example, in the recent breach of CircleCI, a continuous integration/continuous deployment (CI/CD) tool, the attacker stole the identity of an employee with privileges to create production access tokens. The attacker was able to exfiltrate data that included customer environment variables, tokens and keys, which could be used to gain access to customer systems. That led to impacted customers having to rotate all secrets stored on CircleCI, a potentially labor-intensive process if they do not have a centralized secrets management solution. Beyond the risk of a potential breach, impacted organizations spent time and resources that could be dedicated to other tasks on quickly revoking access and updating keys across their environments.

Who Owns Cloud-native Secrets Management?

So we know secrets management is a critical task, especially when working in cloud environments like AWS. AWS now has a native tool, AWS Secrets Manager, that many developers use to store application secrets.

It’s not fair or effective to put the burden of securing secrets on solely the developers’ shoulders. They’re trained in building and deploying applications, and their performance is evaluated on how well (and how fast) they can accomplish those projects. Securing secrets, maintaining least privilege access and other security principles aren’t traditionally their responsibility, and expecting them to focus on these security tasks instead of their development priorities can lead to production delays. If different project teams are all managing secrets for their project separately in multiple vaults (or multiple instances of AWS), it can be hard to get visibility, apply consistent policies and audit access across projects and accounts. All that makes it harder to respond to security events like the CircleCI breach when they happen.

A better solution is to have security teams handle secrets management across the enterprise, including for cloud-native applications. However, this can’t be at the risk of slowing developer velocity. Security processes that require code changes or changes to developer workflows will inevitably introduce delays and create frustration for cloud-native developers who need to move fast to meet business directives. Instead, security teams need a way to manage secrets for cloud-native applications in a way that is seamless for developers and meets them where they are (i.e., AWS), rather than trying to force a solution that slows them down or adds more work to their plates.

It’s a balancing act. Security teams want to centralize secrets management across all projects and accounts. Meanwhile, cloud architects and developers want to meet security policies without changing their existing processes by continuing to use native tools such as AWS Secrets Manager.

What Makes an Effective Cloud-Native Secrets Management Solution?

To better manage secrets for cloud-native environments like AWS, security teams need a solution that’s easy to use and leverages existing workflows, processes and tools. That makes it easier for developers to incorporate in their day-to-day operations and doesn’t place undue stress on the security teams trying to manage a large volume of secrets.

An effective secrets management solution for cloud-native environments provides six key benefits:

1. It provides visibility, control and management over all secrets across projects and accounts through a single pane of glass, mitigating vault sprawl across multiple AWS instances and projects.
2. Management, rotation and synchronization of secrets is simplified in a way that is transparent to developers, so critical functionality isn’t interrupted.
3. Security teams can easily find and manage secrets across existing instances of their native cloud secrets management tools like AWS Secrets Manager.
4. The developers’ preference for choice is fulfilled, as they can maintain their native user experiences with AWS Secrets Manager.
5. Automatic rotation of secrets with cloud-native secrets increases operational efficiency for both security and developers (think of how much time and effort this would save in the event of a security incident like CircleCI’s recent breach).
6. Transitioning workloads to AWS is accelerated by enabling the same security policies to be enforced across hybrid and cloud environments.

With a centralized solution that works with native cloud secrets managers instead, security and developers can balance their needs and deliver secure, well-built applications for their organizations. The right solution can help security teams enhance secrets management for AWS-based applications and help mitigate risk.

To learn more, read the analyst report from ESG’s Jack L. Poller, “Enhancing Secrets Management for AWS Applications.“

Phishing is a big problem that’s getting even bigger as cybercriminals find new ways to hook employees. With threats coming from every direction – emails on company computers, text and voice messages on mobile devices and in personal communications channels, malicious typosquatting sites, phony marketing QR codes and more – it’s only a matter of time before someone trips up and opens or clicks on something they shouldn’t. When they do, and that phishing attack leads to a damaging data breach, who’s at fault?

The Phishing “Click This, Not That” Contradiction

In the physical world’s airports, train stations and other high-traffic areas, law enforcement posts signs warning people to watch out for suspicious behavior. While public vigilance is critical, citizens aren’t expected to identify shoplifters, challenge those who run red lights or stop unauthorized visitors from entering buildings.

Yet, in the digital world, workforce users (usually outside the IT security department) have become frontline phishing gatekeepers. And they’re flooded with contradictory guidance of “click this, not that.” Think of the HR executive whose job involves reviewing resumes that arrive daily through email, web applications and social media. Or the employee who receives regular emails, supposedly from IT, instructing them to click on links to review company policies and download required software updates. Is it reasonable to expect these people to assess every attachment and link, detecting the malicious from the legitimate with 100% accuracy, 100% of the time? And when a user does fall for a phishing attempt and realizes it too late, are they empowered to report it, or do they try to cover it up, embarrassed or afraid of potential consequences?

Phishing Awareness is Just the Start

Don’t get me wrong. Security is a team game everyone must play, and phishing education is critical. In fact, security leaders identify security awareness training as one of the top three most effective components of a defense-in-depth strategy to combat ransomware. A large body of research shows that regular phishing education can make a positive difference and promote the team game mentality. Teaching users about the real-world ramifications of risky behavior, such as forwarding personal emails to work accounts, can also help dispel the myth that security teams are like all-powerful seatbelts – there to protect people from harm, no matter how fast they’re driving. But phishing education isn’t enough on its own, and phishing prevention strategies that center on human responsibility are unlikely to succeed.

The UK National Cybersecurity Center (NCSC) recently published a post that piqued my interest, asking, “What would we do differently if we were actually encouraging users to click links without fear?” It’s a theoretical question, of course, but it forces an important perspective shift.

What Would It Take to Click Without Fear?

Cyberintruders are constantly innovating and will always find ways to get inside environments. This is one reason Zero Trust has gained such momentum. It’s built on the assumption that any identity or endpoint could be compromised. Because of this, security must start from an assume breach mindset, which recognizes that all users – whether they work in HR, marketing, finance, development or even the IT department – may get phished.

Instead of trying to control every click, the focus stays on controlling what’s actually controllable. For instance, by enforcing strong authentication everywhere, practicing good credential hygiene and consistently following the principle of least privilege (for both human and non-human identities) to help prevent credential theft. Or by implementing allow-listing and application control to help mitigate malicious downloads.

This security approach isn’t about placing blame; it’s about emphasizing awareness AND putting the right layered defenses in place to find and stop attackers quickly. To that end, the NCSC offers helpful defense-in-depth guidance aimed at preventing phishing email delivery, initial code execution and future harm that’s worth a read.

Enough with the Phishing Blame Game

Humans are biologically wired to blame. When bad things happen to us, we instinctively look for reasons beyond ourselves. Even as onlookers, we crave that “who done it” closure. It’s why major breach reports spark waves of speculation and why human error is a common corporate explanation. Yet while the phishing blame game may help us feel better, we’re missing (or ignoring) the more significant point. That is, fault refers to responsibility; responsibility is rooted in trust; and inherent trust – in anyone or anything – must be stripped entirely from the modern security equation.

Identity Security, centered on intelligent privilege controls, lays the foundation for Zero Trust by limiting access to those who need it and only granting the minimum privilege for the task in question. Read our whitepaper, “Zero Trust’s Evolution,” to learn how Identity Security can help today’s digital and cloud-based enterprises enable Zero Trust while achieving measurable risk reduction, operational efficiency and other bottom-line business outcomes.

David Higgins is a senior director in the CyberArk Field Technology Office

Have you ever received a puzzle as a gift from a well-intentioned friend? They likely thought something along the lines of, “Hey, this person’s into solving problems — I bet they’d love putting together this bad boy on a rainy day.”

The sentiment was spot-on. Puzzles are your thing. But then you see the words “7,000 PIECES!” on the box and think to yourself:

“How… When… In what reality will I be able to solve this puzzle?” Simultaneously, your phone blows up with work emails, your contractor says the furnace broke — and your kids/dogs/both have made a giant mess in the kitchen.

This scenario reflects what it must be like for an IT or security team member to take on the compliance puzzle, as identity management becomes more complex.

Ensuring and demonstrating compliance is a struggle for many organizations. In addition to defending against attacks, IT and security teams are often on point to manage one or more of the following areas:

• Ensuring transparency for internal and external audits
• Meeting requirements in complex industry and government regulations like PCI DSS, HIPAA and SWIFT
• Demonstrating compliance and producing comprehensive reports and/or analytics

As Identity Management Challenges Mount, the Stakes of Compliance Get Higher

The work involved in adhering to rules, meeting reporting requirements and avoiding penalties seemingly never stops growing. And there’s always *what’s coming next*…

So, what’s on the rise now? To start, regulations are expanding globally.

Also on the rise, the costs of getting compliance wrong.

Meanwhile, securing your users’ identities — which includes granting, certifying and revoking access — is essential. But it’s not easy. You’re protecting the enterprise at a time when everything is surging in concert and complexity.

As the Puzzle Pieces Shuffle, Malicious Actors Look for Vulnerabilities to Exploit

Attackers are fully aware of the challenges IT and security teams are facing. They’re on the lookout for the troublesome trio of unchecked access, orphaned accounts and privilege creep — all of which can happen if an organization lacks strong controls for managing access-related compliance reviews and certifications.

Consider the far-reaching effects of a breach stemming from a lack of consistent identity management processes. In this hypothetical scenario, let’s say an attacker exploited the account of a user who had accumulated too much access to sensitive resources. First and foremost, you’d need to deal with the impact of the breach itself — in this case, data theft involving customer information. But you’d also be facing ripple effects that could harm your enterprise’s operations.

No doubt, regulatory fines can be a huge impediment to your plans for growth and transformation. But how can an enterprise recoup from the impact of damaged trust — among its customers, partners, employees and any number of other key stakeholders?

Amid these pressures, it’s no wonder that most enterprise leaders admit that they lack the confidence to solve the compliance puzzle. It’s staring them in the face daily, not unlike the half-completed jigsaw puzzles that mock us from their arrogant perch atop so many coffee tables.

But solve the puzzle we must.

The million-to-gazillion dollar question: How do you gain the visibility and control you need to ensure that the evolving nature of privilege doesn’t put your organization in jeopardy? This applies to a wide range of identities and concerns, including:

• The potentially risky actions employees can take within applications containing sensitive data.
• The entitlements your privileged users have to access safes and privileged accounts.
• he authorizations and permissions your developers and operations teams have in cloud environments.

Six Identity Management Best Practices to Help You Solve the Compliance Puzzle

Here are some best practices for strengthening compliance and auditing capabilities:

1. Create a unified view of who has privileges and authorization to what resources, with capabilities for discovering, adjusting, certifying and revoking access.
2. Integrate access certification processes with your PAM program, and continuously discover who has access to what safes and privileged accounts across the enterprise.
3. Automate governance processes to ensure checks and balances — for example, continuously enforcing least privilege with reviews and certifications scheduled for recurring dates.
4. Leverage contextual data about users so that managers can take risk scores into account before making access decisions.
5. Empower your team and auditors with analytics and reporting capabilities to help identify potential compliance issues, offer detailed audit trails and allow for custom reports.
6. Integrate compliance tools with your overall Identity Security framework, which can help prevent siloes and ensure compliance of all identities, including privileged or administrative accounts.

Learn how CyberArk solutions such as CyberArk Identity Compliance can help you gain the capabilities, controls – and confidence – to solve the global compliance puzzle.

Most companies now recognize the serious and insidious nature of cybersecurity threats. But many fail to grasp that the digital transformation, remote work, automation and cloud migration activities of the last few years have turbocharged the number of identities seeking access to data and critical business systems. This surge in identities has exponentially increased the likelihood of cyberattacks, undercutting the effectiveness of traditional identity and access management (IAM) paradigms.

In the modern enterprise, nearly every employee has multiple identities on the network and uses several devices to access business systems. According to the CyberArk 2022 Identity Security Threat Landscape Report, the average staff member accesses more than 30 applications and accounts, requiring them to remember and manage countless passwords and repeatedly authenticate themselves to systems and applications. These employees often collaborate with third-party partners who also access sensitive company data and assets to do their jobs. At the same time, machine identities outnumber human identities by a factor of 45:1, the CyberArk report found.

According to the latest Verizon Data Breach Investigations Report, 80% of Basic Web Application Attacks (BWAA) start with compromised credentials. Identity has become the latest high-value target in the cybersecurity battleground. Yet the proliferation of identities has made it difficult for security professionals to strike the right balance between safeguards and speed to do what’s necessary to protect the complex web of endpoints, devices, cloud workflows and SaaS solutions. And that’s without making it overly difficult for the enterprise or leaving gaps that bad actors can easily exploit.

Most traditional IAM tools were not built with a security-first approach, nor were they designed to manage the broad number of human, application and machine identities that exist across on-premises data centers, SaaS environments and hybrid, multi-cloud infrastructure. This identity challenge is compounded by using multiple siloed tools that create management headaches due to a lack of automation and poor visibility. Given the stakes, it’s time for organizations to recalibrate and make identity the centerpiece of their security strategies.

A New Vision for Identity Management

So what’s the best way to secure all these types of identities within an organization? It starts with a risk-aligned Identity Security approach that embraces the core concepts of Zero Trust. This includes acknowledging that attacks will occur and enforcing intelligent privilege controls consistently to secure access for all identities – human and machine – and flexibly automate the identity lifecycle. By layering these with continuous threat detection and prevention capabilities, organizations are empowered to spot threats earlier and stop identity-driven attacks in motion. The ultimate goal is to enable users with quick and secure access to necessary resources, while trusting nothing and verifying everything behind the scenes.

The modern version of Identity Security rests on four pillars:

To get a picture of how Identity Security might work in the real world, consider a DevOps specialist who is regularly accessing highly sensitive CI/CD resources and tools with the help of a bot that takes care of some of the more mundane housekeeping work. With an Identity Security approach, both the DevOps specialist and the bot (a machine identity) are covered by intelligent privilege controls, allowing them entry to the necessary cloud workspace, but within the context of minimal required access for the least amount of time necessary. Say that developer eventually leaves the position. A modern Identity Security platform with flexible automation and orchestration will automatically shut off access and permissions at just the right time, while the bot retains access and can be redeployed to a new team member.

Identity Security Best Practices

With the basics in place, there are several Identity Security best practices to consider. Among them:

• Security starts at the front door. Different types of users need access to various resources, so Identity Security must start at the endpoint. Embrace enabling controls like adaptive multifactor authentication (MFA) for endpoints and continuous authentication so if a user decides to elevate access to launch an application, the proper security controls will do their thing. Beyond least privilege and application control, look for solutions that support policy-based, audited just-in-time elevation sessions, credential defense, workforce password management and ransomware protection, among other capabilities.
• Don’t overlook the cloud. The cloud ushers in many Identity Security challenges, including misconfigurations and over-permissioned accounts. Look for platforms that can detect and remove excessive permissions, provide actionable remediation and promote just-in-time privileged access.
• Remember the machine challenge. Centralized secrets management can help remove embedded API keys and secrets from applications and automation tools and help drive authentication across a hybrid, multi-cloud environment.

Centered on intelligent privilege controls, Identity Security is the next evolution of protection, providing a holistic and flexible framework that keeps companies focused on business outcomes and a step ahead of adversaries.

Chris Maroun is a senior director in the CyberArk Field Technology Office.

Today, CyberArk announced that our founder and CEO Udi Mokady will step into the role of Executive Chairman and our Chief Operating Officer, Matt Cohen, will become CyberArk’s CEO, effective April 3, 2023. Together, Udi and Matt make a great team and we’re excited for this next chapter in CyberArk’s journey.

With a powerful combination of the best people, an amazing culture, and the industry’s leading platform for Identity Security, our future is bright and we can’t wait for what’s next.  Hear directly from Udi and Matt on this important announcement.

When news of the recent CircleCI breach broke, developers everywhere scrambled to rotate tokens and remove hardcoded secrets stored in the popular CI/CD platform to minimize their exposure. Now that the dust has settled and more details are available, we’re reexamining the CircleCI attack chain to highlight the importance of a holistic Identity Security strategy in thwarting future damaging attacks.

Analyzing the CircleCI Identity Attack Chain

1. Infect an Employee’s Endpoint Device

The laptop of a CircleCI engineer – an employee with privileged access rights – was infected with malware, which was not detected by the company’s antivirus software.

Learning: Mitigating the risk of social engineering and phishing attacks while closing other endpoint security gaps requires a strong mix of integrated tools and processes – there isn’t one tool that can do it all. Endpoint privilege management is one foundational control that every organization needs to consider carefully. Removing local admin rights, replacing them with controlled just-in-time elevation and enforcing least privilege can help ensure that an honest mistake does not lead to downloading and installing malware in the first place.

2. Steal Employee Session Tokens

An unauthorized third party used the malware to steal the employee’s single sign-on session tokens. By keeping the employee’s web sessions open and active, the attacker successfully bypassed multifactor authentication (MFA) safeguards in place.

Learning: Stealing session tokens, cookies and other types of post-MFA tokens is an increasingly popular technique because it enables attackers to bypass authentication and authorization prompts. Once a legitimate user has authenticated using MFA, that token or cookie is created on the endpoint as a piece of trust and an attacker can use it for later access. This technique is also relatively easy to pull off. While many attacks (including this CircleCI incident) require elevated privileges to install malicious software on an endpoint, token and cookie hijacking can be accomplished without them.

As more companies embrace adaptive MFA controls to maintain balance between security and simpler and smoother user experience, token and cookie hijacking will continue to gain traction as these techniques provide a way of bypassing MFA measures. To mitigate risk, MFA systems should be strengthened with endpoint privilege security controls that detect and block credential theft – including post-MFA token theft – at the start of an attack before they’re used to access critical business and cloud services. An all-encompassing approach will also give security teams a flexible, yet consistent way to implement privilege and application control. Incorporating capabilities to monitor and audit end-user activity in designated web applications can also help secure user sessions from threats originating on the endpoint and curb prohibited data exfiltration by workforce users, such as downloading or copying sensitive files.

3. Establish Persistence and Move Laterally

By using the stolen tokens, the attackers were able to impersonate the CircleCI engineer to move laterally and vertically through the network and establish persistence. Eventually, the attacker was able to gain access to a subset of the company’s production systems.

Learning: According to CircleCI’s investigation, the attacker spent a few days conducting reconnaissance before stealing data. When organizations have continuous threat detection capabilities in place, dwell times like this represent a big opportunity to detect and block attacks from causing damage. And by applying AI-based user behavior analytics, one careless move (such as accessing the network from an unusual location or time of day while doing recon) could be all it takes to unmask the attacker impersonating a legitimate privileged user.

4. Gather and Exfiltrate Data

According to CircleCI, “Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys.” Customers were urged to rotate “any and all secrets” stored in CircleCI, review their own system logs and watch out for suspicious activity in integrated SaaS applications and public cloud environments.

Learning: For most organizations, manually rotating every secret isn’t simple exercise. For one thing, there are TONS of secrets out there. More precisely, there are 45 non-human identities for every one human identity, and 68% of them use secrets and other credentials to access sensitive corporate resources. Second, these secrets are often hardcoded to save time and effort and can be found in source code in private or even public repositories (e.g., on GitHub), scripts, configuration files and CI/CD pipeline code. But after a cyber incident, for example in a supply chain, when there’s an urgent need to rotate these secrets, developers often end up losing more time manually hunting them down to rotate. Meanwhile, attackers actively target hardcoded secrets to gain high-level access and escalate privileges, as seen in last year’s Uber breach.

The CircleCI breach is just one of many recent reminders that intelligent privilege controls must cover every single identity – not just those linked to people. Non-human and machine identities – and the secrets and other credentials they use must be managed in a similar fashion. A centralized secrets management system makes it possible to authenticate, authorize and audit non-human access, while automatically rotating credentials, when needed, and removing static secrets from all scripts and source code.

A Massive Circle of Impact

The CircleCI breach not only impacted one of the world’s most widely used CI/CD platforms, it also put millions of organizations at risk. By tricking just one employee, the attacker was able to work their way through CircleCI’s corporate IT infrastructure, steal sensitive company data and use hardcoded and unprotected secrets to potentially reach further into customer environments. As a result, CircleCI customers had to pause important work and spend valuable development and DevOps resources updating their own code to mitigate risk and potential exposure.

Protecting your enterprise from future identity-based attacks requires a unified Identity Security strategy that removes silos, enhances visibility and automates time-intensive tasks. Empowered, security teams can enable secure access to all resources – on endpoints, in DevOps pipelines, across cloud environments and everywhere else – to measurably reduce risk and stay one step ahead of threats.

It wasn’t too long ago that using a single cloud for some business operations was cutting-edge technology. Now the cloud is essential for accelerating growth, improving efficiency and remaining competitive. Most organizations have multiple cloud environments deployed, in addition to private cloud and on-premises environments. In fact, in a soon-to-release CyberArk survey, 85% of respondents said they would be using three or more cloud service providers by 2023. And developers are building more and more applications in the cloud – 71% of organizations are developing cloud-native applications, according to the Enterprise Strategy Group (ESG) 2023 Technology Spending Intentions Survey.

Automation, DevOps and the rise of cloud environments have led to an explosion of machine (or non-human) identities. Applications, cloud workloads, containers, services and other automated tasks – they all require machine identities. And there are a lot of them. The CyberArk 2022 Identity Security Threat Landscape Report found that machine identities outnumber human ones by a factor of 45 to 1.

More Clouds + More Non-human Identities = More Secrets

These non-human identities all use accounts, credentials and secrets to access critical systems and resources and do their jobs. And the number of secrets that need to be managed is growing.

All this means there are more secrets than ever for security teams to keep track of, scattered across a variety of environments – public cloud, private cloud and on-premises – all with their different methods for storing, accessing and managing secrets. Each secret is a potential vulnerability, as attackers can use compromised secrets to access critical systems and resources. The 2022 Uber breach is just one recent example, where hard-coded secrets for a privileged access management (PAM) solution were directly embedded and exposed in a PowerShell script the attacker used to gain admin access to all secrets stored within their system

This becomes a real headache for security teams to manage as organizations continue down the path of cloud migration and other transformation efforts. Not to mention if applications need to be moved from one environment to another, it can become a time-consuming hassle for development and security teams. And many security teams don’t have the bandwidth to either separately manage secrets in each of the environments and tools where they’re stored or implement and maintain a self-hosted secrets management solution.

That’s where SaaS secrets management comes in.

The Five Benefits of SaaS Secrets Management

A centralized, SaaS-based secrets management solution helps ease a lot of the struggles for both the security and development teams working in hybrid or multi-cloud environments.

• Reduces vault sprawl. When you’re working in multiple clouds or hybrid environments, the number of separate vaults for credentials and secrets can quickly get overwhelming. Rather than security teams hunting for each vault to rotate and manage passwords and having to bring information from a variety of vaults to create an audit trail, a centralized secrets management solution can give you a single pane of glass in which to work.
• Enables cloud portability. Part of the beauty of the cloud is that developers can build and deploy applications faster than ever. But by relying on the native secrets management capabilities of the platform the application is built on, you’re locked into using that platform. And that becomes an issue if there comes a time when you need to move an application from one environment to another. With a centralized secrets management solution, you can build applications in whichever cloud platform your developers prefer for that specific use case, and move applications from cloud to cloud or from on-prem to cloud without creating a ton of extra work to manage the secrets used in those applications – no need to rewrite apps for a new cloud.
• Provides a uniform experience for security and developers. Rather than security teams learning multiple different secrets management platforms (which can take time and extra team members), a centralized solution allows security to enforce policies in a unified manner and only operate in one system. This saves time and money on training (from not having to worry about adding additional staff to support every cloud provider), so security can focus on delivering business value.
• Automates rotation and other security policies. A SaaS-based, centralized solution means that you can automate formerly manual tasks such as secrets rotation and the application of certain security policies. This save security teams time, especially given the vast number of secrets and identities that need to be rotated on a regular basis across multiple different cloud service providers.
• Speeds up time-to-value and frees up resources. Having a SaaS-based solution means that you can reap the benefits of the cloud with your secrets management software too. Security teams don’t have to worry about operating and maintaining their own secrets management solution (or multiple solutions), but instead can focus their time and attention on the crucial security tasks they need to complete.

Multiple clouds and hybrid environments don’t need to mean extra work for security teams or developers. Centralizing secrets management with a SaaS-based solution can help ease the way and allow the teams to harness the full power of cloud environments.

The definition of privilege is changing, and this changes everything.

Identities of all types — not just IT team members, but any employees — are gaining access to sensitive data, infrastructure and systems that today’s attackers can easily exploit. On average, more than 1,500 IT and security decision-makers say over half of their employees have access to sensitive corporate data.

Managing digital identities — from granting, adjusting and revoking authorizations to complying with audits — is essential. But it’s not easy. The number of identities requiring your protection is surging, as your organization’s digital and cloud initiatives grow in scope and scale.

Meanwhile, you’re under pressure to manage and protect your identities at a time when:

• Many enterprises are bogged down with time-consuming manual processes, outdated technologies and silos across apps, directory stores and data repositories.
• As risks increase, so do workloads, hours and stress levels. Meanwhile, economic pressures exacerbate ongoing resource and skills gaps.

To truly enforce least privilege, IT and security teams need controls that cover all types of identities with powerful access — from the IT admins of the world to workforce users with heightened privileges. This means enterprises need to rethink what Identity Management is, and needs to be, from its purpose to its execution.

Securing Identities for the Entire Lifecycle Using Automation and Orchestration

As you know, enforcing least privilege involves not just limiting access overall, but giving users the minimum level of authorizations needed to perform only job-relevant actions – for example in SaaS applications where a risky action could compromise sensitive data.

The problem is that manual, error-prone processes can hinder many organizations from securely managing employees’ identity lifecycles.

Looking at the beginning of the lifecycle, new employees often wait days or weeks to be provisioned with access to the applications, services and IT systems they need. At some point, impatience may encourage workers seek other ways to gain access, including the adoption of shadow IT.

But consider what could happen if an IT or security team member forgets a critical step in a manually executed workflow. For example, if an employee leaves the company, the IT team may need to run through a checklist of applications where they must remove access one at a time by hand.

What’s the risk?

One missed step leaves the door open for threat actors to exploit misprovisioned, overprivileged or orphaned accounts — and attackers do this routinely.

Employees’ start and end dates, while important, are only the bookends for continuous identity lifecycle management. Ensuring least privilege for employees across their entire tenures at your organization requires:

• Months, years and even decades of tracking and re-assigning privileges per user.
• Provisioning and deprovisioning access as job roles and systems change — and as applications grow in number.
• Ensuring the wide range of target applications involved remain in sync.

In an era when privilege is everywhere — including in employees’ ability to take risky actions in business apps containing sensitive data — these Identity Management mainstays call for a new approach.

The reason: most enterprises are stuck in a pattern of manually connecting the dots and scripting integrations between data, applications, events and services. And many companies lack formal procedures or consistent workflows for reassessing, adjusting or revoking users’ access and privileges.

Here are some steps you can take to bring a security-first approach to managing identities from a user’s start date to their last day:

1. Centralize your lifecycle management policies, controls and capabilities, using automated workflows for:

• Onboarding and offboarding employees.
• Defining and enforcing each user’s unique roles, responsibilities, access rights and permissions.

This approach can free your team from repetitive, error-prone tasks. Integrating these processes with your trusted HR software enables you to maintain consistency and accuracy between platforms.

2. Federate identities across cloud and on-premises applications and systems, so your team can:

• Quickly provide access when users need it.
• Adjust it when roles or risks evolve.
• Remove it when users leave the enterprise.

Automated workflows can help you prevent privilege creep and orphaned accounts that attackers often exploit to launch attacks, steal data and more.

3. Gain real-time insight into potential risks — and the ability to act on them — based on automated tools that track areas such as:

• Application usage.
• Failed login attempts.
• Unused accounts.
• External threat data.

This three-part approach gives you a scalable form of visibility and control through automated workflows designed to prevent risky actions by users and breach attempts.

Next Steps: Best Practices for Ensuring Compliance and Extending Privilege Controls to All Identities

In a new Executive POV piece published by CyberArk, I discuss best practices for bolstering your team’s Identity Management capabilities in two additional areas:

1. Applying a security-first approach to compliance, from managing access-related reviews and certifications to meeting regulators’ auditing requirements
2. Extending the controls you use for securing privileged users to all identities – for example, protecting employee passwords with vault storage and secure sharing

You can read the full piece here: Reinforce Least Privilege by Rethinking Identity Management

Gil Rapaport is the general manager for Identity and Access at CyberArk

In recent years, cybersecurity has become a board-level issue resulting in several executives taking greater responsibility in cybersecurity-related decisions. As a result, the CISO is no longer a technical subject matter expert but an executive risk manager who shares a responsibility matrix with the board of directors, CEOs and other executives to make informed risk decisions. At the highest levels, these executives care about the organization’s revenue, mission, risk and costs, leading to strategic questions about assurance, compliance and security practices.

Recent years have highlighted the need for a robust Identity Security strategy to secure the business from modern-day threats and attacks. CyberArk’s upcoming Identity Security State of the Market survey indicates that in 2023, 81% of 1,500 respondents will exponentially increase their spending on Identity Security as part of their cybersecurity budget. This increased investment drives varied perceptions across C-Level executives and all other personnel, including other senior decision makers (VPs/directors/managers) and security practitioners.

Our research finds that C-level executives have an abnormally high degree of confidence in mitigating Identity Security-related risk as opposed to other personnel who are technically astute and aware of the complexities of their IT environments. For example, 69% of the C-level executives believe they are making the correct Identity Security decisions. On the contrary, only 52% of all roles believe the same to be true. This higher confidence of C-level executives was also reflected in their perception of the impact of cybersecurity investment. The chart below highlights this concerning trend across multiple facets of Identity Security.

The survey’s findings reveal a sharp disconnect between the confidence of the C-level executives in their organization’s Identity Security strategy and the actual damage that identity-related cyber incidents can inflict.

Identity Security Confidence Is Not Synonymous With Reality

What’s the proof of this executive overconfidence? Our research indicates that in 2022, 58% of respondents believed they made the right Identity Security decisions. However, this confidence did not necessarily reflect positive outcomes. 63% of the respondents indicated that they suffered at least one successful identity-related attack last year.

This C-level overconfidence could indicate a more significant problem: a lack of understanding of what a robust Identity Security strategy means beyond just investing in tools. Allocating line-item budgets to procure identity-related tools is the first step of a robust Identity Security strategy. Additional measures include integrating those tools, automation and continuous threat detection and response, based on specific business requirements of a given organization.

The Wide-ranging Impact of Identity-based Attacks

Of the 63% of respondents who were victims of an identity-related cyberattack in the last 12 months, 27% have experienced more than one. And the consequences of experiencing a cyberattack are multi-fold. After an attack, the most popular response among respondents was increased investment in cybersecurity technologies and services, which was determined after a thorough gap analysis and risk assessment. Cybersecurity quickly became a board-level discussion if it wasn’t already.

The short-term impact of a successful identity-related cyberattack includes delayed projects due to the significant manpower and time allocated to resolving the issue. On the other hand, products and services are impacted, causing problems like customer experience degradation and potentially lost revenues, compliance fines and extensive audits.

Our research also indicates that insufficient cybersecurity staff and inadequate in-house expertise when it comes to securing identities or mitigating identity-based risks are two major risk factors. The third risk factor – perhaps the most important – is that many organizations lack a specific line-item budget for Identity Security.

Identity Security’s Four Tenets

IDC FutureScape: Worldwide Future of Trust 2023 Predictions states that by 2025, 45% of CEOs, fatigued by security spending without predictable ROI, will demand security metrics and results measurement to assess and validate investments made in their security program. CyberArk believes that this prediction has the potential to materialize sooner, given the rate and sophistication of modern cyberattacks.

The proliferation of identities and endpoints, increased adoption of hybrid and multi-cloud environments and vulnerabilities from inadequately secured identities in the software supply chain are significant causes for concern. 85% of respondents expect to use three or more public cloud service providers in 2023 – and 57% of them have two independent teams responsible for securing identities in the public cloud and on-premises. The CyberArk 2022 Identity Security Threat Landscape Report indicates that respondents use over 70 security vendors on average. As a result, they prefer to procure platform-like “unified controls” from fewer vendors. But a strong Identity Security platform hinges on the four tenets of a robust Identity Security strategy.

In addition to investments in Identity Security tools, C-level executives must regularly seek updates on the state of integration, automation and continuous threat detection and response capabilities to ensure they are well-informed on their organization’s cybersecurity posture related to Identity Security. The following four tenets are foundational to ensuring that the investments adequately deliver on the promise of reduced cyber risk and increased resilience for your organization on an ongoing basis:

• Identity Security tools span management, privileged controls, governance, authentication and authorization for all human and machine identities.
• Integration of Identity Security tools across IT and security solutions is a must to secure access to all corporate assets and the entire IT estate.
• Automation ensures continuous compliance with policies, industry standards and regulations, enabling rapid responses to high-volume routine and anomalous events.
• Continuous threat detection and response provides organizations with a solid understanding of baseline identity behaviors to better react to anomalous activity.

Do you relate to any of the issues mentioned above? Are you beginning your journey to develop and implement robust Identity Security strategies? If so, it is important to consider comprehensive capabilities from Identity Security vendors that span identity management, access management and privileged access management (PAM) with leadership across these categories.

To read the complete results and analysis, stay tuned for the release of the CyberArk Identity Security State of the Market survey – coming soon.

The idea of removing local administrator rights from Every. Single. User. across your organization is likely to spark strong reactions. Search popular online forums for the phrase “remove local admin rights” to see exactly what I mean. But hear me out …

Like most security professionals, you recognize the need – and urgency – to remove these powerful privileges from “regular” business users’ endpoints. Local admin rights are like carrots dangling out in the open, ready for cyberattackers to grab and use to move deeper into your network. Plus, typical workforce users don’t need total control of their systems, and they especially don’t need to run arbitrary code with elevated privileges. That’s far too risky.

But eliminating local admin rights completely? What about administrators and database administrators, the help desk, the infrastructure maintenance team and backup operators? They NEED high-level access to do their jobs, and your security team doesn’t have time or resources to manually grant extra privileges on the fly.

All this is true, but it doesn’t mean privileged users must be local admins. I’ll say it again: No user should be a local admin. Full stop. Here are 29 reminders why (and this is by no means an exhaustive list).

A user with local admin rights, or an attacker impersonating the user, can:

1. Change boot and hardware configurations (enable/disable devices, change CPU and memory voltage and frequencies, etc.)
2. Modify or delete storage volumes
3. Radically simplify malware techniques, such as code injection and DLL hijacking
4. Easily gain persistence on a machine with the registry fully open for analysis and modification
5. Disable journaling, alter or wipe events
6. Disable backup agents or modify backup configurations … and wipe any local backup copy while they’re at it
7. Modify shadow copy settings or copy shadow copy (to exfiltrate previously “deleted” data)
8. Modify users, add users, add administrative users or hide administrative users from the login menu
9. Access every user’s data on the machine and change file and folder owners
10. Encrypt hard drive master boot record (MBR), also known as a 15-second full-disk ransomware encryption
11. Disable or reconfigure existing endpoint security solutions
12. Change network settings, add trust zones, set up tunnels or reroute traffic
13. Change the domain name system (DNS), hijack the DNS or exfiltrate data through DNS requests
14. Modify browser settings or add browser extensions
15. Access every secret stored on the machine: In Windows credential providers, in the browser, in Putty, in FileZilla or any other program that stores credentials
16. Access and modify certificate stores, change trust chains and decrypt any secure communication
17. Live off the land luxuriously
18. Access, analyze and modify memory content
19. Use security services to gain code execution in local security authority server service (LSASS), which can also be used to extract password hashes and Kerberos tickets
20. Install ANY non-malicious administrative tool and deploy an arsenal of benign tools (that become the “ultimate attacker toolkit” in the wrong hands) without triggering the antivirus
21. Install cryptominer malware to take over the machine’s resources and use them for illicit cryptocurrency mining
22. Enable built-in or third-party hardware trackers to locate devices anywhere in the world
23. Bypass and/or disable user access control (UAC)
24. Downgrade drivers, versions and libraries, or force the use of known vulnerable protocols and programs
25. Flash firmware to connected devices (e.g., disable LED on a camera or load modified firmware on to a PLC)
26. Access security tokens and encryption keys
27. Jump air gaps to access critical operational technology (OT) systems
28. Access supervisory control and data acquisition (SCADA) control panels for critical infrastructure, then modify hardware parameters to disable safety sensors or cause hardware resonance
29. And last but not least, choose their own adventure: Install, remove, access, read, exfiltrate, intercept, unpack, analyze, dump, encrypt, reconfigure, unload, load, enable, disable, execute or remotely execute, cause, force, flip, wipe, mess with and wreak havoc, while also hiding, concealing, dwelling, impersonating, watching, listening, spying, learning and preparing