With the growing risk of identity-driven breaches, as seen in recent ransomware and supply chain attacks, businesses are starting to appreciate the need for identity security. As they assess how best to strengthen identity protection, there is often an urge to settle for security features or modules included in enterprise bundles from the same vendor providing their identity or identity and access management (IAM) layer.
A common example can be seen in organizations with a Microsoft E3/E5 bundle that are already using Active Directory + Azure AD as the identity layer. They may settle for Microsoft Defender for Identity and/or Azure AD Identity Protection to address their identity security needs.
While using multiple products from the same vendor as part of an enterprise bundle is usually cost effective, there are cases in which this compromise can lead to costly, catastrophic breaches — and combining identity and identity security is one of them. Customers often don’t fully appreciate what to look for in an identity security solution.
Before examining the reasons why this compromise is flawed, let’s review a few definitions.
Distinguishing Between IAM and Identity Security
IAM is the part of an organization’s IT security strategy that focuses on managing digital identities and users’ access to data, systems and other resources. IAM technologies store and manage identities to provide single sign-on (SSO) or multifactor authentication (MFA) capabilities, but are not designed primarily as a security solution for detecting and preventing breaches.
Identity security, on the other hand, is a comprehensive solution built for the sole purpose of detecting and preventing identity-driven breaches, especially when adversaries manage to bypass legacy security measures. The ideal identity security solution should be part of a broader security platform with deep visibility into every layer of the enterprise that is exposed to breaches to create more accurate detections and responses, including endpoints, cloud workloads, identities and data.
Pitfalls in Buying IAM and Identity Security from the Same Vendor
Competing Interests
This may sound like a no-brainer, but avoiding areas of a vendor’s competing interests is often overlooked when making cybersecurity purchasing decisions. There should be a clear separation of responsibility. In accounting, an auditor conducts an independent examination to verify the numbers are correct, and in software development, code is tested after the developers have written it. The same concept applies to security; when you buy identity and identity security from the same vendor, you ignore this basic tenet of ensuring neutrality.
Microsoft Active Directory is built on decades-old legacy technology and is widely considered to be one of the weakest links in an organization’s cyber defense strategy. New AD vulnerabilities are discovered every year, including a recent one that could result in total domain compromise in a matter of seconds. At the same time, it is one of the most widely used identity stores: over 90% of Fortune 1000 organizations still rely on it, making Active Directory a very appealing target for identity-based attacks.
As the identity vendor, Microsoft has some obligations to provide its customers with patches for AD vulnerabilities, but that is just one part of the equation. If Microsoft is also the identity security vendor, it should also promptly provide detection and remediation capabilities so adversaries cannot launch attacks exploiting vulnerabilities in its products — but that is an area where it has repeatedly failed its customers.
In contrast, when the identity security is provided by a neutral, security-focused vendor like CrowdStrike, this competing interest is eliminated. CrowdStrike’s sole focus is to protect customers from breaches and provide proactive detection and remediation capabilities to the customer — and not patch vulnerabilities in identity products.
Another area of competing interest lies in integrations. An identity security offering should be able to integrate with and provide visibility across a wide array of identity products to provide a unified identity view. However, when an identity vendor also provides the identity security layer, there is no incentive to integrate with other identity vendors to provide a single pane of glass that gives visibility into multiple identity stores across a hybrid landscape. The difference is apparent with Microsoft Defender for Identity — it is Microsoft-centric, whereas CrowdStrike Falcon® products work not only with Active Directory and Azure AD but also with other best-of-breed IAM/MFA vendors like Okta, Ping, Duo, CyberArk and others.
Lack of Security Depth
Although the word “identity” is part of “identity security,” the emphasis must be on security. An ideal identity security solution should be part of a broader security platform that can correlate security information from multiple sources.
The CrowdStrike Security Cloud correlates trillions of security events per day with indicators of attack, the industry’s leading threat intelligence and enterprise telemetry from across customer endpoints, workloads, identities and data. This laser focus on security, incorporating a wide variety of attack data, enables Falcon products to deliver hyper-accurate detections as well as automated protection and remediation.
That single-minded focus on security is hard to achieve for a software behemoth like Microsoft, which has years of deep technical debt from legacy products and also a wide swath of new offerings ranging from cloud infrastructure and services to software, hardware and gaming. Due to its legacy approach from a pre-cloud world, Microsoft is constantly playing catch-up to fix newly discovered vulnerabilities across its products. The company has experienced a string of security issues over the years, including AD supply chain compromise, the PrintNightmare vulnerability and common AD misconfigurations that attackers exploit.
This shortcoming was once again shown in the recent noPac exploit, which allowed malicious actors to combine two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), leading to privilege escalation with a direct path to a compromised domain. While CrowdStrike Falcon Identity Threat Protection automatically detects attempted exploitation of these vulnerabilities and can block noPac with a simple policy to enforce MFA, Microsoft’s response was to provide patches to address these vulnerabilities in its own product but with the onus on the customer to apply these patches to every AD domain controller.
Vendor Lock-in
Competing interests grow more complex when the vendor providing the identity layer also happens to be selling cloud infrastructure and has a vested interest in moving customers to its cloud.
When faced with a newly discovered vulnerability or an architectural flaw in its on-premises identity layer (such as Active Directory), a vendor may simply encourage customers to start using its cloud identity layer (like Azure AD) to avoid the vulnerability. This is practically impossible for customers that have built layers of applications on top of their AD infrastructure that would take years to migrate. More importantly, moving to the cloud does nothing to protect them from adversaries currently exploiting AD vulnerabilities to wreak havoc.
Interestingly, a recent report from Microsoft disclosed that adoption of MFA in Azure AD remains low, with the majority of Azure AD identities requiring only a username and password — underscoring the fact that Azure AD is not a magic remedy for the security challenges of AD.
Vendor lock-in hurts customers by preventing them from taking advantage of today’s multi-cloud reality. This can be countered with an identity security solution from a neutral vendor, like CrowdStrike, which has no vested interest in pushing customers toward a specific cloud infrastructure. It also provides a longer timeframe for organizations to plan and implement a hybrid cloud migration without having to worry about breaches during the transition.
Finally, a multi-identity vendor security approach gives enterprises the flexibility to choose their MFA provider. CrowdStrike Falcon Identity Protection enables out-of-the-box integration with most leading MFA providers — including Okta, Duo and Google Authenticator — providing organizations with a frictionless MFA experience, instead of being further locked into one MFA solution like with Microsoft.
Why Identity Security Should Be Separate from Identity
Modern attacks like ransomware are typically identity-driven, and a strong identity security solution should be a key component of your overall security posture. Settling for an identity security solution that is included in an enterprise bundle from your identity vendor will lead to poorer security outcomes and increase the risk of breaches. Your identity security needs would be much better served by a solution from a neutral security vendor to secure all critical areas of enterprise risk — endpoints, cloud workloads, identity and data.
Venu Shastri is a director of product marketing at CrowdStrike.