Threat Detection in the CIAM Context: What's Old is New Again

Stephen Cox
  • Jan 14, 2020

There’s a funny saying in modern computing: “There is no cloud, it’s just someone else’s computer.” It’s amusing to say the least. I’d gladly emblazon it on a T-shirt and joke about it with my colleagues. But in actuality, it’s no joke. Looking at the reality of today's computing landscape, there is very much a cloud, and the world is moving toward it at a frightening pace. (And it is someone else’s computer.)

I know what you’re thinking. Ugh, not another blog about the buzzwordy term "digital transformation." I actually don’t think the term is deserving of its oft-maligned status. It’s accurately describing what is happening right now. That is a topic for another blog. But I digress. If you aren’t blown away by the pace of this historic period in computing, just look at the major cloud providers’ revenues over the last few years. It’s happening, and it’s happening fast.

Technology has always moved fast, but we are changing the way we architect, build and deploy our products. We are increasing the number of channels in which we engage with our customers, and with them what is often referred to as the “attack surface.” With increased surface comes increased risk and even attack vectors we may not be aware of. Attackers are very good at exploiting this security gap.

While new technologies arise that detect and mitigate threats in our advanced cloud environments, it's important to remember some things never change. The saying, “What’s old is new again,” couldn’t be truer. Authentication has long been an element of security programs. For decades, it has protected organizations’ front doors through the VPN, or servers within the environment via username- and password-driven log-in prompts. The data gathered from these mechanisms often proves invaluable in the aftermath of a breach, as incident responders use it to track attackers’ movements once they have gained a foothold in an environment. Incident responders often had to cobble this information together across server logs, VPN logs, Windows event logs and whatever other data they could obtain.

Below are examples of data that prove useful to security analysts and incident responders within the identity context.

Device metadata, which sheds light on the following:
  • Is the device known to be associated with this identity?
  • Has the phone number been recently ported?
  • What is the metadata around the carrier network associated with the phone?
  • Has the phone been rooted?
Location metadata, which sheds light on the following:
  • Is the geolocation known to be associated with the identity?
  • Is the geolocation of the identity coming from outside a geo-fence?
  • Has the geolocation been included in an allow or deny list?
  • Is the geolocation exhibiting an improbable travel event for this identity?
Network metadata, which sheds light on the following:
  • Is the IP known to be associated with this identity?
  • Has the IP been included in an allow or deny list?
  • Is the IP of the identity associated with an anonymity network or other proxy?
  • Is the IP of the identity associated with a bot network?
Password-related metadata, which sheds light on the following:
  • Does this identity appear to be under attack by a brute force, credential stuffing or spraying attack?
  • Is the password associated with this identity known to be breached?
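
As an added illustration (not code from the original article), the sketch below answers three of the questions above for each login: is the IP known for this identity, is the device known, and does the geolocation imply improbable travel. The event fields, the 900 km/h speed ceiling and the 50 km geolocation tolerance are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0      # assumed ceiling, roughly airliner cruise speed
GEO_SLACK_KM = 50.0  # assumed tolerance for geo-IP inaccuracy

@dataclass
class Login:
    identity: str
    ts: datetime
    ip: str
    device_id: str
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance in km between two Login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def score_logins(events):
    """Return [(login, signals)], judging each login against that identity's own history."""
    history, results = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        signals = []
        past = history.setdefault(ev.identity, [])
        if past:  # the first login only establishes the baseline
            if ev.ip not in {p.ip for p in past}:
                signals.append("new_ip")
            if ev.device_id not in {p.device_id for p in past}:
                signals.append("new_device")
            km = haversine_km(past[-1], ev)
            hours = (ev.ts - past[-1].ts).total_seconds() / 3600
            if km > GEO_SLACK_KM and (hours == 0 or km / hours > MAX_KMH):
                signals.append("improbable_travel")
        past.append(ev)
        results.append((ev, signals))
    return results

# Constructed sample events (documentation IP ranges, made-up device ids).
SAMPLE = [
    Login("alice", datetime(2020, 1, 14, 9, 0), "192.0.2.10", "dev-a1", 40.71, -74.01),   # New York
    Login("alice", datetime(2020, 1, 14, 17, 0), "192.0.2.10", "dev-a1", 40.73, -73.99),  # New York
    Login("alice", datetime(2020, 1, 14, 18, 0), "203.0.113.7", "dev-x9", 52.52, 13.40),  # Berlin, 1 h later
    Login("bob", datetime(2020, 1, 14, 9, 0), "198.51.100.4", "dev-b1", 51.51, -0.13),    # London
    Login("bob", datetime(2020, 1, 15, 9, 0), "198.51.100.9", "dev-b1", 48.86, 2.35),     # Paris, next day
]
```

The Berlin login carries all three signals at once, while the Paris login a day later only shows a new IP, which is the kind of difference an analyst would use to prioritize.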

All of this metadata adds up to a much better picture of what is happening at the identity layer. The fact that our context is now the cloud makes little difference. I would argue identity-related metadata is even more valuable today. The convenience and global reach of your applications means you must have a firm and centralized understanding of who is registering and logging in to your various channels. You must understand where they are logging in from, what they are accessing and when anomalous activity is present. This data can help you develop a model of your customers’ behaviors and rapidly enable your incident responders in the event of a breach.

Mitigating identity risk today is difficult. A disheartening reality of the cloud is attackers have access to it and use it against us. Attackers build networks of compromised desktops, servers and cloud nodes to launch their campaigns. This often makes identity attacks highly distributed in nature, stemming from a vast number of nodes, which makes them challenging to combat purely at the network level. Moreover, this designates “identity” as a fundamental security pillar – it’s as important as the network and endpoint, the places where we have spent most of our threat detection focus during the age of the Internet.
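
The following added example (not from the original article) shows why a purely network-level rule struggles with distributed attacks, and how pivoting on the identity answers the password-related question listed earlier. The event format, window size and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict

WINDOW_S = 600          # assumed 10-minute tumbling window
PER_IP_LIMIT = 5        # assumed network-level rule: failures per source IP
PER_IDENTITY_LIMIT = 5  # assumed identity-level rule: failures per identity
BREADTH_LIMIT = 8       # assumed: identities failing with <= 2 tries each

def analyze(events):
    """events: dicts with ts (epoch seconds), ip, identity, ok. Returns findings per window."""
    windows = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            windows[ev["ts"] // WINDOW_S].append(ev)
    findings = {}
    for win, fails in sorted(windows.items()):
        by_ip, by_id, id_ips = defaultdict(int), defaultdict(int), defaultdict(set)
        for ev in fails:
            by_ip[ev["ip"]] += 1
            by_id[ev["identity"]] += 1
            id_ips[ev["identity"]].add(ev["ip"])
        few_tries = [i for i, n in by_id.items() if n <= 2]
        findings[win] = {
            # What a purely per-IP rule would flag.
            "ips_flagged": sorted(ip for ip, n in by_ip.items() if n >= PER_IP_LIMIT),
            # One identity hit repeatedly, mapped to its number of distinct source IPs.
            "identities_targeted": {i: len(id_ips[i]) for i, n in by_id.items()
                                    if n >= PER_IDENTITY_LIMIT},
            # Many identities, few tries each (consistent with spraying or stuffing).
            "broad_campaign": len(few_tries) >= BREADTH_LIMIT,
        }
    return findings

def fail_event(ts, ip, identity):
    return {"ts": ts, "ip": ip, "identity": identity, "ok": False}

# Constructed events. Window 0: 12 failures on "carol", each from a different IP.
AUTH_EVENTS = [fail_event(10 * n, f"203.0.113.{n}", "carol") for n in range(1, 13)]
# Window 1: 10 identities, one failure each, every attempt from its own IP.
AUTH_EVENTS += [fail_event(600 + 5 * n, f"198.51.100.{n}", f"user{n}") for n in range(10)]
# Benign noise: one mistyped password followed by a success.
AUTH_EVENTS += [fail_event(30, "192.0.2.20", "dave"),
                {"ts": 40, "ip": "192.0.2.20", "identity": "dave", "ok": True}]
```

In both windows the per-IP rule flags nothing, because no single address exceeds its limit; only the identity-centric views surface the activity.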

While technologies will continue to evolve and push us to even greater heights in how we interact with our customers, many things will stay the same. Identity should be at the core of your security program – not only for the enterprise, but especially for your customers. Every breached customer represents potential lost value for your brand. Enabling your security analysts and incident responders with rich identity-related data is an indispensable part of maintaining your brand’s integrity.
