While 99% of businesses plan to invest more in security, only 52% have fully implemented multi-factor authentication (MFA), and only 41% adhere to the principle of least privilege in access management.
Adversaries, including nation-states, state-funded attackers and cybercrime gangs, continue to sharpen their tradecraft using generative AI, machine learning (ML) and a growing AI arsenal to launch increasingly sophisticated identity attacks. Deepfakes, tightly orchestrated social engineering and AI-based identity attacks, synthetic fraud, living-off-the-land (LOTL) attacks and many other technologies and tactics signal that security teams are in danger of losing the war against adversarial AI.
“Identity remains one of the hairiest areas of security—in really basic terms: you need authorization (authZ: the right to access) and authentication (authN: the means to access). In computer security, we work really hard to marry authZ and authN,” Merritt Baer, CISO at Reco.ai, told VentureBeat in a recent interview.
“What we have to do is make sure that we use AI natively for defenses because you cannot go out and fight these AI weaponization attacks from adversaries at a human scale. You have to do it at machine scale,” Jeetu Patel, Cisco’s executive vice president and chief product officer, told VentureBeat in an interview earlier this year.
The bottom line is that identities continue to be under siege, and adversaries’ continued efforts to improve AI-based tradecraft targeting weak identity security are fast-growing threats. The Identity Defined Security Alliance’s (IDSA) recent report, 2024 Trends in Securing Digital Identities, reflects how vulnerable identities are and how quickly adversaries are creating new attack techniques to exploit them.
The siege on identities is real – and growing.
“Cloud, identity and remote management tools and legitimate credentials are where the adversary has been moving because it’s too hard to operate unconstrained on the endpoint. Why try to bypass and deal with a sophisticated platform like CrowdStrike on the endpoint when you could log in as an admin user?” Elia Zaitsev, CTO of CrowdStrike, told VentureBeat during a recent interview.
The vast majority of businesses, 90%, have experienced at least one identity-related intrusion and breach attempt in the last twelve months. The IDSA also found that 84% of companies suffered a direct business impact this year, up from 68% in 2023.
“The future will not be televised; it will be contextual. It’s rare that a bad actor is burning a 0-day (new) exploit to get access—why use something special when you can use the front door? They’re almost always operating with valid credentials,” Baer says.
“80% of the attacks that we see have an identity-based element to the tradecraft that the adversary uses; it’s a key element,” Michael Sentonas, president of CrowdStrike, told the audience at Fal.Con 2024 this year. Sentonas continued, saying, “Sophisticated groups like Scattered Spider, like Cozy Bear, show us how adversaries exploit identity. They use password spray, they use phishing, and they use MTM frameworks. They steal legitimate creds and register their own devices.”
Why identity-based attacks are proliferating
Identity-based attacks are surging this year, with a 160% rise in attempts to collect credentials via cloud instance metadata APIs and a 583% spike in Kerberoasting attacks, according to CrowdStrike’s 2023 Threat Hunting Report.
The all-out attacks on identities emphasize the need for a more adaptive, identity-first security strategy that reduces risk and moves beyond legacy perimeter-based approaches:
Unchecked human and machine identity sprawl is rapidly expanding threat surfaces. IDSA found that 81% of IT and security leaders say their organizations’ number of identities has doubled over the last decade, further multiplying the number of potential attack surfaces. Over half the executives interviewed, 57%, consider managing identity sprawl a primary focus going into 2025, and 93% are taking steps to get control of it. With machine identities continuing to increase, security teams need to have a strategy in place for managing them as well. The typical organization has 45 times more machine identities than human ones, and many organizations don’t even know exactly how many they have. What makes managing machine identities challenging is factoring in the diverse needs of DevOps, cybersecurity, IT, IAM and CIO teams.
Growing incidence of adversarial AI-driven attacks launched with deepfake and impersonation-based phishing techniques. Deepfakes typify the cutting edge of adversarial AI attacks, reaching a 3,000% increase last year alone. It’s projected that deepfake incidents will go up by 50% to 60% in 2024, with 140,000-150,000 cases globally predicted this year. Adversarial AI is creating new attack vectors no one sees coming and creating a new, more complex, and nuanced threatscape that prioritizes identity-driven attacks. Ivanti’s latest research finds that 30% of enterprises have no plans in place for how they’ll identify and defend against adversarial AI attacks, and 74% of enterprises surveyed already see evidence of AI-powered threats. Of the majority of CISOs, CIOs, and IT leaders participating in the study, 60% say they’re afraid their enterprises are not prepared to defend against AI-powered threats and attacks.
More active targeting of identity platforms, starting with Microsoft Active Directory (AD). Every adversary knows that the quicker they can take control of AD, the faster they control an entire company. From giving themselves admin rights to deleting all other admin accounts to further insulate themselves during an attack, adversaries know that locking down AD locks down a business. Once AD is under control, adversaries move laterally across networks and install ransomware, exfiltrate valuable data and have been known to reprogram ACH accounts. Outbound payments go to shadow accounts the attackers control.
Over-reliance on single-factor authentication for remote and hybrid workers, and not implementing multi-factor authentication to the app level company-wide. Recent research on authentication trends finds that 73% of users reuse passwords across multiple accounts, and password sharing is rampant across enterprises today. Add to that the fact that privileged account credentials for remote workers are not monitored, and the conditions are created for privileged account misuse, the cause of 74% of identity-based intrusions this year.
The Telesign Trust Index shows that when it comes to getting cyber hygiene right, there is valid cause for concern. Their study found that 99% of successful digital intrusions start when accounts have multi-factor authentication (MFA) turned off. “The emergence of AI over the past year has brought the importance of trust in the digital world to the forefront,” Christophe Van de Weyer, CEO of Telesign, told VentureBeat during a recent interview. “As AI continues to advance and become more accessible, it’s essential that we prioritize trust and security to protect the integrity of personal and institutional data. At Telesign, we’re committed to leveraging AI and ML technologies to combat digital fraud, ensuring a safer and more trustworthy digital environment for all.”
A well-executed MFA plan will require the user to present a combination of something they know, something they have, or some form of biometric factor. One of the major reasons why so many Snowflake customers were breached is that MFA was not enabled by default. CISA offers a helpful fact sheet on MFA that defines the specifics of why it’s essential and how it works.
Ransomware is being initiated more often using stolen credentials, fueling a ransomware-as-a-service boom. VentureBeat continues to see ransomware attacks growing at an exponential rate across healthcare and manufacturing businesses, as adversaries know that interrupting their businesses leads to larger ransomware payout multiples. Deloitte’s 2024 Cyber Threat Trends Report found that 44.7% of all breaches involve stolen credentials as the initial attack vector. Credential-based ransomware attacks are notorious for creating operational chaos and, consequently, significant financial losses. Ransomware-as-a-Service (RaaS) attacks continue to increase, as adversaries are actively phishing target companies to get their privileged access credentials.
Practical steps security leaders can take now for small teams
Security teams and the leaders supporting them need to start with the assumption that their companies have already been breached or are about to be. That’s an essential first step to begin protecting identities and the attack surface adversaries target to get to them.
“I started a company because this is a pain point. It’s really hard to manage access permissions at scale. And you can’t afford to get it wrong with high-privileged users (execs) who are, by the way, the same folks who ‘need access to their email immediately!’ on a business trip out of the country,” says Kevin Jackson, CEO of Level 6 Communications.
The following are practical steps any security leader can take to protect identities across their business:
- Audit and revoke any access privileges for former employees, contractors and admins. Security teams need to get in the practice of regularly auditing all access privileges, especially those of administrators, to see if they’re still valid and if the person is still with the company. It’s the best muscle memory for any security team to get in the habit of strengthening, because it’s proven to stop breaches. Go hunting for zombie accounts and credentials regularly, and consider how genAI can be used to create scripts to automate this process. Insider attacks are a nightmare for security teams and the CISOs leading them.
Add to that the fact that 92% of security leaders say internal attacks are as complex as or more challenging to identify than external attacks, and the need to get control of access privileges becomes clear. Nearly all IAM providers have automated anomaly detection tools that can help implement a thorough identity and access privilege clean-up. VentureBeat has learned that roughly 60% of companies are paying for this feature in their cybersecurity suites and are not using it.
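The kind of access-review script the step above calls for, as an added example (not code from the article or from any IAM vendor it names). It runs over a constructed identity export and HR roster; the field names, the 90-day idle threshold and the review date are assumptions for illustration. It flags accounts belonging to people no longer on the roster, contractors past their end date, and accounts that are idle or never used, and puts privileged accounts at the top of the list so they are revoked first.

```python
"""
Added example: a small access-review pass over a constructed identity export.
Findings come back as (user, reason, severity); privileged accounts are listed
first because a stale admin account is the one an adversary wants most.
"""
from datetime import date, timedelta

# Constructed sample data; field names are assumptions, not any vendor's schema.
HR_ROSTER = {"alice", "bob", "carol"}          # people currently employed
ACCOUNTS = [
    {"user": "alice", "privileged": True,  "last_login": "2024-10-01", "type": "employee"},
    {"user": "bob",   "privileged": False, "last_login": "2024-05-10", "type": "employee"},
    {"user": "dave",  "privileged": True,  "last_login": "2024-09-28", "type": "employee"},   # left the company
    {"user": "erin",  "privileged": False, "last_login": "2024-09-30", "type": "contractor",
     "contract_end": "2024-08-31"},                                                            # contract expired
    {"user": "svc-backup", "privileged": True, "last_login": None, "type": "service"},         # never used
]

STALE_AFTER = timedelta(days=90)          # assumed idle threshold
REVIEW_DATE = date(2024, 10, 15)          # assumed date the review is run


def review_accounts(accounts, roster, today, stale_after=STALE_AFTER):
    """Return a list of (user, reason, severity) findings, privileged accounts first."""
    findings = []
    for acct in accounts:
        reasons = []
        # Employee account whose owner is no longer on the HR roster: orphaned
        if acct["type"] == "employee" and acct["user"] not in roster:
            reasons.append("not on HR roster")
        # Contractor whose engagement ended but whose account still exists
        if acct["type"] == "contractor":
            end = date.fromisoformat(acct["contract_end"])
            if end < today:
                reasons.append("contract ended %s" % end)
        # Zombie credentials: never used, or not used within the idle window
        if acct["last_login"] is None:
            reasons.append("never logged in")
        elif today - date.fromisoformat(acct["last_login"]) > stale_after:
            reasons.append("idle > %d days" % stale_after.days)
        for reason in reasons:
            severity = "revoke-now" if acct["privileged"] else "review"
            findings.append((acct["user"], reason, severity))
    # Privileged findings first so the riskiest accounts are handled first
    findings.sort(key=lambda f: (f[2] != "revoke-now", f[0]))
    return findings


if __name__ == "__main__":
    for user, reason, sev in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{sev:10s} {user:12s} {reason}")
```

In practice the roster comes from the HR system and the account list from the directory or IAM export; the point of keeping the two sources separate is that an account with no matching person is exactly the orphan the audit is looking for.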
- Make MFA the standard with no exceptions, and consider how user personas and roles with access to admin rights and sensitive data could have biometrics and passwordless authentication layered in. Security teams will need to lean on their vendors to get this right, as shown by the situation at Snowflake and now at Okta, where logins with 52-character-long user names have been allowing login session access without providing a password.
Gartner projects that by next year, 50% of the workforce will use passwordless authentication. Leading passwordless authentication providers include Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access, and Windows Hello for Business. Ivanti’s Zero Sign-On (ZSO), integrated into its UEM platform, combines passwordless authentication with FIDO2 protocols and supports biometrics, including Apple’s Face ID as a secondary authentication factor.
- Get just-in-time (JIT) provisioning right as a core part of providing least privileged access. Just-in-Time (JIT) provisioning is a key element of zero-trust architectures, designed to reduce access risks by limiting resource permissions to specific durations and roles. By configuring JIT sessions based on role, workload, and data classification, organizations can further control and protect sensitive assets.
The recently launched Ivanti Neurons for App Control enhances JIT security measures by strengthening endpoint security through application control. The solution blocks unauthorized applications by verifying file ownership and applying granular privilege management, helping to prevent malware and zero-day attacks.
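The JIT session model the step above describes, as an added example (not code from the article or from Ivanti): a minimal access broker in which every grant is tied to a role, a workload, a justification and an expiry. The maximum lifetime is capped by the data classification of the workload, access is denied the instant the grant expires, and expired grants are listed so they can be de-provisioned. The roles, workloads, classifications and caps are constructed policy values for illustration.

```python
"""
Added example: a just-in-time (JIT) access broker with time-boxed, role-bound grants.
"""
from dataclasses import dataclass

# Maximum grant lifetime (seconds) per data classification: constructed policy values.
MAX_TTL = {"public": 8 * 3600, "internal": 4 * 3600, "confidential": 3600, "restricted": 900}

# Which roles may request which workloads, and how that workload's data is classified.
ROLE_WORKLOADS = {
    "dba":     {"orders-db": "confidential", "analytics": "internal"},
    "sre":     {"payments-api": "restricted", "analytics": "internal"},
    "analyst": {"analytics": "internal"},
}


@dataclass
class Grant:
    user: str
    role: str
    workload: str
    issued_at: int       # unix seconds
    expires_at: int      # unix seconds; access stops here, no renewal without a new request
    justification: str


class JitBroker:
    def __init__(self):
        self.grants = []       # every grant ever issued, kept as the audit trail

    def request(self, user, role, workload, ttl_seconds, justification, now):
        """Issue a time-boxed grant, or raise PermissionError if the request violates policy."""
        if not justification.strip():
            raise PermissionError("justification required")
        classification = ROLE_WORKLOADS.get(role, {}).get(workload)
        if classification is None:
            raise PermissionError(f"role {role!r} may not access {workload!r}")
        ttl = min(ttl_seconds, MAX_TTL[classification])   # cap the window by classification
        grant = Grant(user, role, workload, now, now + ttl, justification)
        self.grants.append(grant)
        return grant

    def is_allowed(self, user, workload, now):
        """True only while an unexpired grant for this user and workload exists."""
        return any(g.user == user and g.workload == workload
                   and g.issued_at <= now < g.expires_at
                   for g in self.grants)

    def expired(self, now):
        """Grants whose window has closed; these are the ones to revoke/de-provision."""
        return [g for g in self.grants if g.expires_at <= now]


if __name__ == "__main__":
    broker = JitBroker()
    g = broker.request("alice", "sre", "payments-api", 4 * 3600, "INC-123 rollback", now=1000)
    print("granted ttl :", g.expires_at - g.issued_at)                       # 900, capped by 'restricted'
    print("allowed now :", broker.is_allowed("alice", "payments-api", 1500))  # True
    print("after expiry:", broker.is_allowed("alice", "payments-api", 1900))  # False
```

The two decisions worth copying into a real deployment are that the broker, not the requester, decides the lifetime (the request only proposes one), and that standing access never exists: `is_allowed` consults the grant list on every check rather than flipping a permanent flag when the grant is issued.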
- Prevent adversaries and potential insider threats from assuming machine roles in AWS by configuring its IAM for least privileged access. VentureBeat has learned that cyberattacks on AWS instances are increasing, and attackers are taking over the identities of machine roles. Be sure to avoid mixing human and machine roles across DevOps, engineering, production, and AWS contractors.
If role assignments have errors in them, a rogue employee or contractor can, and has, stolen confidential data from an AWS instance without anyone knowing. Audit transactions and enforce least privileged access to prevent this type of intrusion. There are configurable options in AWS Identity and Access Management to ensure this level of security.
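A check for the role-assignment errors the step above warns about, as an added example (not code from the article or from AWS): a small linter for IAM policy documents. It flags wildcard actions and resources, `iam:PassRole` that is not limited to a specific role and service, and trust policies that let any principal, or a human IAM user, assume a machine role. The policies are constructed for the example (the account ID is the AWS documentation placeholder); the checks rely only on the documented policy grammar (Version, Statement, Effect, Action, Resource, Principal, Condition) and the real `iam:PassedToService` condition key.

```python
"""
Added example: lint AWS IAM permissions and trust policies for the patterns that
let a machine role be over-used or taken over by a human identity.
"""
import json


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_permissions_policy(policy: dict):
    """Return human-readable findings for an identity-based (permissions) policy."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' for {actions}")
        if "iam:PassRole" in actions and ("*" in resources or "Condition" not in st):
            findings.append(f"statement {i}: iam:PassRole not limited to a specific role/service")
    return findings


def lint_trust_policy(policy: dict, human_principal_hint="user/"):
    """Return findings for a role's trust (AssumeRole) policy."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: any principal may assume this role")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append(f"statement {i}: any AWS account may assume this role")
            elif human_principal_hint in arn:
                # A human IAM user trusted by a machine role: the mixing the article warns against
                findings.append(f"statement {i}: human identity {arn} can assume a machine role")
    return findings


# Constructed 'before' policy: the over-broad machine role the passage warns about.
LOOSE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]}""")

# Constructed 'after' policy: scoped to the one bucket and one role the workload needs.
TIGHT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-task-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}
  ]}""")

# Constructed trust policy that mixes a human user into a machine (EC2) role.
MIXED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/contractor1"},
     "Action": "sts:AssumeRole"}
  ]}""")

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, lint_permissions_policy(pol) or "ok")
    print("trust", lint_trust_policy(MIXED_TRUST))
```

Run against the policies attached to production roles (for instance the output of `aws iam get-role-policy` and `aws iam get-role`), the same checks turn the article’s advice into something reviewable on every change: the tightened policy passes cleanly, while the loose one and the mixed trust policy each produce findings that name the statement to fix.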
Predicting the future of identity management in 2025
Every security team needs to assume an identity-driven breach has occurred or is about to if they’re going to be ready for the challenges of 2025. Implementing least privileged access, a core component of zero trust and a proven strategy for shutting down a breach, needs to be a priority. Implementing JIT provisioning is also table stakes.
More security teams and their leaders need to take vendors to task and hold them accountable for their platforms and apps supporting MFA and advanced authentication techniques.
There’s no excuse for shipping a cybersecurity product in 2025 without MFA installed and enabled by default. Complex cloud database platforms like Snowflake point to why this needs to be the new normal. Okta’s latest oversight of allowing 52-character user names to bypass the need for a password just shows these companies need to work harder and more diligently to connect their engineering, quality, and red-teaming internally so that they don’t put customers and their businesses at risk.