What is identity security posture management (ISPM)?
Identity security posture management (ISPM) is a framework for strengthening and maintaining the security posture of an organization’s identity infrastructure in order to prevent breaches. ISPM involves continuously monitoring and analyzing identities, access rights, and authentication processes across the entire ecosystem. This gives you insight into your identity risk profile and guidance on how to reduce that risk. ISPM is a proactive approach to security that can help your organization stop identity-based attacks before they start.
What security challenges does ISPM address?
Managing identity security posture has become increasingly complex. The identity landscape spans IT infrastructures and multi-cloud architectures and includes multiple identity stores. Identity means more than users — it includes machines, service accounts, workloads, and more. Without end-to-end visibility across the identity landscape, it is difficult to get a true understanding of an organization’s security posture.
Improperly managed identities give adversaries easy entry points to an organization’s critical resources. According to Gartner, preventative security controls that support an ISPM framework can help your organization avoid misconfigurations, vulnerabilities, and risk exposure.
Misconfigurations can leave organizations susceptible to adversaries and increase the risk of a breach. Common misconfigurations include over-privileging accounts, improper identity life cycle management, and failing to implement multi-factor authentication (MFA) correctly.
- CrowdStrike’s 2023 Global Threat Report found that 8 out of 10 intrusions involved compromised identities or stolen credentials.
To avoid misconfigurations, provision every account deliberately: change default settings, put identity and access management (IAM) controls in place, and continuously monitor configurations for suspicious changes.
90% of organizations rely on Active Directory, a legacy technology that is inherently vulnerable to attack. Weaknesses in identity stores are exploited by techniques such as Pass-the-Hash (PtH), in which an adversary authenticates with a stolen NTLM password hash instead of the password itself in order to move laterally; other attacks target the identity infrastructure directly in order to compromise it.
- 50% of organizations have experienced an Active Directory attack in the last two years.
- There was a 583% year-over-year increase in Kerberoasting attacks in 2023.
Address identity-based vulnerabilities proactively by improving identity hygiene, including password policy and conditional access controls. You can also harden your environment with an identity solution that supports an ISPM framework.
Reduce your overall identity attack surface by removing unnecessary or excessive access rights. This includes reducing the risk of accounts that could be susceptible to account takeover like dormant accounts with stale passwords. Additionally, consider implementing least privilege access to restrict access rights for users, accounts, and processes to only the resources required to perform legitimate functions.
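The hygiene checks described above (dormant accounts, stale passwords, privileged accounts without MFA, and service accounts exposed to Kerberoasting) can be run as one pass over an inventory export. The script below is an added example, not CrowdStrike code or Falcon output; the account records are constructed sample data shaped like common Active Directory attributes, and the "mfa" flag is an assumed field that an identity provider or conditional-access export would supply.

```python
from datetime import datetime, timezone

# Constructed sample export from an identity store (illustrative data, not a real
# directory). Field names follow common Active Directory attributes; "mfa" is an
# assumed flag that an IdP or conditional-access export would supply.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

ACCOUNTS = [
    {"name": "alice",   "enabled": True,  "lastLogon": "2024-01-14", "pwdLastSet": "2023-11-01",
     "memberOf": ["Domain Admins"],                 "spn": [],                                  "mfa": True},
    {"name": "bob",     "enabled": True,  "lastLogon": "2023-06-02", "pwdLastSet": "2022-01-10",
     "memberOf": ["Domain Users"],                  "spn": [],                                  "mfa": False},
    {"name": "carol",   "enabled": True,  "lastLogon": "2024-01-13", "pwdLastSet": "2024-01-02",
     "memberOf": ["Domain Admins", "Domain Users"], "spn": [],                                  "mfa": False},
    {"name": "svc_sql", "enabled": True,  "lastLogon": "2024-01-15", "pwdLastSet": "2019-03-04",
     "memberOf": ["Domain Users"],                  "spn": ["MSSQLSvc/db01.corp.example:1433"], "mfa": False},
    {"name": "svc_web", "enabled": True,  "lastLogon": "2024-01-15", "pwdLastSet": "2023-12-20",
     "memberOf": ["Domain Users"],                  "spn": ["HTTP/web01.corp.example"],         "mfa": False},
    {"name": "dave",    "enabled": False, "lastLogon": "2021-05-05", "pwdLastSet": "2021-01-01",
     "memberOf": ["Domain Users"],                  "spn": [],                                  "mfa": False},
    {"name": "erin",    "enabled": True,  "lastLogon": None,         "pwdLastSet": "2023-12-01",
     "memberOf": ["Domain Users"],                  "spn": [],                                  "mfa": True},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}


def _age_days(stamp, now):
    """Days since an ISO date; None (never logged on / never set) counts as unbounded."""
    if stamp is None:
        return float("inf")
    return (now - datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)).days


def dormant_accounts(accounts, now=NOW, max_idle_days=90):
    """Enabled accounts with no logon inside max_idle_days: account-takeover candidates."""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and _age_days(a["lastLogon"], now) > max_idle_days)


def stale_password_accounts(accounts, now=NOW, max_age_days=365):
    """Enabled accounts whose password is older than max_age_days."""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and _age_days(a["pwdLastSet"], now) > max_age_days)


def privileged_without_mfa(accounts):
    """Members of high-privilege groups that are not enrolled in MFA."""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and not a["mfa"] and PRIVILEGED_GROUPS & set(a["memberOf"]))


def kerberoastable(accounts, now=NOW, max_pwd_age_days=180):
    """Enabled user accounts carrying an SPN whose password is old. Any domain user can
    request a service ticket for an SPN and crack it offline, so a long-lived,
    human-chosen password on such an account is the exposure. (Machine and group-managed
    service accounts are not in the sample; they rotate their secrets automatically.)"""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and a["spn"] and _age_days(a["pwdLastSet"], now) > max_pwd_age_days)


def posture_report(accounts, now=NOW):
    """One pass over the inventory: finding name -> affected account names."""
    return {
        "dormant": dormant_accounts(accounts, now),
        "stale_password": stale_password_accounts(accounts, now),
        "privileged_no_mfa": privileged_without_mfa(accounts),
        "kerberoastable": kerberoastable(accounts, now),
    }


if __name__ == "__main__":
    for finding, names in posture_report(ACCOUNTS).items():
        print(f"{finding:18s} {', '.join(names) or '-'}")
```

If you build the inventory from Active Directory, read lastLogonTimestamp rather than lastLogon: lastLogon is not replicated between domain controllers, while lastLogonTimestamp is replicated but by default is only refreshed when the stored value is more than 14 days old, so treat a 90-day threshold as approximate. Disabled accounts are skipped here; a posture review would still want them cleaned up, since a disabled account with an old password can be re-enabled by anyone who gains the right to do so.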
5 ISPM implementation must-haves
The five must-haves to keep in mind when implementing ISPM are:
1. Comprehensive identity visibility
The identity landscape is complex and spans across cloud, on-premises, and hybrid environments. It is critical to have identity visibility into all users, accounts (human or service), access rights, and configurations — regardless of where they reside.
2. Risk assessments
Organizations can regularly conduct risk assessments to identify potential vulnerabilities in their identity management systems and take steps to mitigate those risks. Risk assessments include discovering identity security gaps, identifying compromised credentials and impacted accounts, understanding possible attack paths that adversaries can exploit, and more.
3. Continuous monitoring
Once an organization understands its identity security posture, it can establish a baseline for normal user and device activity. It can then continuously monitor and analyze users and devices against that baseline to flag anomalous or suspicious behavior that may indicate a security threat.
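The baseline-then-monitor loop above, as an added example that is not CrowdStrike code or Falcon detection logic. The events are constructed sample records whose shape loosely follows Windows Security log fields (4624 = successful logon, 4769 = Kerberos service ticket request, with the ticket encryption type where 0x17 is RC4-HMAC and 0x12 is AES256); the host names, users and SPNs are placeholders. It learns each user's source hosts and logon hours from a quiet week, then flags logons that fall outside that profile and, as a rule tied to the Kerberoasting statistic earlier on the page, any account that harvests RC4 service tickets for many distinct SPNs in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample events (not from any real system). 4624 = successful logon,
# 4769 = Kerberos TGS request; "enc" is the ticket encryption type (0x17 RC4-HMAC,
# which Kerberoasting tooling typically requests; 0x12 AES256).
def _ev(ts, user, event, src, spn=None, enc=None):
    return {"ts": ts, "user": user, "event": event, "src": src, "spn": spn, "enc": enc}


BASELINE_EVENTS = [  # learning window: a quiet week
    _ev("2024-01-08T09:02:00", "alice", 4624, "WS-ALICE"),
    _ev("2024-01-08T17:45:00", "alice", 4624, "WS-ALICE"),
    _ev("2024-01-09T08:55:00", "alice", 4624, "WS-ALICE"),
    _ev("2024-01-09T10:10:00", "alice", 4624, "VPN-GW01"),
    _ev("2024-01-08T08:30:00", "bob",   4624, "WS-BOB"),
    _ev("2024-01-09T16:40:00", "bob",   4624, "WS-BOB"),
    _ev("2024-01-09T12:00:00", "bob",   4769, "WS-BOB", "MSSQLSvc/db01.corp.example:1433", 0x12),
]

NEW_EVENTS = [  # the window being monitored
    _ev("2024-01-15T09:05:00", "alice", 4624, "WS-ALICE"),
    _ev("2024-01-15T03:12:00", "alice", 4624, "SRV-FILE02"),
    _ev("2024-01-15T14:00:00", "bob",   4624, "WS-BOB"),
    _ev("2024-01-15T14:02:00", "bob",   4769, "WS-BOB", "MSSQLSvc/db01.corp.example:1433", 0x12),
    _ev("2024-01-15T14:03:00", "bob",   4769, "WS-BOB", "HTTP/web01.corp.example", 0x17),
    _ev("2024-01-15T14:03:10", "bob",   4769, "WS-BOB", "MSSQLSvc/db01.corp.example:1433", 0x17),
    _ev("2024-01-15T14:03:25", "bob",   4769, "WS-BOB", "MSSQLSvc/db02.corp.example:1433", 0x17),
    _ev("2024-01-15T14:03:40", "bob",   4769, "WS-BOB", "HTTP/intranet.corp.example", 0x17),
    _ev("2024-01-15T14:04:05", "bob",   4769, "WS-BOB", "exchangeMDB/mail01.corp.example", 0x17),
    _ev("2024-01-15T14:04:30", "bob",   4769, "WS-BOB", "TERMSRV/rdp01.corp.example", 0x17),
    _ev("2024-01-15T22:00:00", "svc_backup", 4624, "WS-BOB"),
]


def build_baseline(events):
    """Per-user profile from the learning window: source hosts seen and logon hours used."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["event"] == 4624:
            profile[e["user"]]["hosts"].add(e["src"])
            profile[e["user"]]["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return dict(profile)


def logon_anomalies(events, baseline, slack_hours=1):
    """Flag logons from a host never seen for that user, or outside the user's observed
    hour range widened by slack_hours on each side. Users absent from the baseline are
    reported too: an account with no history that logs on is itself worth a look."""
    findings = []
    for e in events:
        if e["event"] != 4624:
            continue
        p = baseline.get(e["user"])
        if p is None:
            findings.append((e["ts"], e["user"], "no baseline for user"))
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        lo, hi = min(p["hours"]) - slack_hours, max(p["hours"]) + slack_hours
        reasons = []
        if e["src"] not in p["hosts"]:
            reasons.append(f"new source host {e['src']}")
        if not lo <= hour <= hi:
            reasons.append(f"logon at {hour:02d}:xx outside {lo:02d}-{hi:02d}")
        if reasons:
            findings.append((e["ts"], e["user"], "; ".join(reasons)))
    return findings


def kerberoast_bursts(events, window=timedelta(minutes=5), min_spns=5):
    """Flag an account that requests RC4 service tickets for min_spns or more distinct
    SPNs inside one window: bulk ticket harvesting for offline cracking. One finding per
    account, anchored at the first request that opens a qualifying window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == 4769 and e["enc"] == 0x17:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["spn"]))
    findings = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                findings.append((t0.isoformat(), user, f"{len(spns)} RC4 TGS requests within {window}"))
                break
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for f in logon_anomalies(NEW_EVENTS, baseline) + kerberoast_bursts(NEW_EVENTS):
        print(*f)
```

Two caveats a practitioner would add: the hour envelope is crude, so a thin baseline (one or two logons) will produce noise until the learning window is long enough, and filtering on RC4 alone misses tooling that requests AES tickets, so in production pair the burst rule with SPN diversity regardless of encryption type and feed it the service-account list from the posture review.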
4. Multi-factor authentication
ISPM promotes the use of MFA to add a layer of security to the authentication process. MFA requires users to provide multiple forms of verification, such as something they know (a password) and something they have (a mobile device or hardware token). Conditional access policies can then require MFA before granting access to an organization’s critical resources.
5. Cloud infrastructure entitlement management (CIEM)
Identity security posture extends beyond the controls and access that users have within the organization. Organizations need an additional layer of security that accounts for cloud-based environments. CIEM helps organizations manage entitlements across all of their cloud infrastructure resources. This helps mitigate the risk that comes from the unintentional and unchecked granting of excessive permissions to cloud resources.
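One concrete form of the "unchecked granting of excessive permissions" is a cloud identity policy that allows wildcard actions or resources. The linter below is an added example, not CrowdStrike's CIEM implementation; the two AWS IAM policy documents are constructed for illustration (the account ID, ARNs and VPC ID are placeholders), and the escalation-action list is an assumed, non-exhaustive set. It reports the over-permissive policy and passes the scoped one.

```python
import json

# Constructed AWS IAM policy documents for illustration; the account ID, ARNs and
# VPC ID are placeholders, not real resources.
OVERLY_PERMISSIVE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"}
  ]
}
""")

LEAST_PRIVILEGE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs-example", "arn:aws:s3:::app-logs-example/*"]},
    {"Effect": "Allow",
     "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:app-queue",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0abc1234"}}}
  ]
}
""")

# Actions that let a principal escalate or pivot even when everything else is scoped.
# Assumed, illustrative list; not exhaustive.
ESCALATION_ACTIONS = {
    "iam:PassRole", "sts:AssumeRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy", "lambda:UpdateFunctionCode",
}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, reason) for each Allow statement that grants more than a
    scoped entitlement should. Deny statements are skipped: they narrow, never widen."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st:
            findings.append((idx, "NotAction allows every action except those listed"))
        if "NotResource" in st:
            findings.append((idx, "NotResource allows every resource except those listed"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        all_resources = "*" in resources
        if wild_actions and all_resources:
            findings.append((idx, f"wildcard action(s) {wild_actions} on Resource '*'"))
        elif wild_actions:
            findings.append((idx, f"service-wide action(s) {wild_actions}"))
        elif all_resources:
            findings.append((idx, f"Resource '*' for {actions}"))
        escalation = sorted(set(actions) & ESCALATION_ACTIONS)
        if escalation and all_resources and "Condition" not in st:
            findings.append((idx, f"unconditioned {escalation} on Resource '*': privilege escalation path"))
    return findings


if __name__ == "__main__":
    for name, pol in (("overly permissive", OVERLY_PERMISSIVE), ("least privilege", LEAST_PRIVILEGE)):
        print(name, audit_policy(pol) or "no findings")
```

A CIEM product computes effective permissions by combining identity policies with resource policies, permission boundaries, service control policies and role trust relationships; this linter reads a single identity policy in isolation, so a clean result here says nothing about what the principal can reach through a role it is allowed to assume.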
Holistic identity security
Today’s identity security posture spans resources and apps, people and machines, cloud and on-premises environments, and more. This complexity makes identity an attractive target for adversaries: a successful identity attack shortens an adversary’s path to an organization’s most important resources.
Enterprises should consider a holistic approach to protecting themselves against identity-based attacks. Critical layers of identity security include ISPM, CIEM, and identity threat detection and response (ITDR). Gartner defines ITDR as “The collection of tools and best practices to defend identity systems. ITDR tools can help protect identity systems, detect when they are compromised, and enable efficient remediation.”
Adding multiple identity security layers increases an organization’s ability to protect itself from breaches. Additionally, a unified identity security solution helps organizations drive additional business value, including reduced costs, greater operational efficiencies, faster remediation of threats, and more.
The CrowdStrike approach
The CrowdStrike Falcon® platform is a fully integrated solution that supports ISPM, CIEM, and ITDR security frameworks from a single place. CrowdStrike ensures comprehensive protection against identity-based attacks in real time. With a single sensor, the Falcon platform gathers and analyzes all of your identity and configuration data, providing instant visibility into your entire identity landscape.
The Falcon platform supports an ISPM framework by:
- Unifying visibility and least privilege enforcement across your identity ecosystem
- Highlighting potential risks and providing key insights into possible identity-based attack paths that adversaries can exploit within your identity infrastructure
- Shutting down security vulnerabilities with instant visibility into the hygiene of your identity store (including Active Directory) and potentially compromised credentials
- Simplifying multi-cloud permissions management and continuously detecting and preventing identity-based threats
- Detecting and remediating identity indicators of attack (IOAs) and indicators of misconfiguration (IOMs)
- Accelerating threat response by remediating vulnerabilities across identity, endpoint, and cloud from a single platform
- Meeting compliance requirements and demonstrating security posture across identities