What is identity protection?

Identity protection, also known as identity security, is a comprehensive solution that protects all types of identities within the enterprise—human or machine, on-prem or hybrid, regular or privileged—to detect and prevent identity-driven breaches, especially when adversaries manage to bypass endpoint security measures.

Because any account, be it an IT administrator, employee, remote worker, third-party vendor, or even customer, can become privileged and provide a digital attack path for adversaries, organizations must be able to authenticate every identity and authorize each request to maintain security and prevent a wide range of digital threats, including ransomware and supply chain attacks.

While identity security is an important component within the security architecture, it is important to remember that it is just one element within a broader security platform. To ensure the strongest protection, organizations must develop a comprehensive cybersecurity strategy that includes endpoint security, IT security, cloud workload protection and container security, in addition to identity security. The identity security solution should also integrate with the organization’s existing Identity and Access Management (IAM) tools and processes, as well as a Zero Trust architecture.

Why should organizations care about identity protection?

Analysis from the CrowdStrike Overwatch team indicates that eight in ten (80%) of breaches are identity-driven. These modern attacks often bypass the traditional cyber kill chain by directly leveraging compromised credentials to accomplish lateral movements and launch bigger, more catastrophic attacks.

Unfortunately, identity-driven attacks are extremely hard to detect. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, it is often very difficult to differentiate between the user’s typical behavior and that of the hacker using traditional security measures and tools.

Further, the rapid shift to a digital workforce, caused in part by the COVID-19 outbreak, has dramatically expanded the attack surface for many organizations. This has amplified the need for organizations to activate a strong, flexible identity security solution that protects the business and its assets from threats that may emerge from remote workers using home networks or device.

Identity security is sometimes seen as the last line of defense for organizations. These solutions are intended to stop adversaries that have managed to circumvent other security measures, such as endpoint detection and response tools.

How is identity protection different from IAM technologies?

Identity and Access Management (IAM) is part of the organization’s overarching IT security strategy that focuses on managing digital identities, as well as the user’s access to data, systems and other resources. While IAM often helps reduce identity-related access risks, related policies, programs and technologies typically are not designed primarily as a security solution.

For example, IAM technologies that store and manage identities to provide SSO or MFA capabilities cannot detect and prevent identity-driven attacks in real-time. Likewise, IAM solutions are an important part of the overall identity strategy, but they typically lack deep visibility into endpoints, devices and workloads in addition to identities and user behavior.

Identity security does not replace IAM policies, programs, and technologies. Rather, identity security serves to complement and enhance IAM with advanced threat detection and prevention capabilities.

Where does AD hygiene fit into identity protection?

An organization’s Active Directory (AD) – a directory service developed by Microsoft for Windows domain networks in 1999 – is widely considered one of the weakest links in an organization’s cyber defense strategy. Built on decades-old legacy technology, AD is one of the most widely used identity stores and is still relied upon by over 90% of Fortune 1000 organizations. This makes it a prime target for adversaries to breach the network, move laterally and escalate privileges.

Any security compromise of AD undermines the entire identity infrastructure, leading to potential data leaks as well as potential system corruption/takeover or catastrophic ransomware or supply chain attacks.

A good identity security solution should therefore include robust AD security capabilities to enable deep, continuous, unified visibility of all users across the enterprise as well as the ability to detect and prevent malicious AD-attacks in real-time.

How is identity protection related to zero trust?

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.

This framework is defined by various industry guidelines such as Forrester eXtended, Gartner’s CARTA, and more recently NIST 800-207, as an optimal way to address current security challenges for a cloud-first, work from anywhere in the world.

Organizations that want to enable the strongest security defenses should utilize an identity security solution in conjunction with a Zero Trust security framework. They must also ensure that their solution of choice is compliant with industry guidelines, such as those outlined by NIST.

Identity protection use cases

A comprehensive identity security solution will deliver a host of benefits and enhanced capabilities to the organization. This includes the ability to:

• Stop modern attacks like ransomware or supply chain attacks
• Pass red team/audit testing
• Improve the visibility of credentials in a hybrid environment (including identities, privileged users, and service accounts)
• Enhance lateral movement detection and defense
• Extend MFA to legacy and unmanaged systems
• Strengthen the security of privileged users (e.g. privilege escalation, account takeover)
• Protect the identity store from protocol attacks (e.g., NTLM) and takeover (e.g. pass-the-hash, golden ticket)
• Detect attack tools (e.g., mimikatz)

Building a comprehensive identity protection solution with CrowdStrike

The CrowdStrike^® Falcon platform provides real-time, continuous visibility and security across the organization’s assets. CrowdStrike helps customers establish a comprehensive security strategy, including Identity Security principles, to create a cybersecurity solution that offers the following capabilities:

Real-time detection and prevention: The Falcon platform enables ongoing, automatic monitoring, detection and response capabilities so that organizations know exactly what’s happening – from a threat on a single endpoint to the threat level of the organization. Intelligent EDR automatically detects and intelligently prioritizes malicious and attacker activity.

End-to-end visibility: The Falcon platform provides continuous visibility and security across a variety of touchpoints, including endpoint hardware type, firmware versions, operating system versions, patch levels, vulnerabilities, applications installed, user and programmatic logins, and security or incident detections and, in the case of identity incidents and many types of lateral movement, prevention.

Robust AD security: Falcon’s advanced AD security capabilities add risk analysis through context and threat scoring to basic IAM functions to help security teams to make better, more informed access decisions and enforce conditional access on all requests. Conditional access principles open the door to new types of segmentation based not simply on network boundaries, but on policies touching the context of identity, behavior, and risk of the user credentials.

IAM integration: Falcon Identity Protection tools offer full identity audits and understanding of accounts, protocols, and services accessed by each. The Falcon platform offers multiple APIs into partner MFA/IAM providers, SIEM, SOAR technologies, and more, letting you see end to end all your devices and identities, and control over those pieces in real time.

Zero Trust NIST compliance: As the only NIST compliant Zero Trust cybersecurity provider, Falcon Zero Trust quickly discovers all users and user types in your extended network (regular, privileged, service accounts) and delivers continuous insights and behavioral analytics to detect and respond to risk and threats in real time. The adaptive capabilities of the platform allow you to automate responses with the right type of enforcement or notification based on identity, behavior, and risk.

Open API First Platform: The Falcon platform provides a full-spectrum set of Restful / JSON APIs that enable end customers and the CrowdStrike partner ecosystem to integrate third-party tools that help to seamlessly implement your  Zero Trust Architecture. Some examples of third-party integrations include Okta, ZScaler, NetSkope, ForeScout, Splunk/Phantom and many more. CrowdStrike’s Identity Protection can feed directly into SIEM via JSON, CEF, and LEEF formats, and many SOARs.