- Identity Jedi Newsletter
- Posts
- The 44th Edition of the Identity Jedi Newsletter: ITDR SPECIAL EDITION
The 44th Edition of the Identity Jedi Newsletter: ITDR SPECIAL EDITION
Identity That's Done Right
Wednesday 7/20/23 - Identity Jedi Newsletter - Subscribe
Hey Jedi welcome to the 44th edition of the Identity Jedi Newsletter! Another special edition coming at ya, and this week. It’s all about Identity Threat Detection and Response ( ITDR) or as I’m now referring to it Identity That’s Done Right! ( Shout out to Robert Block for that quote!)
Jedi We are coming off our biggest growth month of the newsletter, and none of that is possible without you. Let’s keep this thing going! Hit the link to share the newsletter and get yourself some free stuff!
Special Edition Index
Deep Dive Links And Articles |
Commentary | My Beef with Gartner The “Gap” between identity and security |
My Beef with Gartner
Yeah, we knew this was coming sooner or later. Let me first say I respect the work and research that Gartner does and while I agree with the overall premises of what they define as ITDR, I disagree with some key points.
Get your popcorn.
Ok, first, let’s look at Gartner’s definition of ITDR
ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.
I’m 1000% in agreement with this, nodding vigorously until the last word.
Infrastrcuture.
Sigh. Ok this is where the nuance comes in. Yes, it’s important to protect identity infrastructure. I’ve said for many years, that once the bad guys figure out that IAM tools hold the keys to the kingdom, we’re fucked. However, we don’t build businesses around infrastructure; we build them around identities. Let me explain.
When’s the last time you heard an organization say: “We’re happy to report record numbers this quarter and it’s all thanks to our Active Directory system”.
I’ll wait…..
…….
Yeah, that’s right, NEVER. Because we build tools to empower PEOPLE to create widgets or services to sell. Those same PEOPLE accomplish those tasks by using information systems, and in order to do that, we have to create digital representations of them, and those representations we call digital identities. We take these identities and assign them access to applications and data. We even create digital identities that represent applications. It’s these things ( the digital identities) that we need to protect, in ADDITION to the infrastructure. It’s a small thing but extremely important. Because the infrastructure by itself, means nothing if digital identities aren’t tied to it.
Let’s dive a little deeper into the difference. Protecting infrastructure, specifically in this case, means making sure the IAM system and/or application is intact. So think Active Directory, Okta, SailPoint., etc. It’s a bad day if your Active Directory decides it’s not accepting authentication requests, or Okta decides no one can log in today. That’s a different threat than if your Active Directory is responding to authentications and 50 more Domain Admin accounts have recently been created. That’s a different kind of threat.
Speaking of threats, let’s look at how Gartner defines and identity threat:
An identity threat is a potential cyberattack related to identity infrastructure, such as access management (AM) tools, directory servers, certificate authorities, and other IAM systems and stores. An identity threat focuses on circumventing, bypassing or abusing identity systems in order to enable a cyberattack.
Pretty sure you can guess my response to this.
Okay I’ve talked about what I don’t like, now let me talk about what I do like.
Everything else..lol.
Listen, we’ve done tremendous things with the current generation of identity products. We’ve established best practices, created and (actually implemented) standards to make things easier. But it’s time for identity to get involved in the fight. I’ll never say that the decision to silo identity products was a bad one. I think we, as an industry, needed this to silo these products so we could build expertise in each area. But identity has never been a one-product problem. It orchestrates several things, all coming together in a very choreographed dance. ITDR is that dance.
The “Gap” between security and identity
Let’s talk about the “Gap”. I’ve written before about how identity has claimed to be a security product, and how we are finally starting to catch up with the marketing hype. But why is there a need to catch up at all?
First let’s think about how we approach security. We often use the term “layered approach,” another way to discuss the castle defense model. Which is to take your most precious resource, put it in the middle of the castle, and build many walls to surround it. Once you run out of walls, then you build moats.
The logic here is that the more walls in front of your resource and attacker, the longer it will take for them to get through, giving you time to defeat them.
Makes sense, right?
We’ve deployed this same thinking model for centuries and to almost everything. Including cybersecurity. Firewalls, network topologies, authentication systems, etc. All of them are just walls we are placing in front of our resources.
The problem is, we missed a resource. We focused solely on protecting data, and applications; we forgot about identities. In doing so, we created the following gap:
Security tools do a great job at monitoring threats to the outside walls, servers, devices, and applications and detecting when things make it through. I refer to this as infrastructure access. However, they have limited visibility into identities and how they access that infrastructure. While on the other side, identity tools have limited ( I would say no) visibility into infrastructure access.
Additionally, Identity systems are mostly preventative controls. ( I said mostly, all you AuthN/AuthZ readers, calm down). This means that the result of an action with this system is to prevent something from happening. Cool. Spend 15 minutes with a toddler and see how well prevention works. In the words of the great Ian Malcolm: “Life finds a way”
In the world of cybersecurity, that means access will not stay the way you provisioned,, policies will not get followed, and in general: shit happens.
So what do we do with said shit?
We pick it up, of course. But in this case, we haven’t. We’re like that one dog owner in the park, who sees their dog drop a turd, and then just walks away. Because, ya know, someone else will pick it up. ( If you’re reading that last part and are offended…well…. not sorry)
We’ve expected security to pick up after us , because it’s “their” job to ya know do all the cool security stuff. But as we’ve said they don’t have the visibility to understand how an identities interacts with the things they are protecting. So what we get is a perfect use of the age old picture below:
And that my friends, is the Gap.
Cisco and Oort sitting in a tree…
So Cisco has announced its intent to acquire ITDR company Oort. A BIG congratulations to the Oort team! I was lucky enough to have the CEO of Oort, Matt Caufield on the podcast earlier this year and I love their view of the market and what they are building. Can’t wait to see what’s next for them with the Cisco team.
Not only does this validate the market for ITDR, but I also think it kicks off the next round of acquisitions that we’ll see in the Platform Wars. Security vendors need to talk Identity, and Identity vendors want to get more security like, I’m betting that over the next 18 months we’ll see two more acquisitions in this space. Another traditional security company, and one of the big identity vendors. ( Which includes uncle Tommy B aka Thoma Bravo).
I think things are about to get VERY interesting.
Here’s the official statement
A little homework this time with the Good Reads section. Given the breakdown of ITDR above, check ou these two articles and think about where a potential gap could. Ask yourself? What system would handle the identity controls for this? How could a breach to this be mitigated? Why is David giving me homework?
Identity Jedi Show Podcast
Quick Update: The Identity Jedi Show will be moving to it’s own Youtube channel! I’ll update this section with the correct links once it’s launched, and also bringing a LIVE version of the Identity Jedi Show. You’ll be able to send in questions, interact with realtime, and even be a guest on the show! Details coming soon
What did you think of this weeks newsletter? |
The Last Word
I think I’ve pretty much said it all…lol. I think ITDR is here to stay, but I belive it’s important to focus on the infrastructure and the identities. We focus on protecting what’s important, and that’s identities.
Book Update: Thanks to everyone that has purchased the book! I’m amazed at how many have sold in such a short period. I am working on an audio version as well for those of you who prefer to listen to books; I”ll keep you updated.
Be Good to each other, Be Kind to each other, Love each other
-Identity Jedi
The JEDI COUNCIL
Slight pause as I’m cooking something up content-wise for you.
Reply