Identifying and securing ownership of assets can be a challenging task. In addition to multifactor authentication, conditional and privileged access can help organizations to batten down the hatches. But introducing AI technologies often adds a nightmare of complexity.
“It [using AI technologies] has been a huge challenge for organizations because policy management, compliance management and security touch on every single application and every single system,” Naresh Persaud, US cyber digital identity and cyber AI blueprint leader for Deloitte says.
Deloitte’s industrial and financial customers save time with the consultancy’s identity product
Recently, Deloitte worked with a large industrial customer after identifying that account ownership was sometimes unclear in their existing system. When an endpoint event was identified, it was difficult to trace who owned the targeted account and whether it existed under multiple names.
“With identity management systems, we can link the named user of that account and at the same time we can identify whether the account was vaulted in an identity in the privileged access management system,” Persaud explains.
The system also identifies any other accounts associated with a user so they too can be examined for any evidence of intrusion. Persaud refers to this as the blast radius.
“If I compromise a privileged account, I might be able to use that account to reset the password for other accounts,” he says. “Immediately identifying the blast radius, determining an appropriate response and putting that information into the alert — that gives the analyst in the security operation center much better telemetry than they had before.”
The system helped connect pieces of the puzzle that would otherwise have had to be assembled manually. The security analyst who flagged the issue would have needed to contact an identity system administrator — an inefficient process in even the most well-oiled operation. Identifying those points of contact and automating the communication process made for a much more efficient response.
Time is often consumed by attempting to map the data related to an incident to the MITRE ATT&CK framework, for example. Industry analysis suggests this can take up to 30 minutes. “With AI enablement an analyst can drastically reduce this time up to 70-80%,” Persaud says.
Persaud claims that the Deloitte solution was able to simplify the documentation. It created a dashboard that identified related accounts that were not vaulted and allowed for closer review of privileged accounts. Unvaulted accounts could be vaulted in short order, and any vulnerabilities in privileged accounts could be pinpointed and addressed. This gave the customer a higher level of precision in its security operations than it had before.
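As an added illustration (not Deloitte's code), a small Python model of the blast-radius enrichment described above: starting from a compromised account, it walks shared-owner and password-reset links and lists the reachable privileged accounts that are not vaulted. The account inventory is constructed sample data.

```python
from collections import deque

# Constructed sample identity inventory (not real data): each account has a
# named human owner, a privileged flag and whether its credential is vaulted
# in the PAM system. "can_reset" lists accounts whose passwords this account
# is entitled to reset.
ACCOUNTS = {
    "jdoe":       {"owner": "Jane Doe",  "privileged": False, "vaulted": False, "can_reset": []},
    "jdoe-adm":   {"owner": "Jane Doe",  "privileged": True,  "vaulted": True,  "can_reset": ["svc-backup", "bsmith"]},
    "svc-backup": {"owner": "Jane Doe",  "privileged": True,  "vaulted": False, "can_reset": []},
    "bsmith":     {"owner": "Bob Smith", "privileged": False, "vaulted": False, "can_reset": []},
    "bsmith-adm": {"owner": "Bob Smith", "privileged": True,  "vaulted": False, "can_reset": []},
    "svc-db":     {"owner": "Carol Lee", "privileged": True,  "vaulted": True,  "can_reset": []},
    "clee":       {"owner": "Carol Lee", "privileged": False, "vaulted": True,  "can_reset": []},
}

def blast_radius(start, accounts=ACCOUNTS):
    """Return every account reachable from `start` via (a) a shared human
    owner or (b) a password-reset entitlement, as a sorted list."""
    by_owner = {}
    for name, acct in accounts.items():
        by_owner.setdefault(acct["owner"], []).append(name)
    seen, queue = {start}, deque([start])
    while queue:  # breadth-first walk over the identity graph
        cur = queue.popleft()
        acct = accounts[cur]
        for nxt in by_owner[acct["owner"]] + acct["can_reset"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)

def enrich_alert(compromised, accounts=ACCOUNTS):
    """Build the extra telemetry an endpoint alert would carry: the named
    owner, the full blast radius and the privileged accounts inside it that
    are not vaulted (the ones to vault and review first)."""
    radius = blast_radius(compromised, accounts)
    return {
        "compromised": compromised,
        "owner": accounts[compromised]["owner"],
        "blast_radius": radius,
        "unvaulted_privileged": sorted(
            a for a in radius if accounts[a]["privileged"] and not accounts[a]["vaulted"]
        ),
    }

if __name__ == "__main__":
    print(enrich_alert("jdoe"))
```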
Deloitte also worked with a financial services client that had a similar visibility issue.
“It is challenging for a lot of organizations to get a complete picture of what their assets are and what controls apply to those assets,” Persaud says. He explains that Deloitte’s identity solution assisted the customer in connecting users with the assets they utilized. As they discovered these assets, they were able to fine-tune the security controls applied to each.
“If the system is going to [process] financial data and other private information, we need to put the right controls in place on the identity side,” he says. “We’ve been able to bring those two pieces together by correlating discovery of assets with discovery of identity and lining that up with controls from the IT asset management system.”
As a result, the users were able to more quickly integrate applications.
How apexanalytix uses Microsoft Azure to manage identity security
“Identity protection is one of the critical controls for any organization in terms of protecting digital assets,” Vishal Grover, CIO of supply chain management platform provider apexanalytix says. “But it is important to maintain the balance between restriction and business requirements.”
apexanalytix has used Microsoft products, such as Defender, for more than a decade. “Initially, we were primarily using it for antivirus. Then advanced threat protection came into the picture. Then identity protection. We kept adding more controls and more validations to strengthen the entire security posture,” he says.
The company has been particularly concerned about the increased identity risk as it expands its international footprint — notably opening offices in Hong Kong in 2016 and Saudi Arabia in 2024. As the offices interact and employees travel to other locations, it is crucial that any access to its systems is verified as legitimate.
The company’s security team has deployed Azure Active Directory (AAD) to verify geographical boundaries — the locations from which employees might reasonably be expected to access its systems. For example, if an employee based in the US who rarely travels attempts to log in from a remote location where they are unlikely to be, a red flag is immediately raised. Unless the user’s physical presence in that location can be verified, their credentials have likely been compromised.
“From a user perspective, anytime someone is traveling outside of their base location, they need to reach out to the IT and security teams to list their specific location,” Grover notes. The adoption of these policies requires reasonable adjustments to user behavior and company policy. But the rewards are substantial.
“If you think from a broader risk management perspective, this has been fundamental to our security model,” he says. The ability to simply track the locations of employees and assign risk accordingly is a significant advancement in risk monitoring for a company growing its international presence. The company also looks out for instances of impossible travel: if an employee has signed in from one location and then from a distant location that they could not possibly have reached within the specified period, an alert is raised.
Security analysts also use the software to scan for risky sign-ins. If a user logs in from an IP that has been blacklisted, an alert is raised.
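An added example, not apexanalytix’s or Microsoft’s code, of the three checks described above (sign-in from a blocklisted IP, sign-in away from the base office without a registered trip, and impossible travel) run over constructed sign-in events; the coordinates, IPs, thresholds and the travel-registration list are all assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sign-in events (not real logs): user, UTC time, source IP and the
# coordinates the identity provider resolved for that IP.
SIGNINS = [
    {"user": "alice", "time": "2024-05-01T09:00:00", "ip": "203.0.113.10", "lat": 35.2271, "lon": -80.8431},
    {"user": "alice", "time": "2024-05-01T10:30:00", "ip": "198.51.100.7", "lat": 22.3193, "lon": 114.1694},
    {"user": "bob",   "time": "2024-05-01T08:00:00", "ip": "203.0.113.20", "lat": 35.2271, "lon": -80.8431},
    {"user": "bob",   "time": "2024-05-02T09:00:00", "ip": "198.51.100.9", "lat": 24.7136, "lon": 46.6753},
    {"user": "carol", "time": "2024-05-01T12:00:00", "ip": "192.0.2.66",   "lat": 35.2271, "lon": -80.8431},
]
# Constructed policy data: each user's base office, travel locations registered
# with IT ahead of a trip, and source IPs on the blocklist.
BASE = {u: (35.2271, -80.8431) for u in ("alice", "bob", "carol")}
REGISTERED_TRAVEL = {"bob": [(24.7136, 46.6753)]}
BLOCKLISTED_IPS = {"192.0.2.66"}
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling for genuine travel between sign-ins
AWAY_FROM_BASE_KM = 500.0    # assumed radius that still counts as "at" a location

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(signins=SIGNINS, base=BASE, registered=REGISTERED_TRAVEL, blocklist=BLOCKLISTED_IPS):
    """Return (user, reason) alerts: blocklisted IP, sign-in far from base
    without a registered trip, or travel faster than MAX_PLAUSIBLE_KMH."""
    alerts, last = [], {}
    for ev in sorted(signins, key=lambda e: (e["user"], e["time"])):
        user, here = ev["user"], (ev["lat"], ev["lon"])
        if ev["ip"] in blocklist:
            alerts.append((user, "blocklisted_ip"))
        registered_here = any(haversine_km(*here, *loc) < AWAY_FROM_BASE_KM
                              for loc in registered.get(user, []))
        if haversine_km(*here, *base[user]) > AWAY_FROM_BASE_KM and not registered_here:
            alerts.append((user, "unexpected_location"))
        prev = last.get(user)
        if prev:  # compare with this user's previous sign-in
            km = haversine_km(prev["lat"], prev["lon"], *here)
            hours = (datetime.fromisoformat(ev["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((user, "impossible_travel"))
        last[user] = ev
    return alerts
```

Bob’s Riyadh sign-in a day after leaving the base office is registered and physically reachable, so it raises nothing; Alice’s Hong Kong sign-in 90 minutes after a US one raises both location alerts.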
The company has increasingly relied on conditional access policies based on monitoring user behavior. If a user typically spends an average amount of time on certain applications and then radically changes that behavior, the activity is flagged and investigated.
The company continues to evaluate its policies at least quarterly in order to ensure that they accord with its evolving business strategies. Grover feels confident that Azure’s capabilities are up to the task but remains vigilant to new potential vulnerabilities that will need to be addressed.