Aug 18 2022

3 Best Practices for State Agencies to Strengthen Identity Protection

According to the CrowdStrike Global Threat Report, 80 percent of security breaches use compromised identities.

In their mission to provide services to citizens, state and local governments require employees, contractors and third-party providers to access sensitive information. When identities and credentials are compromised, it exposes agencies to cyberthreats that range from ransomware shutting down critical services to the theft of personally identifiable information of employees and citizens.

According to the CrowdStrike Global Threat Report, 80 percent of all breaches use compromised identities, and 25 percent of attacks succeed via unmanaged devices, making it difficult to detect these breaches. As the traditional network perimeter continues to dissolve, identity is the critical line of defense encompassing all users and devices. Identity is the primary function enabling and securing everything from DevSecOps and dispersed, connected Internet of Things devices to remote workers.

As state CIOs work to align identity protection and identity and access management processes with security strategy and policies, an emerging enterprise cybersecurity method and solution can help reduce the overall risk to their mission and operations.

Identity detection and response (IDR) is an enterprise cybersecurity method that relies on the use of identity-related information to detect and mitigate malicious attack campaigns within government or corporate networks. Identity is the foundation of emerging security concepts such as zero trust, which requires all users to be authenticated, authorized and continuously validated before accessing applications and data.


Ransomware and Supply Chain Risks Compromise Identities

To be effective, identity protection must be part of a holistic, layered defense strategy offering a specific threat response for ransomware attacks and supply chain risks that compromise identities.

For example, ransomware attacks have two key elements: code execution and stolen credentials. The attacker sends a phishing email to an employee, who clicks on an attachment and downloads malware to the system. The attacker then moves throughout an organization’s network with the employee’s identity. If an agency does not have tools to address both elements of the ransomware attack, it can be a challenge to stop it.

Compromised credentials are a part of supply chain attacks as well. As such, identity protection must fit into an overall information security strategy and platform along with endpoint protection, data protection and cloud security.

As state and local CIOs and security teams think about how to align identity protection within their overall enterprise, here are three best practices to consider:


1. Visualize Identity Assets

IT and security teams should identify all their identity assets and all potential attack surfaces. For example, legacy systems might not have the ability to support multifactor authentication, which is a huge risk. Multicloud environments or administrators working from home are also potentially vulnerable.

Microsoft’s Active Directory, which enables administrators to manage permissions and access to network resources, is complex. It can be difficult for administrators to determine all the user identities in the directory service. Often, many service accounts are nonhuman identities tied to applications, and some administrators might not be aware that these accounts exist. Security teams need to actively monitor all accounts and identities within Active Directory to determine if owners are using these accounts.

“IT and security teams should identify all their identity assets and all potential attack surfaces.”

Kapil Raina, Vice President of Zero Trust (Identity and Data Security) Marketing, CrowdStrike
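The inventory step described above is easiest to reason about with a concrete check. The following is an added example written for this article, not code from CrowdStrike or from any directory product: it takes a constructed, Active Directory-style account export and flags the cases the section calls out (privileged or human accounts that cannot use MFA, service accounts nobody owns, and accounts that have not been used within a staleness window). The `Identity` fields, the 90-day window and all account names are assumptions made for the example; mapping a real export onto those fields is left to the reader.

```python
"""Added example: inventory and flag identity assets from a directory export.

Illustrative code written for this article, not CrowdStrike's or any
directory product's own tooling. It assumes accounts have already been
exported into the fields of `Identity` below. All sample accounts are
constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed reference time so the sample data and findings are reproducible.
REFERENCE_TIME = datetime(2022, 8, 18, tzinfo=timezone.utc)


@dataclass
class Identity:
    name: str
    enabled: bool
    is_service_account: bool        # nonhuman identity tied to an application
    privileged: bool                # holds admin rights somewhere
    mfa_enrolled: bool              # False on legacy systems that cannot do MFA
    owner: Optional[str]            # None if nobody is recorded as responsible
    last_logon: Optional[datetime]  # None if the account has never signed in


def audit_identities(accounts: List[Identity], now: datetime,
                     stale_days: int = 90) -> Dict[str, List[str]]:
    """Return {account name: [finding codes]} for enabled accounts needing review."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts stay in the inventory but are not flagged
        codes: List[str] = []
        if acct.privileged and not acct.mfa_enrolled:
            codes.append("privileged_without_mfa")
        elif not acct.is_service_account and not acct.mfa_enrolled:
            codes.append("human_without_mfa")
        if acct.is_service_account and acct.owner is None:
            codes.append("orphaned_service_account")
        if acct.last_logon is None or now - acct.last_logon > timedelta(days=stale_days):
            codes.append("stale_or_never_used")
        if codes:
            findings[acct.name] = codes
    return findings


def summarize(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many accounts carry each finding code."""
    counts: Dict[str, int] = {}
    for codes in findings.values():
        for code in codes:
            counts[code] = counts.get(code, 0) + 1
    return counts


def sample_accounts(now: datetime = REFERENCE_TIME) -> List[Identity]:
    """Constructed directory export; names and values are made up for the example."""
    day = timedelta(days=1)
    return [
        Identity("jsmith", True, False, False, True, "jsmith", now - 1 * day),
        Identity("svc-payroll", True, True, False, False, None, now - 200 * day),
        Identity("svc-backup", True, True, True, False, "ops-team", now - 2 * day),
        Identity("legacy-app-admin", True, False, True, False, "rjones", now - 3 * day),
        Identity("old-contractor", True, False, False, True, "vendor-x", None),
        Identity("disabled-intern", False, False, False, False, None, None),
    ]


def run_audit() -> Dict[str, List[str]]:
    """Audit the constructed sample with a 90-day staleness window."""
    return audit_identities(sample_accounts(), REFERENCE_TIME)


if __name__ == "__main__":
    result = run_audit()
    for name, codes in result.items():
        print(f"{name}: {', '.join(codes)}")
    print("summary:", summarize(result))
```

The point of running this over the whole export rather than over "the accounts we know about" is the one the section makes: the orphaned service account in the sample would never surface if the team only reviewed the human identities it already tracks.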

2. Mitigate Identity Risks

With so many touchpoints for identities to be exposed, agencies must be able to combat risk from both a static and a dynamic perspective.

Static mitigation takes place before threats happen and requires proper password hygiene to avoid generating opportunities for attack. It’s important to determine whether administrators are using old protocols to set up Active Directory.

Dynamic mitigation looks at how an identity is being used in real time. It relies on machine learning models that indicate, as a user logs in to a system, whether that behavior is normal for that particular user at that time.

Administrators also need confidence that when they set rules to allow or stop a transaction, the results will be accurate. Leaving the tuning of those rules entirely to a systems administrator can cause false positives.

Solutions that incorporate techniques such as conditional access and adaptive authentication can adjust a user’s risk profile without interrupting their workflow. If a user’s normal behavior changes — for example, they begin to move systems or data — their risk profile rises, and they can be challenged to validate their identity. If the person passes the challenge, then the risk profile can be readjusted.
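To make the conditional access and adaptive authentication flow above concrete, here is an added example written for this article (not a CrowdStrike or other vendor implementation). Each sign-in is scored against a per-user baseline, the score is folded into a decaying risk profile, a step-up challenge is issued once the profile crosses a threshold, and a passed challenge resets the profile and accepts the new context while a failed one pins it at maximum. The signals, weights, threshold, decay rule, user name and devices are all assumptions chosen for the example; a real deployment would tune them from its own sign-in data.

```python
"""Added example: adaptive authentication with a per-user risk profile.

Illustrative code written for this article, not a vendor implementation.
The signals, weights and challenge threshold are assumptions made for the
example. All users, devices and events are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    hour: int                         # local hour of day, 0-23
    bulk_data_transfer: bool = False  # unusually large data movement in this session


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    working_hours: range = range(7, 20)  # assumed normal hours for this user
    risk: int = 0                        # accumulated risk, 0-100


class AdaptiveAccessPolicy:
    # Assumed weights; the threshold is set so one unknown device alone triggers a challenge.
    UNKNOWN_DEVICE = 40
    UNKNOWN_COUNTRY = 30
    OFF_HOURS = 15
    BULK_TRANSFER = 45
    CHALLENGE_THRESHOLD = 40

    def __init__(self) -> None:
        self.profiles: Dict[str, UserProfile] = {}

    def enroll(self, user: str, device_id: str, country: str) -> None:
        """Seed a baseline so the first real sign-in is not a blind cold start."""
        p = self.profiles.setdefault(user, UserProfile())
        p.known_devices.add(device_id)
        p.known_countries.add(country)

    def score_event(self, event: LoginEvent) -> int:
        """Risk contributed by this event alone, from deviations against the baseline."""
        p = self.profiles.setdefault(event.user, UserProfile())
        score = 0
        if event.device_id not in p.known_devices:
            score += self.UNKNOWN_DEVICE
        if event.country not in p.known_countries:
            score += self.UNKNOWN_COUNTRY
        if event.hour not in p.working_hours:
            score += self.OFF_HOURS
        if event.bulk_data_transfer:
            score += self.BULK_TRANSFER
        return score

    def evaluate(self, event: LoginEvent) -> str:
        """Fold the event into the profile and return 'allow' or 'challenge'."""
        p = self.profiles.setdefault(event.user, UserProfile())
        # Halve the previous risk so it decays, then add the new evidence.
        p.risk = min(100, p.risk // 2 + self.score_event(event))
        if p.risk >= self.CHALLENGE_THRESHOLD:
            return "challenge"
        self._learn(p, event)  # benign sign-ins refine the baseline
        return "allow"

    def record_challenge_result(self, event: LoginEvent, passed: bool) -> int:
        """After a step-up challenge, readjust the profile and return the new risk."""
        p = self.profiles[event.user]
        if passed:
            p.risk = 0           # identity validated: reset and accept the new context
            self._learn(p, event)
        else:
            p.risk = 100         # validation failed: keep the user at maximum risk
        return p.risk

    @staticmethod
    def _learn(p: UserProfile, event: LoginEvent) -> None:
        p.known_devices.add(event.device_id)
        p.known_countries.add(event.country)


def demo() -> Dict[str, object]:
    """Walk one constructed user through routine use, a new device and a suspicious session."""
    policy = AdaptiveAccessPolicy()
    policy.enroll("amartin", "laptop-01", "US")
    events = [
        LoginEvent("amartin", "laptop-01", "US", 10),  # routine
        LoginEvent("amartin", "laptop-01", "US", 23),  # late night
        LoginEvent("amartin", "phone-77", "US", 10),   # new device
        LoginEvent("amartin", "phone-77", "US", 11),   # device known after passed challenge
        LoginEvent("amartin", "phone-77", "RO", 3, bulk_data_transfer=True),
    ]
    decisions: List[str] = []
    risk_after_pass: Optional[int] = None
    for i, ev in enumerate(events):
        decision = policy.evaluate(ev)
        decisions.append(decision)
        if decision == "challenge":
            # Assumed outcome: the user passes the new-device challenge (i == 2) and fails the last.
            risk = policy.record_challenge_result(ev, passed=(i == 2))
            if i == 2:
                risk_after_pass = risk
    return {"decisions": decisions, "risk_after_pass": risk_after_pass,
            "final_risk": policy.profiles["amartin"].risk}


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the section's argument. The risk profile decays rather than resetting on every sign-in, so a late-night login followed by a new device accumulates into a challenge even though neither event is alarming alone; and a passed challenge both clears the risk and teaches the baseline the new device, which is what keeps the step-up from interrupting the same user's workflow again the next day.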


3. Optimize for Maximum Security and Coverage

Agencies want maximum security and coverage everywhere — for every user and system, regardless of the manufacturer. Optimization requires a platform that comes preintegrated with complementary solutions, such as an endpoint protection and threat intelligence service, and with the identity authentication and risk management tools a provider offers. A platform solution can continuously monitor and learn the behavior of users, service accounts and devices to prevent risky activities and potential threats. It can receive sign-in information from the identity authentication solution and return a risk profile to the identity tool, helping an administrator make informed decisions.

Legacy systems, custom applications or cloud applications can all be protected with conditional access without the need for software agents to be installed on endpoints or customization. Optimization is about extending risk mitigation to more surface areas and improving the user experience by tuning the risk model.


Adopt a Single Platform with Support for Integration

Regardless of the IDR solution an agency chooses, the focus should be on whether it is sustainable. A single platform that works within existing environments and integrates with other security tools should increase productivity, lower false positives and compliance challenges, and provide a return on investment that can be applied to spur business and digital transformation.

