How Smarter Identity Segmentation can Reduce Risk

The past two years will be remembered for COVID-19, but they will also be remembered for another, digital, pandemic that has transformed the cyberthreat landscape. Ransomware is the most significant cybersecurity threat facing organizations, but it is a threat that can be countered.
Network segmentation is a tried and trusted technique for reducing the attack surface. On its own, however, it does little against modern ransomware operations or supply chain breaches in which compromised credentials are the key factor: a valid credential walks straight through the network boundary that segmentation was built to enforce.

The form of segmentation that delivers the most risk reduction for the least cost and operational complexity is identity segmentation, which restricts access to applications and resources based on the identity (user, service or privileged account) making the request.

The Time to Act is Now

According to CrowdStrike’s Global Security Attitude Survey, 66% of organizations suffered at least one ransomware attack in 2021, with the average ransom demand a staggering $6 million.

The most common initial cause of breaches is compromised or stolen user credentials, as reported in the Cost of a Data Breach 2021 Report, and breaches of that type take organizations an average of 250 days to identify.

It’s not hard to think of at least one example of a large-scale ransomware attack in recent times that had serious consequences not only for the organization targeted but for governments and the public too.

One that stands out is the Colonial Pipeline attack of May 2021, carried out by DarkSide, a ransomware-as-a-service (RaaS) group. One compromised password gave the attackers a foothold in the network of the largest fuel pipeline in the U.S., and the shutdown that followed led to fuel shortages up and down the east coast.

Entry was gained through a legacy virtual private network (VPN) account that was not protected by multifactor authentication, and the intrusion led to a temporary halt of all pipeline operations, causing chaos across the supply chain. The company reportedly paid an estimated $5 million in bitcoin to regain control and resume service.

Ransomware has escalated sharply over the last decade, and new techniques are becoming more dangerous and more costly. The rise of double-extortion ransomware is particularly concerning: criminals exfiltrate data before encrypting it, demand a ransom for the decryption key, and threaten to publish the stolen data if the ransom is not paid.

So, how can organizations adapt their security strategy to keep pace?

Zero-Trust is the Way Forward

The traditional network security perimeter and the legacy castle-and-moat approach have largely disappeared as enterprise infrastructure has grown more complex and cloud adoption has increased.

Zero-trust approaches instead focus on protecting resources (assets, services, workflows, network accounts and so on), not network segments, because network location is no longer seen as the prime component of a resource's security posture.

It is fast becoming the primary way to protect against ransomware breaches. In a recent CrowdStrike customer survey, over 80% of respondents said identity protection is the most important aspect of zero-trust.

As promoted by the U.S. government's executive order on improving the nation's cybersecurity (EO 14028), zero-trust grants users access only to the minimum set of resources they need to perform their jobs, which helps contain a breach and limit the spread of ransomware.

According to NIST SP 800-207, zero-trust is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of systems at any classification or sensitivity level.

Network Segmentation and Identity Segmentation

It’s important to distinguish between two approaches to segmentation—network and identity.

Network segmentation segregates and isolates segments of the enterprise network to reduce the attack surface. In today's complex threat and IT environment, however, security strategies must move the perimeter closer to the resource than either the castle-and-moat model or traditional microsegmentation does.

Identity segmentation goes a step further and moves the perimeter to the identity itself, the last line of defense, restricting access to applications and resources based on who (or what) is making the request rather than where the request comes from.

As witnessed in several recent ransomware attacks (such as, again, Colonial Pipeline and the attack against meat giant JBS), cybercriminals have leveraged user credentials for lateral movement and attack progression.

Ransomware adversaries do not necessarily follow the kill chain in a linear manner. They may not start with a phishing email, move to an endpoint, exploit a vulnerability to run malicious code, harvest identities and only then move laterally through the network to locate business-critical drives and resources to encrypt.

Instead, an attacker can enter through the compromised identity of a third-party contractor; a single valid credential is all the adversary needs to bring an organization to the ransomware negotiation table.

This trend is also affecting the cyberinsurance market, with rates rising by up to 30% in 2021 according to the HX Nova Portal. Providers are responding to the rapidly changing risk landscape by deploying capacity more cautiously and raising prices, while trying not to choke off one of their main sources of growth.

Stopping Ransomware With Identity Segmentation

With identity segmentation in place, a compromised account's access can be denied in real time as soon as its behavior deviates from policy or from its established baseline, stopping the breach before it spreads and limiting the attacker's leverage.

But for this to work in practice, security leaders and SOC analysts need the visibility to proactively identify and stop evolving adversary tactics, techniques and ransomware. The following are must-haves in the age of double-extortion ransomware:

  • Monitoring what every account, including human, service and privileged accounts, is doing in real time
  • Understanding the risk level of every account as it changes with respect to behavior, access patterns and established baselines
  • Visibility into the attack path and the ability to interrogate why behavior was flagged as abnormal
  • The ability to threat hunt, dive deeper into specific identity-based incidents and respond according to priority
  • Policies that trigger multifactor authentication (MFA) in real time based on both risk scores and deterministic controls, to stop attack progression and to satisfy cyberinsurance requirements
  • The ability to export detections to SIEM tools and retain them for compliance
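The list above describes capabilities rather than mechanics. The following is an added example, not code from the original article or from CrowdStrike, showing in Python how the two halves of such a policy fit together: deterministic identity-segmentation rules (which account may use which host or reach which resource, the idea introduced under network versus identity segmentation above) and a behavioral risk score measured against a per-account baseline, with each decision emitted as a JSON line for SIEM retention. The account names, hosts, sample events and score thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, asdict
import json

# Deterministic policy (assumed for this example): service accounts are pinned to the
# hosts that may use them, contractor identities to the resources they may reach, and
# privileged access to tier-0 systems must carry a completed MFA challenge.
SERVICE_ACCOUNT_HOSTS = {"svc-backup": {"backup01"}}
CONTRACTOR_SCOPE = {"ext-contractor": {"ticketing-web"}}
TIER0_RESOURCES = {"dc01", "dc02"}
RISK_STEP_UP, RISK_DENY = 40, 80  # score thresholds (assumed)

@dataclass
class Event:
    user: str
    kind: str          # "human" | "service" | "privileged" | "contractor"
    src: str           # host the request originates from
    resource: str      # application or host being accessed
    hour: int          # local hour of the request, 0-23
    interactive: bool  # interactive logon vs. network/service logon
    mfa: bool          # whether an MFA challenge was already satisfied

@dataclass
class Decision:
    user: str
    resource: str
    action: str        # "allow" | "step_up_mfa" | "deny"
    score: int
    reasons: list

def build_baseline(history):
    """Per-identity baseline of source hosts and resources seen in the learning window."""
    base = defaultdict(lambda: {"src": set(), "resource": set()})
    for e in history:
        base[e.user]["src"].add(e.src)
        base[e.user]["resource"].add(e.resource)
    return base

def deterministic_rule(e):
    """Hard identity-segmentation rules. Returns (action, reason) or None."""
    if e.kind == "service":
        if e.interactive:
            return "deny", "service account used interactively"
        if e.src not in SERVICE_ACCOUNT_HOSTS.get(e.user, set()):
            return "deny", f"service account from unapproved host {e.src}"
    if e.kind == "contractor" and e.resource not in CONTRACTOR_SCOPE.get(e.user, set()):
        return "deny", f"contractor outside allowed scope ({e.resource})"
    if e.kind == "privileged" and e.resource in TIER0_RESOURCES and not e.mfa:
        return "step_up_mfa", "privileged access to tier-0 resource without MFA"
    return None

def risk_score(e, baseline, recent):
    """Score deviation from the identity's baseline and from its recent activity."""
    score, reasons = 0, []
    b = baseline.get(e.user)
    if b is None:
        score += 30; reasons.append("no baseline for identity")
    else:
        if e.src not in b["src"]:
            score += 40; reasons.append(f"new source host {e.src}")
        if e.resource not in b["resource"]:
            score += 30; reasons.append(f"new resource {e.resource}")
    if e.hour < 6 or e.hour > 20:
        score += 20; reasons.append("off-hours access")
    # Touching many distinct resources in one window is the shape of lateral movement.
    if len(recent[e.user]) >= 3:
        score += 30; reasons.append(f"{len(recent[e.user])} distinct resources in window")
    return score, reasons

def evaluate(e, baseline, recent):
    """Deterministic rules win; otherwise the risk score picks allow / step-up / deny."""
    hard = deterministic_rule(e)
    if hard:
        action, reason = hard
        return Decision(e.user, e.resource, action,
                        RISK_DENY if action == "deny" else RISK_STEP_UP, [reason])
    score, reasons = risk_score(e, baseline, recent)
    if score >= RISK_DENY:
        action = "deny"
    elif score >= RISK_STEP_UP and not e.mfa:
        action = "step_up_mfa"
    else:
        action = "allow"
    return Decision(e.user, e.resource, action, score, reasons)

def run(history, live):
    """Learn a baseline from `history`, then decide each event in `live` in order."""
    baseline = build_baseline(history)
    recent = defaultdict(set)  # resources each identity touched in the live window
    decisions = []
    for e in live:
        recent[e.user].add(e.resource)
        decisions.append(evaluate(e, baseline, recent))
    return decisions

def to_siem_lines(decisions):
    """One JSON object per decision, for SIEM ingestion and compliance retention."""
    return [json.dumps(asdict(d), sort_keys=True) for d in decisions]

# Constructed sample data (not real logs). Baseline window: ordinary business-hours use.
HISTORY = [
    Event("alice", "human", "ws-alice", "fileshare", 9, True, False),
    Event("alice", "human", "ws-alice", "mail", 14, True, False),
    Event("bob", "privileged", "adm-jump", "dc01", 10, True, True),
    Event("svc-backup", "service", "backup01", "fileshare", 1, False, False),
    Event("ext-contractor", "contractor", "vendor-vpn", "ticketing-web", 11, True, True),
]
# Live window: normal activity, a contractor drifting out of scope, a service account
# used interactively, an admin reaching a DC without MFA, then "alice" at 02:00 from a
# new host fanning out to a finance database.
LIVE = [
    Event("alice", "human", "ws-alice", "fileshare", 10, True, False),
    Event("alice", "human", "ws-alice", "mail", 11, True, False),
    Event("ext-contractor", "contractor", "vendor-vpn", "fileshare", 14, True, True),
    Event("svc-backup", "service", "ws-alice", "fileshare", 15, True, False),
    Event("bob", "privileged", "adm-jump", "dc02", 15, True, False),
    Event("alice", "human", "vpn-gw", "fileshare", 2, True, False),
    Event("alice", "human", "vpn-gw", "fin-db", 2, True, False),
]

if __name__ == "__main__":
    for line in to_siem_lines(run(HISTORY, LIVE)):
        print(line)
```

Running the block prints one JSON line per decision. The order of evaluation is the point: the deterministic rules fire first and are never softened by a good behavioral score, which is what pinning service and contractor identities buys you, while the risk score only governs the identities the rules leave open. In a real deployment the step-up decision would be sent to the identity provider as a conditional-access challenge and the deny would revoke the session, rather than only being recorded.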

Every organization faces unique challenges depending on its business, digital transformation maturity and current security strategy. Zero-trust, implemented properly, can adapt to those specific needs while still delivering a return on the security investment. A growing market of specialist zero-trust solutions helps organizations reduce friction, spend and complexity.

Narendran Vaideeswaran

Narendran Vaideeswaran is Director Product Marketing, Identity & Zero Trust at leading global cybersecurity company CrowdStrike. He is a technology enthusiast, having worked in the information technology space for decades. Narendran started his career as a network engineer for a large multi-national bank, and scaled out to marketing IT hardware and software, both small and enterprise-class.