With the growing risk of identity-driven breaches, as seen in recent ransomware and supply chain attacks, businesses are starting to appreciate the need for identity security. As they assess how best to strengthen identity protection, there is often an urge to settle for security features or modules included in enterprise bundles from the same vendor providing their identity or identity and access management (IAM) layer.

A common example can be seen in organizations with a Microsoft E3/E5 bundle that are already using Active Directory + Azure AD as the identity layer. They may settle for Microsoft Defender for Identity and/or Azure AD Identity Protection to address their identity security needs.

While using multiple products from the same vendor as part of an enterprise bundle is usually cost effective, there are cases in which this compromise can lead to costly, catastrophic breaches — and combining identity and identity security is one of them. Customers often don’t fully appreciate what to look for in an identity security solution.

Before examining the reasons why this compromise is flawed, let’s review a few definitions.

Distinguishing Between IAM and Identity Security

IAM is the part of an organization’s IT security strategy that focuses on managing digital identities and users’ access to data, systems and other resources. IAM technologies store and manage identities to provide single sign-on (SSO) or multifactor authentication (MFA) capabilities, but are not designed primarily as a security solution for detecting and preventing breaches.

Identity security, on the other hand, is a comprehensive solution built for the sole purpose of detecting and preventing identity-driven breaches, especially when adversaries manage to bypass legacy security measures. The ideal identity security solution should be part of a broader security platform with deep visibility into every layer of the enterprise that is exposed to breaches to create more accurate detections and responses, including endpoints, cloud workloads, identities and data.

Pitfalls in Buying IAM and Identity Security from the Same Vendor

Competing Interests

This may sound like a no-brainer, but avoiding a vendor’s areas of competing interest is often overlooked when making cybersecurity purchasing decisions. There should be a clear separation of responsibility. In accounting, an auditor conducts an independent examination to verify the numbers are correct, and in software development, code is tested after the developers have written it. The same concept applies to security: when you buy identity and identity security from the same vendor, you ignore this basic tenet of ensuring neutrality.

Microsoft Active Directory is built on decades-old legacy technology and is widely considered to be one of the weakest links in an organization’s cyber defense strategy. New AD vulnerabilities are discovered every year, including a recent one that could result in total domain compromise in a matter of seconds. At the same time, it is one of the most widely used identity stores: over 90% of Fortune 1000 organizations still rely on it, making Active Directory a very appealing target for identity-based attacks.

As the identity vendor, Microsoft has an obligation to provide its customers with patches for AD vulnerabilities, but that is just one part of the equation. If Microsoft is also the identity security vendor, it should also promptly provide detection and remediation capabilities so adversaries cannot launch attacks exploiting vulnerabilities in its products — but that is an area where it has repeatedly failed its customers.

In contrast, when identity security is provided by a neutral, security-focused vendor like CrowdStrike, this competing interest is eliminated. CrowdStrike’s sole focus is to protect customers from breaches and to provide proactive detection and remediation capabilities — not to patch vulnerabilities in identity products.

Another area of competing interest lies in integrations. An identity security offering should be able to integrate with and provide visibility across a wide array of identity products to provide a unified identity view. However, when an identity vendor also provides the identity security layer, there is no incentive to integrate with other identity vendors to provide a single pane of glass that gives visibility into multiple identity stores across a hybrid landscape. The difference is apparent with Microsoft Defender for Identity — it is Microsoft-centric, whereas CrowdStrike Falcon® products work not only with Active Directory and Azure AD but also with other best-of-breed IAM/MFA vendors like Okta, Ping, Duo, CyberArk and others.

Lack of Security Depth

Although the word “identity” is part of “identity security,” the emphasis must be on security. An ideal identity security solution should be part of a broader security platform that can correlate security information from multiple sources.

The CrowdStrike Security Cloud correlates trillions of security events per day with indicators of attack, the industry’s leading threat intelligence and enterprise telemetry from across customer endpoints, workloads, identities and data. This laser focus on security, incorporating a wide variety of attack data, enables Falcon products to deliver hyper-accurate detections as well as automated protection and remediation.

That single-minded focus on security is hard to achieve for a software behemoth like Microsoft, which has years of deep technical debt from legacy products and also a wide swath of new offerings ranging from cloud infrastructure and services to software, hardware and gaming. Due to its legacy approach from a pre-cloud world, Microsoft is constantly playing catch-up to fix newly discovered vulnerabilities across its products. The company has experienced a string of security issues over the years, including AD supply chain compromise, the PrintNightmare vulnerability and common AD misconfigurations that attackers exploit.

This shortcoming was once again shown in the recent noPac exploit, which allowed malicious actors to chain two critical Active Directory CVEs (CVE-2021-42278 and CVE-2021-42287), leading to privilege escalation with a direct path to a compromised domain. While CrowdStrike Falcon Identity Threat Protection automatically detects attempted exploitation of these vulnerabilities and can block noPac with a simple policy to enforce MFA, Microsoft’s response was to provide patches to address these vulnerabilities in its own product, leaving the onus on the customer to apply those patches to every AD domain controller.
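One defensive angle on the chain described above: the CVE-2021-42278 step depends on a computer account being renamed so that its sAMAccountName loses its trailing `$` (and, in the worst case, collides with a domain controller's short name). Windows Security event 4781 ("The name of an account was changed"), logged on the domain controller when account-management auditing is enabled, records both the old and new names, so a rename of that shape is detectable before the later Kerberos step ever happens. The Python below is an added example written for this article; it is not CrowdStrike's or Microsoft's detection logic. The event records are constructed inline, and the `DOMAIN_CONTROLLERS` set is an assumed inventory a real deployment would pull from the directory.

```python
"""
Flag Active Directory account renames that fit the sAMAccountName-spoofing
pattern used by the noPac chain (CVE-2021-42278 / CVE-2021-42287).

Input is a list of Windows Security event 4781 records (old name -> new name).
Two tiers are reported:
  - "suspicious": a computer account dropped its trailing '$'
  - "critical":   ... and the new name now matches a domain controller's short name
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccountRenameEvent:
    event_id: int     # 4781 = "The name of an account was changed"
    subject: str      # account that performed the rename
    old_name: str     # "Old Account Name" field
    new_name: str     # "New Account Name" field
    logged_on: str    # domain controller that wrote the event


# Assumed inventory of DC short names (a real deployment would query AD for this).
DOMAIN_CONTROLLERS: Set[str] = {"DC01", "DC02"}

# Constructed sample records for the example; not real log data.
SAMPLE_EVENTS: List[AccountRenameEvent] = [
    # Ordinary computer rename that keeps the '$' suffix: benign.
    AccountRenameEvent(4781, "CORP\\svc-provision", "WKS-FINANCE01$", "WKS-FINANCE01-OLD$", "DC01"),
    # Computer account renamed to a DC's short name with the '$' removed: the noPac shape.
    AccountRenameEvent(4781, "CORP\\jsmith", "FAKECOMP$", "DC01", "DC02"),
    # Computer account that merely dropped its '$': worth a look even without a DC collision.
    AccountRenameEvent(4781, "CORP\\jsmith", "LAB-PC7$", "labpc7", "DC01"),
    # A different event ID (computer account changed) is ignored by this rule.
    AccountRenameEvent(4742, "CORP\\svc-provision", "LAB-PC8$", "LAB-PC8$", "DC01"),
    # User account rename: no '$' involved, benign for this rule.
    AccountRenameEvent(4781, "CORP\\hr-admin", "jdoe", "john.doe", "DC01"),
]


def classify_rename(evt: AccountRenameEvent, dcs: Set[str]) -> Optional[str]:
    """Return "critical", "suspicious" or None for a single rename event."""
    if evt.event_id != 4781:
        return None
    was_computer = evt.old_name.endswith("$")
    still_computer = evt.new_name.endswith("$")
    if not (was_computer and not still_computer):
        return None  # either not a computer account, or it kept its '$'
    # sAMAccountName matching is case-insensitive, so normalise before comparing.
    if evt.new_name.upper() in {d.upper() for d in dcs}:
        return "critical"
    return "suspicious"


def find_suspicious_renames(
    events: Iterable[AccountRenameEvent], dcs: Set[str]
) -> List[Tuple[str, str, str]]:
    """Run the rule over a batch of events; returns (old, new, severity) tuples."""
    hits = []
    for evt in events:
        severity = classify_rename(evt, dcs)
        if severity is not None:
            hits.append((evt.old_name, evt.new_name, severity))
    return hits


if __name__ == "__main__":
    for old, new, severity in find_suspicious_renames(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"[{severity.upper():10}] {old} -> {new}")
```

The rule is deliberately narrow: it keys only on the `$` suffix and the DC inventory, which is the part of the chain visible in directory audit data regardless of patch state. It complements, rather than replaces, applying the November 2021 updates on every domain controller, and a "suspicious" hit on its own is a triage signal, not proof of compromise.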

Vendor Lock-in
