The Need for East-West Observability to Protect Against Compromised IAM
By Martin Roesch
In a Zero Trust world, identity is the new perimeter, and identity and access management (IAM) technologies like MFA and 2FA replace strong perimeter security. They work great, until they don’t.
In a recent study, at least 35% of all compromised accounts during the past year had MFA enabled, and another report finds that in 90% of recent business email compromise (BEC) investigations, MFA was in place at the time of unauthorized access. Technology vendors themselves have also been targeted: password managers like LastPass, Twilio’s 2FA service, and even IAM platforms like Okta have been successfully compromised over the last two years.
Zero Trust network access (ZTNA) relies on the assumption that the mechanisms you use to provide attestation are never subverted, compromised, or otherwise rendered ineffective, and that privileged access management and IAM platforms are never wrong. In practice, this is not “zero trust”; it is frequently “put all your trust in one basket.” When something does go wrong and these technologies aren’t trustworthy anymore, how would you even know?
Lack of observability x 2
The first challenge in determining whether trust boundaries have been circumvented is that the backup security infrastructure most organizations deploy alongside ZTNA consists of technologies that reside on the devices themselves: on-board logging mechanisms, EDR agents, or CWPP in the cloud. There is an inherent problem with depending on self-reporting by the devices and workloads under attack to provide consistently correct output when an attacker has compromised that very device.
As a sophisticated attacker develops their access strategy, they will try to do so in a way that defeats whatever mechanisms you have for identifying their presence: turning logging off, scrubbing logs, disabling agents, even using tools native to the box for post-compromise activity rather than specialized tools that might be detected. They don’t want the endpoint defenses to notice them and either take action or trigger an alert.
The follow-on challenge, if the attacker manages to silence the on-board defenses, is that what has happened, and the activity now unfolding in the environment, will only be surfaced by something the attacker can’t avoid or control, such as activity on the network.
In a Zero Trust architecture (ZTA), where almost all network traffic is encrypted, appliance-based deep packet inspection (DPI) approaches such as NDR are too complex and costly to deploy everywhere on the network. So organizations make tradeoffs and typically instrument only the prime North-South interconnects between networks, and very rarely the East-West traffic among participants within the organization. However, by the time an attacker is subverting your IAM infrastructure, they will typically be focused on lateral movement and establishing persistence to further develop their attack and expand the set of devices involved. Activities that would be easy to pick up, and that reveal very distinct signs of compromise and misuse, are missed in a North-South-only DPI environment.
Why Netography Fusion®
The Netography Fusion Network Defense Platform (NDP) has been architected to address this challenge, so you don’t have to put all your trust in one basket. It provides comprehensive, continuous observability across your multi-cloud and on-prem environments to validate correct network segmentation and enforcement of access controls in addition to detecting compromises.
- As a cloud-native platform, Fusion enables 100% frictionless deployment so you can monitor any segment or instance at any time, including places you can’t or don’t want to deploy an appliance or agent.
- Fusion relies on enriched metadata to identify anomalous activity in real-time regardless of encryption, so you can visualize network activity and detect the presence of attackers, often in less than an hour.
- From a single console, the platform inspects North-South and East-West traffic equally well at scale, to find signs that trust boundaries are being circumvented that could indicate suspicious lateral movement and potential data exfiltration.
- It validates that the policies you’re pushing to your infrastructure to do network segmentation and enforcement of access controls are working as intended.
- And it allows you to quickly make corrections as well as update trust boundary rules when you add new segments or modify existing segments.
It turns out that with an NDP like Netography Fusion, Zero Trust doesn’t have to be an all-or-nothing proposition. When IAM has been subverted and user accounts taken over by attackers, Fusion leverages an immutable source of truth you can trust, your network, to provide East-West observability and get ahead of attacks. Continuously monitoring what’s happening across your entire network, Fusion detects violations in your ZTA and can validate your policies in real time so you can continue to adopt Zero Trust with confidence.
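To make the two ideas above concrete (flow metadata as the signal an attacker can’t silence, and checking East-West traffic against the segmentation policy you intended to enforce), here is an added example that is not Netography’s or Fusion’s code. It runs a hypothetical segmentation policy and a lateral-movement fan-out heuristic over constructed flow records using only src, dst and dport, so it needs no payload and works regardless of encryption; the segments, ports, thresholds and addresses are all assumptions.

```python
# Added example, not Netography Fusion code: East-West checks on flow metadata
# (src, dst, dport) only, which works even when payloads are encrypted.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segmentation policy for a hypothetical network (not from the post).
SEGMENTS = {"users": ip_network("10.10.0.0/16"),
            "servers": ip_network("10.20.0.0/16"),
            "db": ip_network("10.30.0.0/16")}
# (src_segment, dst_segment) -> permitted destination ports; all else is a violation.
ALLOWED = {("users", "servers"): {443}, ("servers", "db"): {5432}}
ADMIN_PORTS = {22, 445, 3389, 5985}  # SSH, SMB, RDP, WinRM
FANOUT_THRESHOLD = 3  # distinct internal peers on admin ports before we alert

def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def policy_violations(flows):
    """Internal-to-internal flows the policy does not permit: a crossed trust boundary."""
    out = []
    for src, dst, dport in flows:
        s, d = segment_of(src), segment_of(dst)
        if "external" in (s, d):
            continue  # North-South flows are already covered by perimeter DPI
        if dport not in ALLOWED.get((s, d), set()):
            out.append((src, dst, dport, s, d))
    return out

def lateral_fanout(flows):
    """Sources reaching many distinct internal hosts on admin ports (lateral movement)."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ADMIN_PORTS and segment_of(dst) != "external":
            peers[src].add(dst)
    return {s: sorted(p) for s, p in peers.items() if len(p) >= FANOUT_THRESHOLD}

# Constructed sample flows (src, dst, dport), as a flow collector would export them.
FLOWS = [("10.10.1.5", "10.20.0.8", 443),    # user -> web: permitted
         ("10.20.0.8", "10.30.0.2", 5432),   # web -> db: permitted
         ("10.10.1.5", "10.30.0.2", 5432),   # user -> db directly: violation
         ("10.10.1.5", "10.20.0.8", 445),    # one user host reaching several
         ("10.10.1.5", "10.20.0.9", 445),    #   servers over SMB/RDP: violations
         ("10.10.1.5", "10.20.0.10", 3389)]  #   plus a fan-out pattern
```

Calling `policy_violations(FLOWS)` returns the four flows the policy forbids, and `lateral_fanout(FLOWS)` returns the one source that reached three internal hosts on admin ports; an endpoint whose logging had been disabled would report none of this.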