Uncovering Hidden Paths to Privilege™: A Deep Dive into Identity Security Insights
Sep 10, 2024
In this blog, Rohit Agnihotri and Josh Fu discuss how Identity Security Insights is transforming the way organizations approach identity security.
Author:
Rohit Agnihotri
IAM Executive & Host of "The Identity Navigator" Podcast
A Conversation with Identity Navigator’s Rohit Agnihotri and BeyondTrust's Josh Fu
In today’s cybersecurity landscape, identity has become the new frontline. As organizations grapple with increasingly sophisticated cyber threats, securing identities and the privileges associated with them is more critical than ever. BeyondTrust, a leader in both Privileged Access Management (PAM) and Identity Threat Detection and Response (ITDR), is stepping up to this challenge with its newest solution: Identity Security Insights®. This tool is designed to proactively uncover hidden Paths to Privilege™ and identity vulnerabilities, strengthening your organization’s security posture.
In this blog, I sit down with Josh Fu, VP of Product Marketing at BeyondTrust, to explore how Identity Security Insights is transforming the way organizations approach identity security. From the core problems this solution addresses, to real-world examples of its impact, we delve into the details that make Identity Security Insights a game-changer in the market.
Understanding the Problem: Why Identity Security Matters
Rohit: Let's start with the basics. Can you give a brief overview of the problem that Identity Security Insights is designed to solve?
Josh: The core problem we're addressing with Identity Security Insights is that threat actors are increasingly likely to log in rather than hack in. This means they're exploiting unknown privilege pathways to gain unauthorized access to environments. Every identity—whether human or non-human—can be a target, posing significant risks as potential entry points for threat actors to escalate privileges. The sheer number of identities and associated accounts, often with excessive and evolving privileges, is overwhelming for organizations to manage and secure.
Rohit: It’s fascinating—and a bit alarming—how the dynamics of cyber threats have shifted. The fact that attackers are more likely to exploit legitimate access rather than breach defenses through hacking really underscores the need for comprehensive identity security. It’s no longer just about keeping bad actors out; it’s about making sure that even legitimate access doesn’t turn into a gateway for attacks.
Josh: Exactly. The challenge isn’t just about managing explicitly assigned privileges, but also about identifying the hidden pathways that attackers can exploit. Traditional security tools and approaches, like extended detection and response (XDR) and cloud native application protection platforms (CNAPP), while valuable, are often reactive. They struggle to provide the full coverage and visibility needed to proactively address these risks. Identity Security Insights was designed to close these gaps by providing a unified, proactive approach to identity security.
Rohit: That makes perfect sense. Relying solely on reactive tools is like closing the barn door after the horse has bolted. Taking a proactive stance to identify and neutralize these hidden risks before they can be exploited is increasingly vital in today’s cybersecurity landscape.
Detecting Critical Paths to Privilege
Rohit: You mentioned that Identity Security Insights is designed to uncover hidden Paths to Privilege. Can you give us some examples of the types of vulnerabilities and risks that this refers to?
Josh: Absolutely. Identity Security Insights is equipped to detect a wide range of potential risks, both known and unknown, that could lead to privilege escalation. One key example is dormant and partially revoked (or partially decommissioned) identities. These are accounts that may seem inactive or partially disabled, but can still be exploited by attackers to gain unauthorized access.
Rohit: That’s interesting. Dormant accounts often fly under the radar, but they can be a serious vulnerability if left unchecked.
Josh: That’s exactly what we saw with the Midnight Blizzard attack on Microsoft. Dormant development IDs were the initial attack vector that led to the production email compromise. This example of Identity Security Insights detecting indirect paths that give seemingly innocuous development accounts the true privilege of a production admin is a perfect real-world example of how Insights is different than other products.
Rohit: What other Paths to Privilege does the solution address?
Josh: Some other critical examples include:
Privileged Entra ID or Azure Active Directory accounts that are not managed by a PAM solution. These accounts can pose significant security risks if they’re not properly controlled.
Potential privilege escalation via ownership of groups. Attackers might gain control of certain groups to escalate their privileges within an organization.
Outdated browser usage and activity in domain accounts, which can indicate vulnerabilities that attackers might exploit.
Unusual numbers of MFA failures in quick succession, which could be a sign of an attempted password spray or brute-force attack.
Activity on partially disabled identities and recently re-enabled privileged accounts is flagged as these could suggest unauthorized access.
Rohit: What about more sophisticated threats, like those involving certificates or unusual configurations?
Josh: Great question. Identity Security Insights also detects:
Overprivileged application identities with weak credentials. We’re seeing attackers exploit these with increasing frequency lately.
Unknown connections between production and non-production environments, which are crucial for preventing lateral movement within a network.
Rohit: Covering such a wide array of potential threats would really help organizations gain the visibility they need to manage these risks proactively and leave no stone unturned when securing their entire identity estate.
Key Features of Identity Security Insights
Rohit: What are some of the other unique features of Identity Security Insights that set it apart from other solutions on the market?
Josh: One of the standout features of Identity Security Insights is its ability to offer complete visibility and coverage across all types of identities and systems—whether on-premises, cloud, SaaS, or identity infrastructure. This is crucial because if defenders can't see the risk, they can't fix it.
We do this with incredibly high accuracy by leveraging supervised and unsupervised machine learning to automatically uncover identity security posture issues that might otherwise go unnoticed given the scale of data and hidden admin privileges. This analysis is paired with insights from our dedicated threat research team, which acts as a force multiplier.
Rohit: This level of coverage sounds like a major advantage in today’s complex IT environments, where threats can come from any direction.
Josh: Another key feature is our proactive and reactive approach. Proactively, we provide clear visibility into all accounts, privileges, misconfigurations, entitlements, and potential escalation paths. Reactively, we detect identity-driven threats and privilege abuses, allowing for rapid remediation through integrated PAM controls and incident response workflows.
Rohit: The proactive and reactive combination is powerful. It’s not just about putting out fires as they happen but also about preventing them from starting in the first place.
Seamless Integration with Existing Systems
Rohit: One of the challenges many organizations face when adopting new security solutions is ensuring they integrate smoothly with existing systems. Many organizations already have a complex stack of security tools, and adding a new layer without disrupting existing workflows is crucial. How does Identity Security Insights handle integrations, especially for organizations with diverse IT environments?
Josh: That’s a great point. Seamless integration is critical for any security solution to be effective. Identity Security Insights is designed with this in mind, offering both native and webhook integrations that allow it to fit seamlessly into an organization’s existing infrastructure. Whether you’re using ITSM, SIEM, SOAR, or proprietary solutions, Identity Security Insights can easily connect and work alongside these tools.
Rohit: How does this work for organizations that are already using BeyondTrust’s PAM solutions?
Josh: BeyondTrust customers who are already using our PAM solutions have an added advantage. They can instantly pivot to built-in PAM controls to remediate issues detected by Identity Security Insights. For instance, if a potential threat is identified, the system can quickly take action by eliminating risky and unnecessary privileges or even blocking access to prevent an attack from escalating.
Real-World Impact: Success Stories from the Field
Rohit: It's clear that Identity Security Insights offers a comprehensive solution. Can you share some real-world examples where this solution has made a significant impact?
Josh: Certainly. One of the most notable cases was the detection of the Okta support breach in October 2023. Identity Security Insights was able to identify this breach weeks before Okta's public acknowledgment. It detected session hijacking, proxy-based administrative actions, and other anomalies that would have otherwise gone unnoticed. This early detection allowed our customers to mitigate the threat before it could cause any harm.
Rohit: This is an impressive example that shows how Identity Security Insights not only identifies risks, but also prevents them from escalating.
Best Practices for Implementing Identity Security Insights
Rohit: What should organizations keep in mind when implementing an identity security solution like this?
Josh: Implementation can be challenging, and there are common pitfalls to avoid.
Avoid Narrow Focus - It's important not to have too narrow a focus—identity security needs to encompass all users, not just privileged accounts. Identifying indirect privilege pathways, which may arise from vulnerable configurations or interconnected systems, is crucial.
Leverage AI and Machine Learning - Utilize the solution’s AI and machine learning capabilities to automatically uncover hidden risks and prioritize the most critical issues.
Adopt a Proactive and Reactive Approach - Combine proactive visibility into all accounts and privileges with reactive threat detection and remediation to stay ahead of potential security incidents.
Another critical point is to avoid reliance on custom scripts and niche tools to combine and correlate data from siloed systems. This approach is not scalable and can leave significant gaps in security coverage.
Our solution is designed to integrate seamlessly with existing systems, providing out-of-the-box connectors and integrations to collect data from a wide range of sources. This makes it easier to gain full coverage and visibility, which is essential for managing and enforcing least privilege access effectively.
Rohit: It sounds like BeyondTrust has put a lot of thought into making this solution both powerful and easy to implement.
Before we wrap up, what advice would you give to organizations evaluating identity security solutions?
Josh: My advice would be to start with a clear understanding of your organization's specific needs and challenges. Identity security is a complex field, and there's no one-size-fits-all solution.
Rohit: Why should organizations choose BeyondTrust’s Identity Security Insights?
Josh: Identity Security Insights offers a comprehensive and proactive approach to identity security, ensuring organizations can stay ahead of threats by uncovering hidden privileges and addressing vulnerabilities before they are exploited. By leveraging advanced machine learning, and insights from a dedicated research team, our solution provides the visibility and control needed to protect your identity estate across all environments.
Conclusion
In today’s complex cybersecurity landscape, having a proactive approach to identity security is not just beneficial—it’s essential when attackers are more likely to log in than hack in. For organizations looking to strengthen their identity security posture, Identity Security Insights provides not just a solution, but a strategic advantage. By leveraging the highest maturity level of machine learning, combined with the insights of a dedicated research team, this solution helps organizations gain the visibility and control needed to protect their identity estate across all environments.
If your organization is serious about fortifying its identity security, consider taking advantage of BeyondTrust’s free Identity Security assessment. It’s an opportunity to gain valuable insights into your current security posture and see how Identity Security Insights can help you build a more resilient defense so you can stay one step ahead of evolving threats.
Rohit Agnihotri is an IAM executive, keynote speaker and the enthusiastic host of "The Identity Navigator" podcast, where he shares his insights and experiences from over 15 years in the field of Identity and Access Management (IAM). His expertise lies in designing tailored IAM frameworks that enhance security while driving operational efficiency.
In his current executive role, Rohit combines his hands-on technical skills with high-level strategic insight. He’s all about aligning security with business goals. As a speaker, Rohit captivates audiences with his relatable style and engaging storytelling. He brings a wealth of knowledge and practical insights, making IAM accessible to professionals at all levels. His podcast, "The Identity Navigator," serves as a platform for exploring the intricacies of identity management, where he shares valuable lessons and invites industry experts to discuss the latest trends and challenges. Rohit's unique blend of technical prowess, strategic vision, and personable approach makes him a sought-after expert in the IAM community.