When you deploy a security product, you assume that it will serve its purpose. Unfortunately, this often turns out not to be the case. A new report, produced by Osterman Research and commissioned by Silverfort, reveals that Multi-Factor Authentication (MFA) and Privileged Access Management (PAM) solutions are almost never deployed comprehensively enough to provide resilience to identity threats. Additionally, service accounts – which typically fall outside the protective scope of these controls – are alarmingly exposed to malicious compromise. These results and many more can be found in “The State of the Identity Attack Surface: Overview of Critical Protection Gaps,” the first report that analyzes organizational resilience in the face of identity threats.
What is the “identity attack surface”?
The identity attack surface is any organizational resource accessible through a username and password. The primary way attackers target this attack surface is through compromised user credentials. In this way, the identity attack surface differs significantly from other attack surfaces. When targeting endpoints, for example, attackers must develop innovative malware and zero-day exploits. But in the world of identity, the default attack tool is legitimate usernames and passwords. And with around 24 billion username-password combinations available on the Dark Web, that means the only task attackers need to do is gain initial access.
But I implemented MFA and PAM to prevent attacks
But are you, though? According to the report, which summarizes the findings of 600 identity security professionals surveyed worldwide, the vast majority of organizations have MFA and PAM solutions in place but remain vulnerable to attacks. Here’s why:
Less than 7% of organizations have MFA protection for the majority of their critical resources.
One of the questions asked by the survey was: How much of the following resources and access methods are you currently able to protect with MFA?
- Desktop connections (e.g. Windows, Mac)
- VPN and other remote connection methods
- Command line remote access (e.g. PowerShell, PsExec)
- Local and legacy applications
- IT infrastructure (e.g. management consoles)
- Virtualization platforms and hypervisors (e.g. VMware, Citrix)
- Shared network drives
- OT Systems
This graph summarizes the results:
These numbers imply a critical gap, since a resource without MFA is one that an adversary can transparently access using compromised credentials. Translating this into a real-world scenario, a malicious actor using a command-line tool that is not protected by MFA – such as PsExec or Remote PowerShell – will encounter no obstacles when moving across a network in order to implant a ransomware payload on multiple machines.
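The scenario above, remote command-line execution that no MFA prompt ever intercepts, leaves a trace on the target host even when the credentials are valid. The following is an added detection example, not code from the report or from Silverfort: it correlates a network logon (Windows Security event 4624, logon type 3) with a remote-execution indicator on the same host shortly afterwards (event 7045 for the PSEXESVC service PsExec installs, or a 4688 process-creation event for wsmprovhost.exe, the host process for remote PowerShell). The event records, host names, users and addresses are constructed sample data; a real deployment would read them from the SIEM.

```python
"""
Added example (not from the report): flag remote command-line execution that
no MFA control fronted, by correlating Windows Security events per host.

Constructed sample events only. Event IDs used:
  4624  successful logon (LogonType 3 = network, the type PsExec/WinRM use)
  7045  a new service was installed (PsExec installs PSEXESVC by default)
  4688  process creation (remote PowerShell sessions run as wsmprovhost.exe)
"""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, users and IPs).
SAMPLE_EVENTS = [
    {"time": "2023-09-01T10:00:00", "host": "FILESRV01", "id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.1.5.23"},
    {"time": "2023-09-01T10:00:04", "host": "FILESRV01", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2023-09-01T10:01:10", "host": "FILESRV02", "id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.1.5.23"},
    {"time": "2023-09-01T10:01:12", "host": "FILESRV02", "id": 4688,
     "process": "C:\\Windows\\System32\\wsmprovhost.exe", "user": "CORP\\jdoe"},
    # A network logon with no execution indicator afterwards: not alerted.
    {"time": "2023-09-01T11:30:00", "host": "FILESRV03", "id": 4624, "logon_type": 3,
     "user": "CORP\\backup_svc", "src_ip": "10.1.9.9"},
]

REMOTE_EXEC_SERVICES = {"PSEXESVC"}
REMOTE_EXEC_PROCESSES = {"wsmprovhost.exe"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate_remote_exec(events, window=timedelta(seconds=30)):
    """Return one alert per network logon that is followed, within `window`
    and on the same host, by a PsExec service install or a remote PowerShell
    host process. Each alert names the host, account, source IP and tool."""
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    indicators = [e for e in events if e["id"] in (7045, 4688)]
    alerts = []
    for logon in logons:
        for ind in indicators:
            if ind["host"] != logon["host"]:
                continue
            delta = _ts(ind) - _ts(logon)
            if not (timedelta(0) <= delta <= window):
                continue
            if ind["id"] == 7045 and ind.get("service") in REMOTE_EXEC_SERVICES:
                tool = "PsExec"
            elif ind["id"] == 4688 and ind.get("process", "").split("\\")[-1].lower() in REMOTE_EXEC_PROCESSES:
                tool = "Remote PowerShell"
            else:
                continue
            alerts.append({"host": logon["host"], "user": logon["user"],
                           "src_ip": logon["src_ip"], "tool": tool})
    return alerts


def hosts_reached_by(alerts, user):
    """Distinct hosts one account reached through unguarded remote execution.
    Fan-out across several hosts in a short window is the lateral-movement
    pattern the passage describes, and is what a responder would triage first."""
    return sorted({a["host"] for a in alerts if a["user"] == user})


if __name__ == "__main__":
    found = correlate_remote_exec(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("hosts reached by CORP\\jdoe:", hosts_reached_by(found, "CORP\\jdoe"))
```

The correlation is deliberately per host: a single 7045 or 4688 event says only that a tool ran, while pairing it with the preceding network logon tells you which account and source address drove it, which is the information needed to decide whether that access path should have been behind MFA in the first place.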
Only 10.2% of organizations have a fully integrated PAM solution
PAM solutions are notorious for their long and complex deployments, but how bad is it really? The report reveals the answer: it’s bad. Here is an aggregation of respondents’ responses to the question “Where are you in your PAM implementation journey?”
As you can see, most organizations are stuck somewhere in their PAM journey, which means at least some of their privileged users are exposed to attacks. And keep in mind that admin users are attackers’ quickest path to your crown jewels. Failing to protect them all is a risk no organization can afford to ignore.
78% of organizations cannot prevent malicious access with compromised service accounts
Service accounts are a well-known blind spot. Because these non-human accounts are often highly privileged but cannot be protected by MFA – as well as because they are typically undocumented and therefore unmonitored – they are a prime target for adversaries.
Here are the answers to the question: “How confident are you in your ability to prevent attackers from using service accounts for malicious access in your environment?”
Note that the term “support” is a bit misleading here, as the lack of real-time prevention essentially negates the security value of being able to detect account compromise.
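Because MFA cannot be put in front of a service account, the practical control is a documented baseline of how each account legitimately logs on, plus an alert on any logon that leaves it or comes from an account nobody inventoried. The block below is an added example, not code from the report or from Silverfort; the account names, the `svc_` naming convention, the inventory and the logon records are all constructed assumptions for illustration.

```python
"""
Added example (not from the report): a baseline check for service accounts.

Service accounts cannot be fronted by MFA and are often undocumented, so the
check here (1) keeps an inventory of the source hosts and logon types each
account legitimately uses and (2) flags any logon outside that baseline, or
from a service-style account that is missing from the inventory.
All names and events are constructed.
"""

# Constructed inventory: account -> allowed source hosts and logon types.
# Windows logon types: 2 = interactive, 3 = network, 4 = batch,
# 5 = service, 10 = RDP. A service account doing 2 or 10 is a red flag.
INVENTORY = {
    "CORP\\svc_backup": {"sources": {"BACKUP01"}, "logon_types": {3, 5}},
    "CORP\\svc_sql":    {"sources": {"SQL01", "SQL02"}, "logon_types": {5}},
}

# Constructed sample logon records.
SAMPLE_LOGONS = [
    {"user": "CORP\\svc_backup", "src_host": "BACKUP01",    "logon_type": 5},   # baseline
    {"user": "CORP\\svc_backup", "src_host": "WS-FINANCE7", "logon_type": 3},   # new source
    {"user": "CORP\\svc_sql",    "src_host": "SQL01",       "logon_type": 10},  # RDP with a service account
    {"user": "CORP\\svc_legacy", "src_host": "APP09",       "logon_type": 3},   # not inventoried
    {"user": "CORP\\jdoe",       "src_host": "WS-12",       "logon_type": 2},   # human account, out of scope
]

SERVICE_ACCOUNT_PREFIX = "svc_"  # naming convention assumed for this example


def is_service_account(user):
    """Identify service accounts by the assumed naming convention."""
    return user.split("\\")[-1].lower().startswith(SERVICE_ACCOUNT_PREFIX)


def detect_service_account_anomalies(inventory, logons):
    """Return (account, reason) findings for every service-account logon that
    is undocumented, comes from an unexpected host, or uses a logon type the
    account should never need."""
    findings = []
    for ev in logons:
        user = ev["user"]
        if not is_service_account(user):
            continue
        baseline = inventory.get(user)
        if baseline is None:
            findings.append((user, "undocumented service account"))
            continue
        if ev["src_host"] not in baseline["sources"]:
            findings.append((user, f"logon from unexpected source {ev['src_host']}"))
        if ev["logon_type"] not in baseline["logon_types"]:
            findings.append((user, f"unexpected logon type {ev['logon_type']}"))
    return findings


if __name__ == "__main__":
    for account, reason in detect_service_account_anomalies(INVENTORY, SAMPLE_LOGONS):
        print(f"{account}: {reason}")
```

The "undocumented service account" finding is the one that addresses the blind spot the passage describes: an account that appears in logon telemetry but in no inventory has no baseline at all, so nothing can be enforced for it until someone claims ownership and records how it is supposed to be used.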
How well are you protecting your environment’s identity attack surface? Use the maturity model
The report does more than just point out weaknesses and gaps: it offers a useful scoring model that, based on aggregated results across all aspects of identity protection, can reveal your level of resilience to identity threats.
The report reveals that very few organizations – just 6.6% – have a disciplined and implemented identity protection strategy in place. But use this template to answer the same questions and see how your organization stacks up, as well as what actions you need to take.
Ready to see how resilient you are in the face of identity threats? Access the report here.